Edit tour

Windows Analysis Report
x4ByCNJqst

Overview

General Information

Sample Name:	x4ByCNJqst (renamed file extension from none to dll)
Analysis ID:	626484
MD5:	8978c658ba95819f72866e0ffc41fa81
SHA1:	f8eed4cba5ff946b074a9b2f95e2fb92c0427651
SHA256:	50363092e6becfe6ad91c4118fcb2e9207ebb6d2016de3459d56b41fbc3b61c1
Tags:	exetrojan
Infos:

Detection

Emotet

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Emotet

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Query firmware table information (likely to detect VMs)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Queries the volume information (name, serial number etc) of a device

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Detected potential crypto function

Found evasive API chain (may stop execution after checking a module file name)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to dynamically determine API calls

HTTP GET or POST without a user agent

Program does not show much activity (idle)

IP address seen in connection with other malware

AV process strings found (often used to terminate AV products)

PE file contains an invalid checksum

Tries to load missing DLLs

Drops PE files to the windows directory (C:\Windows)

Checks if the current process is being debugged

Registers a DLL

Queries disk information (often used to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

loaddll64.exe (PID: 4856 cmdline: loaddll64.exe "C:\Users\user\Desktop\x4ByCNJqst.dll" MD5: 4E8A40CAD6CCC047914E3A7830A2D8AA)

cmd.exe (PID: 5600 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\x4ByCNJqst.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

rundll32.exe (PID: 6596 cmdline: rundll32.exe "C:\Users\user\Desktop\x4ByCNJqst.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)

regsvr32.exe (PID: 6608 cmdline: regsvr32.exe /s C:\Users\user\Desktop\x4ByCNJqst.dll MD5: D78B75FC68247E8A63ACBA846182740E)

regsvr32.exe (PID: 6228 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\HhAmkCb\GvrdyVBSmSfKAy.dll" MD5: D78B75FC68247E8A63ACBA846182740E)

rundll32.exe (PID: 6112 cmdline: rundll32.exe C:\Users\user\Desktop\x4ByCNJqst.dll,DllRegisterServer MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 6360 cmdline: rundll32.exe C:\Users\user\Desktop\x4ByCNJqst.dll,DllUnregisterServer MD5: 73C519F050C20580F8A62C849D49215A)

svchost.exe (PID: 6860 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6608 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 7140 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 4432 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 3448 cmdline: C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000002.00000002.356801545.0000000000E30000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.869948171.0000000180001000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000003.00000002.354544713.00000181D20E0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.869836841.0000000001460000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.354904578.0000000180001000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.355023009.000001F155CA0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000003.00000002.354213067.0000000180001000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author
2.2.regsvr32.exe.e30000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.regsvr32.exe.1460000.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.regsvr32.exe.1460000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.1f155ca0000.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.rundll32.exe.181d20e0000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.1f155ca0000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.regsvr32.exe.e30000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.rundll32.exe.181d20e0000.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 3 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: x4ByCNJqst.dll

Virustotal: Detection: 38%

Perma Link

Antivirus detection for URL or domain

Source: https://23.239.0.12/r	Avira URL Cloud: Label: malware
Source: https://23.239.0.12/T	Avira URL Cloud: Label: malware

Source: unknown

HTTPS traffic detected: 23.239.0.12:443 -> 192.168.2.7:49768 version: TLS 1.2

Source: x4ByCNJqst.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: msacm32.pdb source: regsvr32.exe, 00000005.00000002.869336135.0000000001075000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: msacm32.pdbGCTL source: regsvr32.exe, 00000005.00000002.869336135.0000000001075000.00000004.00000010.00020000.00000000.sdmp

Source: C:\Windows\System32\regsvr32.exe

Code function: 5_2_000000018000D26C FindFirstFileW,FindNextFileW,FindClose,

5_2_000000018000D26C

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\regsvr32.exe

Network Connect: 23.239.0.12 443

Jump to behavior

Source: Joe Sandbox View

ASN Name: LINODE-APLinodeLLCUS LINODE-APLinodeLLCUS

Source: Joe Sandbox View

JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Cookie: NqJHMaZApWBzFHY=XnAC+Yb1BWcC8cxpMdN3mvvHxzbcP4UM0mJ8pO7OgrZppTTZ3OPUTY+lV3jxzl1zEtH5O7vy8t+RSI3ZA30/IzOJueLRq29KI/FUiptqaMFxmzK6Kmkmc0TaQsn05byGr1t0HOux/W6N2Y3frBwpBqmwgo+OHxPvOFc4iZLoa/jVUB9oykMB0IAEp3J4KRKAkPEKgx7W4zVV62pcwrXKzQXrtqv0iSL4w1N07tUAJqfbBOmr6Oaje3SOq+wQI/vlhkV9sj9wmBGDr/hLnOMXnSapOZnbbPPuHzc8DYjP7OyEgrMI3OLvLaNvFjazRL+vKUyOKX9EgoEpHost: 23.239.0.12Connection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View

IP Address: 23.239.0.12 23.239.0.12

Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768

Source: unknown	TCP traffic detected without corresponding DNS query: 23.239.0.12
Source: unknown	TCP traffic detected without corresponding DNS query: 23.239.0.12
Source: unknown	TCP traffic detected without corresponding DNS query: 23.239.0.12
Source: unknown	TCP traffic detected without corresponding DNS query: 23.239.0.12
Source: unknown	TCP traffic detected without corresponding DNS query: 23.239.0.12
Source: unknown	TCP traffic detected without corresponding DNS query: 23.239.0.12
Source: unknown	TCP traffic detected without corresponding DNS query: 23.239.0.12
Source: unknown	TCP traffic detected without corresponding DNS query: 23.239.0.12
Source: unknown	TCP traffic detected without corresponding DNS query: 23.239.0.12
Source: unknown	TCP traffic detected without corresponding DNS query: 23.239.0.12

Source: svchost.exe, 00000013.00000003.478105790.00000220EE95E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG", equals www.facebook.com (Facebook)
Source: svchost.exe, 00000013.00000003.478105790.00000220EE95E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG", equals www.twitter.com (Twitter)
Source: svchost.exe, 00000013.00000003.478117159.00000220EE96F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.478105790.00000220EE95E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-05-13T10:00:01.2192622Z\|\|.\|\|8adb3f26-c14b-4fc0-afb3-91b3c6daaa3f\|\|1152921505694830749\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
Source: svchost.exe, 00000013.00000003.478117159.00000220EE96F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.478105790.00000220EE95E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-05-13T10:00:01.2192622Z\|\|.\|\|8adb3f26-c14b-4fc0-afb3-91b3c6daaa3f\|\|1152921505694830749\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab

Source: regsvr32.exe, 00000005.00000002.869787807.000000000119E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.418140671.000000000119E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.521374066.00000220EE900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000002.869862141.00000284704E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000013.00000002.521310447.00000220EE0EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000013.00000003.497159683.00000220EE998000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://help.disneyplus.com.
Source: regsvr32.exe, 00000005.00000003.418549404.0000000001170000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.869533417.0000000001142000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.869694191.0000000001170000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.418532883.000000000116D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.418511014.000000000116A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.418437504.0000000001142000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://23.239.0.12/
Source: regsvr32.exe, 00000005.00000003.418549404.0000000001170000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.869694191.0000000001170000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.418532883.000000000116D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.418511014.000000000116A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://23.239.0.12/T
Source: regsvr32.exe, 00000005.00000003.418549404.0000000001170000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.869694191.0000000001170000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.418532883.000000000116D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.418511014.000000000116A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://23.239.0.12/r
Source: svchost.exe, 00000013.00000003.497159683.00000220EE998000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000013.00000003.492534259.00000220EEE02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.492459524.00000220EE9B2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.492560853.00000220EE996000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.492435911.00000220EE996000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.492486674.00000220EEE1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.492696611.00000220EE96B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.492508675.00000220EEE1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.492411847.00000220EE9A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.hotspotshield.com/
Source: svchost.exe, 00000013.00000003.497159683.00000220EE998000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000013.00000003.497159683.00000220EE998000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000013.00000003.492534259.00000220EEE02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.492459524.00000220EE9B2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.492560853.00000220EE996000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.492435911.00000220EE996000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.492486674.00000220EEE1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.492696611.00000220EE96B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.492508675.00000220EEE1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.492411847.00000220EE9A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.hotspotshield.com/terms/
Source: svchost.exe, 00000013.00000003.492534259.00000220EEE02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.492459524.00000220EE9B2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.492560853.00000220EE996000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.492435911.00000220EE996000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.492486674.00000220EEE1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.492696611.00000220EE96B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.492508675.00000220EEE1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.492411847.00000220EE9A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.pango.co/privacy
Source: svchost.exe, 00000013.00000003.501374114.00000220EE99A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.501319852.00000220EE9B0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.501397864.00000220EEE02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.502857776.00000220EE962000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.501338834.00000220EE9B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.tiktok.com/legal/report/feedback

Source: C:\Windows\System32\regsvr32.exe

Code function: 5_2_00000001800132F0 InternetReadFile,RtlAllocateHeap,

5_2_00000001800132F0

Source: global traffic

Source: unknown

HTTPS traffic detected: 23.239.0.12:443 -> 192.168.2.7:49768 version: TLS 1.2

E-Banking Fraud

Yara detected Emotet

Source: Yara match	File source: 2.2.regsvr32.exe.e30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.regsvr32.exe.1460000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.regsvr32.exe.1460000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.1f155ca0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.181d20e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.1f155ca0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.e30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.181d20e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.356801545.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.869948171.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.354544713.00000181D20E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.869836841.0000000001460000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.354904578.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.355023009.000001F155CA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.354213067.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\System32\regsvr32.exe

File deleted: C:\Windows\System32\HhAmkCb\GvrdyVBSmSfKAy.dll:Zone.Identifier

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

File created: C:\Windows\system32\HhAmkCb\

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FF8CAA8A77C	2_2_00007FF8CAA8A77C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FF8CAA86F0C	2_2_00007FF8CAA86F0C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FF8CAA8AF70	2_2_00007FF8CAA8AF70
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FF8CAA8FB6C	2_2_00007FF8CAA8FB6C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FF8CAA8EB60	2_2_00007FF8CAA8EB60
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FF8CAA8FCA0	2_2_00007FF8CAA8FCA0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FF8CAA8B5CC	2_2_00007FF8CAA8B5CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FF8CAA8895C	2_2_00007FF8CAA8895C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FF8CAA85944	2_2_00007FF8CAA85944
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FF8CAA8E6C0	2_2_00007FF8CAA8E6C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FF8CAA8AA0C	2_2_00007FF8CAA8AA0C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00D00000	2_2_00D00000
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180010FF4	2_2_0000000180010FF4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180028C20	2_2_0000000180028C20
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018002C058	2_2_000000018002C058
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180009100	2_2_0000000180009100
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180007958	2_2_0000000180007958
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001C964	2_2_000000018001C964
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000C608	2_2_000000018000C608
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180021618	2_2_0000000180021618
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180013E28	2_2_0000000180013E28
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001E3AC	2_2_000000018001E3AC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001DBE8	2_2_000000018001DBE8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001FC0C	2_2_000000018001FC0C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000580C	2_2_000000018000580C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180022010	2_2_0000000180022010
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001481C	2_2_000000018001481C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018002A42C	2_2_000000018002A42C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180011834	2_2_0000000180011834
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180023831	2_2_0000000180023831
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180021C3C	2_2_0000000180021C3C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000703C	2_2_000000018000703C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000AC48	2_2_000000018000AC48
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000FC48	2_2_000000018000FC48
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180024458	2_2_0000000180024458
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180006458	2_2_0000000180006458
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001C05C	2_2_000000018001C05C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001A460	2_2_000000018001A460
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180029888	2_2_0000000180029888
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001D49C	2_2_000000018001D49C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180008CA0	2_2_0000000180008CA0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800248A8	2_2_00000001800248A8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180015CB0	2_2_0000000180015CB0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800124B4	2_2_00000001800124B4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000C4B4	2_2_000000018000C4B4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800288B8	2_2_00000001800288B8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800024B8	2_2_00000001800024B8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000D8C4	2_2_000000018000D8C4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800250CC	2_2_00000001800250CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800190D4	2_2_00000001800190D4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180017CE4	2_2_0000000180017CE4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800264F0	2_2_00000001800264F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800014F8	2_2_00000001800014F8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180020CFC	2_2_0000000180020CFC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018002C904	2_2_000000018002C904
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180017908	2_2_0000000180017908
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180021510	2_2_0000000180021510
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000F917	2_2_000000018000F917
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000551C	2_2_000000018000551C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000F128	2_2_000000018000F128
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001CD38	2_2_000000018001CD38
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180016D3C	2_2_0000000180016D3C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001F944	2_2_000000018001F944
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180018148	2_2_0000000180018148
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001D950	2_2_000000018001D950
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180013150	2_2_0000000180013150
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001ED50	2_2_000000018001ED50
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001E960	2_2_000000018001E960
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180019D60	2_2_0000000180019D60
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180001D68	2_2_0000000180001D68
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001496C	2_2_000000018001496C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180002D70	2_2_0000000180002D70
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180024574	2_2_0000000180024574
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180002178	2_2_0000000180002178
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180024D80	2_2_0000000180024D80
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180018598	2_2_0000000180018598
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180003598	2_2_0000000180003598
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018002A9A8	2_2_000000018002A9A8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800119A8	2_2_00000001800119A8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180025DAC	2_2_0000000180025DAC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180018DAC	2_2_0000000180018DAC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800269B0	2_2_00000001800269B0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800059B8	2_2_00000001800059B8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800029BC	2_2_00000001800029BC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800141C0	2_2_00000001800141C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800125C4	2_2_00000001800125C4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800121CC	2_2_00000001800121CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000BDD0	2_2_000000018000BDD0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800075D4	2_2_00000001800075D4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800095DC	2_2_00000001800095DC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000F9E8	2_2_000000018000F9E8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180002610	2_2_0000000180002610
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180019618	2_2_0000000180019618
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001FA38	2_2_000000018001FA38
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000A270	2_2_000000018000A270
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180019E78	2_2_0000000180019E78
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001DA80	2_2_000000018001DA80
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180024698	2_2_0000000180024698
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000EE98	2_2_000000018000EE98
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800176B8	2_2_00000001800176B8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001AAB8	2_2_000000018001AAB8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180011AD0	2_2_0000000180011AD0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180008AD8	2_2_0000000180008AD8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800296EC	2_2_00000001800296EC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000A6EC	2_2_000000018000A6EC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800132F0	2_2_00000001800132F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180019300	2_2_0000000180019300
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001BB04	2_2_000000018001BB04
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018002870C	2_2_000000018002870C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180026B10	2_2_0000000180026B10
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000131C	2_2_000000018000131C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000671C	2_2_000000018000671C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180029B28	2_2_0000000180029B28
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180012F28	2_2_0000000180012F28
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000BB28	2_2_000000018000BB28
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001EB30	2_2_000000018001EB30
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180020334	2_2_0000000180020334
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180010758	2_2_0000000180010758
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001435C	2_2_000000018001435C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180009F5C	2_2_0000000180009F5C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180029368	2_2_0000000180029368
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180020768	2_2_0000000180020768
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180017378	2_2_0000000180017378
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180013780	2_2_0000000180013780
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180015388	2_2_0000000180015388
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000338C	2_2_000000018000338C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000738C	2_2_000000018000738C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180002790	2_2_0000000180002790
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180027F9C	2_2_0000000180027F9C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800197A0	2_2_00000001800197A0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018002C7B4	2_2_000000018002C7B4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001DFB4	2_2_000000018001DFB4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001F7C0	2_2_000000018001F7C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800097C0	2_2_00000001800097C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800157D8	2_2_00000001800157D8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180019FDC	2_2_0000000180019FDC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180017BDC	2_2_0000000180017BDC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000F7E0	2_2_000000018000F7E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180001FE0	2_2_0000000180001FE0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180010FF4	3_2_0000000180010FF4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018002C058	3_2_000000018002C058
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180009100	3_2_0000000180009100
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000C608	3_2_000000018000C608
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180021618	3_2_0000000180021618
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001E3AC	3_2_000000018001E3AC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001DBE8	3_2_000000018001DBE8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001FC0C	3_2_000000018001FC0C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000580C	3_2_000000018000580C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180022010	3_2_0000000180022010
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001481C	3_2_000000018001481C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018002A42C	3_2_000000018002A42C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180011834	3_2_0000000180011834
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180021C3C	3_2_0000000180021C3C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000703C	3_2_000000018000703C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000AC48	3_2_000000018000AC48
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000FC48	3_2_000000018000FC48
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180006458	3_2_0000000180006458
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001C05C	3_2_000000018001C05C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001A460	3_2_000000018001A460
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180029888	3_2_0000000180029888
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001D49C	3_2_000000018001D49C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180008CA0	3_2_0000000180008CA0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800248A8	3_2_00000001800248A8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180015CB0	3_2_0000000180015CB0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800124B4	3_2_00000001800124B4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000C4B4	3_2_000000018000C4B4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800288B8	3_2_00000001800288B8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800024B8	3_2_00000001800024B8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000D8C4	3_2_000000018000D8C4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800250CC	3_2_00000001800250CC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800190D4	3_2_00000001800190D4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180017CE4	3_2_0000000180017CE4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800264F0	3_2_00000001800264F0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800014F8	3_2_00000001800014F8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180020CFC	3_2_0000000180020CFC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018002C904	3_2_000000018002C904
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180017908	3_2_0000000180017908
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180021510	3_2_0000000180021510
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000F917	3_2_000000018000F917
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000551C	3_2_000000018000551C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000F128	3_2_000000018000F128
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001CD38	3_2_000000018001CD38
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180016D3C	3_2_0000000180016D3C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001F944	3_2_000000018001F944
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180018148	3_2_0000000180018148
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001ED50	3_2_000000018001ED50
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180013150	3_2_0000000180013150
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001D950	3_2_000000018001D950
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001E960	3_2_000000018001E960
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180019D60	3_2_0000000180019D60
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001C964	3_2_000000018001C964
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180001D68	3_2_0000000180001D68
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001496C	3_2_000000018001496C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180002D70	3_2_0000000180002D70
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180002178	3_2_0000000180002178
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180024D80	3_2_0000000180024D80
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180018598	3_2_0000000180018598
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180003598	3_2_0000000180003598
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018002A9A8	3_2_000000018002A9A8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800119A8	3_2_00000001800119A8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180025DAC	3_2_0000000180025DAC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180018DAC	3_2_0000000180018DAC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800269B0	3_2_00000001800269B0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800059B8	3_2_00000001800059B8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800029BC	3_2_00000001800029BC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800141C0	3_2_00000001800141C0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800125C4	3_2_00000001800125C4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800121CC	3_2_00000001800121CC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800075D4	3_2_00000001800075D4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800095DC	3_2_00000001800095DC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000F9E8	3_2_000000018000F9E8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180002610	3_2_0000000180002610
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180019618	3_2_0000000180019618
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180013E28	3_2_0000000180013E28
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001FA38	3_2_000000018001FA38
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000A270	3_2_000000018000A270
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180019E78	3_2_0000000180019E78
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001DA80	3_2_000000018001DA80
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180024698	3_2_0000000180024698
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000EE98	3_2_000000018000EE98
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800176B8	3_2_00000001800176B8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001AAB8	3_2_000000018001AAB8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180011AD0	3_2_0000000180011AD0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180008AD8	3_2_0000000180008AD8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800296EC	3_2_00000001800296EC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000A6EC	3_2_000000018000A6EC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800132F0	3_2_00000001800132F0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180019300	3_2_0000000180019300
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001BB04	3_2_000000018001BB04
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018002870C	3_2_000000018002870C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180026B10	3_2_0000000180026B10
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000131C	3_2_000000018000131C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000671C	3_2_000000018000671C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180029B28	3_2_0000000180029B28
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180012F28	3_2_0000000180012F28
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000BB28	3_2_000000018000BB28
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001EB30	3_2_000000018001EB30
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180020334	3_2_0000000180020334
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180010758	3_2_0000000180010758
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001435C	3_2_000000018001435C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180009F5C	3_2_0000000180009F5C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180029368	3_2_0000000180029368
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180020768	3_2_0000000180020768
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180017378	3_2_0000000180017378
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180013780	3_2_0000000180013780
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180015388	3_2_0000000180015388
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000338C	3_2_000000018000338C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000738C	3_2_000000018000738C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180002790	3_2_0000000180002790
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800197A0	3_2_00000001800197A0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018002C7B4	3_2_000000018002C7B4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001DFB4	3_2_000000018001DFB4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001F7C0	3_2_000000018001F7C0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800097C0	3_2_00000001800097C0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800157D8	3_2_00000001800157D8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180019FDC	3_2_0000000180019FDC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180017BDC	3_2_0000000180017BDC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000F7E0	3_2_000000018000F7E0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180001FE0	3_2_0000000180001FE0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000181D0AB0000	3_2_00000181D0AB0000
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180010FF4	4_2_0000000180010FF4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018002C058	4_2_000000018002C058
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180009100	4_2_0000000180009100
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000C608	4_2_000000018000C608
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180021618	4_2_0000000180021618
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001E3AC	4_2_000000018001E3AC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001DBE8	4_2_000000018001DBE8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001FC0C	4_2_000000018001FC0C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000580C	4_2_000000018000580C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180022010	4_2_0000000180022010
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001481C	4_2_000000018001481C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018002A42C	4_2_000000018002A42C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180011834	4_2_0000000180011834
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180021C3C	4_2_0000000180021C3C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000703C	4_2_000000018000703C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000AC48	4_2_000000018000AC48
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000FC48	4_2_000000018000FC48
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180006458	4_2_0000000180006458
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001C05C	4_2_000000018001C05C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001A460	4_2_000000018001A460
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180029888	4_2_0000000180029888
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001D49C	4_2_000000018001D49C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180008CA0	4_2_0000000180008CA0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800248A8	4_2_00000001800248A8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180015CB0	4_2_0000000180015CB0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800124B4	4_2_00000001800124B4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000C4B4	4_2_000000018000C4B4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800288B8	4_2_00000001800288B8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800024B8	4_2_00000001800024B8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000D8C4	4_2_000000018000D8C4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800250CC	4_2_00000001800250CC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800190D4	4_2_00000001800190D4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180017CE4	4_2_0000000180017CE4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800264F0	4_2_00000001800264F0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800014F8	4_2_00000001800014F8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180020CFC	4_2_0000000180020CFC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018002C904	4_2_000000018002C904
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180017908	4_2_0000000180017908
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180021510	4_2_0000000180021510
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000F917	4_2_000000018000F917
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000551C	4_2_000000018000551C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000F128	4_2_000000018000F128
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001CD38	4_2_000000018001CD38
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180016D3C	4_2_0000000180016D3C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001F944	4_2_000000018001F944
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180018148	4_2_0000000180018148
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001ED50	4_2_000000018001ED50
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180013150	4_2_0000000180013150
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001D950	4_2_000000018001D950
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001E960	4_2_000000018001E960
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180019D60	4_2_0000000180019D60
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001C964	4_2_000000018001C964
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180001D68	4_2_0000000180001D68
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001496C	4_2_000000018001496C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180002D70	4_2_0000000180002D70
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180002178	4_2_0000000180002178
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180024D80	4_2_0000000180024D80
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180018598	4_2_0000000180018598
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180003598	4_2_0000000180003598
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018002A9A8	4_2_000000018002A9A8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800119A8	4_2_00000001800119A8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180025DAC	4_2_0000000180025DAC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180018DAC	4_2_0000000180018DAC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800269B0	4_2_00000001800269B0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800059B8	4_2_00000001800059B8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800029BC	4_2_00000001800029BC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800141C0	4_2_00000001800141C0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800125C4	4_2_00000001800125C4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800121CC	4_2_00000001800121CC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800075D4	4_2_00000001800075D4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800095DC	4_2_00000001800095DC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000F9E8	4_2_000000018000F9E8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180002610	4_2_0000000180002610
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180019618	4_2_0000000180019618
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180013E28	4_2_0000000180013E28
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001FA38	4_2_000000018001FA38
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000A270	4_2_000000018000A270
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180019E78	4_2_0000000180019E78
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001DA80	4_2_000000018001DA80
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180024698	4_2_0000000180024698
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000EE98	4_2_000000018000EE98
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800176B8	4_2_00000001800176B8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001AAB8	4_2_000000018001AAB8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180011AD0	4_2_0000000180011AD0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180008AD8	4_2_0000000180008AD8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800296EC	4_2_00000001800296EC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000A6EC	4_2_000000018000A6EC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800132F0	4_2_00000001800132F0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180019300	4_2_0000000180019300
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001BB04	4_2_000000018001BB04
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018002870C	4_2_000000018002870C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180026B10	4_2_0000000180026B10
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000131C	4_2_000000018000131C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000671C	4_2_000000018000671C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180029B28	4_2_0000000180029B28
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180012F28	4_2_0000000180012F28
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000BB28	4_2_000000018000BB28
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001EB30	4_2_000000018001EB30
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180020334	4_2_0000000180020334
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180010758	4_2_0000000180010758
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001435C	4_2_000000018001435C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180009F5C	4_2_0000000180009F5C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180029368	4_2_0000000180029368
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180020768	4_2_0000000180020768
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180017378	4_2_0000000180017378
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180013780	4_2_0000000180013780
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180015388	4_2_0000000180015388
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000338C	4_2_000000018000338C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000738C	4_2_000000018000738C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180002790	4_2_0000000180002790
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800197A0	4_2_00000001800197A0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018002C7B4	4_2_000000018002C7B4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001DFB4	4_2_000000018001DFB4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001F7C0	4_2_000000018001F7C0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800097C0	4_2_00000001800097C0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800157D8	4_2_00000001800157D8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180019FDC	4_2_0000000180019FDC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180017BDC	4_2_0000000180017BDC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000F7E0	4_2_000000018000F7E0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180001FE0	4_2_0000000180001FE0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000001F155C90000	4_2_000001F155C90000
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_010D0000	5_2_010D0000
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_0000000180010FF4	5_2_0000000180010FF4
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_0000000180028C20	5_2_0000000180028C20
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_000000018002C058	5_2_000000018002C058
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_000000018001ACA4	5_2_000000018001ACA4
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_000000018000551C	5_2_000000018000551C
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_0000000180018148	5_2_0000000180018148
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_000000018001496C	5_2_000000018001496C
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_000000018000E1E0	5_2_000000018000E1E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_000000018000C608	5_2_000000018000C608
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_0000000180021618	5_2_0000000180021618
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_0000000180013E28	5_2_0000000180013E28
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_000000018002AE44	5_2_000000018002AE44
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_000000018000D26C	5_2_000000018000D26C
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_0000000180025278	5_2_0000000180025278
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_000000018000EE98	5_2_000000018000EE98
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00000001800046A8	5_2_00000001800046A8
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_000000018001AAB8	5_2_000000018001AAB8
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_0000000180004ACA	5_2_0000000180004ACA
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00000001800132F0	5_2_00000001800132F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_0000000180026B10	5_2_0000000180026B10
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_000000018001DBE8	5_2_000000018001DBE8
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_000000018001FC0C	5_2_000000018001FC0C
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_000000018000580C	5_2_000000018000580C
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_0000000180022010	5_2_0000000180022010
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_000000018001481C	5_2_000000018001481C
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_000000018002A42C	5_2_000000018002A42C
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_0000000180011834	5_2_0000000180011834
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_0000000180021C3C	5_2_0000000180021C3C
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_000000018000703C	5_2_000000018000703C
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_000000018000AC48	5_2_000000018000AC48
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_000000018000FC48	5_2_000000018000FC48
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_0000000180024458	5_2_0000000180024458
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_0000000180006458	5_2_0000000180006458
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_000000018001C05C	5_2_000000018001C05C
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_000000018001A460	5_2_000000018001A460
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_0000000180029888	5_2_0000000180029888
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_000000018001D49C	5_2_000000018001D49C
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_0000000180008CA0	5_2_0000000180008CA0
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00000001800248A8	5_2_00000001800248A8
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_0000000180015CB0	5_2_0000000180015CB0
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00000001800124B4	5_2_00000001800124B4
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_000000018000C4B4	5_2_000000018000C4B4
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00000001800288B8	5_2_00000001800288B8
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00000001800024B8	5_2_00000001800024B8
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_000000018000D8C4	5_2_000000018000D8C4
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00000001800250CC	5_2_00000001800250CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00000001800190D4	5_2_00000001800190D4
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_0000000180017CE4	5_2_0000000180017CE4
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00000001800264F0	5_2_00000001800264F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00000001800014F8	5_2_00000001800014F8
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_0000000180020CFC	5_2_0000000180020CFC
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_0000000180009100	5_2_0000000180009100
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_000000018002C904	5_2_000000018002C904
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_0000000180017908	5_2_0000000180017908
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_0000000180021510	5_2_0000000180021510
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_000000018000F917	5_2_000000018000F917
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_000000018000F128	5_2_000000018000F128
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_000000018001CD38	5_2_000000018001CD38
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_0000000180016D3C	5_2_0000000180016D3C
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_000000018001F944	5_2_000000018001F944
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_000000018001D950	5_2_000000018001D950
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_0000000180013150	5_2_0000000180013150
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_000000018001ED50	5_2_000000018001ED50
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_000000018001E960	5_2_000000018001E960
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_0000000180019D60	5_2_0000000180019D60
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_000000018001C964	5_2_000000018001C964
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_000000018001C568	5_2_000000018001C568
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_0000000180001D68	5_2_0000000180001D68
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_0000000180002D70	5_2_0000000180002D70
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_0000000180024574	5_2_0000000180024574
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_0000000180002178	5_2_0000000180002178
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_0000000180024D80	5_2_0000000180024D80
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_0000000180018598	5_2_0000000180018598
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_0000000180003598	5_2_0000000180003598
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_000000018001F1A4	5_2_000000018001F1A4
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_000000018002A9A8	5_2_000000018002A9A8
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00000001800119A8	5_2_00000001800119A8
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_0000000180025DAC	5_2_0000000180025DAC
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_0000000180018DAC	5_2_0000000180018DAC
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00000001800269B0	5_2_00000001800269B0
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00000001800059B8	5_2_00000001800059B8
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00000001800029BC	5_2_00000001800029BC
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00000001800141C0	5_2_00000001800141C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00000001800125C4	5_2_00000001800125C4
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00000001800121CC	5_2_00000001800121CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_000000018000BDD0	5_2_000000018000BDD0
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00000001800075D4	5_2_00000001800075D4
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00000001800095DC	5_2_00000001800095DC
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_000000018000F9E8	5_2_000000018000F9E8
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_0000000180002610	5_2_0000000180002610
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_0000000180019618	5_2_0000000180019618
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_000000018001FA38	5_2_000000018001FA38
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_000000018000A270	5_2_000000018000A270
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_0000000180019E78	5_2_0000000180019E78
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_000000018001DA80	5_2_000000018001DA80
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_0000000180024698	5_2_0000000180024698
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00000001800176B8	5_2_00000001800176B8
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_000000018002CAD0	5_2_000000018002CAD0
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_0000000180011AD0	5_2_0000000180011AD0
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_0000000180008AD8	5_2_0000000180008AD8
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00000001800296EC	5_2_00000001800296EC
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_000000018000A6EC	5_2_000000018000A6EC
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_0000000180019300	5_2_0000000180019300
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_000000018001BB04	5_2_000000018001BB04
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_000000018002870C	5_2_000000018002870C
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_000000018000131C	5_2_000000018000131C
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_000000018000671C	5_2_000000018000671C
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_0000000180029B28	5_2_0000000180029B28
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_0000000180012F28	5_2_0000000180012F28
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_000000018000BB28	5_2_000000018000BB28
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_000000018001EB30	5_2_000000018001EB30
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_0000000180020334	5_2_0000000180020334
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_0000000180010758	5_2_0000000180010758
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_000000018001435C	5_2_000000018001435C
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_0000000180009F5C	5_2_0000000180009F5C
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_0000000180029368	5_2_0000000180029368
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_0000000180020768	5_2_0000000180020768
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_0000000180017378	5_2_0000000180017378

Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windowscoredeviceinfo.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windowscoredeviceinfo.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windowscoredeviceinfo.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windowscoredeviceinfo.dll	Jump to behavior

Source: x4ByCNJqst.dll

Virustotal: Detection: 38%

Source: x4ByCNJqst.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\x4ByCNJqst.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\x4ByCNJqst.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\x4ByCNJqst.dll
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\x4ByCNJqst.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\x4ByCNJqst.dll,DllRegisterServer
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\HhAmkCb\GvrdyVBSmSfKAy.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\x4ByCNJqst.dll,DllUnregisterServer
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\x4ByCNJqst.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\x4ByCNJqst.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\x4ByCNJqst.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\x4ByCNJqst.dll,DllUnregisterServer	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\x4ByCNJqst.dll",#1	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\HhAmkCb\GvrdyVBSmSfKAy.dll"	Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D105A4D4-344C-48EB-9866-EE378D90658B}\InProcServer32

Jump to behavior

Source: classification engine

Classification label: mal80.troj.evad.winDLL@18/0@0/2

Source: C:\Windows\System32\regsvr32.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: 5_2_00000001800046A8 CreateToolhelp32Snapshot,Process32NextW,Process32FirstW,FindCloseChangeNotification,

5_2_00000001800046A8

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\x4ByCNJqst.dll",#1

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: x4ByCNJqst.dll

Static PE information: Image base 0x180000000 > 0x60000000

Source: x4ByCNJqst.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: msacm32.pdb source: regsvr32.exe, 00000005.00000002.869336135.0000000001075000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: msacm32.pdbGCTL source: regsvr32.exe, 00000005.00000002.869336135.0000000001075000.00000004.00000010.00020000.00000000.sdmp

Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001AFFD push ebp; retf	2_2_000000018001AFFE
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800051D1 push ebp; iretd	2_2_00000001800051D2
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001BA32 push ebp; retf	2_2_000000018001BA33
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180004E83 push es; ret	2_2_0000000180004E84
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001B694 push es; ret	2_2_000000018001B6E9
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001BADD push ebp; iretd	2_2_000000018001BADE
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001B717 push ebp; iretd	2_2_000000018001B718
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001AF4E push ebp; retf	2_2_000000018001AF4F
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800253BC pushfd ; retn 0057h	2_2_00000001800253BD
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001AFFD push ebp; retf	3_2_000000018001AFFE
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800051D1 push ebp; iretd	3_2_00000001800051D2
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001BA32 push ebp; retf	3_2_000000018001BA33
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180004E83 push es; ret	3_2_0000000180004E84
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001B694 push es; ret	3_2_000000018001B6E9
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001BADD push ebp; iretd	3_2_000000018001BADE
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001B717 push ebp; iretd	3_2_000000018001B718
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180007B3F push esp; retf	3_2_0000000180007B40
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001AF4E push ebp; retf	3_2_000000018001AF4F
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001AFFD push ebp; retf	4_2_000000018001AFFE
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800051D1 push ebp; iretd	4_2_00000001800051D2
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001BA32 push ebp; retf	4_2_000000018001BA33
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180004E83 push es; ret	4_2_0000000180004E84
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001B694 push es; ret	4_2_000000018001B6E9
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001BADD push ebp; iretd	4_2_000000018001BADE
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001B717 push ebp; iretd	4_2_000000018001B718
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180007B3F push esp; retf	4_2_0000000180007B40
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001AF4E push ebp; retf	4_2_000000018001AF4F
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_00000001800051D1 push ebp; iretd	5_2_00000001800051D2
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_0000000180004E83 push es; ret	5_2_0000000180004E84
Source: C:\Windows\System32\regsvr32.exe	Code function: 5_2_0000000180007B3F push esp; retf	5_2_0000000180007B40

Source: C:\Windows\System32\regsvr32.exe

Code function: 2_2_00007FF8CAA87BE8 DecodePointer,_errno,LoadLibraryA,GetProcAddress,_errno,GetLastError,GetLastError,EncodePointer,FreeLibrary,_errno,_errno,

2_2_00007FF8CAA87BE8

Source: x4ByCNJqst.dll

Static PE information: real checksum: 0x85ab6 should be: 0x8b992

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\x4ByCNJqst.dll

Source: C:\Windows\System32\regsvr32.exe

PE file moved: C:\Windows\System32\HhAmkCb\GvrdyVBSmSfKAy.dll

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\System32\regsvr32.exe	File opened: C:\Windows\system32\HhAmkCb\GvrdyVBSmSfKAy.dll:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Windows\system32\UYrZLVNFeIdzTkC\LxfzQvOVIaeTzd.dll:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Windows\system32\HzTCrWQcE\UiEETQ.dll:Zone.Identifier read attributes \| delete	Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Windows\System32\svchost.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Windows\System32\svchost.exe TID: 4944	Thread sleep time: -90000s >= -30000s			Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 3908	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_2-10048

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: 5_2_000000018000D26C FindFirstFileW,FindNextFileW,FindClose,

5_2_000000018000D26C

Source: C:\Windows\System32\regsvr32.exe

API call chain: ExitProcess graph end node

graph_2-10050

Source: C:\Windows\System32\regsvr32.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: svchost.exe, 0000001C.00000002.869821840.00000284704BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0R
Source: svchost.exe, 0000001C.00000002.870282812.000002847160C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: svchost.exe, 0000001C.00000002.870282812.000002847160C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware,
Source: regsvr32.exe, 00000005.00000002.869533417.0000000001142000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.418437504.0000000001142000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP
Source: svchost.exe, 0000001C.00000002.870306006.0000028471654000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware7,1
Source: svchost.exe, 0000001C.00000002.870282812.000002847160C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM00000001VMW-4096MBRAM slot #0RAM slot #0
Source: regsvr32.exe, 00000005.00000003.418549404.0000000001170000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.869694191.0000000001170000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.418532883.000000000116D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.418511014.000000000116A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.521310447.00000220EE0EB000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.521165058.00000220EE082000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000002.869843016.00000284704D0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000002.869578948.000002847045B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000E.00000002.869395727.000002A6D0002000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: svchost.exe, 0000001C.00000002.870306006.0000028471654000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.ed
Source: svchost.exe, 0000001C.00000002.870282812.000002847160C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware SVGA IIES1371
Source: svchost.exe, 0000001C.00000002.870282812.000002847160C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM
Source: svchost.exe, 0000001C.00000002.870282812.000002847160C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware-42 35 44 6e 75 85 11 47-bd a2 bb ed 21 43 9f 89x
Source: svchost.exe, 0000001C.00000002.870282812.000002847160C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.NoneVMware-42 35 44 6e 75 85 11 47-bd a2 bb ed 21 43 9f 89x
Source: svchost.exe, 0000001C.00000002.870282812.000002847160C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: svchost.exe, 0000001C.00000002.870282812.000002847160C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.VMW71.00V.18227214.B64.210625222006/25/2021
Source: svchost.exe, 0000000E.00000002.869436392.000002A6D0028000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\regsvr32.exe

Code function: 2_2_00007FF8CAA820E0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

2_2_00007FF8CAA820E0

Source: C:\Windows\System32\regsvr32.exe

Code function: 2_2_00007FF8CAA87BE8 DecodePointer,_errno,LoadLibraryA,GetProcAddress,_errno,GetLastError,GetLastError,EncodePointer,FreeLibrary,_errno,_errno,

2_2_00007FF8CAA87BE8

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\loaddll64.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FF8CAA8D318 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF8CAA8D318
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FF8CAA820E0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FF8CAA820E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FF8CAA86550 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FF8CAA86550

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\regsvr32.exe

Network Connect: 23.239.0.12 443

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\x4ByCNJqst.dll",#1

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,free,GetLocaleInfoA,	2_2_00007FF8CAA8DF98
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoA,	2_2_00007FF8CAA8C39C
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesA,	2_2_00007FF8CAA8C7F4
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,	2_2_00007FF8CAA8DF20
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,	2_2_00007FF8CAA8DF3C
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesA,	2_2_00007FF8CAA8C8C8
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesA,	2_2_00007FF8CAA8C834
Source: C:\Windows\System32\regsvr32.exe	Code function: _getptd,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,	2_2_00007FF8CAA8C450
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoA,	2_2_00007FF8CAA8E1E8
Source: C:\Windows\System32\regsvr32.exe	Code function: _getptd,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,_itow_s,	2_2_00007FF8CAA8C934
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,	2_2_00007FF8CAA8C16C
Source: C:\Windows\System32\regsvr32.exe	Code function: _getptd,GetLocaleInfoA,	2_2_00007FF8CAA8C2B4
Source: C:\Windows\System32\regsvr32.exe	Code function: _getptd,GetLocaleInfoA,	2_2_00007FF8CAA8C6E4

Source: C:\Windows\System32\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: 2_2_00007FF8CAA84558 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

2_2_00007FF8CAA84558

Source: C:\Windows\System32\regsvr32.exe

Code function: 2_2_00007FF8CAA8E6C0 _lock,___lc_codepage_func,free,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

2_2_00007FF8CAA8E6C0

Source: svchost.exe, 0000001C.00000002.870253482.0000028470FED000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: \BullGuard Ltd\BullGuard\BullGuard.exe

Stealing of Sensitive Information

Yara detected Emotet

Source: Yara match	File source: 2.2.regsvr32.exe.e30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.regsvr32.exe.1460000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.regsvr32.exe.1460000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.1f155ca0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.181d20e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.1f155ca0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.e30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.181d20e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.356801545.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.869948171.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.354544713.00000181D20E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.869836841.0000000001460000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.354904578.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.355023009.000001F155CA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.354213067.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Native API	1 DLL Side-Loading	111 Process Injection	2 Masquerading	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	11 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	13 Virtualization/Sandbox Evasion	LSASS Memory	141 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	2 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	111 Process Injection	Security Account Manager	13 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Hidden Files and Directories	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	2 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Regsvr32	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Rundll32	DCSync	34 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 File Deletion	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
x4ByCNJqst.dll	38%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
3.2.rundll32.exe.181d20e0000.1.unpack	100%	Avira	HEUR/AGEN.1215493	Download File
2.2.regsvr32.exe.e30000.0.unpack	100%	Avira	HEUR/AGEN.1215493	Download File
5.2.regsvr32.exe.1460000.1.unpack	100%	Avira	HEUR/AGEN.1215493	Download File
4.2.rundll32.exe.1f155ca0000.1.unpack	100%	Avira	HEUR/AGEN.1215493	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://www.disneyplus.com/legal/your-california-privacy-rights	0%	URL Reputation	safe
http://crl.ver)	0%	Avira URL Cloud	safe
https://www.disneyplus.com/legal/privacy-policy	0%	URL Reputation	safe
https://23.239.0.12/r	100%	Avira URL Cloud	malware
https://www.tiktok.com/legal/report/feedback	0%	URL Reputation	safe
https://23.239.0.12/	0%	URL Reputation	safe
https://23.239.0.12/T	100%	Avira URL Cloud	malware
http://help.disneyplus.com.	0%	URL Reputation	safe
https://www.pango.co/privacy	0%	URL Reputation	safe
https://disneyplus.com/legal.	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://23.239.0.12/	true	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.disneyplus.com/legal/your-california-privacy-rights	svchost.exe, 00000013.00000003.497159683.00000220EE998000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.ver)	svchost.exe, 00000013.00000002.521310447.00000220EE0EB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://www.disneyplus.com/legal/privacy-policy	svchost.exe, 00000013.00000003.497159683.00000220EE998000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://23.239.0.12/r	regsvr32.exe, 00000005.00000003.418549404.0000000001170000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.869694191.0000000001170000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.418532883.000000000116D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.418511014.000000000116A000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://www.tiktok.com/legal/report/feedback	svchost.exe, 00000013.00000003.501374114.00000220EE99A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.501319852.00000220EE9B0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.501397864.00000220EEE02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.502857776.00000220EE962000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.501338834.00000220EE9B0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://23.239.0.12/T	regsvr32.exe, 00000005.00000003.418549404.0000000001170000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000002.869694191.0000000001170000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.418532883.000000000116D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000005.00000003.418511014.000000000116A000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://help.disneyplus.com.	svchost.exe, 00000013.00000003.497159683.00000220EE998000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.hotspotshield.com/	svchost.exe, 00000013.00000003.492534259.00000220EEE02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.492459524.00000220EE9B2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.492560853.00000220EE996000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.492435911.00000220EE996000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.492486674.00000220EEE1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.492696611.00000220EE96B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.492508675.00000220EEE1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.492411847.00000220EE9A8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.hotspotshield.com/terms/	svchost.exe, 00000013.00000003.492534259.00000220EEE02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.492459524.00000220EE9B2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.492560853.00000220EE996000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.492435911.00000220EE996000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.492486674.00000220EEE1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.492696611.00000220EE96B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.492508675.00000220EEE1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.492411847.00000220EE9A8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.pango.co/privacy	svchost.exe, 00000013.00000003.492534259.00000220EEE02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.492459524.00000220EE9B2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.492560853.00000220EE996000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.492435911.00000220EE996000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.492486674.00000220EEE1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.492696611.00000220EE96B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.492508675.00000220EEE1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000003.492411847.00000220EE9A8000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://disneyplus.com/legal.	svchost.exe, 00000013.00000003.497159683.00000220EE998000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
23.239.0.12	unknown	United States		63949	LINODE-APLinodeLLCUS	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	626484
Start date and time: 14/05/202204:32:15	2022-05-14 04:32:15 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	x4ByCNJqst (renamed file extension from none to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.troj.evad.winDLL@18/0@0/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 49 Number of non-executed functions: 215
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, taskhostw.exe, audiodg.exe, BackgroundTransferHost.exe, UpdateNotificationMgr.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, UsoClient.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 20.49.150.241, 20.223.24.244, 51.104.136.2
Excluded domains from analysis (whitelisted): client.wns.windows.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.useroor.bigcatalog.commerce.microsoft.com, settings-prod-neu-2.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, settings-win.data.microsoft.com, arc.msn.com, ris.api.iris.microsoft.com, go.microsoft.com, settings-prod-uks-2.uksouth.cloudapp.azure.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, atm-settingsfe-prod-geo.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:34:29	API Interceptor	9x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
23.239.0.12	Ns2al4764F.dll	Get hash	malicious	Browse
	cX9TLU9gnx.dll	Get hash	malicious	Browse
	56vvRzZVQI.dll	Get hash	malicious	Browse
	8PnsJpuSdb.dll	Get hash	malicious	Browse
	yaEOuyT3Sg.dll	Get hash	malicious	Browse
	bsST3VDo8G.dll	Get hash	malicious	Browse
	wdxJNuEzAd.dll	Get hash	malicious	Browse
	yaEOuyT3Sg.dll	Get hash	malicious	Browse
	bsST3VDo8G.dll	Get hash	malicious	Browse
	6ez8Bx2x6f.dll	Get hash	malicious	Browse
	2Bgxulf6QF.dll	Get hash	malicious	Browse
	sEfyaa5VPQ.dll	Get hash	malicious	Browse
	40Gbs8Qkm6.dll	Get hash	malicious	Browse
	wdxJNuEzAd.dll	Get hash	malicious	Browse
	c63rCWoXA0.dll	Get hash	malicious	Browse
	okkVJeYYLQ.dll	Get hash	malicious	Browse
	kd5oAYcBC1.dll	Get hash	malicious	Browse
	3xB7n07o8r.dll	Get hash	malicious	Browse
	TODvFfngca.dll	Get hash	malicious	Browse
	6ez8Bx2x6f.dll	Get hash	malicious	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
LINODE-APLinodeLLCUS	Ns2al4764F.dll	Get hash	malicious	Browse	23.239.0.12
	cX9TLU9gnx.dll	Get hash	malicious	Browse	23.239.0.12
	56vvRzZVQI.dll	Get hash	malicious	Browse	23.239.0.12
	8PnsJpuSdb.dll	Get hash	malicious	Browse	23.239.0.12
	yaEOuyT3Sg.dll	Get hash	malicious	Browse	23.239.0.12
	bsST3VDo8G.dll	Get hash	malicious	Browse	23.239.0.12
	wdxJNuEzAd.dll	Get hash	malicious	Browse	23.239.0.12
	yaEOuyT3Sg.dll	Get hash	malicious	Browse	23.239.0.12
	bsST3VDo8G.dll	Get hash	malicious	Browse	23.239.0.12
	6ez8Bx2x6f.dll	Get hash	malicious	Browse	23.239.0.12
	2Bgxulf6QF.dll	Get hash	malicious	Browse	23.239.0.12
	sEfyaa5VPQ.dll	Get hash	malicious	Browse	23.239.0.12
	40Gbs8Qkm6.dll	Get hash	malicious	Browse	23.239.0.12
	wdxJNuEzAd.dll	Get hash	malicious	Browse	23.239.0.12
	c63rCWoXA0.dll	Get hash	malicious	Browse	23.239.0.12
	okkVJeYYLQ.dll	Get hash	malicious	Browse	23.239.0.12
	kd5oAYcBC1.dll	Get hash	malicious	Browse	23.239.0.12
	3xB7n07o8r.dll	Get hash	malicious	Browse	23.239.0.12
	TODvFfngca.dll	Get hash	malicious	Browse	23.239.0.12
	6ez8Bx2x6f.dll	Get hash	malicious	Browse	23.239.0.12

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
51c64c77e60f3980eea90869b68c58a8	36yjawe0S4.dll	Get hash	malicious	Browse	23.239.0.12
	Ns2al4764F.dll	Get hash	malicious	Browse	23.239.0.12
	cX9TLU9gnx.dll	Get hash	malicious	Browse	23.239.0.12
	56vvRzZVQI.dll	Get hash	malicious	Browse	23.239.0.12
	8PnsJpuSdb.dll	Get hash	malicious	Browse	23.239.0.12
	yaEOuyT3Sg.dll	Get hash	malicious	Browse	23.239.0.12
	bsST3VDo8G.dll	Get hash	malicious	Browse	23.239.0.12
	wdxJNuEzAd.dll	Get hash	malicious	Browse	23.239.0.12
	yaEOuyT3Sg.dll	Get hash	malicious	Browse	23.239.0.12
	bsST3VDo8G.dll	Get hash	malicious	Browse	23.239.0.12
	6ez8Bx2x6f.dll	Get hash	malicious	Browse	23.239.0.12
	2Bgxulf6QF.dll	Get hash	malicious	Browse	23.239.0.12
	sEfyaa5VPQ.dll	Get hash	malicious	Browse	23.239.0.12
	40Gbs8Qkm6.dll	Get hash	malicious	Browse	23.239.0.12
	wdxJNuEzAd.dll	Get hash	malicious	Browse	23.239.0.12
	c63rCWoXA0.dll	Get hash	malicious	Browse	23.239.0.12
	okkVJeYYLQ.dll	Get hash	malicious	Browse	23.239.0.12
	kd5oAYcBC1.dll	Get hash	malicious	Browse	23.239.0.12
	3xB7n07o8r.dll	Get hash	malicious	Browse	23.239.0.12
	TODvFfngca.dll	Get hash	malicious	Browse	23.239.0.12

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit):	6.482091984293291
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	x4ByCNJqst.dll
File size:	545280
MD5:	8978c658ba95819f72866e0ffc41fa81
SHA1:	f8eed4cba5ff946b074a9b2f95e2fb92c0427651
SHA256:	50363092e6becfe6ad91c4118fcb2e9207ebb6d2016de3459d56b41fbc3b61c1
SHA512:	0b093d2867d42ea43caa0e59cd5d6913a3552eec6ea13eb0fa9bb1a67dcf5841fb481d4090d9fe71f216dabd350909679df891423ed15df3a346221d7842f90d
SSDEEP:	12288:B4UJY9B+TenWsSEPHjMOUP9uXdt7JpfYNVr9RM54RutCTdJGqIoTCZ4eEsZIHxHy:B4UJY9BSenZSEPHjMOUP9Udt7JpfYNVg
TLSH:	41C4CFA5435C08FCE762C3395C975BC5B1F7BDAE0664AF260BC18DA05E1BA90F53A381
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2.H.v.&.v.&.v.&.h...o.&.h...2.&.h.....&.Q6].s.&.v.'.9.&.h...w.&.h...w.&.h...w.&.h...w.&.Richv.&.........PE..d.....}b.........."

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General

Entrypoint:	0x1800423a8
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x180000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x627D8598 [Thu May 12 22:09:28 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	b268dbaa2e6eb6acd16e04d482356598

Entrypoint Preview

Instruction
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], esi
push edi
dec eax
sub esp, 20h
dec ecx
mov edi, eax
mov ebx, edx
dec eax
mov esi, ecx
cmp edx, 01h
jne 00007EFE50B17CB7h
call 00007EFE50B19E44h
dec esp
mov eax, edi
mov edx, ebx
dec eax
mov ecx, esi
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
mov esi, dword ptr [esp+38h]
dec eax
add esp, 20h
pop edi
jmp 00007EFE50B17B60h
int3
int3
int3
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 00000088h
dec eax
lea ecx, dword ptr [00014D05h]
call dword ptr [0000FC7Fh]
dec esp
mov ebx, dword ptr [00014DF0h]
dec esp
mov dword ptr [esp+58h], ebx
inc ebp
xor eax, eax
dec eax
lea edx, dword ptr [esp+60h]
dec eax
mov ecx, dword ptr [esp+58h]
call 00007EFE50B2683Ah
dec eax
mov dword ptr [esp+50h], eax
dec eax
cmp dword ptr [esp+50h], 00000000h
je 00007EFE50B17CF3h
dec eax
mov dword ptr [esp+38h], 00000000h
dec eax
lea eax, dword ptr [esp+48h]
dec eax
mov dword ptr [esp+30h], eax
dec eax
lea eax, dword ptr [esp+40h]
dec eax
mov dword ptr [esp+28h], eax
dec eax
lea eax, dword ptr [00014CB0h]
dec eax
mov dword ptr [esp+20h], eax
dec esp
mov ecx, dword ptr [esp+50h]
dec esp
mov eax, dword ptr [esp+58h]
dec eax
mov edx, dword ptr [esp+60h]
xor ecx, ecx
call 00007EFE50B267E8h
jmp 00007EFE50B17CD4h
dec eax
mov eax, dword ptr [eax+eax+00000000h]

Rich Headers

Programming Language:

[ C ] VS2008 build 21022
[LNK] VS2008 build 21022
[ASM] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[EXP] VS2008 build 21022
[C++] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x55cf0	0x6f	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5544c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5a000	0x2dffc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x59000	0xe1c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x88000	0x1d8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x52000	0x288	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x504ca	0x50600	False	0.389081940124	zlib compressed data	5.26882252971	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x52000	0x3d5f	0x3e00	False	0.355342741935	data	5.39270768906	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x56000	0x20d8	0x1200	False	0.180772569444	data	2.18161586025	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata	0x59000	0xe1c	0x1000	False	0.44580078125	data	4.98556265168	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x5a000	0x2dffc	0x2e000	False	0.839408542799	data	7.73448363752	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x88000	0x6f8	0x800	False	0.1796875	data	1.81179169858	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_RCDATA	0x5a0a0	0x2de00	data	English	United States
RT_MANIFEST	0x87ea0	0x15a	ASCII text, with CRLF line terminators	English	United States

Imports

DLL

Import

KERNEL32.dll

ExitProcess, VirtualAlloc, CompareStringW, CompareStringA, GetTimeZoneInformation, GetLocaleInfoW, GetCurrentThreadId, FlsSetValue, GetCommandLineA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, EncodePointer, DecodePointer, TlsAlloc, FlsGetValue, FlsFree, SetLastError, GetLastError, GetCurrentThread, FlsAlloc, HeapFree, Sleep, GetModuleHandleW, GetProcAddress, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, HeapSetInformation, HeapCreate, HeapDestroy, RtlUnwindEx, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, LeaveCriticalSection, FatalAppExitA, EnterCriticalSection, HeapAlloc, HeapReAlloc, WriteFile, SetConsoleCtrlHandler, FreeLibrary, LoadLibraryA, InitializeCriticalSectionAndSpinCount, LCMapStringA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, GetDateFormatA, GetTimeFormatA, GetUserDefaultLCID, GetLocaleInfoA, EnumSystemLocalesA, IsValidLocale, HeapSize, SetEnvironmentVariableA

ole32.dll

CoTaskMemFree, CoLoadLibrary, CoTaskMemAlloc

Exports

Name	Ordinal	Address
DllRegisterServer	1	0x180042050
DllUnregisterServer	2	0x180042080

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 14, 2022 04:33:57.288245916 CEST	49768	443	192.168.2.7	23.239.0.12
May 14, 2022 04:33:57.288285971 CEST	443	49768	23.239.0.12	192.168.2.7
May 14, 2022 04:33:57.288382053 CEST	49768	443	192.168.2.7	23.239.0.12
May 14, 2022 04:33:57.307290077 CEST	49768	443	192.168.2.7	23.239.0.12
May 14, 2022 04:33:57.307332993 CEST	443	49768	23.239.0.12	192.168.2.7
May 14, 2022 04:33:57.849215031 CEST	443	49768	23.239.0.12	192.168.2.7
May 14, 2022 04:33:57.849348068 CEST	49768	443	192.168.2.7	23.239.0.12
May 14, 2022 04:33:58.573134899 CEST	49768	443	192.168.2.7	23.239.0.12
May 14, 2022 04:33:58.573179007 CEST	443	49768	23.239.0.12	192.168.2.7
May 14, 2022 04:33:58.573751926 CEST	443	49768	23.239.0.12	192.168.2.7
May 14, 2022 04:33:58.573858023 CEST	49768	443	192.168.2.7	23.239.0.12
May 14, 2022 04:33:58.582647085 CEST	49768	443	192.168.2.7	23.239.0.12
May 14, 2022 04:33:58.624521017 CEST	443	49768	23.239.0.12	192.168.2.7
May 14, 2022 04:33:59.963490963 CEST	443	49768	23.239.0.12	192.168.2.7
May 14, 2022 04:33:59.963613987 CEST	443	49768	23.239.0.12	192.168.2.7
May 14, 2022 04:33:59.963675022 CEST	49768	443	192.168.2.7	23.239.0.12
May 14, 2022 04:33:59.963702917 CEST	49768	443	192.168.2.7	23.239.0.12
May 14, 2022 04:33:59.992057085 CEST	49768	443	192.168.2.7	23.239.0.12
May 14, 2022 04:33:59.992101908 CEST	443	49768	23.239.0.12	192.168.2.7

HTTP Request Dependency Graph

23.239.0.12

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.7	49768	23.239.0.12	443	C:\Windows\System32\regsvr32.exe

Timestamp	Direction	Data
2022-05-14 02:33:58 UTC	OUT	GET / HTTP/1.1 Cookie: NqJHMaZApWBzFHY=XnAC+Yb1BWcC8cxpMdN3mvvHxzbcP4UM0mJ8pO7OgrZppTTZ3OPUTY+lV3jxzl1zEtH5O7vy8t+RSI3ZA30/IzOJueLRq29KI/FUiptqaMFxmzK6Kmkmc0TaQsn05byGr1t0HOux/W6N2Y3frBwpBqmwgo+OHxPvOFc4iZLoa/jVUB9oykMB0IAEp3J4KRKAkPEKgx7W4zVV62pcwrXKzQXrtqv0iSL4w1N07tUAJqfbBOmr6Oaje3SOq+wQI/vlhkV9sj9wmBGDr/hLnOMXnSapOZnbbPPuHzc8DYjP7OyEgrMI3OLvLaNvFjazRL+vKUyOKX9EgoEp Host: 23.239.0.12 Connection: Keep-Alive Cache-Control: no-cache
2022-05-14 02:33:59 UTC	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 May 2022 02:33:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2022-05-14 02:33:59 UTC	IN	Data Raw: 31 39 65 0d 0a f2 0c 94 f7 82 ad be 39 8b a2 ce ed 15 04 31 aa da 8f 71 20 a5 1c ea 7c 62 34 21 e6 a1 ba c1 5f a5 27 65 ac 40 f2 84 72 58 13 28 d6 da ef 1a 10 89 17 53 e0 84 1c 89 8e 71 3f 99 d4 24 84 0c c6 85 20 eb 41 ac 46 57 29 9c a0 e4 8f 62 0e 28 50 08 74 99 fe 82 f4 41 5c 9f ae ba 1e b9 51 d3 93 db a9 c8 7b a0 b6 65 91 a5 06 00 aa 5d 24 38 c6 cd 94 44 06 4d 61 46 4b 5e eb f2 4c c3 8c e8 ee 68 b0 bc 61 1a bb 46 25 a8 71 38 1d 19 70 8d 35 2f 98 f1 a7 c7 da 0f 76 71 fb c4 50 30 b9 a1 c0 92 89 f6 df 29 a2 0a 12 b9 76 0c 1e 8d e3 36 ae e4 34 f1 58 13 f0 a1 5f f9 9e 07 68 0a d6 2c aa 2a 3a 1c 72 c6 9b d3 36 73 e7 5a 31 48 95 05 a7 cd d1 47 04 45 48 5b 5f 89 52 e5 da a5 50 42 c4 65 3e b9 0b a2 ca df fd 76 0e 59 1d 9a 74 66 3f f5 63 60 d9 7c 9c a1 fd 75 77 Data Ascii: 19e91q \|b4!_'e@rX(Sq?$ AFW)b(PtA\Q{e]$8DMaFK^LhaF%q8p5/vqP0)v64X_h,*:r6sZ1HGEH[_RPBe>vYtf?c`\|uw

Target ID:	0
Start time:	04:33:26
Start date:	14/05/2022
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe "C:\Users\user\Desktop\x4ByCNJqst.dll"
Imagebase:	0x7ff793fd0000
File size:	140288 bytes
MD5 hash:	4E8A40CAD6CCC047914E3A7830A2D8AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	1
Start time:	04:33:26
Start date:	14/05/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\x4ByCNJqst.dll",#1
Imagebase:	0x7ff6a6590000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	2
Start time:	04:33:26
Start date:	14/05/2022
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	regsvr32.exe /s C:\Users\user\Desktop\x4ByCNJqst.dll
Imagebase:	0x7ff69c640000
File size:	24064 bytes
MD5 hash:	D78B75FC68247E8A63ACBA846182740E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.356801545.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Target ID:	3
Start time:	04:33:27
Start date:	14/05/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\x4ByCNJqst.dll",#1
Imagebase:	0x7ff680810000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.354544713.00000181D20E0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.354213067.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Target ID:	4
Start time:	04:33:27
Start date:	14/05/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\x4ByCNJqst.dll,DllRegisterServer
Imagebase:	0x7ff680810000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.354904578.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.355023009.000001F155CA0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Target ID:	5
Start time:	04:33:31
Start date:	14/05/2022
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\regsvr32.exe "C:\Windows\system32\HhAmkCb\GvrdyVBSmSfKAy.dll"
Imagebase:	0x7ff69c640000
File size:	24064 bytes
MD5 hash:	D78B75FC68247E8A63ACBA846182740E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.869948171.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.869836841.0000000001460000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Target ID:	6
Start time:	04:33:31
Start date:	14/05/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\x4ByCNJqst.dll,DllUnregisterServer
Imagebase:	0x7ff680810000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	10
Start time:	04:33:50
Start date:	14/05/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff7e8070000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	14
Start time:	04:34:07
Start date:	14/05/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:	0x7ff7e8070000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	15
Start time:	04:34:12
Start date:	14/05/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff7e8070000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	19
Start time:	04:34:24
Start date:	14/05/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff7e8070000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	28
Start time:	04:35:59
Start date:	14/05/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
Imagebase:	0x7ff7e8070000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Execution Graph

Execution Coverage:	10.7%
Dynamic/Decrypted Code Coverage:	2.5%
Signature Coverage:	16.1%
Total number of Nodes:	684
Total number of Limit Nodes:	6

Executed Functions

Function 00D00000 Relevance: 76.3, APIs: 5, Strings: 38, Instructions: 1094
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 00D00450
GetNativeSystemInfo.KERNELBASE ref: 00D00539
VirtualAlloc.KERNELBASE ref: 00D00580
VirtualProtect.KERNELBASE ref: 00D009E9
RtlAddFunctionTable.KERNEL32 ref: 00D00A79

Strings

urce, xrefs: 00D00340
ativ, xrefs: 00D0013D
tion, xrefs: 00D00128
Free, xrefs: 00D0034D
Virt, xrefs: 00D000E0
Size, xrefs: 00D00311
Reso, xrefs: 00D002FC
RtlA, xrefs: 00D0015C
ualA, xrefs: 00D000E8
urce, xrefs: 00D0035D
GetN, xrefs: 00D00136
Lock, xrefs: 00D00330
ncti, xrefs: 00D0016A
truc, xrefs: 00D00121
urce, xrefs: 00D002E7
Load, xrefs: 00D000C8
Libr, xrefs: 00D000D0
urce, xrefs: 00D00304
rote, xrefs: 00D00106
lloc, xrefs: 00D000F0
Slee, xrefs: 00D000B7
Virt, xrefs: 00D000F8
temI, xrefs: 00D0014B
Find, xrefs: 00D002D0
ofRe, xrefs: 00D00318
ddFu, xrefs: 00D00163
hIns, xrefs: 00D0011A
aryA, xrefs: 00D000D8
Reso, xrefs: 00D00338
eSys, xrefs: 00D00144
Reso, xrefs: 00D00355
Flus, xrefs: 00D00113
Cach, xrefs: 00D0012F
onTa, xrefs: 00D00171
ualP, xrefs: 00D000FF
Load, xrefs: 00D002F4
sour, xrefs: 00D0031F
Reso, xrefs: 00D002DB

Memory Dump Source

Source File: 00000002.00000002.356455417.0000000000D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d00000_regsvr32.jbxd

Similarity

API ID: Virtual$Alloc$FunctionInfoNativeProtectSystemTable
String ID: Cach$Find$Flus$Free$GetN$Libr$Load$Load$Lock$Reso$Reso$Reso$Reso$RtlA$Size$Slee$Virt$Virt$aryA$ativ$ddFu$eSys$hIns$lloc$ncti$ofRe$onTa$rote$sour$temI$tion$truc$ualA$ualP$urce$urce$urce$urce
API String ID: 394283112-2517549848
Opcode ID: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
Instruction ID: 9e516e7d0960b484892ba54661c7aeb670e9abf9b8b43586fb6db934cad72fb6
Opcode Fuzzy Hash: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
Instruction Fuzzy Hash: 8772D430618B489BDB29DF18C8857B9BBE1FB98305F14462DE8CEC7251DB34E942CB85

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002C058 Relevance: 10.4, Strings: 8, Instructions: 370
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Z, xrefs: 000000018002C36B
#C, xrefs: 000000018002C55D
Ekf, xrefs: 000000018002C0CA
l, xrefs: 000000018002C347
(I, xrefs: 000000018002C62C
-:, xrefs: 000000018002C100
<W, xrefs: 000000018002C1D0
l, xrefs: 000000018002C1F5

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #C$(I$-:$Ekf$<W$Z$l$l
API String ID: 0-464535774
Opcode ID: af6d23bac9e0564b4dade6cc976aa0f49490c733fc6aa684993268249fb5a7be
Instruction ID: edc4d0e98499d5b5adff65828f8d1fd2ac7ce79502a6533da94e18623254a36a
Opcode Fuzzy Hash: af6d23bac9e0564b4dade6cc976aa0f49490c733fc6aa684993268249fb5a7be
Instruction Fuzzy Hash: C102E3B151038CDBCB99DF28C8CAADD3BA1FB48398F956219FD0697260D774D884CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180007958 Relevance: 9.3, Strings: 7, Instructions: 551
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

c)K, xrefs: 0000000180007D79
J, xrefs: 0000000180007DB2
9i&, xrefs: 0000000180007F21
oh, xrefs: 0000000180007F5E
oh, xrefs: 0000000180007F68
0n)G, xrefs: 00000001800080D5
IS_, xrefs: 0000000180007E52

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 0n)G$9i&$IS_$c)K$oh$oh$J
API String ID: 0-4168131144
Opcode ID: a2fd07809090c8a4a54937da8c6413b95d54b2adce31cd57800155d5b9f01661
Instruction ID: 1745985c1503e7a5a98bbeacef01b65c9f03634c62e3202666f04ad1fcc3199d
Opcode Fuzzy Hash: a2fd07809090c8a4a54937da8c6413b95d54b2adce31cd57800155d5b9f01661
Instruction Fuzzy Hash: 69423870A0470CABCB58DF68C58AADEBBF1FB44304F40C169EC4AAB250D7759B19CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180010FF4 Relevance: 7.9, Strings: 6, Instructions: 363
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/Zb, xrefs: 000000018001119F
\, xrefs: 0000000180011205
/v|, xrefs: 00000001800113E2
OV4T, xrefs: 0000000180011307
)|x, xrefs: 000000018001168C
lA, xrefs: 0000000180011819

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: )|x$/Zb$/v|$OV4T$\$lA
API String ID: 0-3528011396
Opcode ID: 74ea3d61a93069fa3a56a5f8f60d4b0c7eeb5b014d6ac06c6862fd203c8e6463
Instruction ID: 5dbdb21e6b24644f90705741d0e2e2cc24c858ca1caac6c8284349b4f9dc1789
Opcode Fuzzy Hash: 74ea3d61a93069fa3a56a5f8f60d4b0c7eeb5b014d6ac06c6862fd203c8e6463
Instruction Fuzzy Hash: 8C2204705097C8CBDBBECF64C885BDA7BA8FB44B08F10521DEA4A9E258DB745744CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180021618 Relevance: 7.8, Strings: 6, Instructions: 266
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

.pN, xrefs: 0000000180021AE0
&.+, xrefs: 000000018002180B
)O, xrefs: 000000018002164B
t(/, xrefs: 0000000180021ABB
F>9, xrefs: 0000000180021937
, xrefs: 00000001800219DA

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $&.+$)O$.pN$F>9$t(/
API String ID: 0-3036092626
Opcode ID: af092a803e8c5a8f60e198926b85640c086359e1e86988e2bc1304063bab4e4b
Instruction ID: e4baced68933c0a0796cf32b330105f1a6d3ed4de4784e8c7f389f9334031704
Opcode Fuzzy Hash: af092a803e8c5a8f60e198926b85640c086359e1e86988e2bc1304063bab4e4b
Instruction Fuzzy Hash: E6E109716093C89FEBBACF24C8897DE7BA1FB59344F50421DD88A8E250DB745B49CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180028C20 Relevance: 6.6, Strings: 5, Instructions: 335
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Q27, xrefs: 0000000180028EC2, 000000018002907C, 0000000180028CC6, 0000000180028E8F, 0000000180028F2F, 0000000180028FEB, 00000001800290DD, 0000000180029134, 0000000180028DCC, 0000000180029040, 0000000180028FD5, 0000000180029047, 0000000180028F82
Mh, xrefs: 0000000180029055
:G, xrefs: 0000000180028C4C
yy8x, xrefs: 0000000180028D19
_5, xrefs: 00000001800290F7

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: :G$Q27$_5$yy8x$Mh
API String ID: 0-3587547327
Opcode ID: 315710b1bd8495485e823c5d8e4dda2fa20a4e0309c27e75a691e805bd33ac06
Instruction ID: f758bc8895b8ed7f582f71be29fb7142b0f1d07f9cbefdc8313849e51cf7b1d3
Opcode Fuzzy Hash: 315710b1bd8495485e823c5d8e4dda2fa20a4e0309c27e75a691e805bd33ac06
Instruction Fuzzy Hash: 3DF1E07051434CEBDFA9DF68C8CAA9D3BA0FF48394FA06219FD0696250D775D988CB81

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000C608 Relevance: 5.6, Strings: 4, Instructions: 616
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

K', xrefs: 000000018000CAC7
w\H, xrefs: 000000018000C959
+#;), xrefs: 000000018000CBDA
sf, xrefs: 000000018000CE95

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: +#;)$K'$sf$w\H
API String ID: 0-1051058546
Opcode ID: 4270ae10590fc2f5bcc1345d173ce3869455f0ae6b4cef3f0208413052bdacb8
Instruction ID: 30c6111824d62709d88844cae5ccd518ea343406d57bec7882368cdc1c6a6611
Opcode Fuzzy Hash: 4270ae10590fc2f5bcc1345d173ce3869455f0ae6b4cef3f0208413052bdacb8
Instruction Fuzzy Hash: 8362F97050068D8FDB48DF28C89A6DD3FA1FB58388F524229FC4AA7251D778D999CBC4

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001E3AC Relevance: 4.0, Strings: 3, Instructions: 215
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

<8, xrefs: 000000018001E63C
<w., xrefs: 000000018001E582
<4P, xrefs: 000000018001E690

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: <4P$<8$<w.
API String ID: 0-1030867500
Opcode ID: 6c4ff939f0d35883aefbb319d4430fd67387b4e339adb0f797cabce8c6a4bf31
Instruction ID: 97d266913d6b0fd63d839b3c54903fd41a2ccd22a8a26fffcb9587bfe3b6431f
Opcode Fuzzy Hash: 6c4ff939f0d35883aefbb319d4430fd67387b4e339adb0f797cabce8c6a4bf31
Instruction Fuzzy Hash: C8B1E17151A384ABD788CF28C1C994BBBE1FBD4754F906A1DF8C68B260D7B0D948CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180013E28 Relevance: 2.6, Strings: 2, Instructions: 87COMMON

Download Yara Rule

Strings

'1O", xrefs: 0000000180013F6E
%'#, xrefs: 0000000180013EFA

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: %'#$'1O"
API String ID: 0-3508158491
Opcode ID: 7a3bc090f4985b1e57649fadf31b142a2b067212ca7952ade99d041dbd471a2f
Instruction ID: 10e181b0c1a65fbc894e9b150557277c676d109d9ee8fa061bdc989f931bd19f
Opcode Fuzzy Hash: 7a3bc090f4985b1e57649fadf31b142a2b067212ca7952ade99d041dbd471a2f
Instruction Fuzzy Hash: A541C471D1471C9FCB84CFA8D98AACDBBF0FB48354F249119E445B6250D3B85988CF69

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001C964 Relevance: 1.5, Strings: 1, Instructions: 207COMMON

Download Yara Rule

Strings

xDC, xrefs: 000000018001CAFA

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: xDC
API String ID: 0-90241050
Opcode ID: 1794493f14346c80bf95ebec7e4fc927d8b172e8d91b7fcff559d0595d0365ee
Instruction ID: 9121b1bc5c885adbeef7a29f5b0494aad7ac2618abc594bea640adf26706a648
Opcode Fuzzy Hash: 1794493f14346c80bf95ebec7e4fc927d8b172e8d91b7fcff559d0595d0365ee
Instruction Fuzzy Hash: F391387052065CEBDB99DF68C8CAADD3BA0FB48394F906219FC4287250C775D9C98B86

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180009100 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9400724a362ecc304d993d2fe4c896d101fab294f6d1cf34a07a96bc2a8ce181
Instruction ID: 281782cf28aa09d34d334260f991d1b96cfbd8271b51b9b7c31761fd0664cb75
Opcode Fuzzy Hash: 9400724a362ecc304d993d2fe4c896d101fab294f6d1cf34a07a96bc2a8ce181
Instruction Fuzzy Hash: 4B51EC715087889BCBB8DF18C9856CA7BF0FF95704F50891DE9898B250DF719A44DB42

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA83EEC Relevance: 15.1, APIs: 10, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentStringsW.KERNELBASE(?,?,?,?,?,?,?,00007FF8CAA8219B), ref: 00007FF8CAA83F1B
GetLastError.KERNEL32(?,?,?,?,?,?,?,00007FF8CAA8219B), ref: 00007FF8CAA83F35
GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF8CAA8219B), ref: 00007FF8CAA83F5B
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF8CAA8219B), ref: 00007FF8CAA83FB0
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF8CAA8219B), ref: 00007FF8CAA83FEC
free.LIBCMT ref: 00007FF8CAA83FFA
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF8CAA8219B), ref: 00007FF8CAA84005
GetEnvironmentStrings.KERNEL32(?,?,?,?,?,?,?,00007FF8CAA8219B), ref: 00007FF8CAA8401D
FreeEnvironmentStringsA.KERNEL32(?,?,?,?,?,?,?,00007FF8CAA8219B), ref: 00007FF8CAA8405E
FreeEnvironmentStringsA.KERNEL32(?,?,?,?,?,?,?,00007FF8CAA8219B), ref: 00007FF8CAA8407A

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide$ErrorLastfree
String ID:
API String ID: 994105223-0
Opcode ID: f850f7f34601db923eac004d86ac393417d210c29532925b20230ca42a5e0836
Instruction ID: f05ba9346ae09ad126a07790b5c89f2c11a1b1daf019839bf16153feb29f5f9f
Opcode Fuzzy Hash: f850f7f34601db923eac004d86ac393417d210c29532925b20230ca42a5e0836
Instruction Fuzzy Hash: 4E418E31A0D78686EAA49F21B56603977B1BF48BD0F1444B4DA4E1BF54CF3CE892C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA82154 Relevance: 10.6, APIs: 7, Instructions: 87
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF8CAA84110: HeapCreate.KERNELBASE(?,?,?,?,00007FF8CAA82169), ref: 00007FF8CAA84122
Part of subcall function 00007FF8CAA84110: HeapSetInformation.KERNEL32 ref: 00007FF8CAA8414C

_RTC_Initialize.LIBCMT ref: 00007FF8CAA82184
GetCommandLineA.KERNEL32 ref: 00007FF8CAA82189

Part of subcall function 00007FF8CAA83EEC: GetEnvironmentStringsW.KERNELBASE(?,?,?,?,?,?,?,00007FF8CAA8219B), ref: 00007FF8CAA83F1B
Part of subcall function 00007FF8CAA83EEC: GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF8CAA8219B), ref: 00007FF8CAA83F5B

Part of subcall function 00007FF8CAA83758: GetStartupInfoA.KERNEL32 ref: 00007FF8CAA8377D

__setargv.LIBCMT ref: 00007FF8CAA821B2
_cinit.LIBCMT ref: 00007FF8CAA821C6

Part of subcall function 00007FF8CAA82C94: FlsFree.KERNEL32(?,?,?,?,00007FF8CAA82217), ref: 00007FF8CAA82CA3
Part of subcall function 00007FF8CAA82C94: DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF8CAA82217), ref: 00007FF8CAA86A32
Part of subcall function 00007FF8CAA82C94: free.LIBCMT ref: 00007FF8CAA86A3B
Part of subcall function 00007FF8CAA82C94: DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF8CAA82217), ref: 00007FF8CAA86A5B

Part of subcall function 00007FF8CAA83A48: free.LIBCMT ref: 00007FF8CAA83A8F

Part of subcall function 00007FF8CAA83108: Sleep.KERNEL32(?,?,0000000A,00007FF8CAA82DA3,?,?,?,00007FF8CAA82DFF,?,?,?,00007FF8CAA8254F,?,?,?,00007FF8CAA8262A), ref: 00007FF8CAA8314D

FlsSetValue.KERNEL32 ref: 00007FF8CAA8224C
GetCurrentThreadId.KERNEL32 ref: 00007FF8CAA82260
free.LIBCMT ref: 00007FF8CAA8226F

Part of subcall function 00007FF8CAA83024: HeapFree.KERNEL32(?,?,00000000,00007FF8CAA82DDC,?,?,?,00007FF8CAA82DFF,?,?,?,00007FF8CAA8254F,?,?,?,00007FF8CAA8262A), ref: 00007FF8CAA8303A
Part of subcall function 00007FF8CAA83024: _errno.LIBCMT ref: 00007FF8CAA83044
Part of subcall function 00007FF8CAA83024: GetLastError.KERNEL32(?,?,00000000,00007FF8CAA82DDC,?,?,?,00007FF8CAA82DFF,?,?,?,00007FF8CAA8254F,?,?,?,00007FF8CAA8262A), ref: 00007FF8CAA8304C

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: Heapfree$CriticalDeleteEnvironmentFreeSectionStrings$CommandCreateCurrentErrorInfoInformationInitializeLastLineSleepStartupThreadValue__setargv_cinit_errno
String ID:
API String ID: 1549890855-0
Opcode ID: 1bfc46722c3ac8e7b1a3fe84d8ded69fde3dc3f1e7eef4d63a5cdedb7541036a
Instruction ID: 66d94d0582e2dca938c40cc09ed6ffe366467bd5862cc364761146625c3584ba
Opcode Fuzzy Hash: 1bfc46722c3ac8e7b1a3fe84d8ded69fde3dc3f1e7eef4d63a5cdedb7541036a
Instruction Fuzzy Hash: 1B310420E0C30346FAA46FB5783327911955F557D0F2041F4DA2E97AC7FE2DB85B4222

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA84CD4 Relevance: 9.1, APIs: 6, Instructions: 122
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_getptd.LIBCMT ref: 00007FF8CAA84CF3

Part of subcall function 00007FF8CAA848C0: _getptd.LIBCMT ref: 00007FF8CAA848CA

Part of subcall function 00007FF8CAA8497C: GetOEMCP.KERNEL32(?,?,?,?,?,?,?,00007FF8CAA84D0E,?,?,?,?,?,00007FF8CAA84EE3), ref: 00007FF8CAA849A6

Part of subcall function 00007FF8CAA8309C: Sleep.KERNEL32(?,?,00000000,00007FF8CAA86B19,?,?,00000000,00007FF8CAA86BC3,?,?,?,?,?,?,00000000,00007FF8CAA82DC8), ref: 00007FF8CAA830D2

free.LIBCMT ref: 00007FF8CAA84D7F

Part of subcall function 00007FF8CAA83024: HeapFree.KERNEL32(?,?,00000000,00007FF8CAA82DDC,?,?,?,00007FF8CAA82DFF,?,?,?,00007FF8CAA8254F,?,?,?,00007FF8CAA8262A), ref: 00007FF8CAA8303A
Part of subcall function 00007FF8CAA83024: _errno.LIBCMT ref: 00007FF8CAA83044
Part of subcall function 00007FF8CAA83024: GetLastError.KERNEL32(?,?,00000000,00007FF8CAA82DDC,?,?,?,00007FF8CAA82DFF,?,?,?,00007FF8CAA8254F,?,?,?,00007FF8CAA8262A), ref: 00007FF8CAA8304C

_lock.LIBCMT ref: 00007FF8CAA84DB7
free.LIBCMT ref: 00007FF8CAA84E67
free.LIBCMT ref: 00007FF8CAA84E97
_errno.LIBCMT ref: 00007FF8CAA84E9C

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: free$_errno_getptd$ErrorFreeHeapLastSleep_lock
String ID:
API String ID: 1264244385-0
Opcode ID: 2d1c73193aff0bd2fa234daa6436aaac9807f819087f81d2c1bddea91d33e348
Instruction ID: d76915390f90985d142b2be6a640870264291e5146145e31ed94ba9f475b8cfb
Opcode Fuzzy Hash: 2d1c73193aff0bd2fa234daa6436aaac9807f819087f81d2c1bddea91d33e348
Instruction Fuzzy Hash: F751BC319097428BE7509F65B4222B9B7A1FB84BD4F1442B6DA5E43BA9CF3CE402C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA86C34 Relevance: 7.5, APIs: 5, Instructions: 47
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_FF_MSGBANNER.LIBCMT ref: 00007FF8CAA86C64
RtlAllocateHeap.NTDLL(?,?,00000000,00007FF8CAA830C0,?,?,00000000,00007FF8CAA86B19,?,?,00000000,00007FF8CAA86BC3), ref: 00007FF8CAA86C89
_errno.LIBCMT ref: 00007FF8CAA86CAD
_errno.LIBCMT ref: 00007FF8CAA86CB8
_errno.LIBCMT ref: 00007FF8CAA86CCD

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: _errno$AllocateHeap
String ID:
API String ID: 502529563-0
Opcode ID: d18ae8e3cce73ce1a52224a39a8d43e75eaf3a21478d7bf67846a2816eda3af9
Instruction ID: 5864c0f26ae12c0981914dd351779d4f3afe3f3e80cc58ab110416c80e1c8680
Opcode Fuzzy Hash: d18ae8e3cce73ce1a52224a39a8d43e75eaf3a21478d7bf67846a2816eda3af9
Instruction Fuzzy Hash: D8113064A0974285FA556F66B8332B93651EF84BD0F0442B0EA1D47BE2DE3CE852C711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA81EE7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL ref: 00007FF8CAA81F24
RtlDeleteBoundaryDescriptor.NTDLL ref: 00007FF8CAA81F56

Strings

vb4vcW2kAW3Twaz?30, xrefs: 00007FF8CAA81F6C

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: AllocateBoundaryDeleteDescriptorHeap
String ID: vb4vcW2kAW3Twaz?30
API String ID: 254689257-4179232793
Opcode ID: 08b1cf252e4ad689d9d92df66199491e9f35c83da394e0c34af369396f0aa75a
Instruction ID: 403f617b58cb96879fa0e414557889d76bc26389028b2a486bcf27c15bc2f02c
Opcode Fuzzy Hash: 08b1cf252e4ad689d9d92df66199491e9f35c83da394e0c34af369396f0aa75a
Instruction Fuzzy Hash: 5021073260CF8686E7308F24F4653A577A5FB88788F004575C6CD93765DF7DA9068B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA82FA0 Relevance: 4.5, APIs: 3, Instructions: 35
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF8CAA836F0: _initp_misc_winsig.LIBCMT ref: 00007FF8CAA83729
Part of subcall function 00007FF8CAA836F0: EncodePointer.KERNEL32(?,?,?,00007FF8CAA82FAB,?,?,?,00007FF8CAA82179), ref: 00007FF8CAA83745

FlsAlloc.KERNEL32(?,?,?,00007FF8CAA82179), ref: 00007FF8CAA82FBB

Part of subcall function 00007FF8CAA83108: Sleep.KERNEL32(?,?,0000000A,00007FF8CAA82DA3,?,?,?,00007FF8CAA82DFF,?,?,?,00007FF8CAA8254F,?,?,?,00007FF8CAA8262A), ref: 00007FF8CAA8314D

FlsSetValue.KERNEL32(?,?,?,00007FF8CAA82179), ref: 00007FF8CAA82FEC

Part of subcall function 00007FF8CAA82CBC: _lock.LIBCMT ref: 00007FF8CAA82D0C
Part of subcall function 00007FF8CAA82CBC: _lock.LIBCMT ref: 00007FF8CAA82D2C

GetCurrentThreadId.KERNEL32 ref: 00007FF8CAA83000

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: _lock$AllocCurrentEncodePointerSleepThreadValue_initp_misc_winsig
String ID:
API String ID: 54287522-0
Opcode ID: 926dbc3dc0f4bcdbbdac5bfac17ca3eb5364a16ed8e4c5d99003da15ed9a218c
Instruction ID: 628f4d18c9d39c76fef4dc05c1409b971840b81929cf186adf63eddcd20434b4
Opcode Fuzzy Hash: 926dbc3dc0f4bcdbbdac5bfac17ca3eb5364a16ed8e4c5d99003da15ed9a218c
Instruction Fuzzy Hash: 42014F60E0970381FBA4AF75B86727962A15F447E0F0446B4C67D876E2EE2CA48B9230

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180001BDC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 115processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE ref: 0000000180001D4C

Strings

:}, xrefs: 0000000180001C92

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID: :}
API String ID: 963392458-2902022129
Opcode ID: d4da30051582f0c34577a92f260795e531c0ce67ba31d10d3ee514360786ef98
Instruction ID: 26ea99709d6fc87808755d2915912d2f892c3b8ed2aa040ac50dc8635ae9c2e3
Opcode Fuzzy Hash: d4da30051582f0c34577a92f260795e531c0ce67ba31d10d3ee514360786ef98
Instruction Fuzzy Hash: EB415A7091C7888FD7B4DF58D4857AABBE0FBC8314F108A1EE48DD7255DB7498458B82

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA82050 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32 ref: 00007FF8CAA82075

Strings

JKvDDasqwOPvGXZdqW, xrefs: 00007FF8CAA8205D

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: ExitProcess
String ID: JKvDDasqwOPvGXZdqW
API String ID: 621844428-4059861069
Opcode ID: deed1fdb9085c7dcd35d809f3e44395f38d7cca76780fd27941661c68abd14ec
Instruction ID: c12a228a5064aa80b44e0e2dff2673b63d7e427e2506b84566099550ff44a9a1
Opcode Fuzzy Hash: deed1fdb9085c7dcd35d809f3e44395f38d7cca76780fd27941661c68abd14ec
Instruction Fuzzy Hash: FED09E21958B8182DA209B20F81635A67A0BB89788F800171D58D57614DF7CD156C704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA86CEC Relevance: 3.1, APIs: 2, Instructions: 52memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF8CAA86D0F

Part of subcall function 00007FF8CAA866D8: DecodePointer.KERNEL32 ref: 00007FF8CAA866FF

RtlAllocateHeap.NTDLL(?,?,?,?,00000000,00007FF8CAA8313B,?,?,0000000A,00007FF8CAA82DA3,?,?,?,00007FF8CAA82DFF), ref: 00007FF8CAA86D58

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: AllocateDecodeHeapPointer_errno
String ID:
API String ID: 15861996-0
Opcode ID: 39e9772f0cc65a7484b61a3e1fb2b868eaa6fa792f1398e078783a6d2fc3ba42
Instruction ID: 6758735b707e07f13e1179975abc22f4131715516e5f40f5d7e60bfc0ce6a732
Opcode Fuzzy Hash: 39e9772f0cc65a7484b61a3e1fb2b868eaa6fa792f1398e078783a6d2fc3ba42
Instruction Fuzzy Hash: 3611A726B0D74246FF555F25F6263B962D19F407E4F088A76CE1D07EE8EE7CA4428600

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA836F0 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

_initp_misc_winsig.LIBCMT ref: 00007FF8CAA83729

Part of subcall function 00007FF8CAA8755C: EncodePointer.KERNEL32(?,?,?,?,00007FF8CAA8373E,?,?,?,00007FF8CAA82FAB,?,?,?,00007FF8CAA82179), ref: 00007FF8CAA87567

EncodePointer.KERNEL32(?,?,?,00007FF8CAA82FAB,?,?,?,00007FF8CAA82179), ref: 00007FF8CAA83745

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: EncodePointer$_initp_misc_winsig
String ID:
API String ID: 190222155-0
Opcode ID: 29817383cbd5b8fc12b900dc218af1d2c44829c2a488d6b4e34f3447ba8c1d75
Instruction ID: be569aa0a5b9eb0e365f12d8bfba322517533c5106461658769e9940c3c8c0d5
Opcode Fuzzy Hash: 29817383cbd5b8fc12b900dc218af1d2c44829c2a488d6b4e34f3447ba8c1d75
Instruction Fuzzy Hash: 55F04E40E8934744E919FF6679B30B826405F96BC1F8820F4E82F1BBA3DD2CE5578754

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA84110 Relevance: 3.0, APIs: 2, Instructions: 18memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(?,?,?,?,00007FF8CAA82169), ref: 00007FF8CAA84122
HeapSetInformation.KERNEL32 ref: 00007FF8CAA8414C

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: Heap$CreateInformation
String ID:
API String ID: 1774340351-0
Opcode ID: 489fa6aa26c4b222785c1fb3dc785f295b08bd9aa245ee8ef2e9349b67055af0
Instruction ID: 7d87e3e3b3c1761242601761c4392a3447e6156f51295e6bf2343f6d5de3c816
Opcode Fuzzy Hash: 489fa6aa26c4b222785c1fb3dc785f295b08bd9aa245ee8ef2e9349b67055af0
Instruction Fuzzy Hash: 3AE04F75A2679183E7989F25B82A7656250FB88380F905079EA4D13B94DF3CD05A8A00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA873F4 Relevance: 1.5, APIs: 1, Instructions: 15COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(?,?,?,00007FF8CAA834AF,?,?,?,00007FF8CAA821CB), ref: 00007FF8CAA8740D

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 0a2c1c774571843224449336236925bab63b88d9ce0b4f967ac09496dc1b8d3d
Instruction ID: afcb68e06b9aee23eddb4ecfde5686c6d39b156b7183b314c5cd665013c64f12
Opcode Fuzzy Hash: 0a2c1c774571843224449336236925bab63b88d9ce0b4f967ac09496dc1b8d3d
Instruction Fuzzy Hash: BBD05B32F5474181DB518F21F5A117C2364FB84BD4F588071D65C07655DD3CC457C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA83108 Relevance: 1.3, APIs: 1, Instructions: 36sleepCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF8CAA86CEC: _errno.LIBCMT ref: 00007FF8CAA86D0F

Sleep.KERNEL32(?,?,0000000A,00007FF8CAA82DA3,?,?,?,00007FF8CAA82DFF,?,?,?,00007FF8CAA8254F,?,?,?,00007FF8CAA8262A), ref: 00007FF8CAA8314D

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: Sleep_errno
String ID:
API String ID: 1068366078-0
Opcode ID: 99b9e4cc6464749d47a71fc1b610823d805388b9272814145126b07a25ab941d
Instruction ID: 2347e75dfb63e029e5d0b0438f50130e0871a0046f93cb0ee84fe587b809d24f
Opcode Fuzzy Hash: 99b9e4cc6464749d47a71fc1b610823d805388b9272814145126b07a25ab941d
Instruction Fuzzy Hash: 01018632A24B8186FA549F16B862029B7A5FB88FD0F095175DF5D07B50DF3CE852C704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA8309C Relevance: 1.3, APIs: 1, Instructions: 30sleepCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF8CAA86C34: _FF_MSGBANNER.LIBCMT ref: 00007FF8CAA86C64
Part of subcall function 00007FF8CAA86C34: RtlAllocateHeap.NTDLL(?,?,00000000,00007FF8CAA830C0,?,?,00000000,00007FF8CAA86B19,?,?,00000000,00007FF8CAA86BC3), ref: 00007FF8CAA86C89
Part of subcall function 00007FF8CAA86C34: _errno.LIBCMT ref: 00007FF8CAA86CAD
Part of subcall function 00007FF8CAA86C34: _errno.LIBCMT ref: 00007FF8CAA86CB8

Sleep.KERNEL32(?,?,00000000,00007FF8CAA86B19,?,?,00000000,00007FF8CAA86BC3,?,?,?,?,?,?,00000000,00007FF8CAA82DC8), ref: 00007FF8CAA830D2

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: _errno$AllocateHeapSleep
String ID:
API String ID: 4153772858-0
Opcode ID: fda341601c3db2866e613cad0830f714017b4f3b234a5a25ccfa8741b4d7d732
Instruction ID: 89383415ed6644c754f7c6bc63778238809c71dbc8838e57893bb6e66c9a8dd7
Opcode Fuzzy Hash: fda341601c3db2866e613cad0830f714017b4f3b234a5a25ccfa8741b4d7d732
Instruction Fuzzy Hash: FAF09632A0978586EA95DF26B46203E72A1FB84BD0F544174EA5D13B95DF3CE893C740

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF8CAA8895C Relevance: 24.4, APIs: 16, Instructions: 377COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(?,00007FF8CAA83E11,?,?,?,?,?,00007FF8CAA821B7), ref: 00007FF8CAA889CE
GetLastError.KERNEL32(?,00007FF8CAA83E11,?,?,?,?,?,00007FF8CAA821B7), ref: 00007FF8CAA889E4
MultiByteToWideChar.KERNEL32 ref: 00007FF8CAA88A8E
MultiByteToWideChar.KERNEL32 ref: 00007FF8CAA88B36
LCMapStringW.KERNEL32 ref: 00007FF8CAA88B5B
LCMapStringW.KERNEL32 ref: 00007FF8CAA88BAB
LCMapStringW.KERNEL32 ref: 00007FF8CAA88C38
WideCharToMultiByte.KERNEL32 ref: 00007FF8CAA88C7B
free.LIBCMT ref: 00007FF8CAA88C8C
free.LIBCMT ref: 00007FF8CAA88C9A
LCMapStringA.KERNEL32(?,00007FF8CAA83E11,?,?,?,?,?,00007FF8CAA821B7), ref: 00007FF8CAA88D29
LCMapStringA.KERNEL32(?,00007FF8CAA83E11,?,?,?,?,?,00007FF8CAA821B7), ref: 00007FF8CAA88DE0
free.LIBCMT ref: 00007FF8CAA88E28
LCMapStringA.KERNEL32(?,00007FF8CAA83E11,?,?,?,?,?,00007FF8CAA821B7), ref: 00007FF8CAA88E48
free.LIBCMT ref: 00007FF8CAA88E5A
free.LIBCMT ref: 00007FF8CAA88E6C

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: String$free$ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1446610345-0
Opcode ID: 1cb68e5ebb75471bd28e921dddda68db4bd0a605ea05e1978d1bd0bd9315b2d8
Instruction ID: 5dc426166eec6d5159f6be29793f9dc183f2ba7e0119418b39f1fa9c91700b3f
Opcode Fuzzy Hash: 1cb68e5ebb75471bd28e921dddda68db4bd0a605ea05e1978d1bd0bd9315b2d8
Instruction Fuzzy Hash: 93F10172A097818AE7248F24F4261B977A1FB48BE8F144275EA5D57FD8DF3CE9428700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA87BE8 Relevance: 22.8, APIs: 11, Strings: 2, Instructions: 78libraryloaderCOMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32 ref: 00007FF8CAA87C06
_errno.LIBCMT ref: 00007FF8CAA87C13

Part of subcall function 00007FF8CAA866D8: DecodePointer.KERNEL32 ref: 00007FF8CAA866FF

LoadLibraryA.KERNEL32 ref: 00007FF8CAA87C4F
GetProcAddress.KERNEL32 ref: 00007FF8CAA87C67
_errno.LIBCMT ref: 00007FF8CAA87C75
GetLastError.KERNEL32 ref: 00007FF8CAA87C7D
GetLastError.KERNEL32 ref: 00007FF8CAA87CA0

Strings

ADVAPI32.DLL, xrefs: 00007FF8CAA87C48
SystemFunction036, xrefs: 00007FF8CAA87C5D

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: DecodeErrorLastPointer_errno$AddressLibraryLoadProc
String ID: ADVAPI32.DLL$SystemFunction036
API String ID: 1558914745-1064046199
Opcode ID: a4bc4b26b88413057c65bce35d9d543f8071dd4b5a3168f49804b7622c4c0c09
Instruction ID: e73829d110fdcbab2e503302eddfe1b9d4fe2e3f3b916f5115753378ea93c917
Opcode Fuzzy Hash: a4bc4b26b88413057c65bce35d9d543f8071dd4b5a3168f49804b7622c4c0c09
Instruction Fuzzy Hash: D6319C61A0974286FB15AF31B8332B922D1AF84BD4F0444B4EE0D4BB96EE3CE40A8640

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA8C934 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FF8CAA8C956
GetUserDefaultLCID.KERNEL32 ref: 00007FF8CAA8CA56
IsValidCodePage.KERNEL32 ref: 00007FF8CAA8CAA7
IsValidLocale.KERNEL32 ref: 00007FF8CAA8CABD
GetLocaleInfoA.KERNEL32 ref: 00007FF8CAA8CB38
GetLocaleInfoA.KERNEL32 ref: 00007FF8CAA8CB55
_itow_s.LIBCMT ref: 00007FF8CAA8CB73

Strings

Norwegian-Nynorsk, xrefs: 00007FF8CAA8CAF8

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: Locale$InfoValid$CodeDefaultPageUser_getptd_itow_s
String ID: Norwegian-Nynorsk
API String ID: 2273835618-461349085
Opcode ID: 27b601e54d08442215230f85cfe0824a991ba4f10c2dcca786a022abe7f281d3
Instruction ID: e2b6dfa46a4afbb0113fa72a36168a7ab6587b260011aae207b6a661c4811e0e
Opcode Fuzzy Hash: 27b601e54d08442215230f85cfe0824a991ba4f10c2dcca786a022abe7f281d3
Instruction Fuzzy Hash: DC617C62A08742A6FB649F21F4267B923A1FF44BC4F0841B6CA4D47AD5DF3CE946CB04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA8B5CC Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 407timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeFormatA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF8CAA8B35C), ref: 00007FF8CAA8B6BC
GetTimeFormatA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF8CAA8B35C), ref: 00007FF8CAA8B751
free.LIBCMT ref: 00007FF8CAA8B78E
__ascii_stricmp.LIBCMT ref: 00007FF8CAA8B825

Strings

am/pm, xrefs: 00007FF8CAA8B81B
a/p, xrefs: 00007FF8CAA8B87D

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: FormatTime$__ascii_stricmpfree
String ID: a/p$am/pm
API String ID: 2252689280-3206640213
Opcode ID: f0a1e010cfc2bba628f50de28a03b415369789bd89755694daa0cdadb7c0128b
Instruction ID: 3402750cfc80d23530bdb38cfe9e421b7816080aa9b7925705e42df8f2ca6e36
Opcode Fuzzy Hash: f0a1e010cfc2bba628f50de28a03b415369789bd89755694daa0cdadb7c0128b
Instruction Fuzzy Hash: 9AF1F222A1D7928AE7748F24B4761BCA7A1FB057C4F4490B2EA9D47F85DE3DAC46C301

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA86F0C Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 137fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(?,?,?,?,?,00007FF8CAA87194,?,?,?,?,00007FF8CAA86C69,?,?,00000000,00007FF8CAA830C0), ref: 00007FF8CAA86FCF
GetStdHandle.KERNEL32(?,?,?,?,?,00007FF8CAA87194,?,?,?,?,00007FF8CAA86C69,?,?,00000000,00007FF8CAA830C0), ref: 00007FF8CAA870DB
WriteFile.KERNEL32 ref: 00007FF8CAA87115

Strings

Runtime Error!Program: , xrefs: 00007FF8CAA86F8E
<program name unknown>, xrefs: 00007FF8CAA86FD9
Microsoft Visual C++ Runtime Library, xrefs: 00007FF8CAA870BF
..., xrefs: 00007FF8CAA87032

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-4022980321
Opcode ID: a3f87b8c5f367064f797f5b9ceb23e0cb6ebb80f3dcd78d3f9f2145c33283283
Instruction ID: db0a8acb128dd1eef22519d77ac3ea1842fb2c227789587a2e2018e42a88ffa8
Opcode Fuzzy Hash: a3f87b8c5f367064f797f5b9ceb23e0cb6ebb80f3dcd78d3f9f2145c33283283
Instruction Fuzzy Hash: EF51A821B1874341FB64DF35B9777BA2261AF883D4F4046B6D94D47EE6DE2CE5078210

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA820E0 Relevance: 12.1, APIs: 8, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF8CAA823FB
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF8CAA8241A
RtlVirtualUnwind.KERNEL32 ref: 00007FF8CAA82466
IsDebuggerPresent.KERNEL32 ref: 00007FF8CAA824D8
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF8CAA824F0
UnhandledExceptionFilter.KERNEL32 ref: 00007FF8CAA824FD
GetCurrentProcess.KERNEL32 ref: 00007FF8CAA82516
TerminateProcess.KERNEL32 ref: 00007FF8CAA82524

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
String ID:
API String ID: 3778485334-0
Opcode ID: 44244c45948aa76910f1429c67e23cf948153936c8457040e3babb9890c0c3d8
Instruction ID: 7cc069d85f3c7752c1f6694d9ec868425d4d48bc6a788711ab1c0b08c936f86e
Opcode Fuzzy Hash: 44244c45948aa76910f1429c67e23cf948153936c8457040e3babb9890c0c3d8
Instruction Fuzzy Hash: 7E31F735908B4286EB909F21F8623A973A0FB847D4F5001B6DA9D63B75EF7CE45AC710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA8E6C0 Relevance: 10.8, APIs: 7, Instructions: 301COMMONLIBRARYCODE

Download Yara Rule

APIs

_lock.LIBCMT ref: 00007FF8CAA8E6EB

Part of subcall function 00007FF8CAA8E550: _errno.LIBCMT ref: 00007FF8CAA8E559

free.LIBCMT ref: 00007FF8CAA8E7E2

Part of subcall function 00007FF8CAA83024: HeapFree.KERNEL32(?,?,00000000,00007FF8CAA82DDC,?,?,?,00007FF8CAA82DFF,?,?,?,00007FF8CAA8254F,?,?,?,00007FF8CAA8262A), ref: 00007FF8CAA8303A
Part of subcall function 00007FF8CAA83024: _errno.LIBCMT ref: 00007FF8CAA83044
Part of subcall function 00007FF8CAA83024: GetLastError.KERNEL32(?,?,00000000,00007FF8CAA82DDC,?,?,?,00007FF8CAA82DFF,?,?,?,00007FF8CAA8254F,?,?,?,00007FF8CAA8262A), ref: 00007FF8CAA8304C

Part of subcall function 00007FF8CAA87FBC: _errno.LIBCMT ref: 00007FF8CAA87FD4

___lc_codepage_func.LIBCMT ref: 00007FF8CAA8E76B

Part of subcall function 00007FF8CAA86550: RtlCaptureContext.KERNEL32 ref: 00007FF8CAA8658F
Part of subcall function 00007FF8CAA86550: IsDebuggerPresent.KERNEL32 ref: 00007FF8CAA8662D
Part of subcall function 00007FF8CAA86550: SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF8CAA86637
Part of subcall function 00007FF8CAA86550: UnhandledExceptionFilter.KERNEL32 ref: 00007FF8CAA86642
Part of subcall function 00007FF8CAA86550: GetCurrentProcess.KERNEL32 ref: 00007FF8CAA86658
Part of subcall function 00007FF8CAA86550: TerminateProcess.KERNEL32 ref: 00007FF8CAA86666

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: _errno$ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerErrorFreeHeapLastPresentTerminate___lc_codepage_func_lockfree
String ID:
API String ID: 178205154-0
Opcode ID: 74de64cbd29ae749c01db9c906a5c8058d145dff36747eda2fd1744b72fc25a1
Instruction ID: 3a92754f26889e6b83afc2f082c0ecb660287276ecaa0be0a3d2a082eeed70ee
Opcode Fuzzy Hash: 74de64cbd29ae749c01db9c906a5c8058d145dff36747eda2fd1744b72fc25a1
Instruction Fuzzy Hash: 51D1A432A0838285E7749F24B4626B977A6BF857C0F4441B5DA8D6BFA5DF3CE8538700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA8DF98 Relevance: 10.6, APIs: 7, Instructions: 136COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF8CAA8E1C2), ref: 00007FF8CAA8DFF2
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF8CAA8E1C2), ref: 00007FF8CAA8E004
GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF8CAA8E1C2), ref: 00007FF8CAA8E04F
GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF8CAA8E1C2), ref: 00007FF8CAA8E0E1
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF8CAA8E1C2), ref: 00007FF8CAA8E11B
free.LIBCMT ref: 00007FF8CAA8E12F

Part of subcall function 00007FF8CAA86C34: _FF_MSGBANNER.LIBCMT ref: 00007FF8CAA86C64
Part of subcall function 00007FF8CAA86C34: RtlAllocateHeap.NTDLL(?,?,00000000,00007FF8CAA830C0,?,?,00000000,00007FF8CAA86B19,?,?,00000000,00007FF8CAA86BC3), ref: 00007FF8CAA86C89
Part of subcall function 00007FF8CAA86C34: _errno.LIBCMT ref: 00007FF8CAA86CAD
Part of subcall function 00007FF8CAA86C34: _errno.LIBCMT ref: 00007FF8CAA86CB8

GetLocaleInfoA.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF8CAA8E1C2), ref: 00007FF8CAA8E145

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: InfoLocale$_errno$AllocateByteCharErrorHeapLastMultiWidefree
String ID:
API String ID: 2309262205-0
Opcode ID: 71a04b091aa06e394b105ea5eb29500c7d2471e259f2c6ae1c50144f40b044a4
Instruction ID: 2113555d75f3c1681c76ceaace1d6c0893064bd2120ad2c80280d04cfe689550
Opcode Fuzzy Hash: 71a04b091aa06e394b105ea5eb29500c7d2471e259f2c6ae1c50144f40b044a4
Instruction Fuzzy Hash: 1651AE32A08742C6EBB09F20B86216963B2BB447E4F540676DA1E1BFD4CF3CE9468700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA8FCA0 Relevance: 9.1, APIs: 6, Instructions: 91COMMON

Download Yara Rule

APIs

_lock.LIBCMT ref: 00007FF8CAA8FCC3
_errno.LIBCMT ref: 00007FF8CAA8FCD5

Part of subcall function 00007FF8CAA866D8: DecodePointer.KERNEL32 ref: 00007FF8CAA866FF

_errno.LIBCMT ref: 00007FF8CAA8FD14

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: _errno$DecodePointer_lock
String ID:
API String ID: 2175075375-0
Opcode ID: e83d4e1a308f3a4c606242a395cb5e969118d697d0d9f70e8103cd5b86654c3e
Instruction ID: 5b977870851e5861cf4df2a358045c75e2fe5d94be4cc974674d3fa1bcfd3c50
Opcode Fuzzy Hash: e83d4e1a308f3a4c606242a395cb5e969118d697d0d9f70e8103cd5b86654c3e
Instruction Fuzzy Hash: AE316C22A1875342FB55AE61B5677BE6291AF887C8F048475DF0C4BF8ADF2CE4128740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA86550 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF8CAA8658F
IsDebuggerPresent.KERNEL32 ref: 00007FF8CAA8662D
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF8CAA86637
UnhandledExceptionFilter.KERNEL32 ref: 00007FF8CAA86642
GetCurrentProcess.KERNEL32 ref: 00007FF8CAA86658
TerminateProcess.KERNEL32 ref: 00007FF8CAA86666

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerPresentTerminate
String ID:
API String ID: 1269745586-0
Opcode ID: 4b9ca92828b1b5c60ed307038ce46a3bf90eb6ca82a158dafa7f71ad6e682487
Instruction ID: e947d18069dfdcb44332d5086e058473e49b32a86a5d6684d442ff9a93f69fd6
Opcode Fuzzy Hash: 4b9ca92828b1b5c60ed307038ce46a3bf90eb6ca82a158dafa7f71ad6e682487
Instruction Fuzzy Hash: 8D312132A08BC682EB649F65F4563AAB3A0FB88794F500175D78D43A59EF7CD54ACB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180022010 Relevance: 9.0, Strings: 7, Instructions: 235COMMON

Download Yara Rule

Strings

94, xrefs: 0000000180022371
"+H, xrefs: 000000018002236A
M8;, xrefs: 0000000180022338
]k, xrefs: 0000000180022069
]$d, xrefs: 00000001800220D6
1l7., xrefs: 00000001800220AF
]k, xrefs: 000000018002232E

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: "+H$1l7.$M8;$]$d$]k$]k$94
API String ID: 0-2447245168
Opcode ID: 3fd6bef9004380659c47559ba6e3d81fe5eea7f701e849f333ef0deba45e7d13
Instruction ID: 1221e244f5383d3e6569bf50eb566ee92e7d288cf12f4405919b94e37960c7a7
Opcode Fuzzy Hash: 3fd6bef9004380659c47559ba6e3d81fe5eea7f701e849f333ef0deba45e7d13
Instruction Fuzzy Hash: 3FB10D7160130CCBDBA9DF28C18A6DA3BE1FF48748F114129FD1A97261D774E919CB46

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA8C16C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32 ref: 00007FF8CAA8C1C7
GetLocaleInfoA.KERNEL32 ref: 00007FF8CAA8C209
GetACP.KERNEL32 ref: 00007FF8CAA8C22C

Strings

ACP, xrefs: 00007FF8CAA8C195
OCP, xrefs: 00007FF8CAA8C1A5

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 388ed1ec509bc17a1b1080bf0c7b12a90c89964bfa9f21f0ca41505682e31820
Instruction ID: 19ea28aa4f162a2758483651bc7e40c3db07f938260b8f0301e3802939642812
Opcode Fuzzy Hash: 388ed1ec509bc17a1b1080bf0c7b12a90c89964bfa9f21f0ca41505682e31820
Instruction Fuzzy Hash: 3F216331B0C743A6FA609F20F9622B967A0BF447C4F544171DA4D579A5EF2CE947CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180003598 Relevance: 8.2, Strings: 6, Instructions: 720COMMON

Download Yara Rule

Strings

IY, xrefs: 0000000180003ECF
I-, xrefs: 0000000180004227
QL&, xrefs: 0000000180003C57
o, xrefs: 0000000180003CAE
1h, xrefs: 0000000180004545
li7, xrefs: 0000000180003802

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 1h$I-$IY$QL&$li7$o
API String ID: 0-890095520
Opcode ID: d92cde7f9b8773e82faae5f21764c68a430e9ac7962d305d8d3ec3a014b69236
Instruction ID: 3309774e0679b3a301b7d0c809474a48ec240f33eb9a68417431e078f6a2137f
Opcode Fuzzy Hash: d92cde7f9b8773e82faae5f21764c68a430e9ac7962d305d8d3ec3a014b69236
Instruction Fuzzy Hash: 72921875604BC88BCBB8DF24DC85BDD7BE0FB86305F20561DD85E9AA60CBB85645CB02

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000AC48 Relevance: 8.0, Strings: 6, Instructions: 548COMMON

Download Yara Rule

Strings

1, xrefs: 000000018000AD5C
i, xrefs: 000000018000B672
", xrefs: 000000018000B539
Rku, xrefs: 000000018000B40E
$-%, xrefs: 000000018000B3AF
{,, xrefs: 000000018000AD2C

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 1$ {,$"$$-%$Rku$ i
API String ID: 0-1845893065
Opcode ID: 8a8483899f0d6f446eebdfc8e7bf7c7542960c12dc616770c4deeefd42d211ba
Instruction ID: cb6ea2ed9b9de3b3effb5fe074f3157ffd1060f729125c5012da7c2884d2f589
Opcode Fuzzy Hash: 8a8483899f0d6f446eebdfc8e7bf7c7542960c12dc616770c4deeefd42d211ba
Instruction Fuzzy Hash: EB52D470544BCA8BCBB8CF24CC85BEF7BA0FB44306F155529D89A8A291DBB85749CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180029B28 Relevance: 8.0, Strings: 6, Instructions: 535COMMON

Download Yara Rule

Strings

VUS/, xrefs: 000000018002A254
YV~, xrefs: 000000018002A301
EX, xrefs: 000000018002A39C
OX, xrefs: 000000018002A0D4
@, xrefs: 0000000180029B80
p, xrefs: 000000018002A15A

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: VUS/$YV~$p$@$EX$OX
API String ID: 0-2743166816
Opcode ID: 42abff069bb8dd677487b4024391c19b5d6520d96b7057ef658f077a6ca5f53c
Instruction ID: 6ceb6cba6b0314249f0ec67deadc173c496f62a90fe3cec01f017443767c42d8
Opcode Fuzzy Hash: 42abff069bb8dd677487b4024391c19b5d6520d96b7057ef658f077a6ca5f53c
Instruction Fuzzy Hash: BD3213711097848FD3A9CF68C58A65BBBF0FBCA744F104A1DF68687260C7B6D949CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800059B8 Relevance: 7.9, Strings: 6, Instructions: 408COMMON

Download Yara Rule

Strings

-!zt, xrefs: 0000000180005BD7
ru, xrefs: 000000018000623C
d}9J, xrefs: 0000000180006179
R3T, xrefs: 0000000180005C59
Mv`b, xrefs: 0000000180005D4E
t:v, xrefs: 0000000180005E76

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: -!zt$Mv`b$R3T$d}9J$t:v$ru
API String ID: 0-2100131636
Opcode ID: e0551372703c1c57f1fc0d9d1de0f1be02ef62f192bed394747547d409ac2d0a
Instruction ID: abddbd47ac15f5a8ffacaf8e31a06efd054a3dbd2afb1a66e8bbaa14beb483a4
Opcode Fuzzy Hash: e0551372703c1c57f1fc0d9d1de0f1be02ef62f192bed394747547d409ac2d0a
Instruction Fuzzy Hash: C1221BB050478C8BDBB8CF64C9897DD7BB0FB44308F10862DDA5AAB250CBB45686CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180013780 Relevance: 7.8, Strings: 6, Instructions: 323COMMON

Download Yara Rule

Strings

"`2, xrefs: 00000001800139CE
kO, xrefs: 000000018001387E
lbzZ, xrefs: 0000000180013863
lmq, xrefs: 0000000180013A6B
tro, xrefs: 00000001800139A0
$, xrefs: 0000000180013C6D

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $$"`2$lbzZ$lmq$tro$kO
API String ID: 0-2401169580
Opcode ID: b22a75222821f6640e36d1476563fd6974371582067e8c17588d676730c46316
Instruction ID: 279b0f6eedbbacd77816cba7ac57bf6919de5fbe0bc464da326619847ce4fcd1
Opcode Fuzzy Hash: b22a75222821f6640e36d1476563fd6974371582067e8c17588d676730c46316
Instruction Fuzzy Hash: BBF1C3709047488FDBA8DFA8D9867DDBBB1FB48304F20821DD84AEB255DB749A49CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA84558 Relevance: 7.5, APIs: 5, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF8CAA8458F
GetCurrentProcessId.KERNEL32 ref: 00007FF8CAA8459A
GetCurrentThreadId.KERNEL32 ref: 00007FF8CAA845A6
GetTickCount.KERNEL32 ref: 00007FF8CAA845B2
QueryPerformanceCounter.KERNEL32 ref: 00007FF8CAA845C3

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 223c3edd6aa26ef4227c63ba9b3a174b47cd905fe72dc54f34602d1df15ca246
Instruction ID: 0aa70229e8fcb58f3693ce499c3dd6f06a15d36de2872ed33aaea3490a0d3027
Opcode Fuzzy Hash: 223c3edd6aa26ef4227c63ba9b3a174b47cd905fe72dc54f34602d1df15ca246
Instruction Fuzzy Hash: 1B018431A29B0186EB908F31F8A12696364FF49BE0F546570DE5E577A0DF3CD9AAC300

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000FC48 Relevance: 6.7, Strings: 5, Instructions: 447COMMON

Download Yara Rule

Strings

PT, xrefs: 000000018001038A
2f, xrefs: 000000018001051C
UbA, xrefs: 00000001800103C4
)#?, xrefs: 0000000180010418
EX., xrefs: 000000018001032D

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: )#?$EX.$PT$UbA$2f
API String ID: 0-1318892062
Opcode ID: f9a85fa51538b1a6c0e22373df85dddbbc427f24166f886711afb0f01761c199
Instruction ID: a9b5704be98d3dd027f678fe08c59eda011257bdda9cf4ed25ea0f7660729633
Opcode Fuzzy Hash: f9a85fa51538b1a6c0e22373df85dddbbc427f24166f886711afb0f01761c199
Instruction Fuzzy Hash: 8B320DB190078C8BDBB8CF64C8856DD7BF0FB48318F50852DEA1A9B251DBB45685CF98

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001FC0C Relevance: 6.6, Strings: 5, Instructions: 400COMMON

Download Yara Rule

Strings

?F, xrefs: 0000000180020023
tZp, xrefs: 000000018001FFAF
$T, xrefs: 000000018001FF09
QP|m, xrefs: 000000018001FCBC
qjf, xrefs: 000000018001FD57

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $T$?F$QP|m$qjf$tZp
API String ID: 0-3477398917
Opcode ID: 5b73a1a625f2cfc86355e0bd41939d36f11956a340da434ded1f42b2c003968d
Instruction ID: e54beaa769b94aae3cb673a52a2b60ade73482c6e5d3d936cdc9b6ae13d51efd
Opcode Fuzzy Hash: 5b73a1a625f2cfc86355e0bd41939d36f11956a340da434ded1f42b2c003968d
Instruction Fuzzy Hash: 0B122870A0470CDFCF69DFA8C08A6DDBBF2FB44344F1091A9E816AB261D7759A19CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180016D3C Relevance: 6.6, Strings: 5, Instructions: 379COMMON

Download Yara Rule

Strings

JQ, xrefs: 0000000180016D72
x\J, xrefs: 00000001800171C3
k&(, xrefs: 0000000180017125
t, xrefs: 0000000180017275
v, xrefs: 00000001800170BE

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: JQ$k&($t$v$x\J
API String ID: 0-1134872184
Opcode ID: bdc050f96bf44494249bd4848307985b7cf3b13daba02c673abc667a99b0703a
Instruction ID: 7c1fd17b310acde7e359d6be57bcfb6c2dd011f2caef592e77d3cba241376f6b
Opcode Fuzzy Hash: bdc050f96bf44494249bd4848307985b7cf3b13daba02c673abc667a99b0703a
Instruction Fuzzy Hash: F312E0B0504709EFCB99DF28C18AADE7BF0FB48308F40812AF80A9B254D774DA58DB45

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000703C Relevance: 6.3, Strings: 5, Instructions: 87COMMON

Download Yara Rule

Strings

V, xrefs: 0000000180007053
?rIc, xrefs: 000000018000710E
L==, xrefs: 0000000180007159
)H8, xrefs: 000000018000709E
R, xrefs: 00000001800070D3

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: R$)H8$?rIc$L==$V
API String ID: 0-2512384441
Opcode ID: 0d280c2f9ee604a9d8763362a2e2c249d7a205bc5c068130deea404b5e8e02a7
Instruction ID: 6f6f9af97a41f07aad9f9d1cbd67af5334817a93c453241fb2a5d498ae2065c2
Opcode Fuzzy Hash: 0d280c2f9ee604a9d8763362a2e2c249d7a205bc5c068130deea404b5e8e02a7
Instruction Fuzzy Hash: 3541D0B090074E8BCF48CF64D49A5DE7FB0FB68398F20421DE856A6250D3B896A5CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800119A8 Relevance: 6.3, Strings: 5, Instructions: 63COMMON

Download Yara Rule

Strings

S, xrefs: 0000000180011A92
+, xrefs: 00000001800119DA
vird, xrefs: 00000001800119C2
bt, xrefs: 0000000180011A1E
Qq, xrefs: 0000000180011A84

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Qq$bt$vird$+$S
API String ID: 0-3373980505
Opcode ID: 46bb33aa035ecbbdf74cf68df8db4d7c020810c30b71dbb4fbdebc27907f7b4b
Instruction ID: 8c34661c01ca41a1498f33dadfb9b2381b3c020394efcb6cfebc1cbd8490f91c
Opcode Fuzzy Hash: 46bb33aa035ecbbdf74cf68df8db4d7c020810c30b71dbb4fbdebc27907f7b4b
Instruction Fuzzy Hash: 8831C2B081038A8FDB45CF64C88A5DE7BF0FB58358F115A19F869A6250D3B4D668CF81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA8C450 Relevance: 6.2, APIs: 4, Instructions: 152COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FF8CAA8C477
GetLocaleInfoA.KERNEL32 ref: 00007FF8CAA8C4AC
GetLocaleInfoA.KERNEL32 ref: 00007FF8CAA8C504
GetLocaleInfoA.KERNEL32 ref: 00007FF8CAA8C5F8

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: InfoLocale$_getptd
String ID:
API String ID: 1743167714-0
Opcode ID: b0fda2b9e43f1133ad190798799e4c2ffbba67a865a56d93994de7f284044248
Instruction ID: 97badf84113166edde47cfd4afbe17556b9fbcace560920ffb576de6078984bd
Opcode Fuzzy Hash: b0fda2b9e43f1133ad190798799e4c2ffbba67a865a56d93994de7f284044248
Instruction Fuzzy Hash: 2D616272B08786A7DA6C9E60F9563E9B351FB88785F10117AC71D87A90CF3CE4658B00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180011AD0 Relevance: 5.3, Strings: 4, Instructions: 335COMMON

Download Yara Rule

Strings

P9, xrefs: 0000000180011DC0
@, xrefs: 0000000180011F6B
V, xrefs: 0000000180011B81
^_", xrefs: 0000000180011D6E

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: V$@$P9$^_"
API String ID: 0-1880944046
Opcode ID: 6e4761af9cbbc7e56b0ebe3f2fd9ebbf1bb807a40d07775ef569cdf1f58d0d70
Instruction ID: ef3f81825b514374c5d287d432cdf068934c0dc0259921085eace1de493a05f6
Opcode Fuzzy Hash: 6e4761af9cbbc7e56b0ebe3f2fd9ebbf1bb807a40d07775ef569cdf1f58d0d70
Instruction Fuzzy Hash: B6F1DF70504749EFCB98CF28D18AACE7BE0FB48348F50812AF81A9B264D770DA59DB45

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800132F0 Relevance: 5.3, Strings: 4, Instructions: 312COMMON

Download Yara Rule

Strings

syG, xrefs: 000000018001339D
b/, xrefs: 000000018001347F
=_, xrefs: 00000001800136EB
F)k, xrefs: 000000018001336C

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: =_$F)k$b/$syG
API String ID: 0-3955183656
Opcode ID: 8e62bb2442717ef834bc9e0d2db0d031a8489eaa3450fb87a3fdc8a088d62545
Instruction ID: 3a63fdd7148b145f5d2717dabea2a2fa508061acbcc25a132c341bfe6e9ad30f
Opcode Fuzzy Hash: 8e62bb2442717ef834bc9e0d2db0d031a8489eaa3450fb87a3fdc8a088d62545
Instruction Fuzzy Hash: DED12771A0478D8BCF59DFA8C88A6EEBBB0FB48344F10421DE846A7650D7B4D909CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002D70 Relevance: 5.3, Strings: 4, Instructions: 266COMMON

Download Yara Rule

Strings

#X, xrefs: 0000000180002E74
iJ6, xrefs: 0000000180003091
vG, xrefs: 000000018000316F
'Xsa, xrefs: 0000000180002EA2

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #X$'Xsa$iJ6$vG
API String ID: 0-746338152
Opcode ID: 05ea12fd72043b3df7b90193803f13f9b9661e31632ee757fcd333ad07ef3f6f
Instruction ID: 8ba50615c78112980223cca8f04f1fa67c4b69ee5a809e4e0bd2b8ae6832a1bb
Opcode Fuzzy Hash: 05ea12fd72043b3df7b90193803f13f9b9661e31632ee757fcd333ad07ef3f6f
Instruction Fuzzy Hash: 93E154B590070DDFCB88DF68D19A9DD7BB9BB49308F404029FC0E9A264D3B4E919CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800097C0 Relevance: 5.3, Strings: 4, Instructions: 257COMMON

Download Yara Rule

Strings

MIC, xrefs: 0000000180009BF0
*i^, xrefs: 0000000180009A7A
-Z, xrefs: 0000000180009D06
]2, xrefs: 0000000180009CC2

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: *i^$MIC$-Z$]2
API String ID: 0-498664264
Opcode ID: db11ef6343568e39e87295be28a4fb69218d9fc865c563580501f4fd78a225ea
Instruction ID: 9792ecb135b2155067e966d5e38dbf4f409fde80c29e70d57d2078ebe1ce15c6
Opcode Fuzzy Hash: db11ef6343568e39e87295be28a4fb69218d9fc865c563580501f4fd78a225ea
Instruction Fuzzy Hash: 10E1C670109B888FDBF8DF64CC86BEB7BA5FB44346F10651DD84A8A290DBB46645CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180027F9C Relevance: 5.2, Strings: 4, Instructions: 237COMMON

Download Yara Rule

Strings

LsRW, xrefs: 000000018002820A
>97", xrefs: 0000000180028161
~x, xrefs: 0000000180028423
?, xrefs: 0000000180027FC1

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: >97"$?$LsRW$~x
API String ID: 0-2554301858
Opcode ID: b37088c51263af6e06ebf62d89f1bff1b13e76a95d3b3fa096a3ef4bda325288
Instruction ID: eb38a845d203af82144c13b3f151f5fa827cd0cb8678597ee03ac1a376820114
Opcode Fuzzy Hash: b37088c51263af6e06ebf62d89f1bff1b13e76a95d3b3fa096a3ef4bda325288
Instruction Fuzzy Hash: E1D1E7705067C8CBEBBADFA4D885BCD3BA8FB44744F106219EC4AEA250DB745749CB01

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180010758 Relevance: 5.2, Strings: 4, Instructions: 222COMMON

Download Yara Rule

Strings

_, xrefs: 0000000180010A56
QsF, xrefs: 0000000180010894
B, xrefs: 0000000180010AEC
EG, xrefs: 000000018001082C

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: B$EG$QsF$_
API String ID: 0-784369960
Opcode ID: 044ffeba6cf6caf628ab0d946c02a3f7d28cd574b6d4e2350068ec5c70ab2904
Instruction ID: 62dbbc71664ee0946fffbba3b71afe09b12d9ffe0d1744d6deb9db65ff0cd9cc
Opcode Fuzzy Hash: 044ffeba6cf6caf628ab0d946c02a3f7d28cd574b6d4e2350068ec5c70ab2904
Instruction Fuzzy Hash: 3FB1387010468D8FDF88DF28C88A6DA3FA1FB68388F614219FC4A97250C778D694CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180020334 Relevance: 5.2, Strings: 4, Instructions: 190COMMON

Download Yara Rule

Strings

-`G, xrefs: 00000001800206A2
., xrefs: 00000001800206DC
Z`35, xrefs: 00000001800205D3
5B.Y, xrefs: 000000018002045A

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: -`G$.$5B.Y$Z`35
API String ID: 0-1363032466
Opcode ID: bf60aa8e83620137796280cd5bd0e9d08ed9dd04dd302297e234b85e3718d0fd
Instruction ID: b244d414363a4385de25ad5610b22aaac7fb2f2c92cf8150697ad32e565f4bd8
Opcode Fuzzy Hash: bf60aa8e83620137796280cd5bd0e9d08ed9dd04dd302297e234b85e3718d0fd
Instruction Fuzzy Hash: 29A1FB716157888FEB7ADF24C89A7CE7BE1FB49308F40461DD98E8A250D7B49609CB42

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000EE98 Relevance: 5.2, Strings: 4, Instructions: 167COMMON

Download Yara Rule

Strings

#o, xrefs: 000000018000EFD8
WSh, xrefs: 000000018000EEF0
\O, xrefs: 000000018000F046
*+_, xrefs: 000000018000EF25

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: *+_$WSh$\O$#o
API String ID: 0-1846314129
Opcode ID: 2b55738af9202b4623c877c52658b874745984570bac3296ae94d1111b904a17
Instruction ID: 175ce4bc0e22c7a636d32034be2bbb8ad42f6b3cb6a748f64f507b7f0b29ed37
Opcode Fuzzy Hash: 2b55738af9202b4623c877c52658b874745984570bac3296ae94d1111b904a17
Instruction Fuzzy Hash: 1971167160474ECFCB98DF18C489ADA3BE1FB58318F414529FC09A7264DB74DAA8CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180024D80 Relevance: 5.2, Strings: 4, Instructions: 155COMMON

Download Yara Rule

Strings

\<, xrefs: 0000000180024E9B
M*K, xrefs: 0000000180024E36
.B, xrefs: 0000000180025032
O, xrefs: 0000000180024F9B

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: .B$O$M*K$\<
API String ID: 0-3225238681
Opcode ID: 97d1f14c936b4c6fd28126f9270f10017570076f2259e30e0790da2a5d8d89f7
Instruction ID: 95d2fbb8f7fe970b1359d27f41ccd6aad584115d4fee043204e0c0f4c3f3b287
Opcode Fuzzy Hash: 97d1f14c936b4c6fd28126f9270f10017570076f2259e30e0790da2a5d8d89f7
Instruction Fuzzy Hash: 7181E370549788CFEBBACF24C886BDE7BE4FB48744F20461DE85A8A260DB709645CF41

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002A42C Relevance: 5.1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

~O, xrefs: 000000018002A626
xVO, xrefs: 000000018002A587
$, xrefs: 000000018002A454
$, xrefs: 000000018002A477

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $$$$xVO$~O
API String ID: 0-3655128719
Opcode ID: f0a1fe130e7a88269555c94ae3afa6992adf671055acde803b367a0cf8dc4998
Instruction ID: 8f78542db34460f4381821bab2b7e4f68a699ed7f8b2fc47c959991f0b02677a
Opcode Fuzzy Hash: f0a1fe130e7a88269555c94ae3afa6992adf671055acde803b367a0cf8dc4998
Instruction Fuzzy Hash: 5B61D1B05187448FD369DF28C18965BBBF1FBC6744F008A1EF6868A260DB76D948CB47

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800024B8 Relevance: 5.1, Strings: 4, Instructions: 79COMMON

Download Yara Rule

Strings

l, xrefs: 0000000180002548
JMg, xrefs: 000000018000252F
,IW, xrefs: 0000000180002565
G, xrefs: 0000000180002557

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ,IW$G$JMg$l
API String ID: 0-1370644289
Opcode ID: aa199bcfabd2ca119bc867395ae2bb0b970833e8ef3f83c28db76f19b2a25dac
Instruction ID: 7fb8b97fd43ed4dc52a467cdcf5cca41e6e56dbc92574a5c866222c6b731b82a
Opcode Fuzzy Hash: aa199bcfabd2ca119bc867395ae2bb0b970833e8ef3f83c28db76f19b2a25dac
Instruction Fuzzy Hash: 0A41D3B190074E8FCB48CF64C88A5DE7FB0FB18358F10461EE85AA6250D7B89695CFC9

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA8AF70 Relevance: 4.9, APIs: 3, Instructions: 435COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF8CAA8B009
_errno.LIBCMT ref: 00007FF8CAA8B293
__tzset.LIBCMT ref: 00007FF8CAA8B489

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: _errno$__tzset
String ID:
API String ID: 3587134695-0
Opcode ID: 49cb08095e24ca39ac522c7ec604242f23efb3d68850c8b05a0144016971d7f9
Instruction ID: 3d43718950a11df4059b0f8a29660e93bc4c3f5e9497b679cc4d22afc0464f2d
Opcode Fuzzy Hash: 49cb08095e24ca39ac522c7ec604242f23efb3d68850c8b05a0144016971d7f9
Instruction Fuzzy Hash: E8025F32A0878286E7A88F69B0B213D27A1FF44BC1F64807AD74F47E95DE78E556C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA8FB6C Relevance: 4.6, APIs: 3, Instructions: 95COMMON

Download Yara Rule

APIs

_lock.LIBCMT ref: 00007FF8CAA8FB92
_errno.LIBCMT ref: 00007FF8CAA8FBA4

Part of subcall function 00007FF8CAA866D8: DecodePointer.KERNEL32 ref: 00007FF8CAA866FF

_errno.LIBCMT ref: 00007FF8CAA8FBF0

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: _errno$DecodePointer_lock
String ID:
API String ID: 2175075375-0
Opcode ID: 67eb2a1810ee8ae3a6f200ab40374a5628c10f79bc737fdb0890b88123cf569c
Instruction ID: 0bfcc1f18e9f0ab792a239751b8f132926a31456922a29933660ed69fb8a06af
Opcode Fuzzy Hash: 67eb2a1810ee8ae3a6f200ab40374a5628c10f79bc737fdb0890b88123cf569c
Instruction Fuzzy Hash: F231BE61B0C74342FB66AE65B57737E6191AF587C4F0440B4EE4D87E8AEE2CE8028300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA8D318 Relevance: 4.5, APIs: 3, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF8CAA8D357
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF8CAA8D39D
UnhandledExceptionFilter.KERNEL32 ref: 00007FF8CAA8D3A8

Part of subcall function 00007FF8CAA86F0C: GetModuleFileNameA.KERNEL32(?,?,?,?,?,00007FF8CAA87194,?,?,?,?,00007FF8CAA86C69,?,?,00000000,00007FF8CAA830C0), ref: 00007FF8CAA86FCF

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextFileModuleName
String ID:
API String ID: 2731829486-0
Opcode ID: 593c6449df1015ae3e331ed563d16e9abc9156b94907c07056c7b3d83921dabb
Instruction ID: f004df7295815c77e340802d6994f232f9daf0c47efcbdbf889c96e90f8d6be0
Opcode Fuzzy Hash: 593c6449df1015ae3e331ed563d16e9abc9156b94907c07056c7b3d83921dabb
Instruction Fuzzy Hash: 99119125A28B4642E7649F20F8763BA63A1FF85380F440179E58D03FA5DF3DE806CB01

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001496C Relevance: 4.2, Strings: 3, Instructions: 493COMMON

Download Yara Rule

Strings

5F, xrefs: 0000000180014AA5
S^r, xrefs: 0000000180014FB9
*4, xrefs: 0000000180014A1B

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: *4$5F$S^r
API String ID: 0-3556444313
Opcode ID: 32f12f089b8a2f529f06453d9d247e753f5514636137a2d7872eb14875660eb0
Instruction ID: 3ee7e47d854a132278560872cba22db18b0762c6b33e49020313469b2ebed1ad
Opcode Fuzzy Hash: 32f12f089b8a2f529f06453d9d247e753f5514636137a2d7872eb14875660eb0
Instruction Fuzzy Hash: 5542F87154478C8BDBB8CF28C88D7DE7BE0FB54344F20461DE9AA8A261DBB49685CF41

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001BB04 Relevance: 4.0, Strings: 3, Instructions: 286COMMON

Download Yara Rule

Strings

&lz2, xrefs: 000000018001BE19
<x<, xrefs: 000000018001BED4
'~W, xrefs: 000000018001BEA8

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: &lz2$'~W$<x<
API String ID: 0-2268522332
Opcode ID: d353bb3380a978666a479ee450a37b931469c1cc25af52acd29372fd61dce81c
Instruction ID: 36e71a14450f7168630c03d0025ff7d4b6ed06a40f4a953d8196177a15a51c97
Opcode Fuzzy Hash: d353bb3380a978666a479ee450a37b931469c1cc25af52acd29372fd61dce81c
Instruction Fuzzy Hash: 47E10574A14B0C8BDB69DFB8D04A6CDBBF2FB54344F20411DE80AAB292D7B49519CF85

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000BDD0 Relevance: 4.0, Strings: 3, Instructions: 262COMMON

Download Yara Rule

Strings

{Fl&, xrefs: 000000018000C123
o6., xrefs: 000000018000BFE9
s8Q, xrefs: 000000018000C31F

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: o6.$s8Q${Fl&
API String ID: 0-2665016659
Opcode ID: 511a0316ce8a18d61ca04810737b4ff370b750d3f2d96c2fe29b5a7c249dfd58
Instruction ID: 345269621f88c341702fdf3610a73dbdf39058324611beb6fba665c489d4de0b
Opcode Fuzzy Hash: 511a0316ce8a18d61ca04810737b4ff370b750d3f2d96c2fe29b5a7c249dfd58
Instruction Fuzzy Hash: 48E1D7705087C88BDBFEDF64C88A7DA7BACFB44708F105219EA4A8E258DB745749CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180020768 Relevance: 4.0, Strings: 3, Instructions: 260COMMON

Download Yara Rule

Strings

T]0, xrefs: 00000001800209FC
ba^2, xrefs: 0000000180020A27
$, xrefs: 0000000180020AED

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $$T]0$ba^2
API String ID: 0-1276948933
Opcode ID: 50dab8274baf4b038fc4b99f186c2c7516c76bbdb2714b9ce32fb6facc3b6c7a
Instruction ID: eef8b44dd2583dc88dd368a4c81b8d58a3d6fa2c6a2b719c97d70d037daa09dd
Opcode Fuzzy Hash: 50dab8274baf4b038fc4b99f186c2c7516c76bbdb2714b9ce32fb6facc3b6c7a
Instruction Fuzzy Hash: 1CD11470510748DBCB99CF24C88AADD7FB1FB483A8FA42219FD06A7260C775D984CB85

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001D49C Relevance: 4.0, Strings: 3, Instructions: 228COMMON

Download Yara Rule

Strings

EDO, xrefs: 000000018001D752
V , xrefs: 000000018001D544
6w5*, xrefs: 000000018001D7AF

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 6w5*$EDO$V
API String ID: 0-1640223502
Opcode ID: 944acd662e311639990576df567dfaf1aeae203cd7960374855798ea7e62004e
Instruction ID: 2aad62a72125add12bf3ce521e9508149cfd3cbf44ea5784fb3c25a9d2cdfef8
Opcode Fuzzy Hash: 944acd662e311639990576df567dfaf1aeae203cd7960374855798ea7e62004e
Instruction Fuzzy Hash: 07B1E67160560ECFCB88DF28C5866DE3BE0FB48318F41422AF90AA7354D774DA68CB85

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000A6EC Relevance: 4.0, Strings: 3, Instructions: 212COMMON

Download Yara Rule

Strings

Y(), xrefs: 000000018000A773
i_"o, xrefs: 000000018000AB62
|Y, xrefs: 000000018000AB17

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Y()$i_"o$|Y
API String ID: 0-942011364
Opcode ID: 99e19844c70b9c0f3275fee4d9e8598d8799ff7d5c60b779fef480da3ab0ff5c
Instruction ID: 0f698cdcb9f5af38e2ff44253ec0ac71ef144d8643f40abc7fb7ff20982184b6
Opcode Fuzzy Hash: 99e19844c70b9c0f3275fee4d9e8598d8799ff7d5c60b779fef480da3ab0ff5c
Instruction Fuzzy Hash: 5AC1F7706083889FDBBEDF28C8857CA7BA9FB46708F504519EDC98E254DB745744CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180017378 Relevance: 3.9, Strings: 3, Instructions: 183COMMON

Download Yara Rule

Strings

,G, xrefs: 000000018001749E
O), xrefs: 0000000180017436
-, xrefs: 00000001800174FF

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: O)$,G$-
API String ID: 0-23008916
Opcode ID: 382f6eb2118395d632dba3a2cf122cd3a475215dc83456f13dd86c7c3519a1e5
Instruction ID: 8302e34eee3504d26b36c965fbed976e69713b67a0f5c478fb5ffa9ec871fbb1
Opcode Fuzzy Hash: 382f6eb2118395d632dba3a2cf122cd3a475215dc83456f13dd86c7c3519a1e5
Instruction Fuzzy Hash: 6E81F7705106499BCF88DF28C8D6ADD7FB1FB483A8F956219FD0AA6250C774D885CB84

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000A270 Relevance: 3.9, Strings: 3, Instructions: 158COMMON

Download Yara Rule

Strings

Q#, xrefs: 000000018000A498
L, xrefs: 000000018000A3C5
;U[, xrefs: 000000018000A476

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ;U[$L$Q#
API String ID: 0-2933747092
Opcode ID: 48c80cf55519f04e9394a4cd7563c786fdb29e452e8ba8fdd2d4b1674bf817ce
Instruction ID: c6ef39cbec2f0f72f24e8f037401308b0178ea645a608ff4f3f67d7bb634a9bb
Opcode Fuzzy Hash: 48c80cf55519f04e9394a4cd7563c786fdb29e452e8ba8fdd2d4b1674bf817ce
Instruction Fuzzy Hash: 0B614E70A0870CAFDB48DF94C14AADDBBF2FB54344F0081A9E806AB251D7B59B59CB85

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001DFB4 Relevance: 3.9, Strings: 3, Instructions: 144COMMON

Download Yara Rule

Strings

<:*, xrefs: 000000018001E0BA
qwX, xrefs: 000000018001E11A
5(, xrefs: 000000018001E16D

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 5($<:*$qwX
API String ID: 0-3944236288
Opcode ID: 3ff6daddd3fc5570497b4afa6ac41a8054238f95a4c1d79c70cc8b829639e233
Instruction ID: 7f83292775578326f1885df61e48a3f2c5c3ff73894a37d4b388f2926162ec41
Opcode Fuzzy Hash: 3ff6daddd3fc5570497b4afa6ac41a8054238f95a4c1d79c70cc8b829639e233
Instruction Fuzzy Hash: 5B71067015878CDBEBBADF24C8897DD3BB0FB49344F90861AE84E8A250CF74574A9B41

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001C05C Relevance: 3.9, Strings: 3, Instructions: 135COMMON

Download Yara Rule

Strings

s`~, xrefs: 000000018001C1CE
v;, xrefs: 000000018001C13F
79&, xrefs: 000000018001C10D

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 79&$s`~$v;
API String ID: 0-3844292866
Opcode ID: beca5e7b89ed182e00fd219d55149b62bdd99575566975f419d1c5ca8939f9e6
Instruction ID: c39f2861ae99e8b3f2b4a79ea52bf03a0f7a6e48d35fb935a0be7420e121cddb
Opcode Fuzzy Hash: beca5e7b89ed182e00fd219d55149b62bdd99575566975f419d1c5ca8939f9e6
Instruction Fuzzy Hash: 9B61397110478CAFDBFA9E58CC85BDD37A0FB48348F508229E9098B290DF749B4D9B46

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000551C Relevance: 3.9, Strings: 3, Instructions: 127COMMON

Download Yara Rule

Strings

1_, xrefs: 000000018000579C
ac, xrefs: 0000000180005543
wQ_, xrefs: 000000018000561A

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: wQ_$1_$ac
API String ID: 0-1037425278
Opcode ID: 943c7c2c61714b72029a8fd813d6c42c5c92d180aed6d879ae2838ea4b2e708e
Instruction ID: 5ab913ef515fd25bf7fc04ce61f78e9cde1e7d2fd73709943c0f3a5cbb59c84a
Opcode Fuzzy Hash: 943c7c2c61714b72029a8fd813d6c42c5c92d180aed6d879ae2838ea4b2e708e
Instruction Fuzzy Hash: 1D612B7010978C8BDBF8CF54DC997EA3BA6FB54345F208519E84E8A270DB74968CCB42

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180023831 Relevance: 3.9, Strings: 3, Instructions: 108COMMON

Download Yara Rule

Strings

)K, xrefs: 000000018002390F
|1-, xrefs: 00000001800238AE
U|, xrefs: 0000000180023A9A

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: )K$U|$|1-
API String ID: 0-2543966960
Opcode ID: 5f28dff232c1c58b23d465856644a80aed22efa063cacd8378c131e5813de89a
Instruction ID: 8eb6a9a016547b1518e90ac2546dd564535e4ecbba9ac8d240a0a1c3e9042cf5
Opcode Fuzzy Hash: 5f28dff232c1c58b23d465856644a80aed22efa063cacd8378c131e5813de89a
Instruction Fuzzy Hash: 1151D57160438CAFDBF6CE64D8857CA37A0AB06354F608129A89D8A291DBB4578DCB02

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180029368 Relevance: 3.9, Strings: 3, Instructions: 105COMMON

Download Yara Rule

Strings

H~z, xrefs: 00000001800294EE
6|, xrefs: 0000000180029474
6`d, xrefs: 0000000180029414

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 6|$6`d$H~z
API String ID: 0-1702722476
Opcode ID: 6487df39d46446a395b722702bbc9accbfbbf10f6bdf8a05bf21e92dd4d708c3
Instruction ID: dff368548e7284a50638b46c1e9eca52edd1bdea535486c94ebb7356abcac70e
Opcode Fuzzy Hash: 6487df39d46446a395b722702bbc9accbfbbf10f6bdf8a05bf21e92dd4d708c3
Instruction Fuzzy Hash: C351F37190074DDFCF48DFA4D98A5DEBBB0FB48308F118659E89AA7260C7B89A44CF45

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180019618 Relevance: 3.8, Strings: 3, Instructions: 92COMMON

Download Yara Rule

Strings

d~, xrefs: 0000000180019780
`5, xrefs: 0000000180019696
t>, xrefs: 0000000180019652

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: d~$`5$t>
API String ID: 0-1282322184
Opcode ID: 5ab2e5105061d0cdd7dd2083328b31dc67734e2d6c9a8d2650bd0306db7847c6
Instruction ID: 2b9aad7a7c3990d0f54026c4e2bc5a00c5a3c031faa8fbf8ed0394cc09118e70
Opcode Fuzzy Hash: 5ab2e5105061d0cdd7dd2083328b31dc67734e2d6c9a8d2650bd0306db7847c6
Instruction Fuzzy Hash: 9141B2B190078ECBCF48DFA8C88A1DE7BB0FB58358F104A19E965A6250D3B49664CF84

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000BB28 Relevance: 3.8, Strings: 3, Instructions: 91COMMON

Download Yara Rule

Strings

#St, xrefs: 000000018000BC5D
hmn, xrefs: 000000018000BC20
JYr, xrefs: 000000018000BB50

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #St$JYr$hmn
API String ID: 0-1556749129
Opcode ID: 8c5881788024da3e2945e5a9e10c631b66cff36ab1256063138a18bf82cfdc40
Instruction ID: 771f7f328e054501a5ac5c786693eba7885e85f29817745d48b7f08549072e32
Opcode Fuzzy Hash: 8c5881788024da3e2945e5a9e10c631b66cff36ab1256063138a18bf82cfdc40
Instruction Fuzzy Hash: 9141A2B590038E8FCF48CF68C9865DF7BB0FB58358F104A19E866A6250D3B8D665CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002610 Relevance: 3.8, Strings: 3, Instructions: 87COMMON

Download Yara Rule

Strings

K, xrefs: 000000018000261C
W}, xrefs: 0000000180002698
TGA, xrefs: 00000001800026C3

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: TGA$K$W}
API String ID: 0-588348707
Opcode ID: 6f9a2f9587d8e5dd3523940eb2aee6104e1c9ad2b61c16d7289d24ecd03a1c44
Instruction ID: 925d7415f36b0b7642ffd9188936a5d9ffa2c4cac62ef92b2c466baf2dc1674c
Opcode Fuzzy Hash: 6f9a2f9587d8e5dd3523940eb2aee6104e1c9ad2b61c16d7289d24ecd03a1c44
Instruction Fuzzy Hash: E041C2B480038E8FCB88DF68D8865DE7BB0FB58358F10461DF82AA6254D3B49664CF95

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000738C Relevance: 3.8, Strings: 3, Instructions: 86COMMON

Download Yara Rule

Strings

:1,, xrefs: 0000000180007470
{C=, xrefs: 0000000180007424
@H, xrefs: 00000001800074B7

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: :1,$@H${C=
API String ID: 0-2737386091
Opcode ID: 644fe5c2a8aa80c3bc0818b82038798635fbfb77325ece216352586eb067b324
Instruction ID: ceb57f34bb3f34c1ea772447f295c080a735f780389ac7edd693abfe49cb3e58
Opcode Fuzzy Hash: 644fe5c2a8aa80c3bc0818b82038798635fbfb77325ece216352586eb067b324
Instruction Fuzzy Hash: B641E6B090078E8FCF48DF68C98A5DE7BB0FB58348F104A1DE856A6250D3B4D665CF95

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001481C Relevance: 3.8, Strings: 3, Instructions: 74COMMON

Download Yara Rule

Strings

q<C, xrefs: 000000018001491B
prP, xrefs: 00000001800148D3
uL , xrefs: 00000001800148B7

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: prP$q<C$uL
API String ID: 0-1414207395
Opcode ID: 2ae9b2111e30b1203ae6799d8d29bbb45b968934521661f86bb08c7d67e7e9b2
Instruction ID: cc3a3a13117e67edb5dc9e3fadb8c1066889dae633948d8cd9104a976a047d4b
Opcode Fuzzy Hash: 2ae9b2111e30b1203ae6799d8d29bbb45b968934521661f86bb08c7d67e7e9b2
Instruction Fuzzy Hash: 1031B1B180434E9FCB48DF68C88A5DE7FB0FB58358F10961DE85AA6260D3789695CFC4

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180006458 Relevance: 3.8, Strings: 3, Instructions: 61COMMON

Download Yara Rule

Strings

(R', xrefs: 00000001800064CE
:00D, xrefs: 00000001800064D2
Kl, xrefs: 0000000180006524

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: :00D$Kl$(R'
API String ID: 0-3661897330
Opcode ID: 85d3200e76e47dbb67993755bb0ce797b19f94abe7489bd39968e35e8c3a1c76
Instruction ID: 113703a4c5f13be184801d5493027e38acd6d1afb500234bb699672912ccf9eb
Opcode Fuzzy Hash: 85d3200e76e47dbb67993755bb0ce797b19f94abe7489bd39968e35e8c3a1c76
Instruction Fuzzy Hash: CA216F74618B848BD74CDF28C46551EBBE1BB8C718F440B1DF4CAAA354D778D6058B4A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA85944 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FF8CAA8597E

Part of subcall function 00007FF8CAA87FBC: _errno.LIBCMT ref: 00007FF8CAA87FD4

Part of subcall function 00007FF8CAA86550: RtlCaptureContext.KERNEL32 ref: 00007FF8CAA8658F
Part of subcall function 00007FF8CAA86550: IsDebuggerPresent.KERNEL32 ref: 00007FF8CAA8662D
Part of subcall function 00007FF8CAA86550: SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF8CAA86637
Part of subcall function 00007FF8CAA86550: UnhandledExceptionFilter.KERNEL32 ref: 00007FF8CAA86642
Part of subcall function 00007FF8CAA86550: GetCurrentProcess.KERNEL32 ref: 00007FF8CAA86658
Part of subcall function 00007FF8CAA86550: TerminateProcess.KERNEL32 ref: 00007FF8CAA86666

Strings

C, xrefs: 00007FF8CAA859CC

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerPresentTerminate_errno_getptd
String ID: C
API String ID: 1583075380-1037565863
Opcode ID: 10b8f8e64b2f2c6b57eebdc268e2529a4342badfac4ad9c6369cf06c32040822
Instruction ID: e1990fb8bfc0b8fcb2da31be18de216aee52e5075953184be99ea9ed8512ab84
Opcode Fuzzy Hash: 10b8f8e64b2f2c6b57eebdc268e2529a4342badfac4ad9c6369cf06c32040822
Instruction Fuzzy Hash: 8C517122A1878341FB649F22B56A7BAA790FF94BC8F4480B5DE4D47E89DE3DD406C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA8C6E4 Relevance: 3.1, APIs: 2, Instructions: 64COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FF8CAA8C706
GetLocaleInfoA.KERNEL32 ref: 00007FF8CAA8C73B

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: InfoLocale_getptd
String ID:
API String ID: 3731964398-0
Opcode ID: 3ee99f9ceacccca0b475531418f3f0bad8631950249c9606f8709888dfed1ca9
Instruction ID: 9de6323a732c78a93e62f1684768715790d2de39ee170f91f86b065d503dd5dc
Opcode Fuzzy Hash: 3ee99f9ceacccca0b475531418f3f0bad8631950249c9606f8709888dfed1ca9
Instruction Fuzzy Hash: 2C213E32B0878296EB689F25F9663E973A0FB88785F044175C71D87A95DF3CE4658B00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA8C2B4 Relevance: 3.1, APIs: 2, Instructions: 56COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FF8CAA8C2DB
GetLocaleInfoA.KERNEL32 ref: 00007FF8CAA8C310

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: InfoLocale_getptd
String ID:
API String ID: 3731964398-0
Opcode ID: d1cd7d40a2314de2c6ade98052514a7069188fc7bc8d66beba22a864349849c0
Instruction ID: 97c94c8d4b11da7f92d3eb521dcf4fdf8f865f3d084ed3a66b48ede838677b71
Opcode Fuzzy Hash: d1cd7d40a2314de2c6ade98052514a7069188fc7bc8d66beba22a864349849c0
Instruction Fuzzy Hash: 0F216A32A0878196EB288F60F8563AAB3A1FB88B84F444175DA5D87B54DF3CE556CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800264F0 Relevance: 2.8, Strings: 2, Instructions: 299COMMON

Download Yara Rule

Strings

Y}, xrefs: 00000001800265BF
$, xrefs: 000000018002686D

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $$Y}
API String ID: 0-941771097
Opcode ID: ccf5b1dce74faba3fe2a090267a66303c79afc7ef0f7a8852e8ee526979540e5
Instruction ID: b5fbb9b8d69d65623167db00d7c984f611664f17b2ba8ffe1295fa2c65075a94
Opcode Fuzzy Hash: ccf5b1dce74faba3fe2a090267a66303c79afc7ef0f7a8852e8ee526979540e5
Instruction Fuzzy Hash: BFD11771D0475C8BDBA9CFA4C58A6DDBBB0FF48304F14812ED406AA664DBB4A94ACF41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180018148 Relevance: 2.8, Strings: 2, Instructions: 273COMMON

Download Yara Rule

Strings

?C, xrefs: 000000018001823C
7;}~, xrefs: 000000018001830E

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 7;}~$?C
API String ID: 0-2633536567
Opcode ID: 9e9477893eee9c26855422b11b358c2b9c7e89ea64d6e27a9c9a45e4b3e49bc9
Instruction ID: 4ff8dde17651611a765cac66b1fbb421dc2d9ab68fb3aea537ff971927bbf4a2
Opcode Fuzzy Hash: 9e9477893eee9c26855422b11b358c2b9c7e89ea64d6e27a9c9a45e4b3e49bc9
Instruction Fuzzy Hash: 78D1157090074CEBCB98DF28C8CA6DD7FA0FF443A4FA06119FA5696250D7719989CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180025DAC Relevance: 2.8, Strings: 2, Instructions: 272COMMON

Download Yara Rule

Strings

5"*, xrefs: 0000000180025E9D
Wu, xrefs: 0000000180026174

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 5"*$Wu
API String ID: 0-3407213400
Opcode ID: 590a19696181e1204ae7455af11f8a1d001dcd1a3fed74675f5c17178e0ac61d
Instruction ID: 3c96fdf1381a0958c8520d7d71fe6f2c88625533ee613de06fa48a87f48c4e54
Opcode Fuzzy Hash: 590a19696181e1204ae7455af11f8a1d001dcd1a3fed74675f5c17178e0ac61d
Instruction Fuzzy Hash: C5D1347150160CDBCBA9DF38C0896D93BE1FF68314F606229FC26962A6C770D998CB45

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180026B10 Relevance: 2.8, Strings: 2, Instructions: 257COMMON

Download Yara Rule

Strings

F/|, xrefs: 0000000180026ECB
]M, xrefs: 0000000180026CA3

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: F/|$]M
API String ID: 0-4182351379
Opcode ID: 6ca5dc36d9275e72bb52b2201a87e4efd5e3077112f043bed35ba482a866e2ca
Instruction ID: a7a3ffa63f459c2793369717af269d13be5e973408dad35b7fec4159c22d1286
Opcode Fuzzy Hash: 6ca5dc36d9275e72bb52b2201a87e4efd5e3077112f043bed35ba482a866e2ca
Instruction Fuzzy Hash: 93C1FC7590574CCFDBAACF28C4896DA3BE4FF18348F104129FC1A96262C778E959CB46

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180021C3C Relevance: 2.7, Strings: 2, Instructions: 216COMMON

Download Yara Rule

Strings

;SH, xrefs: 0000000180021D77
nK, xrefs: 0000000180021D5B

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ;SH$nK
API String ID: 0-1681473137
Opcode ID: 60009ad1e2a9263792ce168a39eeae7aea84bb316664056338e5cad3c2547986
Instruction ID: 2d779165796623b26e7721dc1da123eca1e5f2af18f65828867eec0b4a65172d
Opcode Fuzzy Hash: 60009ad1e2a9263792ce168a39eeae7aea84bb316664056338e5cad3c2547986
Instruction Fuzzy Hash: A4A1F6B1D047188FDB69DFA9C8896DDBBF0FB58308F20821DE456AB252DB70A945CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800014F8 Relevance: 2.7, Strings: 2, Instructions: 185COMMON

Download Yara Rule

Strings

z, xrefs: 000000018000150B
,, xrefs: 0000000180001690

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ,$z
API String ID: 0-3532108746
Opcode ID: dc10c8488ddee61f5c5f049ba36fdd234a8a1d33d2b4922d6dc47400662f32e6
Instruction ID: 22c424daf7001e4089cf159549a6bd5e686fa177ee3286ce9bb9aa7af20863be
Opcode Fuzzy Hash: dc10c8488ddee61f5c5f049ba36fdd234a8a1d33d2b4922d6dc47400662f32e6
Instruction Fuzzy Hash: D8813B7050064ECFDB99CF28C8967DE3BA0FB58388F214219FC469A251D778DA99CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001A460 Relevance: 2.7, Strings: 2, Instructions: 182COMMON

Download Yara Rule

Strings

g/?, xrefs: 000000018001A61B
~l;, xrefs: 000000018001A543

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: g/?$~l;
API String ID: 0-1448562259
Opcode ID: d2040acbbcff242154b89f912e397b4bdfd0b20ea052fb69228554049ff3a845
Instruction ID: 3fbc9289fec6fa85948f8c66d04cee19a314a674a1b98c47510047b5f8856774
Opcode Fuzzy Hash: d2040acbbcff242154b89f912e397b4bdfd0b20ea052fb69228554049ff3a845
Instruction Fuzzy Hash: BD912570D0871C8BDF98CFA8D4896DEBBF0FB48314F108119E815B6261D7788A49CF69

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000F128 Relevance: 2.7, Strings: 2, Instructions: 173COMMON

Download Yara Rule

Strings

S, xrefs: 000000018000F363
JM, xrefs: 000000018000F3F0

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: JM$S
API String ID: 0-422059844
Opcode ID: 17c06aff4c9a8785a284e06d6c25610082a70a687229394e7dafcb554760f06a
Instruction ID: 18b4f90d7ab76b898621194cab333307634bf3b6742180ea4845374ffda8c285
Opcode Fuzzy Hash: 17c06aff4c9a8785a284e06d6c25610082a70a687229394e7dafcb554760f06a
Instruction Fuzzy Hash: 58813B715047888BDBB8DF34C8863D93BE1FB54348F60821DEC9ACA262DB74954ADB81

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000671C Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

sT>, xrefs: 000000018000694E
\4t, xrefs: 000000018000678D

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: \4t$sT>
API String ID: 0-514966222
Opcode ID: bb5024ce5ec3974a1f347232039341d65ca55b368bc4e02a847ae3966b55dd21
Instruction ID: befa5a9d8a747e28c49f4c6f85c9bef8e8333281f143cc702ee02b151a4c5a7a
Opcode Fuzzy Hash: bb5024ce5ec3974a1f347232039341d65ca55b368bc4e02a847ae3966b55dd21
Instruction Fuzzy Hash: 689178B550070DCFDB98CF28C18A59E3BE8FB49318F40412AFC1E9A264E7B4E519CB46

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800075D4 Relevance: 2.7, Strings: 2, Instructions: 155COMMON

Download Yara Rule

Strings

lh, xrefs: 0000000180007774
6 zT, xrefs: 000000018000776A

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 6 zT$lh
API String ID: 0-3667112246
Opcode ID: 3243651aebf4cc17f9c3ac19081b739ce8b4ee13b4845d7785784d3dcbf37647
Instruction ID: 045a3dc0dd112cd33074149f38d13d5bd37ef25ad135160f9863638738ef0602
Opcode Fuzzy Hash: 3243651aebf4cc17f9c3ac19081b739ce8b4ee13b4845d7785784d3dcbf37647
Instruction Fuzzy Hash: 27811A7050478C8FDBBADF64C8AA7CA7BB0FB59304F504219EA4D8A261DB749749CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800248A8 Relevance: 2.6, Strings: 2, Instructions: 143COMMON

Download Yara Rule

Strings

t<p, xrefs: 00000001800249FD
2Q', xrefs: 0000000180024A93

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 2Q'$t<p
API String ID: 0-2959822804
Opcode ID: b2351d3b708b15bcd3604af59b95d6174f592116e14d9e00cc8b524fb472ed52
Instruction ID: a41fe1ae69e2ef788ca0c35fa62602b5835247be5e9f8fb85ac316e89f41683a
Opcode Fuzzy Hash: b2351d3b708b15bcd3604af59b95d6174f592116e14d9e00cc8b524fb472ed52
Instruction Fuzzy Hash: 30612671D0074E8BDF99DFA9C44A6EEBBB0FB58344F208119E415B7250CB788A49CF92

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180012F28 Relevance: 2.6, Strings: 2, Instructions: 136COMMON

Download Yara Rule

Strings

95s, xrefs: 00000001800130A8
\`s, xrefs: 000000018001308C

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 95s$\`s
API String ID: 0-3495284040
Opcode ID: 588b54260dd6ab6c7a0d8fdad9ba33054619fea491f2d0c2f65b47850ec72611
Instruction ID: 5af2ad2f129eee824c5b1b43ddda8a3f0e9306f12771263eefccbe9bdf0da5be
Opcode Fuzzy Hash: 588b54260dd6ab6c7a0d8fdad9ba33054619fea491f2d0c2f65b47850ec72611
Instruction Fuzzy Hash: 1351D47011478A8BCB48DF28C896ADE3FA1FB58348F114618FC668B264C7B4E665CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001AAB8 Relevance: 2.6, Strings: 2, Instructions: 131COMMON

Download Yara Rule

Strings

3*, xrefs: 000000018001AB25
qMu, xrefs: 000000018001AB45

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 3*$qMu
API String ID: 0-4093015089
Opcode ID: 99b9b50685954fc4be39463e85dd78448f0e0771904def200121889666665086
Instruction ID: 306475205ddf6f42a3ecfe0a1797163739854d195c0d735865f936de0d0f8307
Opcode Fuzzy Hash: 99b9b50685954fc4be39463e85dd78448f0e0771904def200121889666665086
Instruction Fuzzy Hash: 445122B09147189BCB88CFA8E4CA9CDBBF1FF48354F609119F806A7255DB709984CF95

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002C904 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

#X, xrefs: 000000018002C99B
"n&E, xrefs: 000000018002C9F6

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #X$"n&E
API String ID: 0-1188898577
Opcode ID: 718f7bd1d94c81876eaad6eeab3da3c9f3f95e6ba8e740bb3013068cec68a803
Instruction ID: 5f040a851564d75eb680569e00f78a68740ad3a482e782991b4ea7036c242a73
Opcode Fuzzy Hash: 718f7bd1d94c81876eaad6eeab3da3c9f3f95e6ba8e740bb3013068cec68a803
Instruction Fuzzy Hash: 3851CEB190038E8FCB48DF68D8865DE7BB1FB48344F018A1DE866AB250D7B4D665CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800176B8 Relevance: 2.6, Strings: 2, Instructions: 102COMMON

Download Yara Rule

Strings

Bw~, xrefs: 0000000180017803
fy, xrefs: 00000001800176C4

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Bw~$fy
API String ID: 0-1663007907
Opcode ID: e7fa569085818704a3ff5c3485105d547b9a4184ddd82cedce935b50235ecc40
Instruction ID: 54d1d0e0fa6abfe6c6c31828b0edda1727153ea8c56c584fcf89706de6b20d2b
Opcode Fuzzy Hash: e7fa569085818704a3ff5c3485105d547b9a4184ddd82cedce935b50235ecc40
Instruction Fuzzy Hash: FC51D2B090038A8FCB48CF64C88A5DE7FB1FB48348F51861DFC26AA250D3B4D664CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180013150 Relevance: 2.6, Strings: 2, Instructions: 100COMMON

Download Yara Rule

Strings

XyLe, xrefs: 0000000180013245
/0, xrefs: 00000001800131B1

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: /0$XyLe
API String ID: 0-3562702181
Opcode ID: fef052e2a4848d8a0e8164d690a85092e4079079a61ad40d2a1be71e95784dc9
Instruction ID: 167cd3e3c855d70dfa0c36df1993a56b415187eb75226b1b3cef09056e291559
Opcode Fuzzy Hash: fef052e2a4848d8a0e8164d690a85092e4079079a61ad40d2a1be71e95784dc9
Instruction Fuzzy Hash: 5751C2B090034E8FDB48DF68C49A5DE7FB0FB68398F20421DE856A6250D37496A4CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800190D4 Relevance: 2.6, Strings: 2, Instructions: 93COMMON

Download Yara Rule

Strings

>I, xrefs: 000000018001910D
>I, xrefs: 00000001800191E1

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: >I$>I
API String ID: 0-3948471910
Opcode ID: d02b05b08f34d440a9e97d41a427d6483b203c28eb04f5a8f30793fc226f53c2
Instruction ID: a225938552342fdcd3306cc52f41137c6a5b776406488479516cfafb05d577e3
Opcode Fuzzy Hash: d02b05b08f34d440a9e97d41a427d6483b203c28eb04f5a8f30793fc226f53c2
Instruction Fuzzy Hash: 8D41F0B0909B849BC788DF68C18A90AFBE0FBD8704F505A1DF5858B660DBB4D806CF42

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001DA80 Relevance: 2.6, Strings: 2, Instructions: 86COMMON

Download Yara Rule

Strings

}i#c, xrefs: 000000018001DB7A
{H2}, xrefs: 000000018001DB0E

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: {H2}$}i#c
API String ID: 0-1724349491
Opcode ID: 636373f8d11797f15735a76cf3eff043eb60bc28cc3023d18146d874f48b2676
Instruction ID: 37d5b784c44c013357b808598ceb46bd6ed98c7a9730d3ab63b6bf10ba55f6e5
Opcode Fuzzy Hash: 636373f8d11797f15735a76cf3eff043eb60bc28cc3023d18146d874f48b2676
Instruction Fuzzy Hash: 3941EAB190078A8BCF48CF68C89A1DE7BB1FB58358F11461DE866A6250D3B49664CF85

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800269B0 Relevance: 2.6, Strings: 2, Instructions: 82COMMON

Download Yara Rule

Strings

so, xrefs: 0000000180026A7A
4V, xrefs: 0000000180026AB2

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 4V$so
API String ID: 0-1060102820
Opcode ID: d1e906d6139717c906ceb034d8d33f13f0a3d2bdb8d940195440e7af4bdcba37
Instruction ID: d444a7ea2620fcfa6eb466004a6e01db215641729881944e94261e2193751ac2
Opcode Fuzzy Hash: d1e906d6139717c906ceb034d8d33f13f0a3d2bdb8d940195440e7af4bdcba37
Instruction Fuzzy Hash: 8E41BEB180034A8FCB48CF64C88A5DE7FB1FB68398F104619E859A6250D3B4D6A5CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800296EC Relevance: 2.6, Strings: 2, Instructions: 78COMMON

Download Yara Rule

Strings

F+', xrefs: 000000018002985C
O$, xrefs: 000000018002973D

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: F+'$O$
API String ID: 0-4064122715
Opcode ID: 65d5816d26685df18d8fe2bf41853c6ad5a30473c75acd7588c5af8b031b1464
Instruction ID: be1e2e71df6ebfdb4da32f29d75cc371dd40c0bd5c05f395d23934970efaee37
Opcode Fuzzy Hash: 65d5816d26685df18d8fe2bf41853c6ad5a30473c75acd7588c5af8b031b1464
Instruction Fuzzy Hash: FD41D6705187848BD3A9DF68C08965EFBF0FB96394F104A1CF68686670C7B6D849CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800121CC Relevance: 2.6, Strings: 2, Instructions: 75COMMON

Download Yara Rule

Strings

1, xrefs: 00000001800121E3
bO6, xrefs: 000000018001228D

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 1$bO6
API String ID: 0-3242911120
Opcode ID: 9f75d9841d56aa2cc22d310afbf4e4cd48e2e3da52340bc691d74cf5e049a536
Instruction ID: 6601c978ba2416544a7d1ca6fb5225a3b879728eb772ccf04003f68ee897128b
Opcode Fuzzy Hash: 9f75d9841d56aa2cc22d310afbf4e4cd48e2e3da52340bc691d74cf5e049a536
Instruction Fuzzy Hash: 8A3107701187449FC7A8DF68C086A5ABBF0FB9A354F50491DF686C7265C3B2D895CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180019D60 Relevance: 2.6, Strings: 2, Instructions: 68COMMON

Download Yara Rule

Strings

)j-J, xrefs: 0000000180019DA5
\rba, xrefs: 0000000180019D7E

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: )j-J$\rba
API String ID: 0-105394296
Opcode ID: b27fa7590f58ca7dd2d737508af6f5bc0d6ebd07140c48d4a736306249910364
Instruction ID: 842adb91478ed39572f9e8a80903ac0de563c5eb9e26d75e48c1d2cd82a83531
Opcode Fuzzy Hash: b27fa7590f58ca7dd2d737508af6f5bc0d6ebd07140c48d4a736306249910364
Instruction Fuzzy Hash: 1A31D17080024E8BDF88DF64D48A6DFBFF0FB58788F205219E856A6254D7749694CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180024698 Relevance: 2.6, Strings: 2, Instructions: 67COMMON

Download Yara Rule

Strings

7c, xrefs: 000000018002471E
5T, xrefs: 00000001800246BF

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 5T$7c
API String ID: 0-2666566123
Opcode ID: 2ae419eb0ff386ee94a2b0b54af6030ef829be62021f352e0c4a6905d27011e8
Instruction ID: ee04dda3efe5c9a307f88871a109fd0823ba75d09644cdd26569aa81abafae9d
Opcode Fuzzy Hash: 2ae419eb0ff386ee94a2b0b54af6030ef829be62021f352e0c4a6905d27011e8
Instruction Fuzzy Hash: 7631E2B051C7808BC358DF68D15A51BFBF1BBCA748F50891CF686866A0D7B6D818CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180017BDC Relevance: 2.6, Strings: 2, Instructions: 60COMMON

Download Yara Rule

Strings

PX, xrefs: 0000000180017C43
",)x, xrefs: 0000000180017C8A

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ",)x$PX
API String ID: 0-926260526
Opcode ID: f165c3a10a1fa821f16c68d8465b247d8270816cceff94c6b22525474e7640ac
Instruction ID: d5a1e783bdd82888163cb93820b1a52157f2f65bb265271905f807ea8b7abae1
Opcode Fuzzy Hash: f165c3a10a1fa821f16c68d8465b247d8270816cceff94c6b22525474e7640ac
Instruction Fuzzy Hash: DA31A1B091434E8FCB48DF64C88A5DE7FF0FB58398F114619E85AA6250D3B89694CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA8C39C Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32 ref: 00007FF8CAA8C3DD

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 31e1571c4c9480ce99c15a91898bfef815e3c9c5a1e04a4fd1e61da97386d0dc
Instruction ID: f1c74a54000b38b74deed88e1edaac9b6285ca16b4c8f67345895ec3a6aea131
Opcode Fuzzy Hash: 31e1571c4c9480ce99c15a91898bfef815e3c9c5a1e04a4fd1e61da97386d0dc
Instruction Fuzzy Hash: E5119832A0878255FA705F65F4A63F95250EB84BC8F544071DA8D87A81DE2CE587CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA8C834 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

EnumSystemLocalesA.KERNEL32 ref: 00007FF8CAA8C884

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: aeac2b72f960d353e04b1ec94d2b5deee2ea0aff83e9dab1063ee3790c567d86
Instruction ID: 10f92937b809a1443b5f25bdaa88f2ad8d15b475710a41c05e4e1f111271e4ba
Opcode Fuzzy Hash: aeac2b72f960d353e04b1ec94d2b5deee2ea0aff83e9dab1063ee3790c567d86
Instruction Fuzzy Hash: 6B115A72A087059BFB988E31F02A37926A0FB94B89F144475C60D43AC6CF7CD5A68B81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA8C8C8 Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

EnumSystemLocalesA.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF8CAA85A8C), ref: 00007FF8CAA8C8FD

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 63a91a0b255d2a7e8e8559b933d18d41bbf72777b1d5725641a44dd385286e67
Instruction ID: cefaf02a099c34230aa26a748157259281e5abce6991ff3c7babad588e7eaf30
Opcode Fuzzy Hash: 63a91a0b255d2a7e8e8559b933d18d41bbf72777b1d5725641a44dd385286e67
Instruction Fuzzy Hash: C3F0A462E0870656F7189E35F4273B933D1AB94B88F1880B2C64D43AC6CE6DD5928640

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA8DF3C Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8CAA82534: _getptd.LIBCMT ref: 00007FF8CAA8254A

GetLocaleInfoW.KERNEL32 ref: 00007FF8CAA8DF6C

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: InfoLocale_getptd
String ID:
API String ID: 3731964398-0
Opcode ID: c55661bbe17e4b16f28eed47b7e85f9fabee07928079620ee3b979cc97ad5c67
Instruction ID: 9bdd2ec409af608784c6a92db43928afc53b915eb31482314c2dddd744bcb8c3
Opcode Fuzzy Hash: c55661bbe17e4b16f28eed47b7e85f9fabee07928079620ee3b979cc97ad5c67
Instruction Fuzzy Hash: 4CF05E22A187C083D7518B1AF05516AA761FBC4BE0F584265EAAD17B99CE2CC856CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA8E1E8 Relevance: 1.5, APIs: 1, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32 ref: 00007FF8CAA8E210

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 502a65142465a1b9b121244362b20e71b6ae70508435106b2b95459646a177ab
Instruction ID: 616d618eabbca6776c2b732ae7975360b7703b028c0f5360f797fa0ead31f178
Opcode Fuzzy Hash: 502a65142465a1b9b121244362b20e71b6ae70508435106b2b95459646a177ab
Instruction Fuzzy Hash: 72E0EC25A1C74181F6709B20F4623A66760BF587D8F900271D59D57AA5DE2CD156C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA8C7F4 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

EnumSystemLocalesA.KERNEL32 ref: 00007FF8CAA8C81E

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: a3acadd2f008454ed6638a5ec196b6424420b15def5e390d94227f08142a8bc9
Instruction ID: c205f8e4b8242378428b878cd5eadbd62a362a2de2ced3595c11380a761c2ab8
Opcode Fuzzy Hash: a3acadd2f008454ed6638a5ec196b6424420b15def5e390d94227f08142a8bc9
Instruction Fuzzy Hash: E8E04F66E0570582EB489F61F4563742251EB98B89F088071CA0C021959F7CC5978B40

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800125C4 Relevance: 1.5, Strings: 1, Instructions: 239COMMON

Download Yara Rule

Strings

cYte, xrefs: 00000001800128D1

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: cYte
API String ID: 0-489798635
Opcode ID: 4acd880b1b9242ae3f66c3fdc32505bc5e4dc901df3d7cd7ffb66f12f89e51a1
Instruction ID: 4bcad34f3ef31740aa8133b8dde5a269bb367cd09133d205a83695970592d01c
Opcode Fuzzy Hash: 4acd880b1b9242ae3f66c3fdc32505bc5e4dc901df3d7cd7ffb66f12f89e51a1
Instruction Fuzzy Hash: C4B1E570904A0C9FCB99DFA8D4C96DDBFB1FB48354F908119F806AB294D774998ACF81

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002A9A8 Relevance: 1.5, Strings: 1, Instructions: 221COMMON

Download Yara Rule

Strings

Pc, xrefs: 000000018002AC68

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Pc
API String ID: 0-2609325410
Opcode ID: 1a0088ecf8094bc96bd3fe6dd6dc82c472572739438acd9534c77a0a59272c42
Instruction ID: 12b923e2fd3f69615379d54222b7898fdcc3de1fee72b8e179f5c4c977b11f8e
Opcode Fuzzy Hash: 1a0088ecf8094bc96bd3fe6dd6dc82c472572739438acd9534c77a0a59272c42
Instruction Fuzzy Hash: 4CC188B6502749CFCB88DF68C69A59E7BF1FF55308F004129FC0A9A660D374D929CB48

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001ED50 Relevance: 1.5, Strings: 1, Instructions: 205COMMON

Download Yara Rule

Strings

g >, xrefs: 000000018001EF27

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: g >
API String ID: 0-3862707646
Opcode ID: ed648581161f49faafb3551504090fa0bdf2ce44a31b7bcfa2a0e2750c151a25
Instruction ID: 455282f08292131e945dcc730a648b96f9dba3dd8fa54dedd401ba7ae830fef0
Opcode Fuzzy Hash: ed648581161f49faafb3551504090fa0bdf2ce44a31b7bcfa2a0e2750c151a25
Instruction Fuzzy Hash: DEA1E5B1604649CFCB98DF28C4896DE7BE0FF48358F41412AFD0A9B255C774DAA8CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180018DAC Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

2, xrefs: 0000000180018DDB

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 2
API String ID: 0-2012265552
Opcode ID: fb4f60d061479647d3fac6d2f693c32068a5ad75f13adf9d903438d0578f57c4
Instruction ID: 4926f2c2e7b01a1509be6dde787c5073208d3019f4660081853cabf743aa6d2d
Opcode Fuzzy Hash: fb4f60d061479647d3fac6d2f693c32068a5ad75f13adf9d903438d0578f57c4
Instruction Fuzzy Hash: 23A1467490660CDFCB69DFA8C0856CDBBF2FF18344F1081AAE816A7261D774C619CB89

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800288B8 Relevance: 1.4, Strings: 1, Instructions: 190COMMON

Download Yara Rule

Strings

Wcl, xrefs: 0000000180028B98

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Wcl
API String ID: 0-2623992880
Opcode ID: f4aab810873131842688b8816ae552eda5867b61779d557f5a81b893f1e00e3f
Instruction ID: 6785441b261b06c1a3a09f49601167733b22bb672c53a20dcfeae34723d14519
Opcode Fuzzy Hash: f4aab810873131842688b8816ae552eda5867b61779d557f5a81b893f1e00e3f
Instruction Fuzzy Hash: DCB17BB990364DCFCB68CF78D58A59D7BF1AF64308F204119FC259A266D3B0D629CB48

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180029888 Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

ws8, xrefs: 00000001800299E0

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ws8
API String ID: 0-2196714860
Opcode ID: 5d33fb8a3b51542eaa6130f047a5a21fcb70befd8ff2f8c5da0624ee0b386558
Instruction ID: b480ef2199d1fafa288ff61c3bcffdce570952497d21d470c9db593eaacbee88
Opcode Fuzzy Hash: 5d33fb8a3b51542eaa6130f047a5a21fcb70befd8ff2f8c5da0624ee0b386558
Instruction Fuzzy Hash: 54711A70A0470E8FDB59DFA8C45AAEFBBF2FB54348F004119D806A7291DB749A19CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180017908 Relevance: 1.4, Strings: 1, Instructions: 158COMMON

Download Yara Rule

Strings

p/g, xrefs: 0000000180017A5F

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: p/g
API String ID: 0-1786412500
Opcode ID: 12e0429f3d25b53aa03a660b5e037e54bcd2ac93df657abae010b2d02fa62e0c
Instruction ID: ede728f5e2ba0833d242d52ca27ad93f20c36497480e8c5f25a004cbad49378e
Opcode Fuzzy Hash: 12e0429f3d25b53aa03a660b5e037e54bcd2ac93df657abae010b2d02fa62e0c
Instruction Fuzzy Hash: F58108B050434E8FCB88DF68D88A6DE7FF0FB58358F105659E85A96250D3B8D694CF84

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000131C Relevance: 1.4, Strings: 1, Instructions: 154COMMON

Download Yara Rule

Strings

%, xrefs: 0000000180001481

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: %
API String ID: 0-3714942587
Opcode ID: 4a5e4fe18fa17051425459feb0137b81b0d343578dbe0cd5a85f108800ca0619
Instruction ID: d5d5bf94d11651037a836977de8f66422f038c9f5d7a5f915f0cc542ec650b78
Opcode Fuzzy Hash: 4a5e4fe18fa17051425459feb0137b81b0d343578dbe0cd5a85f108800ca0619
Instruction Fuzzy Hash: 5A516974606608CBDB69DF38D4D57A937E1EF68305F20412DF866C72A2DB70D9258B88

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000D8C4 Relevance: 1.4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

Strings

A.}, xrefs: 000000018000DA2D

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: A.}
API String ID: 0-2880059976
Opcode ID: 9010837fa6b706847bc4c7b3c9088da85304bc8742fe6f892a790101183beb2f
Instruction ID: 2f0cd8bb00c33d355f5bc07b1ff950bf82d6730f12d3cb6082a6ef1b734ff39e
Opcode Fuzzy Hash: 9010837fa6b706847bc4c7b3c9088da85304bc8742fe6f892a790101183beb2f
Instruction Fuzzy Hash: 8E618FB190078E8FCF48DF68C88A5DE7BB1FB58318F004A1DE86696250D7B49A65CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180001D68 Relevance: 1.4, Strings: 1, Instructions: 126COMMON

Download Yara Rule

Strings

0#, xrefs: 0000000180001DF0

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 0#
API String ID: 0-456275806
Opcode ID: 2a5e92d38432702302bb854991be2d1fec0b328a8259ee1ce7fe1531fc30a302
Instruction ID: 4563f3e02f76dde2de765371aa44af8a356bdaf4307918038d119139e73a9611
Opcode Fuzzy Hash: 2a5e92d38432702302bb854991be2d1fec0b328a8259ee1ce7fe1531fc30a302
Instruction Fuzzy Hash: A6415E70608B488FC768DF19D4897AABBF1FB99301F404A6DE58AC7251DB70D849CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180008CA0 Relevance: 1.4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

Strings

n), xrefs: 0000000180008DD6

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: n)
API String ID: 0-1227437150
Opcode ID: f07ab33c2aa16265c73684704b65c3edc8d50a8e8d1ddfe7d0f50fe867e83bf1
Instruction ID: dd456011ca79f85f31d8ff0d6df60f6896318ebd7e2af4f5172cd91629f08304
Opcode Fuzzy Hash: f07ab33c2aa16265c73684704b65c3edc8d50a8e8d1ddfe7d0f50fe867e83bf1
Instruction Fuzzy Hash: 9761ADB090074E8FCB48DF68D58A5CE7FF0FB68398F204219E856A6260D37496A5CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001EB30 Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

H&0, xrefs: 000000018001EBA0

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: H&0
API String ID: 0-1691334370
Opcode ID: 176f3dafecf3041be65652fa330368668244bab9b7972e65e66ffc3ed07b0be6
Instruction ID: 434fd06cb4e7b9e5ef59c8cf231445956357c0a0e2562e482aef1b34ca23bdad
Opcode Fuzzy Hash: 176f3dafecf3041be65652fa330368668244bab9b7972e65e66ffc3ed07b0be6
Instruction Fuzzy Hash: F8511970519784ABD7D9CF28C4C5B5EBBE0FB88794F90691EF486C62A0CB74C9498B03

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002870C Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

<+o, xrefs: 000000018002884F

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: <+o
API String ID: 0-2035106886
Opcode ID: a127c5cda714885b89af0befeec2260f70d516272a3ffbf2c9e998cd35b08532
Instruction ID: 908cc80fe280ddd0bfa2415e6bae89ce11b1f5b72da4428c53a3215ac7c7145d
Opcode Fuzzy Hash: a127c5cda714885b89af0befeec2260f70d516272a3ffbf2c9e998cd35b08532
Instruction Fuzzy Hash: 7A51DFB090034E8BCB48CF68C9965DE7BB0FB58348F11861DEC26AA350D3B4D664CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180015388 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

2d, xrefs: 0000000180015418

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 2d
API String ID: 0-3866551247
Opcode ID: 21f6d5c278180fa64e04e12198f4d62966834cfebc9beba359b958e849a1d965
Instruction ID: 258b54a6104a0115c80ff1d617aa7636393a642c0cf89d14f7baa21f525a3413
Opcode Fuzzy Hash: 21f6d5c278180fa64e04e12198f4d62966834cfebc9beba359b958e849a1d965
Instruction Fuzzy Hash: 4641CFB05087858FD358DF68C58A61AFBF1BBCA344F108A1EF685CB260D7B6D945CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800250CC Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

ZF{;, xrefs: 0000000180025218

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ZF{;
API String ID: 0-2351138993
Opcode ID: 1a3b70ac63407bc6b31dbd99811dd9b011c38cdabefff78aa14352df61b26e81
Instruction ID: 7873f037b774218c73d9d67b0eeaf548a3a2a69e6d8f7c9b30684cba1c01e4e1
Opcode Fuzzy Hash: 1a3b70ac63407bc6b31dbd99811dd9b011c38cdabefff78aa14352df61b26e81
Instruction Fuzzy Hash: 525192B180034A8FCB48CF68D48A5DE7FB0FB68398F20461DF956A6250D3B596A4CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180011834 Relevance: 1.3, Strings: 1, Instructions: 91COMMON

Download Yara Rule

Strings

o^, xrefs: 00000001800118C1

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: o^
API String ID: 0-3380573087
Opcode ID: 0d6f3437d03fe5aa4f51e8e74fa4409d34d0e7854ad8eda007dad4bfdfa39413
Instruction ID: 59a9f6ae0c87b179395b4bbd7662f2404235addd18437060f8b1d9c1d0f8b2e4
Opcode Fuzzy Hash: 0d6f3437d03fe5aa4f51e8e74fa4409d34d0e7854ad8eda007dad4bfdfa39413
Instruction Fuzzy Hash: 97419FB091034A9FCB48DF68C4865CEBFB0FB68394F20561AF856A6250D3B4D6A4CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180017CE4 Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

8N, xrefs: 0000000180017DB3

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 8N
API String ID: 0-1657423088
Opcode ID: c7b73ac620a1de8d380d3e919fde74086c8d3eb6f51cee4e1f73d7d71f9b17a5
Instruction ID: 05e8e8e61cf54c40f354227930f27795623571b92907d2ce5de0c79af9b5eb72
Opcode Fuzzy Hash: c7b73ac620a1de8d380d3e919fde74086c8d3eb6f51cee4e1f73d7d71f9b17a5
Instruction Fuzzy Hash: 3041B2B180078A8FCF48DF68D88A5DE7BF0FB48344F515619F82AA6250D3B49664CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002178 Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

J3n, xrefs: 00000001800021BA

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: J3n
API String ID: 0-3694000235
Opcode ID: 5e0585a393d7b877ef62559883b768be0e35881de92711842f1faa0fdb5b3090
Instruction ID: fbc63d1771dd8068db465c214aa1fa6fe3c32017f13d31a40a539671eb8e3db3
Opcode Fuzzy Hash: 5e0585a393d7b877ef62559883b768be0e35881de92711842f1faa0fdb5b3090
Instruction Fuzzy Hash: 9241B2B090034A8FCB48CF64D48A5DEBFF0FB68398F104619E819A6250D3B496A5CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001F7C0 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

c&A, xrefs: 000000018001F817

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: c&A
API String ID: 0-649646960
Opcode ID: 222d628d9e4dbd3e938f419e6eccfde97dede3f6fc3ed5f8b1cf47718be42e18
Instruction ID: 5c1e29145451eb3f41bdf5aebc87db8614fe3fe022aa4abe865b5bb925589833
Opcode Fuzzy Hash: 222d628d9e4dbd3e938f419e6eccfde97dede3f6fc3ed5f8b1cf47718be42e18
Instruction Fuzzy Hash: A041B2B490038E8FCF48DF68D8465DE7BB0FF58348F114619E865A6250D3B8D665CF85

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800029BC Relevance: 1.3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

Strings

(3, xrefs: 0000000180002ABA

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: (3
API String ID: 0-2570504824
Opcode ID: a8e5f93200cbe41d1aa1f83add337e38aaec9fa9aeab5943e76885fb2eb57509
Instruction ID: 078cae481ecab5ebae8a44fc1aa70e5a526d9ef7cdb5a4e390aeab476efd0bb7
Opcode Fuzzy Hash: a8e5f93200cbe41d1aa1f83add337e38aaec9fa9aeab5943e76885fb2eb57509
Instruction Fuzzy Hash: 8641E1B190034E8BCB48DF65C89A4EE7FB0FB58388F10461DE856AB250D37496A9CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002C7B4 Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

[r\^, xrefs: 000000018002C8A4

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: [r\^
API String ID: 0-4041245994
Opcode ID: 7e09be878869778b676359d511607d642bff81e0c723db1b86f2cce54c765f10
Instruction ID: bef136deadb7757a9af36730b388b650d276232742e73576b67fc962b3bf4495
Opcode Fuzzy Hash: 7e09be878869778b676359d511607d642bff81e0c723db1b86f2cce54c765f10
Instruction Fuzzy Hash: A841E2B090034E8FCB48DFA4D48A5DE7FB1FB58358F10861DE85AA6210C3B896A4CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180019FDC Relevance: 1.3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

#X, xrefs: 000000018001A072

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #X
API String ID: 0-1684620495
Opcode ID: e5059ebb106ab31542f79bed70f85174c6c5fb64cd94bc4155e3ee01b83e8653
Instruction ID: c074d48008b4f0de6335b08329d09b3dcf7b4425e670a70b5eb694557c772c54
Opcode Fuzzy Hash: e5059ebb106ab31542f79bed70f85174c6c5fb64cd94bc4155e3ee01b83e8653
Instruction Fuzzy Hash: CD31C27050074A8BCF48DF68C48A5DE7FA1BB68388F204619F85A96250D3B896A9CBC4

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002790 Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

[[x, xrefs: 00000001800028BE

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: [[x
API String ID: 0-2553898450
Opcode ID: fce498f01d1264328632f2ce3828285d2b3a4cfcf13af4523760d9f610b529f8
Instruction ID: a8e0a129d75fff214b9f34755e9293911d3f443417a5185f62d90841b3dbcaf2
Opcode Fuzzy Hash: fce498f01d1264328632f2ce3828285d2b3a4cfcf13af4523760d9f610b529f8
Instruction Fuzzy Hash: 8031AF701087848BD759DF68D48A51EFFF1FBC5398F500A0CF68286260D7B6E889CB42

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001E960 Relevance: 1.3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

Strings

g\&, xrefs: 000000018001E9C1

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: g\&
API String ID: 0-1994035986
Opcode ID: f1cd2deb5ac8493e30d5546e6bad4ad0a2e3582185550e3a432f48c3f1068d26
Instruction ID: 78d7b7b30cf9cde697684abc63e3144e4f3c104511914dfd36499d518091e057
Opcode Fuzzy Hash: f1cd2deb5ac8493e30d5546e6bad4ad0a2e3582185550e3a432f48c3f1068d26
Instruction Fuzzy Hash: 49419FB090034E8FCB45CF64D48A5DEBFF0FB68788F204619E855A6220D37496A9CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000338C Relevance: 1.3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

Strings

#X, xrefs: 0000000180003431

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #X
API String ID: 0-1684620495
Opcode ID: d6f38c749d7bf2c025576eea968cfd60362aaf86b7b5e01395e428e1a7e85413
Instruction ID: 6a57ff0d0e6417dcb220414ddd6fd05f9d25965c1474ecef6a781787815c5441
Opcode Fuzzy Hash: d6f38c749d7bf2c025576eea968cfd60362aaf86b7b5e01395e428e1a7e85413
Instruction Fuzzy Hash: 0F317FB06187858B8348DF28C45A41ABBE1FB8D31DF504B1DF8CAA7390D738D656CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800095DC Relevance: 1.3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

Strings

GfMu, xrefs: 0000000180009601

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: GfMu
API String ID: 0-241548529
Opcode ID: 8a67e3bf7b4199a1d3604c9779ca93a2bad0c6c3acd17a475ebbae523034d89b
Instruction ID: 459bd1ae445ea4b99a05d17f5b7f57a0228a98ad0e4316bc4572b1ae85115cb6
Opcode Fuzzy Hash: 8a67e3bf7b4199a1d3604c9779ca93a2bad0c6c3acd17a475ebbae523034d89b
Instruction Fuzzy Hash: 3F31A4B080034E9FCB44DF65C88A5DE7FB0FB28398F118619E859A6254D3B8D6A5CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000F9E8 Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

k|, xrefs: 000000018000FABD

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: k|
API String ID: 0-998972391
Opcode ID: 6236ffa949a3ca0ec4882c0e2f53e6d4deed0830cebabbf337115adf18185b80
Instruction ID: 2ac7c004f44a328b632a383646e80911aebdd3a2d92afb1c4fde4e6b566515e4
Opcode Fuzzy Hash: 6236ffa949a3ca0ec4882c0e2f53e6d4deed0830cebabbf337115adf18185b80
Instruction Fuzzy Hash: 0E316BB55187858BC348DF28C44A41ABBE0FB8D70DF401B2EF4CAAA254D778D646CB4B

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001D950 Relevance: 1.3, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

wz_, xrefs: 000000018001D9E9

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: wz_
API String ID: 0-2163964638
Opcode ID: b40e6b262b7e1498d3f21ab3c4cda150b043a181806bf38e185a76218508c891
Instruction ID: 85abef5d63a3cc0fc3de64b3cbe2355aa0dee9f977196367498a1db9d5329f65
Opcode Fuzzy Hash: b40e6b262b7e1498d3f21ab3c4cda150b043a181806bf38e185a76218508c891
Instruction Fuzzy Hash: 1B31A3B190438E9FCB84CF64D88A5DE7BB0FB58358F104A19EC69A6210D3B4C665CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000580C Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

{?Q, xrefs: 00000001800058F9

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: {?Q
API String ID: 0-927583641
Opcode ID: 839c14ccb0eb6183acb001e089a9759e5faeed76da85f154f8e90dad145701fc
Instruction ID: 7795a7564029993a5c8c4ac1e25182a2d51a1c6f7b8e281b16b6dc8244c6ef4e
Opcode Fuzzy Hash: 839c14ccb0eb6183acb001e089a9759e5faeed76da85f154f8e90dad145701fc
Instruction Fuzzy Hash: A431A4B4529780ABC788DF28C49691EBBF1FBC9314F806A1CF9868A350D775D855CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180021510 Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

|}6\, xrefs: 00000001800215C8

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: |}6\
API String ID: 0-3074799505
Opcode ID: 23fa338bd40b2aad003d9f0634311d3454ffb754a67c2adf2f847410751a50d9
Instruction ID: deee1345628e574e08842a382b14917b2dc53efdf1581624b2725d4aab218cc2
Opcode Fuzzy Hash: 23fa338bd40b2aad003d9f0634311d3454ffb754a67c2adf2f847410751a50d9
Instruction Fuzzy Hash: 06216EB4529380AB8388DF29C48981EBBF0FBC9344F906A1EF88696364D775D445CB02

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001FA38 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

3&a, xrefs: 000000018001FB09

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 3&a
API String ID: 0-537350193
Opcode ID: beaf1e19c187a0f85b52ebc77c111716efe920449ad97bd8647c465ec4e93b8f
Instruction ID: 8a645f8d3c8cc56bac308d2d2ecdfd486002fa9c5fd877c3d873e02a569d50ca
Opcode Fuzzy Hash: beaf1e19c187a0f85b52ebc77c111716efe920449ad97bd8647c465ec4e93b8f
Instruction Fuzzy Hash: 39216E74528781AFC788DF28D49981FBBE1FB88304F806A1DF88687360D774D459CB42

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001435C Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

o0:X, xrefs: 000000018001438E

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: o0:X
API String ID: 0-645126758
Opcode ID: 16e91aede479f97639727f95d3587bc05ccff40046920f17c5bc1350390a4fa4
Instruction ID: 22f452758bb10e6d75f49cffb2921ccf5c0237a957934827f7fc810dfbc33e73
Opcode Fuzzy Hash: 16e91aede479f97639727f95d3587bc05ccff40046920f17c5bc1350390a4fa4
Instruction Fuzzy Hash: AC2168B060C7848BD348DF68C49691ABBE0FB9D358F504B1DF4CAAA261D3789645CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180020CFC Relevance: 1.3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

Strings

D4}, xrefs: 0000000180020DB4

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: D4}
API String ID: 0-491520632
Opcode ID: e694fe3bb7f23863c566d88b3f3e9b79af36947dfdaac95326105a138b36f14b
Instruction ID: bbb3bee9fa9cdc8f6282772afd18f295cdd348f2c7f059baa6db29b6d6e0bb5b
Opcode Fuzzy Hash: e694fe3bb7f23863c566d88b3f3e9b79af36947dfdaac95326105a138b36f14b
Instruction Fuzzy Hash: A9215DB550C3848BC788DF28C49651BBBE1BB8C318F444B2DF4CAAA365D7789654CF4A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA8AA0C Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerPresentTerminate_errno_getptd
String ID:
API String ID: 1583075380-0
Opcode ID: b49a52df605eb860e81aecf945551c905b422740176ff48a34f4eb53aef691de
Instruction ID: 24d71eb5fd44737f6bca8b3e67c2409288714b82992e325c55287afb2dd13291
Opcode Fuzzy Hash: b49a52df605eb860e81aecf945551c905b422740176ff48a34f4eb53aef691de
Instruction Fuzzy Hash: 55A17372B1878141EB649F26B62A7FEA352BF85BC4F548175DE4D5BE49CE3CE4028300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA8EB60 Relevance: .2, Instructions: 202COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9410001777fc81e6582bcbf2c9e1b051a8f1f2b874c05684980e9ac5d71aab9
Instruction ID: 5a65f00c5b23457c203b103750e9a6cb5bb94f8fc4be538ea9c223e059625eb0
Opcode Fuzzy Hash: d9410001777fc81e6582bcbf2c9e1b051a8f1f2b874c05684980e9ac5d71aab9
Instruction Fuzzy Hash: 9371C872F183468BD36C8F18F96267866A6EBD4344F589075D50ACFF94EA3DF5028740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180018598 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d0a71211182b7f87b6da8fb5c4bb16c050ce1c1bc57c3eb72ccfc764dcd8f25
Instruction ID: 8540b9e78b3a5a21de6b0995fa07f246b5a6616f24314d9c292e70c997d69f1a
Opcode Fuzzy Hash: 5d0a71211182b7f87b6da8fb5c4bb16c050ce1c1bc57c3eb72ccfc764dcd8f25
Instruction Fuzzy Hash: 03916670904B0D8BDF48DF94C48A1EEBBF1FB48358F15821DE84AA7250DB749A89CF85

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000F7E0 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efccbdecd07d61b7fd9807909e593046fc70b22fd17ef27bebbdee29ceef9f7a
Instruction ID: b4cc55b2ba55f7836136ac8b5ed3643aad821ec95d31101853fef74eb9d9cec8
Opcode Fuzzy Hash: efccbdecd07d61b7fd9807909e593046fc70b22fd17ef27bebbdee29ceef9f7a
Instruction Fuzzy Hash: FF51787090470DABDBA9CF64C4893EEBBF0FB48354F60806DE85697390DB749A85CB81

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001DBE8 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1505da822373411ddcecd725c63ebafe53e843356a51ddc09aa4b8a95d314011
Instruction ID: 8a210f576f06192acb1348665dce29b8299704b90f8c36c4c02948eefca36544
Opcode Fuzzy Hash: 1505da822373411ddcecd725c63ebafe53e843356a51ddc09aa4b8a95d314011
Instruction Fuzzy Hash: 98819EB590034E8FCB48CF68C48A5DE7FB0BB68394F614219F8569A260D774DAA5CFC4

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180019300 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 197fc001b9ca96d8c078894440fafc4def679aa452f545048d4dbe605d0ae04d
Instruction ID: a715a821166c3325a5f96f2d5301173626eb48cd37bd72c2dcb4fea3562e42b3
Opcode Fuzzy Hash: 197fc001b9ca96d8c078894440fafc4def679aa452f545048d4dbe605d0ae04d
Instruction Fuzzy Hash: 79512EB150074A8BDB49DF28C0D76AE3FE1EB64388F20411DFD468A295D774DAA9CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001CD38 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ace7ea2d26746cc3390ccab9d64ee1f2d7dc726b4390747d9cc592a488b98cf
Instruction ID: fc479b7e82b21315ffd406d8fba444b33d09de74539f70da2a8813263b1569c5
Opcode Fuzzy Hash: 2ace7ea2d26746cc3390ccab9d64ee1f2d7dc726b4390747d9cc592a488b98cf
Instruction Fuzzy Hash: 65416D7020DB488FD768DF18948975ABBF0FB9A740F404A9DE5CAC7256D771D844CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800197A0 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97ae2c8ea2cdf4840b91f894fd37a694475120081486fc145809f74360d0bada
Instruction ID: dbb4fad0742d9b29c59b9a64f17438fc1cba9462e735a4e3b2d00d7b8da19945
Opcode Fuzzy Hash: 97ae2c8ea2cdf4840b91f894fd37a694475120081486fc145809f74360d0bada
Instruction Fuzzy Hash: 4C5192B490038E8FCB48CF69C84A5DE7BB1FB48358F104A19FC26A6250D7B4D665CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180008AD8 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b44f26b2e4c7e97ddfb81a3adbda3d77288edc4ecbe0bae8cc8933f1c33e44
Instruction ID: 08efbb833ea687ad733901112953304226336fcfa3581264405f9509991f6ff4
Opcode Fuzzy Hash: f1b44f26b2e4c7e97ddfb81a3adbda3d77288edc4ecbe0bae8cc8933f1c33e44
Instruction Fuzzy Hash: 6551BEB490074A8BCB48CF68D4875DE7FB0FB68398F20421DEC56AA250D3B496A5CFD4

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180009F5C Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16eb5be53274359ca32061ddf2fd9752b6767c1a5dd3248deb14ec1aa5e29bf1
Instruction ID: 52c1f8436ada09c5d91cc0f6a0e49c089501cc81ef075f7e28a52ff611ebfcf9
Opcode Fuzzy Hash: 16eb5be53274359ca32061ddf2fd9752b6767c1a5dd3248deb14ec1aa5e29bf1
Instruction Fuzzy Hash: D351B3B190438E8FCB48DF68D98A5DE7BB0FB48348F104A19FC26A6250D3B4D664CF85

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000F917 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcde6b28aa1f9cc532f581acc23668cd4c3c6920105dcd3780d199daaa58310a
Instruction ID: 871f118089c9e262c63038bd4f0fd9666d89e9c6fa6f13266ea976bdce614408
Opcode Fuzzy Hash: bcde6b28aa1f9cc532f581acc23668cd4c3c6920105dcd3780d199daaa58310a
Instruction Fuzzy Hash: CB41393190071DABDB95CFA4C8892EEBBF1FF44358F608159E852A7384DBB49685CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180019E78 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be6c09d37bb88d9ef1cd1e4f7c6fe28a3503fab801bd979a9297db1a45dede51
Instruction ID: 72cb41ac5f9990f9c197b8bd4b5430fc958a2c545255f7632808fe9bc15cd904
Opcode Fuzzy Hash: be6c09d37bb88d9ef1cd1e4f7c6fe28a3503fab801bd979a9297db1a45dede51
Instruction Fuzzy Hash: A141D27090034A8BCB48DF68D8865DE7FB0FB58388F20461DE81AA6350D3B896A5CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180001FE0 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 937cbbccdfb62f32f5a53fbe7826fb6fdb7ed657b014fade726fdd4e8827f138
Instruction ID: 5a85513126e01a98bb902dccfe4af02f6196fd3989a765a33a65cbdcda0cb452
Opcode Fuzzy Hash: 937cbbccdfb62f32f5a53fbe7826fb6fdb7ed657b014fade726fdd4e8827f138
Instruction Fuzzy Hash: 0641E5B091038A8FCF88DF64D84A5DE7BB0FB58358F104A1DFC65A6250E3B49664CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180015CB0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17a73d98c2b5216e6ebfe3da59b71ff0bc58f6e68d4a2580613c8fab7b77e503
Instruction ID: 77361ced58272e7b73a95c704b243c92926a81ca7bf4620d616fd1e275fcbc28
Opcode Fuzzy Hash: 17a73d98c2b5216e6ebfe3da59b71ff0bc58f6e68d4a2580613c8fab7b77e503
Instruction Fuzzy Hash: A841D2B190434E8FCB48DF68C4865DE7FF0FB58388F204219E859A6250D3B896A5CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA8A77C Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: _getptd
String ID:
API String ID: 3186804695-0
Opcode ID: 07c06ba19e2310f742034fc51624b2b683580184b74621a532736302abba6d70
Instruction ID: 4ac4897b97f303e248ec99183265afe88e70f7c178c62bcddefdcdd1cd59d14c
Opcode Fuzzy Hash: 07c06ba19e2310f742034fc51624b2b683580184b74621a532736302abba6d70
Instruction Fuzzy Hash: 5431B232A1478581EB55DF2AF42A3AA67A1EF85BC4F194175EA4D07B95DF3CD402C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000C4B4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3646060d8cb761d7de136982460322f3472e8f5a21e87ad1ead63779f29ae52
Instruction ID: 4f2f4704f2b9e1c234c275d0f4f9a14eb4d491f2b4b6dbd4d57755e8fe2c6edd
Opcode Fuzzy Hash: d3646060d8cb761d7de136982460322f3472e8f5a21e87ad1ead63779f29ae52
Instruction Fuzzy Hash: 6341C4B090438ECFCF48CF68C8895CE7BB0FF58358F114A19E825A6250D3B49665CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800157D8 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d53fd4730f7ea41163b882b7fe0da69ca66e61df5fc81e281dc4420083e2c61
Instruction ID: 4854a602bbf38c78d9fab67e5db6ce586c5dff59e36b89151347ba9907d49bba
Opcode Fuzzy Hash: 1d53fd4730f7ea41163b882b7fe0da69ca66e61df5fc81e281dc4420083e2c61
Instruction Fuzzy Hash: D13189B0529781ABD78CDF28C49981EBBE1FBC8344FC46A2DF9868B350D7749405CB46

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180024574 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1ebaef5654986e3774d51b7b5ee7bc532e1d9e9fdd7c85144d94fdf612fce43
Instruction ID: b456e1b49498020112758906e0882963a909b4f1eceaef019be325c5d28b8920
Opcode Fuzzy Hash: c1ebaef5654986e3774d51b7b5ee7bc532e1d9e9fdd7c85144d94fdf612fce43
Instruction Fuzzy Hash: E0317570629781ABC78CDF28C59591ABBE1FBD9344F806A2DF8868B350D774D445CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180024458 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 465da7405903931a99b4b25fdb97e1be200aa994c495fca1ee02f708772e1815
Instruction ID: e1cdac85440212a901397aaa30fe146fec046d1320b50ea199ee65054a90651b
Opcode Fuzzy Hash: 465da7405903931a99b4b25fdb97e1be200aa994c495fca1ee02f708772e1815
Instruction Fuzzy Hash: 0F317FB56187848B9388DF28C48641ABBE1FBDD30CF504B2DF8CAA6254D778D645CB4B

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001F944 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 213fcaffb4d8b257d73b1e87ee3d57575e303918952cee2d1b890f97e83a5388
Instruction ID: a8885bbbd8deb659e28c33910928e4ea9ad8e802d57f0785ac04cb05f9903a21
Opcode Fuzzy Hash: 213fcaffb4d8b257d73b1e87ee3d57575e303918952cee2d1b890f97e83a5388
Instruction Fuzzy Hash: 802160B0528784AFC398DF28D49981ABBF1FB89344F806A1DF98687350E374D459CB43

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800124B4 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 789a1fcad167e99ddc40482d8caf18e48711ae2075d057cfa5242344ff1b2506
Instruction ID: 3e7ffcddda8d873ed620f17f9684606eb13d1dd5f0b21141b7977a2e64531d07
Opcode Fuzzy Hash: 789a1fcad167e99ddc40482d8caf18e48711ae2075d057cfa5242344ff1b2506
Instruction Fuzzy Hash: AF217F74529780AFC788DF29C08981EBBE1FB99748F806A1DF88697354D375D445CF42

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800141C0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.357338774.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 825ba780bde58c245e7a1d3728ec0527652b1ee71a04877d42e2af350f08e315
Instruction ID: 85e8bde3e512593198615bb83ad7c533a741442781c438c8658c5734f088230b
Opcode Fuzzy Hash: 825ba780bde58c245e7a1d3728ec0527652b1ee71a04877d42e2af350f08e315
Instruction Fuzzy Hash: AA2148B4508384CBD349DF29D05951BBBE0BB8D75CF900B1DF4CAAB264D7789644CB0A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA8DF20 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7cc4962d52e3e4a2947f3a3b752558ec936755315000d7411880e05df0ff2ae
Instruction ID: a145e57327a46f0e1a7d6bac3edfed1cd0452859d699d59ccb9d3b13137215f4
Opcode Fuzzy Hash: d7cc4962d52e3e4a2947f3a3b752558ec936755315000d7411880e05df0ff2ae
Instruction Fuzzy Hash: 43B09B2570C754454765470764155155552B79CBE4A0440349D0D63B54D93C9A454780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA898A4 Relevance: 53.8, APIs: 43, Instructions: 94COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 00007FF8CAA898B9

Part of subcall function 00007FF8CAA83024: HeapFree.KERNEL32(?,?,00000000,00007FF8CAA82DDC,?,?,?,00007FF8CAA82DFF,?,?,?,00007FF8CAA8254F,?,?,?,00007FF8CAA8262A), ref: 00007FF8CAA8303A
Part of subcall function 00007FF8CAA83024: _errno.LIBCMT ref: 00007FF8CAA83044
Part of subcall function 00007FF8CAA83024: GetLastError.KERNEL32(?,?,00000000,00007FF8CAA82DDC,?,?,?,00007FF8CAA82DFF,?,?,?,00007FF8CAA8254F,?,?,?,00007FF8CAA8262A), ref: 00007FF8CAA8304C

free.LIBCMT ref: 00007FF8CAA898C2
free.LIBCMT ref: 00007FF8CAA898CB
free.LIBCMT ref: 00007FF8CAA898D4
free.LIBCMT ref: 00007FF8CAA898DD
free.LIBCMT ref: 00007FF8CAA898E6
free.LIBCMT ref: 00007FF8CAA898EE
free.LIBCMT ref: 00007FF8CAA898F7
free.LIBCMT ref: 00007FF8CAA89900
free.LIBCMT ref: 00007FF8CAA89909
free.LIBCMT ref: 00007FF8CAA89912
free.LIBCMT ref: 00007FF8CAA8991B
free.LIBCMT ref: 00007FF8CAA89924
free.LIBCMT ref: 00007FF8CAA8992D
free.LIBCMT ref: 00007FF8CAA89936
free.LIBCMT ref: 00007FF8CAA8993F
free.LIBCMT ref: 00007FF8CAA8994B
free.LIBCMT ref: 00007FF8CAA89957
free.LIBCMT ref: 00007FF8CAA89963
free.LIBCMT ref: 00007FF8CAA8996F
free.LIBCMT ref: 00007FF8CAA8997B
free.LIBCMT ref: 00007FF8CAA89987
free.LIBCMT ref: 00007FF8CAA89993
free.LIBCMT ref: 00007FF8CAA8999F
free.LIBCMT ref: 00007FF8CAA899AB
free.LIBCMT ref: 00007FF8CAA899B7
free.LIBCMT ref: 00007FF8CAA899C3
free.LIBCMT ref: 00007FF8CAA899CF
free.LIBCMT ref: 00007FF8CAA899DB
free.LIBCMT ref: 00007FF8CAA899E7
free.LIBCMT ref: 00007FF8CAA899F3
free.LIBCMT ref: 00007FF8CAA899FF
free.LIBCMT ref: 00007FF8CAA89A0B
free.LIBCMT ref: 00007FF8CAA89A17
free.LIBCMT ref: 00007FF8CAA89A23
free.LIBCMT ref: 00007FF8CAA89A2F
free.LIBCMT ref: 00007FF8CAA89A3B
free.LIBCMT ref: 00007FF8CAA89A47
free.LIBCMT ref: 00007FF8CAA89A53
free.LIBCMT ref: 00007FF8CAA89A5F
free.LIBCMT ref: 00007FF8CAA89A6B
free.LIBCMT ref: 00007FF8CAA89A77
free.LIBCMT ref: 00007FF8CAA89A83

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID:
API String ID: 1012874770-0
Opcode ID: b5d5b29a13da0feaba005b5cdbb38ef60d3e58c86b165e4530729409fd253580
Instruction ID: fff6c1568a39440d2f82bf76650a7f3622b09aa114afe199970bac81da3d3ae4
Opcode Fuzzy Hash: b5d5b29a13da0feaba005b5cdbb38ef60d3e58c86b165e4530729409fd253580
Instruction Fuzzy Hash: A5418522A15681C1EEA6EF31F4632BC5370AF84B84F04A171DB4D4F9A7CE15D846C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA8D0B8 Relevance: 36.9, APIs: 15, Strings: 6, Instructions: 130libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FF8CAA870D4,?,?,?,?,?,00007FF8CAA87194), ref: 00007FF8CAA8D0F5
GetProcAddress.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FF8CAA870D4,?,?,?,?,?,00007FF8CAA87194), ref: 00007FF8CAA8D111
GetProcAddress.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FF8CAA870D4,?,?,?,?,?,00007FF8CAA87194), ref: 00007FF8CAA8D139
EncodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FF8CAA870D4,?,?,?,?,?,00007FF8CAA87194), ref: 00007FF8CAA8D142
GetProcAddress.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FF8CAA870D4,?,?,?,?,?,00007FF8CAA87194), ref: 00007FF8CAA8D158
EncodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FF8CAA870D4,?,?,?,?,?,00007FF8CAA87194), ref: 00007FF8CAA8D161
GetProcAddress.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FF8CAA870D4,?,?,?,?,?,00007FF8CAA87194), ref: 00007FF8CAA8D177
EncodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FF8CAA870D4,?,?,?,?,?,00007FF8CAA87194), ref: 00007FF8CAA8D180
GetProcAddress.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FF8CAA870D4,?,?,?,?,?,00007FF8CAA87194), ref: 00007FF8CAA8D19E
EncodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FF8CAA870D4,?,?,?,?,?,00007FF8CAA87194), ref: 00007FF8CAA8D1A7
DecodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FF8CAA870D4,?,?,?,?,?,00007FF8CAA87194), ref: 00007FF8CAA8D1D9
DecodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FF8CAA870D4,?,?,?,?,?,00007FF8CAA87194), ref: 00007FF8CAA8D1E8
DecodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FF8CAA870D4,?,?,?,?,?,00007FF8CAA87194), ref: 00007FF8CAA8D240
DecodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FF8CAA870D4,?,?,?,?,?,00007FF8CAA87194), ref: 00007FF8CAA8D260
DecodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FF8CAA870D4,?,?,?,?,?,00007FF8CAA87194), ref: 00007FF8CAA8D279

Strings

GetLastActivePopup, xrefs: 00007FF8CAA8D147
GetUserObjectInformationA, xrefs: 00007FF8CAA8D166
GetActiveWindow, xrefs: 00007FF8CAA8D128
MessageBoxA, xrefs: 00007FF8CAA8D107
GetProcessWindowStation, xrefs: 00007FF8CAA8D194
USER32.DLL, xrefs: 00007FF8CAA8D0EE

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: Pointer$AddressDecodeProc$Encode$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
API String ID: 3085332118-232180764
Opcode ID: 3571919baaed57aa13675d85a49604ff28a57139c9f79241176628fa60ae3818
Instruction ID: 01a445904ff05e17003c1b68593fef3c3956124388ff19517bb9bc6c9f3da8f4
Opcode Fuzzy Hash: 3571919baaed57aa13675d85a49604ff28a57139c9f79241176628fa60ae3818
Instruction Fuzzy Hash: 5C510660A0AB4381FEA5DF62B87657823906F45BD0F4400BADC5E17BA5FE3CE54B8650

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA9028C Relevance: 21.3, APIs: 14, Instructions: 348COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF8CAA907CE), ref: 00007FF8CAA902F9
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF8CAA907CE), ref: 00007FF8CAA9030D
GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF8CAA907CE), ref: 00007FF8CAA90410

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: CompareErrorInfoLastString
String ID:
API String ID: 3723911898-0
Opcode ID: 1736e87f58a818c08770fb04f896c77e61df6c5aeab6e96dba7049e62cf85715
Instruction ID: b94562d28467e4729c6cc31a9ac10f4b141d325d5ff7b023fa65d9bd086a0449
Opcode Fuzzy Hash: 1736e87f58a818c08770fb04f896c77e61df6c5aeab6e96dba7049e62cf85715
Instruction Fuzzy Hash: C3E1C222A083828AEB708F36B4622BE7792FB447D4F448575DA5D67BC4DF3DA946C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA876A0 Relevance: 19.7, APIs: 13, Instructions: 182COMMON

Download Yara Rule

APIs

_lock.LIBCMT ref: 00007FF8CAA877F1
SetConsoleCtrlHandler.KERNEL32 ref: 00007FF8CAA87816
__doserrno.LIBCMT ref: 00007FF8CAA87829
GetLastError.KERNEL32 ref: 00007FF8CAA87831
DecodePointer.KERNEL32 ref: 00007FF8CAA8786F
EncodePointer.KERNEL32 ref: 00007FF8CAA87884
DecodePointer.KERNEL32 ref: 00007FF8CAA87899
EncodePointer.KERNEL32 ref: 00007FF8CAA878AA
DecodePointer.KERNEL32 ref: 00007FF8CAA878BF
EncodePointer.KERNEL32 ref: 00007FF8CAA878D0
DecodePointer.KERNEL32 ref: 00007FF8CAA878E5
EncodePointer.KERNEL32 ref: 00007FF8CAA878F6
_errno.LIBCMT ref: 00007FF8CAA8792C

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: Pointer$DecodeEncode$ConsoleCtrlErrorHandlerLast__doserrno_errno_lock
String ID:
API String ID: 3466867069-0
Opcode ID: 789b8b4bb0ab73352cc37038b561749136146399fcf5725f1f3e9913cb8e60dd
Instruction ID: c1d176ddf1a95ae07dc04ede03b5b262a69ac05b7ea7f21605698169e6004fa6
Opcode Fuzzy Hash: 789b8b4bb0ab73352cc37038b561749136146399fcf5725f1f3e9913cb8e60dd
Instruction Fuzzy Hash: 31718F71E0D74345FEA9AF28B4772792291AF41BC0F5845B6C55E07EE1DE2DE883C241

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA82E18 Relevance: 18.1, APIs: 12, Instructions: 82COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 00007FF8CAA82E37

Part of subcall function 00007FF8CAA83024: HeapFree.KERNEL32(?,?,00000000,00007FF8CAA82DDC,?,?,?,00007FF8CAA82DFF,?,?,?,00007FF8CAA8254F,?,?,?,00007FF8CAA8262A), ref: 00007FF8CAA8303A
Part of subcall function 00007FF8CAA83024: _errno.LIBCMT ref: 00007FF8CAA83044
Part of subcall function 00007FF8CAA83024: GetLastError.KERNEL32(?,?,00000000,00007FF8CAA82DDC,?,?,?,00007FF8CAA82DFF,?,?,?,00007FF8CAA8254F,?,?,?,00007FF8CAA8262A), ref: 00007FF8CAA8304C

free.LIBCMT ref: 00007FF8CAA82E45
free.LIBCMT ref: 00007FF8CAA82E53
free.LIBCMT ref: 00007FF8CAA82E61
free.LIBCMT ref: 00007FF8CAA82E6F
free.LIBCMT ref: 00007FF8CAA82E7D
free.LIBCMT ref: 00007FF8CAA82E8E
free.LIBCMT ref: 00007FF8CAA82EA6
_lock.LIBCMT ref: 00007FF8CAA82EB0
free.LIBCMT ref: 00007FF8CAA82EDE
_lock.LIBCMT ref: 00007FF8CAA82EF3
free.LIBCMT ref: 00007FF8CAA82F3D

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: free$_lock$ErrorFreeHeapLast_errno
String ID:
API String ID: 1575098132-0
Opcode ID: d886c0d7000bdee151ce2691e9d9b5ad3208a0c45e3f1c810682f6e78acd55a8
Instruction ID: 246dcb2de0927e64f5563a53bd0ac32528e1e386dbfb9e1e0504268fd169efde
Opcode Fuzzy Hash: d886c0d7000bdee151ce2691e9d9b5ad3208a0c45e3f1c810682f6e78acd55a8
Instruction Fuzzy Hash: E4310E15A1B74285FEA9EEA1B07337852A5AF80BC4F0851B5DA1E07E96CF1CE846C325

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA90A34 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 256COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF8CAA90A5C

Part of subcall function 00007FF8CAA866D8: DecodePointer.KERNEL32 ref: 00007FF8CAA866FF

__wtomb_environ.LIBCMT ref: 00007FF8CAA90B55
_errno.LIBCMT ref: 00007FF8CAA90B5F
free.LIBCMT ref: 00007FF8CAA90C51
SetEnvironmentVariableA.KERNEL32 ref: 00007FF8CAA90D9C
_errno.LIBCMT ref: 00007FF8CAA90DAA
free.LIBCMT ref: 00007FF8CAA90DB8
free.LIBCMT ref: 00007FF8CAA90DC5
free.LIBCMT ref: 00007FF8CAA90DD7

Strings

@C, xrefs: 00007FF8CAA90AB7, 00007FF8CAA90BC9, 00007FF8CAA90C23, 00007FF8CAA90C95, 00007FF8CAA90CAE

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: free$_errno$DecodeEnvironmentPointerVariable__wtomb_environ
String ID: @C
API String ID: 3451773520-1665380956
Opcode ID: e694225545c17882180803efd4dd10bf6022db2104e00cc5aed2eaf73a595679
Instruction ID: 078d5793c0bec29010901c824a9bc4a2da28bbb22121fc69ad459ae34f571300
Opcode Fuzzy Hash: e694225545c17882180803efd4dd10bf6022db2104e00cc5aed2eaf73a595679
Instruction Fuzzy Hash: ACA12825F0974241FA60AF36B93227A6291FF40BD8F1486B5DA5D67BC5DF3EA4878300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA8A250 Relevance: 15.3, APIs: 10, Instructions: 253COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32 ref: 00007FF8CAA8A377

Part of subcall function 00007FF8CAA87D10: GetLastError.KERNEL32 ref: 00007FF8CAA87D79
Part of subcall function 00007FF8CAA87D10: free.LIBCMT ref: 00007FF8CAA87E05

free.LIBCMT ref: 00007FF8CAA8A540
free.LIBCMT ref: 00007FF8CAA8A550
free.LIBCMT ref: 00007FF8CAA8A560
free.LIBCMT ref: 00007FF8CAA8A56C
free.LIBCMT ref: 00007FF8CAA8A5C1
free.LIBCMT ref: 00007FF8CAA8A5C9
free.LIBCMT ref: 00007FF8CAA8A5D1
free.LIBCMT ref: 00007FF8CAA8A5D9
free.LIBCMT ref: 00007FF8CAA8A5E3

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: free$ErrorInfoLast
String ID:
API String ID: 189849726-0
Opcode ID: 5e1deda3965494b22b6a4b1c1a8d863e304f3e95d2d689d04d0c4e6b189d07b4
Instruction ID: 774d83ea4fe113323a2fede320244b851990fad92fca95a3c2d91e2883fd6c26
Opcode Fuzzy Hash: 5e1deda3965494b22b6a4b1c1a8d863e304f3e95d2d689d04d0c4e6b189d07b4
Instruction Fuzzy Hash: C7B1CB72A0879286DB64CF24F4663AD77A0FB48B84F45417AEB9D87B91DF39D442CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA84F04 Relevance: 13.8, APIs: 11, Instructions: 90COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 00007FF8CAA84F50

Part of subcall function 00007FF8CAA83024: HeapFree.KERNEL32(?,?,00000000,00007FF8CAA82DDC,?,?,?,00007FF8CAA82DFF,?,?,?,00007FF8CAA8254F,?,?,?,00007FF8CAA8262A), ref: 00007FF8CAA8303A
Part of subcall function 00007FF8CAA83024: _errno.LIBCMT ref: 00007FF8CAA83044
Part of subcall function 00007FF8CAA83024: GetLastError.KERNEL32(?,?,00000000,00007FF8CAA82DDC,?,?,?,00007FF8CAA82DFF,?,?,?,00007FF8CAA8254F,?,?,?,00007FF8CAA8262A), ref: 00007FF8CAA8304C

Part of subcall function 00007FF8CAA89DF8: free.LIBCMT ref: 00007FF8CAA89E16
Part of subcall function 00007FF8CAA89DF8: free.LIBCMT ref: 00007FF8CAA89E28
Part of subcall function 00007FF8CAA89DF8: free.LIBCMT ref: 00007FF8CAA89E3A
Part of subcall function 00007FF8CAA89DF8: free.LIBCMT ref: 00007FF8CAA89E4C
Part of subcall function 00007FF8CAA89DF8: free.LIBCMT ref: 00007FF8CAA89E5E
Part of subcall function 00007FF8CAA89DF8: free.LIBCMT ref: 00007FF8CAA89E70
Part of subcall function 00007FF8CAA89DF8: free.LIBCMT ref: 00007FF8CAA89E82

free.LIBCMT ref: 00007FF8CAA84F72
free.LIBCMT ref: 00007FF8CAA84F8A
free.LIBCMT ref: 00007FF8CAA84F96
free.LIBCMT ref: 00007FF8CAA84FBA
free.LIBCMT ref: 00007FF8CAA84FCE
free.LIBCMT ref: 00007FF8CAA84FDD
free.LIBCMT ref: 00007FF8CAA84FE9
free.LIBCMT ref: 00007FF8CAA85016
free.LIBCMT ref: 00007FF8CAA8503E
free.LIBCMT ref: 00007FF8CAA85058

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID:
API String ID: 1012874770-0
Opcode ID: 3c3af7d426be30cf8e9a0f4f5ff6786eb9999c553a10af8131577c7025441718
Instruction ID: aa96e65cf210c944a6ed6d1ef293e666f7d526b100ae9784ee8aa8cde0e5091a
Opcode Fuzzy Hash: 3c3af7d426be30cf8e9a0f4f5ff6786eb9999c553a10af8131577c7025441718
Instruction Fuzzy Hash: 6F41EF32A0978689EFA5DF65F4623B823A0AF84BC4F045475DA0D4BA95CF2DE892C351

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA8E23C Relevance: 13.7, APIs: 9, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF8CAA8E292
GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF8CAA8E2B1
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF8CAA8E356
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF8CAA8E3B5
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF8CAA8E3F0
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF8CAA8E42C
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF8CAA8E46C
free.LIBCMT ref: 00007FF8CAA8E47A
free.LIBCMT ref: 00007FF8CAA8E49C

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: ByteCharMultiWide$Infofree
String ID:
API String ID: 1638741495-0
Opcode ID: ce8117ab18d8874cf8440c92ec5f3b21420e9de26f709fb2524c2ddf018fd4d7
Instruction ID: 37a0718e91302630f013385613c3e220ca3420d07e8764a945f5ec0cdc3c8b66
Opcode Fuzzy Hash: ce8117ab18d8874cf8440c92ec5f3b21420e9de26f709fb2524c2ddf018fd4d7
Instruction Fuzzy Hash: C161D432A08781CAE7309F25B4611B966E1FB84BE8F584675DA1D4BFD4DF3CD9428200

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA8352C Relevance: 13.6, APIs: 9, Instructions: 98COMMON

Download Yara Rule

APIs

_lock.LIBCMT ref: 00007FF8CAA83555
DecodePointer.KERNEL32 ref: 00007FF8CAA83588
DecodePointer.KERNEL32 ref: 00007FF8CAA835A5
DecodePointer.KERNEL32 ref: 00007FF8CAA835E4
DecodePointer.KERNEL32 ref: 00007FF8CAA835FD
DecodePointer.KERNEL32 ref: 00007FF8CAA8360C
_initterm.LIBCMT ref: 00007FF8CAA8364B
_initterm.LIBCMT ref: 00007FF8CAA8365E
ExitProcess.KERNEL32 ref: 00007FF8CAA83697

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: DecodePointer$_initterm$ExitProcess_lock
String ID:
API String ID: 2551688548-0
Opcode ID: 7b592d45c7ca6c6d8cb3fd2d09d1fb2d25a7c433dc9c00e1470d97789b8f3c14
Instruction ID: 750ce5abd813ed61e9f97eea489cf8a3c62700dd4f466ddf8e643f74ea955107
Opcode Fuzzy Hash: 7b592d45c7ca6c6d8cb3fd2d09d1fb2d25a7c433dc9c00e1470d97789b8f3c14
Instruction Fuzzy Hash: 93419131A0E74285FA509F15F86617AA294FF887D4F4401B4EA4E53BA6EF3CE457C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA88F34 Relevance: 12.2, APIs: 8, Instructions: 173COMMONLIBRARYCODE

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(?,?,?,?,00000000,0000000A,00000008,00007FF8CAA89206), ref: 00007FF8CAA88F94
GetLastError.KERNEL32(?,?,?,?,00000000,0000000A,00000008,00007FF8CAA89206), ref: 00007FF8CAA88FA6
MultiByteToWideChar.KERNEL32(?,?,?,?,00000000,0000000A,00000008,00007FF8CAA89206), ref: 00007FF8CAA89006
MultiByteToWideChar.KERNEL32(?,?,?,?,00000000,0000000A,00000008,00007FF8CAA89206), ref: 00007FF8CAA890BC
GetStringTypeW.KERNEL32(?,?,?,?,00000000,0000000A,00000008,00007FF8CAA89206), ref: 00007FF8CAA890D3
free.LIBCMT ref: 00007FF8CAA890E4
GetStringTypeA.KERNEL32(?,?,?,?,00000000,0000000A,00000008,00007FF8CAA89206), ref: 00007FF8CAA89161
free.LIBCMT ref: 00007FF8CAA89171

Part of subcall function 00007FF8CAA8E23C: GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF8CAA8E292
Part of subcall function 00007FF8CAA8E23C: GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF8CAA8E2B1
Part of subcall function 00007FF8CAA8E23C: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF8CAA8E3B5
Part of subcall function 00007FF8CAA8E23C: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF8CAA8E3F0

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: ByteCharMultiWide$StringType$Infofree$ErrorLast
String ID:
API String ID: 3535580693-0
Opcode ID: 851e935c27dd1964d5f09fdb64281df2a61b0302174b786e63cdd007473657bb
Instruction ID: bcbcebac04a0686c62d1a1b392c9c40d1679c9baa46a1923b8d1a22f3d522bbb
Opcode Fuzzy Hash: 851e935c27dd1964d5f09fdb64281df2a61b0302174b786e63cdd007473657bb
Instruction Fuzzy Hash: 2B61D732B0874286EB609F65F46647867A2FB447E4F140275EA1D57FD4DF3CE8468340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA83758 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 199COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32 ref: 00007FF8CAA8377D

Part of subcall function 00007FF8CAA83108: Sleep.KERNEL32(?,?,0000000A,00007FF8CAA82DA3,?,?,?,00007FF8CAA82DFF,?,?,?,00007FF8CAA8254F,?,?,?,00007FF8CAA8262A), ref: 00007FF8CAA8314D

GetFileType.KERNEL32 ref: 00007FF8CAA838FA

Strings

@, xrefs: 00007FF8CAA839F5

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: FileInfoSleepStartupType
String ID: @
API String ID: 1527402494-2766056989
Opcode ID: be5b348199184886c2585225aa819b02cc7fe3bfefb3d916d7442fb5369bb0a2
Instruction ID: 24b7382cb0333fee15181c104da0123264c2fe14bbddec460dc943dc5cbbeb71
Opcode Fuzzy Hash: be5b348199184886c2585225aa819b02cc7fe3bfefb3d916d7442fb5369bb0a2
Instruction Fuzzy Hash: 63916A22A1878281E7108F28F46A6683A95BB057B4F6587B5C67D477D0DF7DE883C321

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA825F8 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 195COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF8CAA82534: _getptd.LIBCMT ref: 00007FF8CAA8254A

_errno.LIBCMT ref: 00007FF8CAA82638
_errno.LIBCMT ref: 00007FF8CAA827F2

Strings

-, xrefs: 00007FF8CAA826CA
+, xrefs: 00007FF8CAA826D5
0, xrefs: 00007FF8CAA82731
0, xrefs: 00007FF8CAA82703

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: _errno$_getptd
String ID: +$-$0$0
API String ID: 3432092939-699404926
Opcode ID: 8efefd5caa40435472e3a9c676caa775b17fe32abe7b41ee90b269364e345ab9
Instruction ID: fbfe6bf55e7f12ff564275add7c6ae2d5f34b769906d118cfff468a474ff9cf7
Opcode Fuzzy Hash: 8efefd5caa40435472e3a9c676caa775b17fe32abe7b41ee90b269364e345ab9
Instruction Fuzzy Hash: 2571C362D0C78285FBB54E16B43637A2691FF547D4F1541B6CEAA03ED2DE7CE84A8301

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA86AB8 Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

_FF_MSGBANNER.LIBCMT ref: 00007FF8CAA86ADF

Part of subcall function 00007FF8CAA86F0C: GetModuleFileNameA.KERNEL32(?,?,?,?,?,00007FF8CAA87194,?,?,?,?,00007FF8CAA86C69,?,?,00000000,00007FF8CAA830C0), ref: 00007FF8CAA86FCF

Part of subcall function 00007FF8CAA8334C: ExitProcess.KERNEL32 ref: 00007FF8CAA8335B

Part of subcall function 00007FF8CAA8309C: Sleep.KERNEL32(?,?,00000000,00007FF8CAA86B19,?,?,00000000,00007FF8CAA86BC3,?,?,?,?,?,?,00000000,00007FF8CAA82DC8), ref: 00007FF8CAA830D2

_errno.LIBCMT ref: 00007FF8CAA86B21
_lock.LIBCMT ref: 00007FF8CAA86B35
free.LIBCMT ref: 00007FF8CAA86B57
_errno.LIBCMT ref: 00007FF8CAA86B5C
LeaveCriticalSection.KERNEL32(?,?,00000000,00007FF8CAA86BC3,?,?,?,?,?,?,00000000,00007FF8CAA82DC8,?,?,?,00007FF8CAA82DFF), ref: 00007FF8CAA86B82

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: _errno$CriticalExitFileLeaveModuleNameProcessSectionSleep_lockfree
String ID:
API String ID: 1354249094-0
Opcode ID: 281a6b99e1ceef077376b7d12b8049e3985eb177f8c0a9ab58ee7c303b441a02
Instruction ID: 63dd273163ea8f55a54c41c8b9cb1ab18c3e5a362d7fc324d642d998c31fc167
Opcode Fuzzy Hash: 281a6b99e1ceef077376b7d12b8049e3985eb177f8c0a9ab58ee7c303b441a02
Instruction Fuzzy Hash: D5215321E5974282F650AF11B8763FA62A5EF847D4F0450B5EA4E47AE2CF3CE8428751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA82D70 Relevance: 9.0, APIs: 6, Instructions: 37threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF8CAA82DFF,?,?,?,00007FF8CAA8254F,?,?,?,00007FF8CAA8262A), ref: 00007FF8CAA82D7A
FlsGetValue.KERNEL32(?,?,?,00007FF8CAA82DFF,?,?,?,00007FF8CAA8254F,?,?,?,00007FF8CAA8262A), ref: 00007FF8CAA82D88
SetLastError.KERNEL32(?,?,?,00007FF8CAA82DFF,?,?,?,00007FF8CAA8254F,?,?,?,00007FF8CAA8262A), ref: 00007FF8CAA82DE0

Part of subcall function 00007FF8CAA83108: Sleep.KERNEL32(?,?,0000000A,00007FF8CAA82DA3,?,?,?,00007FF8CAA82DFF,?,?,?,00007FF8CAA8254F,?,?,?,00007FF8CAA8262A), ref: 00007FF8CAA8314D

FlsSetValue.KERNEL32(?,?,?,00007FF8CAA82DFF,?,?,?,00007FF8CAA8254F,?,?,?,00007FF8CAA8262A), ref: 00007FF8CAA82DB4
free.LIBCMT ref: 00007FF8CAA82DD7

Part of subcall function 00007FF8CAA82CBC: _lock.LIBCMT ref: 00007FF8CAA82D0C
Part of subcall function 00007FF8CAA82CBC: _lock.LIBCMT ref: 00007FF8CAA82D2C

GetCurrentThreadId.KERNEL32 ref: 00007FF8CAA82DC8

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: ErrorLastValue_lock$CurrentSleepThreadfree
String ID:
API String ID: 3106088686-0
Opcode ID: 1a58bbec3c0441b91cbee7445021737d92780d7df2029101222d8d22fa3fe0c2
Instruction ID: da4f433210068943a8a034d5d38cbb303e94cc0a055682dc2aadd90ffd879957
Opcode Fuzzy Hash: 1a58bbec3c0441b91cbee7445021737d92780d7df2029101222d8d22fa3fe0c2
Instruction Fuzzy Hash: 7D018820A09B4342FB955F75B47717826A2AF487E0F4481B4C92D177D5EE3CE84AC210

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA89DF8 Relevance: 8.8, APIs: 7, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 00007FF8CAA89E16

Part of subcall function 00007FF8CAA83024: HeapFree.KERNEL32(?,?,00000000,00007FF8CAA82DDC,?,?,?,00007FF8CAA82DFF,?,?,?,00007FF8CAA8254F,?,?,?,00007FF8CAA8262A), ref: 00007FF8CAA8303A
Part of subcall function 00007FF8CAA83024: _errno.LIBCMT ref: 00007FF8CAA83044
Part of subcall function 00007FF8CAA83024: GetLastError.KERNEL32(?,?,00000000,00007FF8CAA82DDC,?,?,?,00007FF8CAA82DFF,?,?,?,00007FF8CAA8254F,?,?,?,00007FF8CAA8262A), ref: 00007FF8CAA8304C

free.LIBCMT ref: 00007FF8CAA89E28
free.LIBCMT ref: 00007FF8CAA89E3A
free.LIBCMT ref: 00007FF8CAA89E4C
free.LIBCMT ref: 00007FF8CAA89E5E
free.LIBCMT ref: 00007FF8CAA89E70
free.LIBCMT ref: 00007FF8CAA89E82

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID:
API String ID: 1012874770-0
Opcode ID: 2467c4f6b5832abe9fd2be6a03a61b6f94b407d58b9f6526efad8e926ce1459f
Instruction ID: 21fe6a51398634f5de9433be5ef76c8864868c1ade57513e5b2b0d9242e45b49
Opcode Fuzzy Hash: 2467c4f6b5832abe9fd2be6a03a61b6f94b407d58b9f6526efad8e926ce1459f
Instruction Fuzzy Hash: 5B019C13A0974291FEA5DFA1F4B30745761AF947C4F4810B1E60E5B995CF6DF8828325

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA89E90 Relevance: 7.7, APIs: 6, Instructions: 246COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 00007FF8CAA89F10
free.LIBCMT ref: 00007FF8CAA89F37
free.LIBCMT ref: 00007FF8CAA8A208
free.LIBCMT ref: 00007FF8CAA8A214

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 66c2a68ae6921ce3eae9ed6cb47659e8359417b2a45b1d2ea151f135524af05a
Instruction ID: f30601c13b363126b058bed06aef24ef426db98c632cc83a915a405688eb7ec6
Opcode Fuzzy Hash: 66c2a68ae6921ce3eae9ed6cb47659e8359417b2a45b1d2ea151f135524af05a
Instruction Fuzzy Hash: EEB18232B18B4589EB20DF62F4516EA77A0FB85784F404571EA8E43B89EF3CD106C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA860B0 Relevance: 7.6, APIs: 5, Instructions: 88COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF8CAA860F3
free.LIBCMT ref: 00007FF8CAA86133
free.LIBCMT ref: 00007FF8CAA86153
free.LIBCMT ref: 00007FF8CAA861B0
free.LIBCMT ref: 00007FF8CAA861C8

Part of subcall function 00007FF8CAA83108: Sleep.KERNEL32(?,?,0000000A,00007FF8CAA82DA3,?,?,?,00007FF8CAA82DFF,?,?,?,00007FF8CAA8254F,?,?,?,00007FF8CAA8262A), ref: 00007FF8CAA8314D

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: free$Sleep_errno
String ID:
API String ID: 2081351063-0
Opcode ID: ec136e1b37b0cf75a1e1cbd0173697211363db55ec0de315659f58b3930cb5b5
Instruction ID: fae404fa2ff770c5020907cedb2d661360b231b6d8e2b7acb0a0c5522c864684
Opcode Fuzzy Hash: ec136e1b37b0cf75a1e1cbd0173697211363db55ec0de315659f58b3930cb5b5
Instruction Fuzzy Hash: 1D314321A0874285FB55AF21F9722BD66A1AF44FC4F488075DE0D0BBA7DE3CE812C350

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA872D4 Relevance: 7.6, APIs: 5, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,00007FF8CAA873E5,?,?,?,?,00007FF8CAA834D2,?,?,?,00007FF8CAA821CB), ref: 00007FF8CAA872FD
DecodePointer.KERNEL32(?,?,?,00007FF8CAA873E5,?,?,?,?,00007FF8CAA834D2,?,?,?,00007FF8CAA821CB), ref: 00007FF8CAA8730C

Part of subcall function 00007FF8CAA8D070: _errno.LIBCMT ref: 00007FF8CAA8D079

EncodePointer.KERNEL32(?,?,?,00007FF8CAA873E5,?,?,?,?,00007FF8CAA834D2,?,?,?,00007FF8CAA821CB), ref: 00007FF8CAA87389

Part of subcall function 00007FF8CAA8318C: realloc.LIBCMT ref: 00007FF8CAA831B7
Part of subcall function 00007FF8CAA8318C: Sleep.KERNEL32(?,?,00000000,00007FF8CAA87379,?,?,?,00007FF8CAA873E5,?,?,?,?,00007FF8CAA834D2), ref: 00007FF8CAA831D3

EncodePointer.KERNEL32(?,?,?,00007FF8CAA873E5,?,?,?,?,00007FF8CAA834D2,?,?,?,00007FF8CAA821CB), ref: 00007FF8CAA87398
EncodePointer.KERNEL32(?,?,?,00007FF8CAA873E5,?,?,?,?,00007FF8CAA834D2,?,?,?,00007FF8CAA821CB), ref: 00007FF8CAA873A4

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: Pointer$Encode$Decode$Sleep_errnorealloc
String ID:
API String ID: 1310268301-0
Opcode ID: 45f99762a2f7ec127277c333d1f44571b1c8f3f0bb701b28e9aac5b400b42b2d
Instruction ID: a2a11e65834e4db9da975548a95410d8ad0e4262f1ffc9682ebdaa7e9c9372b5
Opcode Fuzzy Hash: 45f99762a2f7ec127277c333d1f44571b1c8f3f0bb701b28e9aac5b400b42b2d
Instruction Fuzzy Hash: F621A121B0974241EE15EF22F56A0B9A291FB45BC0F4448B5DD0D1BB9AEE7CE087C301

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA871A4 Relevance: 7.6, APIs: 5, Instructions: 65COMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32 ref: 00007FF8CAA871C6
DecodePointer.KERNEL32 ref: 00007FF8CAA871D5

Part of subcall function 00007FF8CAA8D070: _errno.LIBCMT ref: 00007FF8CAA8D079

EncodePointer.KERNEL32 ref: 00007FF8CAA87248

Part of subcall function 00007FF8CAA8318C: realloc.LIBCMT ref: 00007FF8CAA831B7
Part of subcall function 00007FF8CAA8318C: Sleep.KERNEL32(?,?,00000000,00007FF8CAA87379,?,?,?,00007FF8CAA873E5,?,?,?,?,00007FF8CAA834D2), ref: 00007FF8CAA831D3

EncodePointer.KERNEL32 ref: 00007FF8CAA87257
EncodePointer.KERNEL32 ref: 00007FF8CAA87263

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: Pointer$Encode$Decode$Sleep_errnorealloc
String ID:
API String ID: 1310268301-0
Opcode ID: eece0b224e2bcc70f9921190d9f8722cba86776407b6ce9ac89865c4675fc459
Instruction ID: 880e4581d2f41580ccff8e3514b6ab7fe32f5f1a18dc29bde75242fe774a7b01
Opcode Fuzzy Hash: eece0b224e2bcc70f9921190d9f8722cba86776407b6ce9ac89865c4675fc459
Instruction Fuzzy Hash: D121D160B0E78284EE44EF52F66A179A351BB45BC0F4804B5EE5D0BF5AEE3CE056C300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA83AEC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

__initmbctable.LIBCMT ref: 00007FF8CAA83B09
free.LIBCMT ref: 00007FF8CAA83BD0
free.LIBCMT ref: 00007FF8CAA83C09

Strings

@C, xrefs: 00007FF8CAA83C02

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: free$__initmbctable
String ID: @C
API String ID: 2804101511-1665380956
Opcode ID: 62b67f3d166044e4c3a65fa2a8f4440ca774743433b5403a5dc793ed1f544cce
Instruction ID: 6f31c3416f9c05614aedacd280402e6ab9bec83a7e253ac5292384c0788b3cbc
Opcode Fuzzy Hash: 62b67f3d166044e4c3a65fa2a8f4440ca774743433b5403a5dc793ed1f544cce
Instruction Fuzzy Hash: EA317A61E0C79285FB949F25F82B3796790AF45BC4F0845B5DA4C17A96EF3CE4468320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA83310 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,000000FF,00007FF8CAA83359,?,?,00000028,00007FF8CAA86C7D,?,?,00000000,00007FF8CAA830C0,?,?,00000000,00007FF8CAA86B19), ref: 00007FF8CAA8331F
GetProcAddress.KERNEL32(?,?,000000FF,00007FF8CAA83359,?,?,00000028,00007FF8CAA86C7D,?,?,00000000,00007FF8CAA830C0,?,?,00000000,00007FF8CAA86B19), ref: 00007FF8CAA83334

Strings

mscoree.dll, xrefs: 00007FF8CAA83318
CorExitProcess, xrefs: 00007FF8CAA8332A

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 1646373207-1276376045
Opcode ID: d72bc5d50b22d09011b632762878156ef0257bf259d16f3c3461911ef1dd3856
Instruction ID: 180a18c350cd1e2f367e8d9011e5cade31f33bca25cadb33d513497497ba214a
Opcode Fuzzy Hash: d72bc5d50b22d09011b632762878156ef0257bf259d16f3c3461911ef1dd3856
Instruction Fuzzy Hash: 0DE01250F1A70251FE595F70B8A61341290AF58BA0F4864B8C81F173A0EE7CAA9EC350

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA8575C Relevance: 6.4, APIs: 5, Instructions: 134COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8CAA8309C: Sleep.KERNEL32(?,?,00000000,00007FF8CAA86B19,?,?,00000000,00007FF8CAA86BC3,?,?,?,?,?,?,00000000,00007FF8CAA82DC8), ref: 00007FF8CAA830D2

Part of subcall function 00007FF8CAA8BDF4: _errno.LIBCMT ref: 00007FF8CAA8BE0F

free.LIBCMT ref: 00007FF8CAA858A5
free.LIBCMT ref: 00007FF8CAA858C1

Part of subcall function 00007FF8CAA86550: RtlCaptureContext.KERNEL32 ref: 00007FF8CAA8658F
Part of subcall function 00007FF8CAA86550: IsDebuggerPresent.KERNEL32 ref: 00007FF8CAA8662D
Part of subcall function 00007FF8CAA86550: SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF8CAA86637
Part of subcall function 00007FF8CAA86550: UnhandledExceptionFilter.KERNEL32 ref: 00007FF8CAA86642
Part of subcall function 00007FF8CAA86550: GetCurrentProcess.KERNEL32 ref: 00007FF8CAA86658
Part of subcall function 00007FF8CAA86550: TerminateProcess.KERNEL32 ref: 00007FF8CAA86666

free.LIBCMT ref: 00007FF8CAA858D6

Part of subcall function 00007FF8CAA83024: HeapFree.KERNEL32(?,?,00000000,00007FF8CAA82DDC,?,?,?,00007FF8CAA82DFF,?,?,?,00007FF8CAA8254F,?,?,?,00007FF8CAA8262A), ref: 00007FF8CAA8303A
Part of subcall function 00007FF8CAA83024: _errno.LIBCMT ref: 00007FF8CAA83044
Part of subcall function 00007FF8CAA83024: GetLastError.KERNEL32(?,?,00000000,00007FF8CAA82DDC,?,?,?,00007FF8CAA82DFF,?,?,?,00007FF8CAA8254F,?,?,?,00007FF8CAA8262A), ref: 00007FF8CAA8304C

free.LIBCMT ref: 00007FF8CAA858F5
free.LIBCMT ref: 00007FF8CAA85911

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: free$ExceptionFilterProcessUnhandled_errno$CaptureContextCurrentDebuggerErrorFreeHeapLastPresentSleepTerminate
String ID:
API String ID: 2294642566-0
Opcode ID: dc7ff44f8b32ef672d501b76c056c74ad4bf38a7a2c0d5bc14e1adea1997e9e3
Instruction ID: 2550e7df787062008bdb435e5ec7e6c316abb6a66e5f7046f0d7ddb43ebf4ab4
Opcode Fuzzy Hash: dc7ff44f8b32ef672d501b76c056c74ad4bf38a7a2c0d5bc14e1adea1997e9e3
Instruction Fuzzy Hash: F7518136A04B8282EB619F29F82216D63A5FB84BE8F584076DE4D47B95DE3CD947C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA85B84 Relevance: 6.2, APIs: 4, Instructions: 186COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FF8CAA85BB6

Part of subcall function 00007FF8CAA85944: _getptd.LIBCMT ref: 00007FF8CAA8597E

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: _getptd
String ID:
API String ID: 3186804695-0
Opcode ID: fa6ae430652ad88a2b7c0fc47314cf8fd6a4311639ac00b8795087540084e4bb
Instruction ID: ba7df2f1232879a6be55efc70e52b7b22c4d02b5a75416af4e1705e360ed88fa
Opcode Fuzzy Hash: fa6ae430652ad88a2b7c0fc47314cf8fd6a4311639ac00b8795087540084e4bb
Instruction Fuzzy Hash: 11818C72A0978296EB24DF25F1956AAB7A0FB44788F504136DF8D47B54EF3CE452CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA861F0 Relevance: 6.1, APIs: 4, Instructions: 122COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF8CAA86217

Part of subcall function 00007FF8CAA866D8: DecodePointer.KERNEL32 ref: 00007FF8CAA866FF

_getptd.LIBCMT ref: 00007FF8CAA8623D
_lock.LIBCMT ref: 00007FF8CAA86276
_lock.LIBCMT ref: 00007FF8CAA86309

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: _lock$DecodePointer_errno_getptd
String ID:
API String ID: 4201827665-0
Opcode ID: 80346bd32cbc0638794b0fd1901a532c5b35ee42fd123eebcbfe5a7804c514a3
Instruction ID: 82a897e3f3128c779229154c4a964cf38be3677856b009c6a95d27eca68b8a0b
Opcode Fuzzy Hash: 80346bd32cbc0638794b0fd1901a532c5b35ee42fd123eebcbfe5a7804c514a3
Instruction Fuzzy Hash: 0B516C31A0978286FB54EF25B8627BA6691FF447C4F1040B9DE4E57BA2DE7CE4428700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA8F9E8 Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF8CAA8FA07

Part of subcall function 00007FF8CAA866D8: DecodePointer.KERNEL32 ref: 00007FF8CAA866FF

calloc.LIBCMT ref: 00007FF8CAA8FA65
_errno.LIBCMT ref: 00007FF8CAA8FA72
_errno.LIBCMT ref: 00007FF8CAA8FA7D

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: _errno$DecodePointercalloc
String ID:
API String ID: 1531210114-0
Opcode ID: 135c3f51b5ce2e738d355fd0c7e716948f0291e158272fe6257324d9ebc5dc22
Instruction ID: 39bfce2f0365cec68ac23165ff66fed1eb3e87701f3ab9be8ba4ebdd7e2885e3
Opcode Fuzzy Hash: 135c3f51b5ce2e738d355fd0c7e716948f0291e158272fe6257324d9ebc5dc22
Instruction Fuzzy Hash: D9217122A0874345FB559F65B4223BEA291AF58BD4F448574DF4C47F86DF3DD8128740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA8539C Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

_lock.LIBCMT ref: 00007FF8CAA853B2
free.LIBCMT ref: 00007FF8CAA853D7

Part of subcall function 00007FF8CAA83024: HeapFree.KERNEL32(?,?,00000000,00007FF8CAA82DDC,?,?,?,00007FF8CAA82DFF,?,?,?,00007FF8CAA8254F,?,?,?,00007FF8CAA8262A), ref: 00007FF8CAA8303A
Part of subcall function 00007FF8CAA83024: _errno.LIBCMT ref: 00007FF8CAA83044
Part of subcall function 00007FF8CAA83024: GetLastError.KERNEL32(?,?,00000000,00007FF8CAA82DDC,?,?,?,00007FF8CAA82DFF,?,?,?,00007FF8CAA8254F,?,?,?,00007FF8CAA8262A), ref: 00007FF8CAA8304C

_lock.LIBCMT ref: 00007FF8CAA853F2
free.LIBCMT ref: 00007FF8CAA85438

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: _lockfree$ErrorFreeHeapLast_errno
String ID:
API String ID: 3188102813-0
Opcode ID: 09c59b142491067d37077feec729aeb8b77d96716ac98985a4df9f6db3f8d771
Instruction ID: 79511659adaf980bd0601400b349a75193bfd1cb135a56ab56d1d9ef68ddf26a
Opcode Fuzzy Hash: 09c59b142491067d37077feec729aeb8b77d96716ac98985a4df9f6db3f8d771
Instruction Fuzzy Hash: 50113011E8B70385FF559E70F4733B822A19F40B88F0491B5DA5E07AD5DE6CA8438321

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA82C94 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

FlsFree.KERNEL32(?,?,?,?,00007FF8CAA82217), ref: 00007FF8CAA82CA3
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF8CAA82217), ref: 00007FF8CAA86A32
free.LIBCMT ref: 00007FF8CAA86A3B
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF8CAA82217), ref: 00007FF8CAA86A5B

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: CriticalDeleteSection$Freefree
String ID:
API String ID: 1250194111-0
Opcode ID: 0b4381b0394cf9d2fe44ee79bc2f59f9ea8a8cfc0730820b202f43bccc0e215f
Instruction ID: 5118d7a01e874c04e464621972cbe2ec31e5f21806224c69ff6f4608afa2510f
Opcode Fuzzy Hash: 0b4381b0394cf9d2fe44ee79bc2f59f9ea8a8cfc0730820b202f43bccc0e215f
Instruction Fuzzy Hash: E9116031E0974286FA148F15F8A61B87360FF44BD0F588570D66D13AA5CF3CE4A78700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA8544C Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FF8CAA85456

Part of subcall function 00007FF8CAA83108: Sleep.KERNEL32(?,?,0000000A,00007FF8CAA82DA3,?,?,?,00007FF8CAA82DFF,?,?,?,00007FF8CAA8254F,?,?,?,00007FF8CAA8262A), ref: 00007FF8CAA8314D

_errno.LIBCMT ref: 00007FF8CAA85473
_lock.LIBCMT ref: 00007FF8CAA854A6
_lock.LIBCMT ref: 00007FF8CAA854C4

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: _lock$Sleep_errno_getptd
String ID:
API String ID: 2111406555-0
Opcode ID: 673e868a23441bf53d2040884fedd38da7dd7cebd98ae69a44e812092c6a0ba8
Instruction ID: 6705138e878854ab9f364537e80e81638b1936b2a7becb4bfc563eeea5a16bfa
Opcode Fuzzy Hash: 673e868a23441bf53d2040884fedd38da7dd7cebd98ae69a44e812092c6a0ba8
Instruction Fuzzy Hash: 78015E21A0974286FB486F75F4737BD6261EF44BC8F448074DA0D07BD7DE2CA8668361

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA8BB50 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 136COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF8CAA82534: _getptd.LIBCMT ref: 00007FF8CAA8254A

_errno.LIBCMT ref: 00007FF8CAA8BCD8
_errno.LIBCMT ref: 00007FF8CAA8BD12

Strings

#, xrefs: 00007FF8CAA8BC70

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: _errno$_getptd
String ID: #
API String ID: 3432092939-1885708031
Opcode ID: 9b19af0c0418e3e0b258a70cd69edc5393c065aacbb8da76a6c44f52b7c881eb
Instruction ID: 345eb20c9febb41ef80ab93041cb2605cc3a9c36bbce226f6b844b7fb2a07925
Opcode Fuzzy Hash: 9b19af0c0418e3e0b258a70cd69edc5393c065aacbb8da76a6c44f52b7c881eb
Instruction Fuzzy Hash: 4B51A222A0CBC585E7219F25F4612BEBBA0FB85BC0F584172DA9D17B59CE3DD842CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CAA89BB0 Relevance: 5.1, APIs: 4, Instructions: 148COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 00007FF8CAA89C43
free.LIBCMT ref: 00007FF8CAA89CDB
free.LIBCMT ref: 00007FF8CAA89D76
free.LIBCMT ref: 00007FF8CAA89D82

Memory Dump Source

Source File: 00000002.00000002.357518371.00007FF8CAA41000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CAA40000, based on PE: true

Associated: 00000002.00000002.357500599.00007FF8CAA40000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357614302.00007FF8CAA92000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357622078.00007FF8CAA96000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.357628641.00007FF8CAA99000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8caa40000_regsvr32.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: b79b3224c3083f646637f6279f6889a3266e8c7020fbd897531d60d37c45b2be
Instruction ID: 45bb50bf378c7756a80ef51b6cbbc673a327ee581ef17d0d7d981ce03f55062f
Opcode Fuzzy Hash: b79b3224c3083f646637f6279f6889a3266e8c7020fbd897531d60d37c45b2be
Instruction Fuzzy Hash: 0051B332A087828AEB609F62F4621B977A0BB45BC0F544572DB9E47B85CF3DE943C304

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exePID: 6596, Parent PID: 5600COMMON

Execution Graph

Execution Coverage:	10.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	11
Total number of Limit Nodes:	0

Executed Functions

Function 00000181D0AB0000 Relevance: 76.3, APIs: 5, Strings: 38, Instructions: 1094
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 00000181D0AB0450
GetNativeSystemInfo.KERNELBASE ref: 00000181D0AB0539
VirtualAlloc.KERNELBASE ref: 00000181D0AB0580
VirtualProtect.KERNELBASE ref: 00000181D0AB09E9
RtlAddFunctionTable.KERNEL32 ref: 00000181D0AB0A79

Strings

Load, xrefs: 00000181D0AB02F4
hIns, xrefs: 00000181D0AB011A
ualA, xrefs: 00000181D0AB00E8
ddFu, xrefs: 00000181D0AB0163
Slee, xrefs: 00000181D0AB00B7
eSys, xrefs: 00000181D0AB0144
Reso, xrefs: 00000181D0AB0338
tion, xrefs: 00000181D0AB0128
Lock, xrefs: 00000181D0AB0330
urce, xrefs: 00000181D0AB0340
sour, xrefs: 00000181D0AB031F
GetN, xrefs: 00000181D0AB0136
Flus, xrefs: 00000181D0AB0113
Cach, xrefs: 00000181D0AB012F
truc, xrefs: 00000181D0AB0121
Reso, xrefs: 00000181D0AB02FC
Virt, xrefs: 00000181D0AB00F8
Load, xrefs: 00000181D0AB00C8
Reso, xrefs: 00000181D0AB0355
onTa, xrefs: 00000181D0AB0171
rote, xrefs: 00000181D0AB0106
lloc, xrefs: 00000181D0AB00F0
urce, xrefs: 00000181D0AB035D
RtlA, xrefs: 00000181D0AB015C
ativ, xrefs: 00000181D0AB013D
Virt, xrefs: 00000181D0AB00E0
Free, xrefs: 00000181D0AB034D
ncti, xrefs: 00000181D0AB016A
ofRe, xrefs: 00000181D0AB0318
urce, xrefs: 00000181D0AB0304
Size, xrefs: 00000181D0AB0311
Reso, xrefs: 00000181D0AB02DB
ualP, xrefs: 00000181D0AB00FF
urce, xrefs: 00000181D0AB02E7
temI, xrefs: 00000181D0AB014B
aryA, xrefs: 00000181D0AB00D8
Find, xrefs: 00000181D0AB02D0
Libr, xrefs: 00000181D0AB00D0

Memory Dump Source

Source File: 00000003.00000002.354516906.00000181D0AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000181D0AB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_181d0ab0000_rundll32.jbxd

Similarity

API ID: Virtual$Alloc$FunctionInfoNativeProtectSystemTable
String ID: Cach$Find$Flus$Free$GetN$Libr$Load$Load$Lock$Reso$Reso$Reso$Reso$RtlA$Size$Slee$Virt$Virt$aryA$ativ$ddFu$eSys$hIns$lloc$ncti$ofRe$onTa$rote$sour$temI$tion$truc$ualA$ualP$urce$urce$urce$urce
API String ID: 394283112-2517549848
Opcode ID: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
Instruction ID: f8d79bef3658706135220a1894f7d984f07e043c36bd1a885373c293b3560305
Opcode Fuzzy Hash: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
Instruction Fuzzy Hash: BA72D331518B489BDB69DF58C889BEDB7E4FB94344F108A2DE88AC3251DF34D642CB85

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002C058 Relevance: 10.4, Strings: 8, Instructions: 370
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

-:, xrefs: 000000018002C100
(I, xrefs: 000000018002C62C
<W, xrefs: 000000018002C1D0
Z, xrefs: 000000018002C36B
l, xrefs: 000000018002C347
l, xrefs: 000000018002C1F5
Ekf, xrefs: 000000018002C0CA
#C, xrefs: 000000018002C55D

Memory Dump Source

Source File: 00000003.00000002.354213067.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: #C$(I$-:$Ekf$<W$Z$l$l
API String ID: 0-464535774
Opcode ID: d8792019bb8cd892c5e2cff0ba87425d7977148afb5a5f987cda1e45d5ff9126
Instruction ID: edc4d0e98499d5b5adff65828f8d1fd2ac7ce79502a6533da94e18623254a36a
Opcode Fuzzy Hash: d8792019bb8cd892c5e2cff0ba87425d7977148afb5a5f987cda1e45d5ff9126
Instruction Fuzzy Hash: C102E3B151038CDBCB99DF28C8CAADD3BA1FB48398F956219FD0697260D774D884CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180010FF4 Relevance: 7.9, Strings: 6, Instructions: 363
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/Zb, xrefs: 000000018001119F
/v|, xrefs: 00000001800113E2
lA, xrefs: 0000000180011819
)|x, xrefs: 000000018001168C
OV4T, xrefs: 0000000180011307
\, xrefs: 0000000180011205

Memory Dump Source

Source File: 00000003.00000002.354213067.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: )|x$/Zb$/v|$OV4T$\$lA
API String ID: 0-3528011396
Opcode ID: 74ea3d61a93069fa3a56a5f8f60d4b0c7eeb5b014d6ac06c6862fd203c8e6463
Instruction ID: 5dbdb21e6b24644f90705741d0e2e2cc24c858ca1caac6c8284349b4f9dc1789
Opcode Fuzzy Hash: 74ea3d61a93069fa3a56a5f8f60d4b0c7eeb5b014d6ac06c6862fd203c8e6463
Instruction Fuzzy Hash: 8C2204705097C8CBDBBECF64C885BDA7BA8FB44B08F10521DEA4A9E258DB745744CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180021618 Relevance: 7.8, Strings: 6, Instructions: 266
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

)O, xrefs: 000000018002164B
F>9, xrefs: 0000000180021937
t(/, xrefs: 0000000180021ABB
&.+, xrefs: 000000018002180B
, xrefs: 00000001800219DA
.pN, xrefs: 0000000180021AE0

Memory Dump Source

Source File: 00000003.00000002.354213067.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $&.+$)O$.pN$F>9$t(/
API String ID: 0-3036092626
Opcode ID: 549a8b626face2190b4149bba4d09d4cb88f6d29378e8937dde350adb7fd5a83
Instruction ID: e4baced68933c0a0796cf32b330105f1a6d3ed4de4784e8c7f389f9334031704
Opcode Fuzzy Hash: 549a8b626face2190b4149bba4d09d4cb88f6d29378e8937dde350adb7fd5a83
Instruction Fuzzy Hash: E6E109716093C89FEBBACF24C8897DE7BA1FB59344F50421DD88A8E250DB745B49CB42

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000C608 Relevance: 5.6, Strings: 4, Instructions: 616
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

K', xrefs: 000000018000CAC7
sf, xrefs: 000000018000CE95
w\H, xrefs: 000000018000C959
+#;), xrefs: 000000018000CBDA

Memory Dump Source

Source File: 00000003.00000002.354213067.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: +#;)$K'$sf$w\H
API String ID: 0-1051058546
Opcode ID: 6c53062de77b202a7a918e5f4038520a98252693d28bf41343123917f80ba32c
Instruction ID: 30c6111824d62709d88844cae5ccd518ea343406d57bec7882368cdc1c6a6611
Opcode Fuzzy Hash: 6c53062de77b202a7a918e5f4038520a98252693d28bf41343123917f80ba32c
Instruction Fuzzy Hash: 8362F97050068D8FDB48DF28C89A6DD3FA1FB58388F524229FC4AA7251D778D999CBC4

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001E3AC Relevance: 4.0, Strings: 3, Instructions: 215
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

<4P, xrefs: 000000018001E690
<8, xrefs: 000000018001E63C
<w., xrefs: 000000018001E582

Memory Dump Source

Source File: 00000003.00000002.354213067.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: <4P$<8$<w.
API String ID: 0-1030867500
Opcode ID: 6c4ff939f0d35883aefbb319d4430fd67387b4e339adb0f797cabce8c6a4bf31
Instruction ID: 97d266913d6b0fd63d839b3c54903fd41a2ccd22a8a26fffcb9587bfe3b6431f
Opcode Fuzzy Hash: 6c4ff939f0d35883aefbb319d4430fd67387b4e339adb0f797cabce8c6a4bf31
Instruction Fuzzy Hash: C8B1E17151A384ABD788CF28C1C994BBBE1FBD4754F906A1DF8C68B260D7B0D948CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180009100 Relevance: .1, Instructions: 125
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.354213067.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9400724a362ecc304d993d2fe4c896d101fab294f6d1cf34a07a96bc2a8ce181
Instruction ID: 281782cf28aa09d34d334260f991d1b96cfbd8271b51b9b7c31761fd0664cb75
Opcode Fuzzy Hash: 9400724a362ecc304d993d2fe4c896d101fab294f6d1cf34a07a96bc2a8ce181
Instruction Fuzzy Hash: 4B51EC715087889BCBB8DF18C9856CA7BF0FF95704F50891DE9898B250DF719A44DB42

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0000000180022010 Relevance: 9.0, Strings: 7, Instructions: 235
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

]k, xrefs: 0000000180022069
]k, xrefs: 000000018002232E
"+H, xrefs: 000000018002236A
M8;, xrefs: 0000000180022338
]$d, xrefs: 00000001800220D6
94, xrefs: 0000000180022371
1l7., xrefs: 00000001800220AF

Memory Dump Source

Source File: 00000003.00000002.354213067.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: "+H$1l7.$M8;$]$d$]k$]k$94
API String ID: 0-2447245168
Opcode ID: 3fd6bef9004380659c47559ba6e3d81fe5eea7f701e849f333ef0deba45e7d13
Instruction ID: 1221e244f5383d3e6569bf50eb566ee92e7d288cf12f4405919b94e37960c7a7
Opcode Fuzzy Hash: 3fd6bef9004380659c47559ba6e3d81fe5eea7f701e849f333ef0deba45e7d13
Instruction Fuzzy Hash: 3FB10D7160130CCBDBA9DF28C18A6DA3BE1FF48748F114129FD1A97261D774E919CB46

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800059B8 Relevance: 7.9, Strings: 6, Instructions: 408
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Mv`b, xrefs: 0000000180005D4E
R3T, xrefs: 0000000180005C59
t:v, xrefs: 0000000180005E76
d}9J, xrefs: 0000000180006179
-!zt, xrefs: 0000000180005BD7
ru, xrefs: 000000018000623C

Memory Dump Source

Source File: 00000003.00000002.354213067.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: -!zt$Mv`b$R3T$d}9J$t:v$ru
API String ID: 0-2100131636
Opcode ID: e0551372703c1c57f1fc0d9d1de0f1be02ef62f192bed394747547d409ac2d0a
Instruction ID: abddbd47ac15f5a8ffacaf8e31a06efd054a3dbd2afb1a66e8bbaa14beb483a4
Opcode Fuzzy Hash: e0551372703c1c57f1fc0d9d1de0f1be02ef62f192bed394747547d409ac2d0a
Instruction Fuzzy Hash: C1221BB050478C8BDBB8CF64C9897DD7BB0FB44308F10862DDA5AAB250CBB45686CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180013780 Relevance: 7.8, Strings: 6, Instructions: 323
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

lmq, xrefs: 0000000180013A6B
lbzZ, xrefs: 0000000180013863
$, xrefs: 0000000180013C6D
kO, xrefs: 000000018001387E
"`2, xrefs: 00000001800139CE
tro, xrefs: 00000001800139A0

Memory Dump Source

Source File: 00000003.00000002.354213067.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $$"`2$lbzZ$lmq$tro$kO
API String ID: 0-2401169580
Opcode ID: b22a75222821f6640e36d1476563fd6974371582067e8c17588d676730c46316
Instruction ID: 279b0f6eedbbacd77816cba7ac57bf6919de5fbe0bc464da326619847ce4fcd1
Opcode Fuzzy Hash: b22a75222821f6640e36d1476563fd6974371582067e8c17588d676730c46316
Instruction Fuzzy Hash: BBF1C3709047488FDBA8DFA8D9867DDBBB1FB48304F20821DD84AEB255DB749A49CF41

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000FC48 Relevance: 6.7, Strings: 5, Instructions: 447
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2f, xrefs: 000000018001051C
EX., xrefs: 000000018001032D
)#?, xrefs: 0000000180010418
PT, xrefs: 000000018001038A
UbA, xrefs: 00000001800103C4

Memory Dump Source

Source File: 00000003.00000002.354213067.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: )#?$EX.$PT$UbA$2f
API String ID: 0-1318892062
Opcode ID: f9a85fa51538b1a6c0e22373df85dddbbc427f24166f886711afb0f01761c199
Instruction ID: a9b5704be98d3dd027f678fe08c59eda011257bdda9cf4ed25ea0f7660729633
Opcode Fuzzy Hash: f9a85fa51538b1a6c0e22373df85dddbbc427f24166f886711afb0f01761c199
Instruction Fuzzy Hash: 8B320DB190078C8BDBB8CF64C8856DD7BF0FB48318F50852DEA1A9B251DBB45685CF98

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001FC0C Relevance: 6.6, Strings: 5, Instructions: 400
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

tZp, xrefs: 000000018001FFAF
qjf, xrefs: 000000018001FD57
QP|m, xrefs: 000000018001FCBC
?F, xrefs: 0000000180020023
$T, xrefs: 000000018001FF09

Memory Dump Source

Source File: 00000003.00000002.354213067.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $T$?F$QP|m$qjf$tZp
API String ID: 0-3477398917
Opcode ID: a2afc25ca6c2e6ca488c7a804df3743aa45b21aa43371557c2da8ddda12b60f7
Instruction ID: e54beaa769b94aae3cb673a52a2b60ade73482c6e5d3d936cdc9b6ae13d51efd
Opcode Fuzzy Hash: a2afc25ca6c2e6ca488c7a804df3743aa45b21aa43371557c2da8ddda12b60f7
Instruction Fuzzy Hash: 0B122870A0470CDFCF69DFA8C08A6DDBBF2FB44344F1091A9E816AB261D7759A19CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180016D3C Relevance: 6.6, Strings: 5, Instructions: 379COMMON

Download Yara Rule

Strings

k&(, xrefs: 0000000180017125
x\J, xrefs: 00000001800171C3
t, xrefs: 0000000180017275
v, xrefs: 00000001800170BE
JQ, xrefs: 0000000180016D72

Memory Dump Source

Source File: 00000003.00000002.354213067.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: JQ$k&($t$v$x\J
API String ID: 0-1134872184
Opcode ID: e2b118cac14b957c819117e18deb076f69f9d4e25580e92a2151fd03385e5a66
Instruction ID: 7c1fd17b310acde7e359d6be57bcfb6c2dd011f2caef592e77d3cba241376f6b
Opcode Fuzzy Hash: e2b118cac14b957c819117e18deb076f69f9d4e25580e92a2151fd03385e5a66
Instruction Fuzzy Hash: F312E0B0504709EFCB99DF28C18AADE7BF0FB48308F40812AF80A9B254D774DA58DB45

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000703C Relevance: 6.3, Strings: 5, Instructions: 87COMMON

Download Yara Rule

Strings

R, xrefs: 00000001800070D3
?rIc, xrefs: 000000018000710E
L==, xrefs: 0000000180007159
)H8, xrefs: 000000018000709E
V, xrefs: 0000000180007053

Memory Dump Source

Source File: 00000003.00000002.354213067.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: R$)H8$?rIc$L==$V
API String ID: 0-2512384441
Opcode ID: 0d280c2f9ee604a9d8763362a2e2c249d7a205bc5c068130deea404b5e8e02a7
Instruction ID: 6f6f9af97a41f07aad9f9d1cbd67af5334817a93c453241fb2a5d498ae2065c2
Opcode Fuzzy Hash: 0d280c2f9ee604a9d8763362a2e2c249d7a205bc5c068130deea404b5e8e02a7
Instruction Fuzzy Hash: 3541D0B090074E8BCF48CF64D49A5DE7FB0FB68398F20421DE856A6250D3B896A5CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800119A8 Relevance: 6.3, Strings: 5, Instructions: 63COMMON

Download Yara Rule

Strings

bt, xrefs: 0000000180011A1E
S, xrefs: 0000000180011A92
+, xrefs: 00000001800119DA
vird, xrefs: 00000001800119C2
Qq, xrefs: 0000000180011A84

Memory Dump Source

Source File: 00000003.00000002.354213067.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: Qq$bt$vird$+$S
API String ID: 0-3373980505
Opcode ID: 46bb33aa035ecbbdf74cf68df8db4d7c020810c30b71dbb4fbdebc27907f7b4b
Instruction ID: 8c34661c01ca41a1498f33dadfb9b2381b3c020394efcb6cfebc1cbd8490f91c
Opcode Fuzzy Hash: 46bb33aa035ecbbdf74cf68df8db4d7c020810c30b71dbb4fbdebc27907f7b4b
Instruction Fuzzy Hash: 8831C2B081038A8FDB45CF64C88A5DE7BF0FB58358F115A19F869A6250D3B4D668CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180011AD0 Relevance: 5.3, Strings: 4, Instructions: 335COMMON

Download Yara Rule

Strings

P9, xrefs: 0000000180011DC0
V, xrefs: 0000000180011B81
@, xrefs: 0000000180011F6B
^_", xrefs: 0000000180011D6E

Memory Dump Source

Source File: 00000003.00000002.354213067.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: V$@$P9$^_"
API String ID: 0-1880944046
Opcode ID: 14fe4b6354f8c882e246ec0bcf45ce0c6e4a33b057813c2d4cef38f5cb1d7b15
Instruction ID: ef3f81825b514374c5d287d432cdf068934c0dc0259921085eace1de493a05f6
Opcode Fuzzy Hash: 14fe4b6354f8c882e246ec0bcf45ce0c6e4a33b057813c2d4cef38f5cb1d7b15
Instruction Fuzzy Hash: B6F1DF70504749EFCB98CF28D18AACE7BE0FB48348F50812AF81A9B264D770DA59DB45

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800132F0 Relevance: 5.3, Strings: 4, Instructions: 312COMMON

Download Yara Rule

Strings

b/, xrefs: 000000018001347F
syG, xrefs: 000000018001339D
=_, xrefs: 00000001800136EB
F)k, xrefs: 000000018001336C

Memory Dump Source

Source File: 00000003.00000002.354213067.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: =_$F)k$b/$syG
API String ID: 0-3955183656
Opcode ID: a0c8fbb251499c36d1c33fbfac3bbb926034851086b3556ae4bae43476727e6a
Instruction ID: 3a63fdd7148b145f5d2717dabea2a2fa508061acbcc25a132c341bfe6e9ad30f
Opcode Fuzzy Hash: a0c8fbb251499c36d1c33fbfac3bbb926034851086b3556ae4bae43476727e6a
Instruction Fuzzy Hash: DED12771A0478D8BCF59DFA8C88A6EEBBB0FB48344F10421DE846A7650D7B4D909CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002D70 Relevance: 5.3, Strings: 4, Instructions: 266COMMON

Download Yara Rule

Strings

'Xsa, xrefs: 0000000180002EA2
iJ6, xrefs: 0000000180003091
vG, xrefs: 000000018000316F
#X, xrefs: 0000000180002E74

Memory Dump Source

Source File: 00000003.00000002.354213067.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: #X$'Xsa$iJ6$vG
API String ID: 0-746338152
Opcode ID: 05ea12fd72043b3df7b90193803f13f9b9661e31632ee757fcd333ad07ef3f6f
Instruction ID: 8ba50615c78112980223cca8f04f1fa67c4b69ee5a809e4e0bd2b8ae6832a1bb
Opcode Fuzzy Hash: 05ea12fd72043b3df7b90193803f13f9b9661e31632ee757fcd333ad07ef3f6f
Instruction Fuzzy Hash: 93E154B590070DDFCB88DF68D19A9DD7BB9BB49308F404029FC0E9A264D3B4E919CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800097C0 Relevance: 5.3, Strings: 4, Instructions: 257COMMON

Download Yara Rule

Strings

*i^, xrefs: 0000000180009A7A
-Z, xrefs: 0000000180009D06
]2, xrefs: 0000000180009CC2
MIC, xrefs: 0000000180009BF0

Memory Dump Source

Source File: 00000003.00000002.354213067.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: *i^$MIC$-Z$]2
API String ID: 0-498664264
Opcode ID: db11ef6343568e39e87295be28a4fb69218d9fc865c563580501f4fd78a225ea
Instruction ID: 9792ecb135b2155067e966d5e38dbf4f409fde80c29e70d57d2078ebe1ce15c6
Opcode Fuzzy Hash: db11ef6343568e39e87295be28a4fb69218d9fc865c563580501f4fd78a225ea
Instruction Fuzzy Hash: 10E1C670109B888FDBF8DF64CC86BEB7BA5FB44346F10651DD84A8A290DBB46645CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180010758 Relevance: 5.2, Strings: 4, Instructions: 222COMMON

Download Yara Rule

Strings

EG, xrefs: 000000018001082C
_, xrefs: 0000000180010A56
QsF, xrefs: 0000000180010894
B, xrefs: 0000000180010AEC

Memory Dump Source

Source File: 00000003.00000002.354213067.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: B$EG$QsF$_
API String ID: 0-784369960
Opcode ID: 2411b4f18f6ae95c167793a9182b69dfaeb4b2ef39c1ac24af76ef798b153418
Instruction ID: 62dbbc71664ee0946fffbba3b71afe09b12d9ffe0d1744d6deb9db65ff0cd9cc
Opcode Fuzzy Hash: 2411b4f18f6ae95c167793a9182b69dfaeb4b2ef39c1ac24af76ef798b153418
Instruction Fuzzy Hash: 3FB1387010468D8FDF88DF28C88A6DA3FA1FB68388F614219FC4A97250C778D694CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180020334 Relevance: 5.2, Strings: 4, Instructions: 190COMMON

Download Yara Rule

Strings

5B.Y, xrefs: 000000018002045A
Z`35, xrefs: 00000001800205D3
., xrefs: 00000001800206DC
-`G, xrefs: 00000001800206A2

Memory Dump Source

Source File: 00000003.00000002.354213067.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: -`G$.$5B.Y$Z`35
API String ID: 0-1363032466
Opcode ID: bf60aa8e83620137796280cd5bd0e9d08ed9dd04dd302297e234b85e3718d0fd
Instruction ID: b244d414363a4385de25ad5610b22aaac7fb2f2c92cf8150697ad32e565f4bd8
Opcode Fuzzy Hash: bf60aa8e83620137796280cd5bd0e9d08ed9dd04dd302297e234b85e3718d0fd
Instruction Fuzzy Hash: 29A1FB716157888FEB7ADF24C89A7CE7BE1FB49308F40461DD98E8A250D7B49609CB42

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000EE98 Relevance: 5.2, Strings: 4, Instructions: 167COMMON

Download Yara Rule

Strings

#o, xrefs: 000000018000EFD8
WSh, xrefs: 000000018000EEF0
\O, xrefs: 000000018000F046
*+_, xrefs: 000000018000EF25

Memory Dump Source

Source File: 00000003.00000002.354213067.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: *+_$WSh$\O$#o
API String ID: 0-1846314129
Opcode ID: 2b55738af9202b4623c877c52658b874745984570bac3296ae94d1111b904a17
Instruction ID: 175ce4bc0e22c7a636d32034be2bbb8ad42f6b3cb6a748f64f507b7f0b29ed37
Opcode Fuzzy Hash: 2b55738af9202b4623c877c52658b874745984570bac3296ae94d1111b904a17
Instruction Fuzzy Hash: 1971167160474ECFCB98DF18C489ADA3BE1FB58318F414529FC09A7264DB74DAA8CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180024D80 Relevance: 5.2, Strings: 4, Instructions: 155COMMON

Download Yara Rule

Strings

.B, xrefs: 0000000180025032
M*K, xrefs: 0000000180024E36
\<, xrefs: 0000000180024E9B
O, xrefs: 0000000180024F9B

Memory Dump Source

Source File: 00000003.00000002.354213067.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: .B$O$M*K$\<
API String ID: 0-3225238681
Opcode ID: 97d1f14c936b4c6fd28126f9270f10017570076f2259e30e0790da2a5d8d89f7
Instruction ID: 95d2fbb8f7fe970b1359d27f41ccd6aad584115d4fee043204e0c0f4c3f3b287
Opcode Fuzzy Hash: 97d1f14c936b4c6fd28126f9270f10017570076f2259e30e0790da2a5d8d89f7
Instruction Fuzzy Hash: 7181E370549788CFEBBACF24C886BDE7BE4FB48744F20461DE85A8A260DB709645CF41

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002A42C Relevance: 5.1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

$, xrefs: 000000018002A477
xVO, xrefs: 000000018002A587
$, xrefs: 000000018002A454
~O, xrefs: 000000018002A626

Memory Dump Source

Source File: 00000003.00000002.354213067.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $$$$xVO$~O
API String ID: 0-3655128719
Opcode ID: f0a1fe130e7a88269555c94ae3afa6992adf671055acde803b367a0cf8dc4998
Instruction ID: 8f78542db34460f4381821bab2b7e4f68a699ed7f8b2fc47c959991f0b02677a
Opcode Fuzzy Hash: f0a1fe130e7a88269555c94ae3afa6992adf671055acde803b367a0cf8dc4998
Instruction Fuzzy Hash: 5B61D1B05187448FD369DF28C18965BBBF1FBC6744F008A1EF6868A260DB76D948CB47

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800024B8 Relevance: 5.1, Strings: 4, Instructions: 79COMMON

Download Yara Rule

Strings

G, xrefs: 0000000180002557
JMg, xrefs: 000000018000252F
,IW, xrefs: 0000000180002565
l, xrefs: 0000000180002548

Memory Dump Source

Source File: 00000003.00000002.354213067.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ,IW$G$JMg$l
API String ID: 0-1370644289
Opcode ID: aa199bcfabd2ca119bc867395ae2bb0b970833e8ef3f83c28db76f19b2a25dac
Instruction ID: 7fb8b97fd43ed4dc52a467cdcf5cca41e6e56dbc92574a5c866222c6b731b82a
Opcode Fuzzy Hash: aa199bcfabd2ca119bc867395ae2bb0b970833e8ef3f83c28db76f19b2a25dac
Instruction Fuzzy Hash: 0A41D3B190074E8FCB48CF64C88A5DE7FB0FB18358F10461EE85AA6250D7B89695CFC9

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180018AB4 Relevance: 5.1, Strings: 4, Instructions: 119COMMON

Download Yara Rule

Strings

,, xrefs: 0000000180018B66
,, xrefs: 0000000180018C14
2S=, xrefs: 0000000180018BF3
i`}G, xrefs: 0000000180018BFA

Memory Dump Source

Source File: 00000003.00000002.354213067.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ,$,$2S=$i`}G
API String ID: 0-4285990414
Opcode ID: 1704a5678c6fc7c63ed33a4399dbb19a0648d0f8b4dca33206a3e55e43de3fb6
Instruction ID: 665cb0e6160ce90faac3fa7baf9a16caae401c848b442bb7533a8cc1fd62885f
Opcode Fuzzy Hash: 1704a5678c6fc7c63ed33a4399dbb19a0648d0f8b4dca33206a3e55e43de3fb6
Instruction Fuzzy Hash: 4D41E57051CB848FD7B4DF18D486BDABBE0FB98750F40495EE48DC3251DBB0A8858B86

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exePID: 6112, Parent PID: 4856COMMON

Execution Graph

Execution Coverage:	10.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	11
Total number of Limit Nodes:	0

Executed Functions

Function 000001F155C90000 Relevance: 76.3, APIs: 5, Strings: 38, Instructions: 1094
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 000001F155C90450
GetNativeSystemInfo.KERNELBASE ref: 000001F155C90539
VirtualAlloc.KERNELBASE ref: 000001F155C90580
VirtualProtect.KERNELBASE ref: 000001F155C909E9
RtlAddFunctionTable.KERNEL32 ref: 000001F155C90A79

Strings

Lock, xrefs: 000001F155C90330
Load, xrefs: 000001F155C902F4
urce, xrefs: 000001F155C9035D
tion, xrefs: 000001F155C90128
temI, xrefs: 000001F155C9014B
sour, xrefs: 000001F155C9031F
Size, xrefs: 000001F155C90311
urce, xrefs: 000001F155C902E7
Reso, xrefs: 000001F155C902FC
ualP, xrefs: 000001F155C900FF
Reso, xrefs: 000001F155C90338
GetN, xrefs: 000001F155C90136
ativ, xrefs: 000001F155C9013D
Free, xrefs: 000001F155C9034D
Find, xrefs: 000001F155C902D0
Reso, xrefs: 000001F155C90355
Virt, xrefs: 000001F155C900F8
lloc, xrefs: 000001F155C900F0
ddFu, xrefs: 000001F155C90163
rote, xrefs: 000001F155C90106
ofRe, xrefs: 000001F155C90318
ualA, xrefs: 000001F155C900E8
truc, xrefs: 000001F155C90121
urce, xrefs: 000001F155C90304
Load, xrefs: 000001F155C900C8
Cach, xrefs: 000001F155C9012F
Virt, xrefs: 000001F155C900E0
onTa, xrefs: 000001F155C90171
ncti, xrefs: 000001F155C9016A
Flus, xrefs: 000001F155C90113
Reso, xrefs: 000001F155C902DB
RtlA, xrefs: 000001F155C9015C
aryA, xrefs: 000001F155C900D8
urce, xrefs: 000001F155C90340
Slee, xrefs: 000001F155C900B7
eSys, xrefs: 000001F155C90144
hIns, xrefs: 000001F155C9011A
Libr, xrefs: 000001F155C900D0

Memory Dump Source

Source File: 00000004.00000002.355020115.000001F155C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001F155C90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1f155c90000_rundll32.jbxd

Similarity

API ID: Virtual$Alloc$FunctionInfoNativeProtectSystemTable
String ID: Cach$Find$Flus$Free$GetN$Libr$Load$Load$Lock$Reso$Reso$Reso$Reso$RtlA$Size$Slee$Virt$Virt$aryA$ativ$ddFu$eSys$hIns$lloc$ncti$ofRe$onTa$rote$sour$temI$tion$truc$ualA$ualP$urce$urce$urce$urce
API String ID: 394283112-2517549848
Opcode ID: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
Instruction ID: 0d8fab6f32206aa781006948643da331bcbc2be368fd11e710939403828f901e
Opcode Fuzzy Hash: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
Instruction Fuzzy Hash: 5572DE71618A49CBDB68DF18C8856F9B7F5FBD9304F10422DE88AD3251DB34E942CB86

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002C058 Relevance: 10.4, Strings: 8, Instructions: 370
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

l, xrefs: 000000018002C347
-:, xrefs: 000000018002C100
l, xrefs: 000000018002C1F5
#C, xrefs: 000000018002C55D
(I, xrefs: 000000018002C62C
<W, xrefs: 000000018002C1D0
Ekf, xrefs: 000000018002C0CA
Z, xrefs: 000000018002C36B

Memory Dump Source

Source File: 00000004.00000002.354904578.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: #C$(I$-:$Ekf$<W$Z$l$l
API String ID: 0-464535774
Opcode ID: d8792019bb8cd892c5e2cff0ba87425d7977148afb5a5f987cda1e45d5ff9126
Instruction ID: edc4d0e98499d5b5adff65828f8d1fd2ac7ce79502a6533da94e18623254a36a
Opcode Fuzzy Hash: d8792019bb8cd892c5e2cff0ba87425d7977148afb5a5f987cda1e45d5ff9126
Instruction Fuzzy Hash: C102E3B151038CDBCB99DF28C8CAADD3BA1FB48398F956219FD0697260D774D884CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180010FF4 Relevance: 7.9, Strings: 6, Instructions: 363
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

lA, xrefs: 0000000180011819
/Zb, xrefs: 000000018001119F
OV4T, xrefs: 0000000180011307
)|x, xrefs: 000000018001168C
/v|, xrefs: 00000001800113E2
\, xrefs: 0000000180011205

Memory Dump Source

Source File: 00000004.00000002.354904578.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: )|x$/Zb$/v|$OV4T$\$lA
API String ID: 0-3528011396
Opcode ID: 74ea3d61a93069fa3a56a5f8f60d4b0c7eeb5b014d6ac06c6862fd203c8e6463
Instruction ID: 5dbdb21e6b24644f90705741d0e2e2cc24c858ca1caac6c8284349b4f9dc1789
Opcode Fuzzy Hash: 74ea3d61a93069fa3a56a5f8f60d4b0c7eeb5b014d6ac06c6862fd203c8e6463
Instruction Fuzzy Hash: 8C2204705097C8CBDBBECF64C885BDA7BA8FB44B08F10521DEA4A9E258DB745744CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180021618 Relevance: 7.8, Strings: 6, Instructions: 266
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

&.+, xrefs: 000000018002180B
t(/, xrefs: 0000000180021ABB
F>9, xrefs: 0000000180021937
)O, xrefs: 000000018002164B
.pN, xrefs: 0000000180021AE0
, xrefs: 00000001800219DA

Memory Dump Source

Source File: 00000004.00000002.354904578.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $&.+$)O$.pN$F>9$t(/
API String ID: 0-3036092626
Opcode ID: 549a8b626face2190b4149bba4d09d4cb88f6d29378e8937dde350adb7fd5a83
Instruction ID: e4baced68933c0a0796cf32b330105f1a6d3ed4de4784e8c7f389f9334031704
Opcode Fuzzy Hash: 549a8b626face2190b4149bba4d09d4cb88f6d29378e8937dde350adb7fd5a83
Instruction Fuzzy Hash: E6E109716093C89FEBBACF24C8897DE7BA1FB59344F50421DD88A8E250DB745B49CB42

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000C608 Relevance: 5.6, Strings: 4, Instructions: 616
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

K', xrefs: 000000018000CAC7
sf, xrefs: 000000018000CE95
+#;), xrefs: 000000018000CBDA
w\H, xrefs: 000000018000C959

Memory Dump Source

Source File: 00000004.00000002.354904578.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: +#;)$K'$sf$w\H
API String ID: 0-1051058546
Opcode ID: 6c53062de77b202a7a918e5f4038520a98252693d28bf41343123917f80ba32c
Instruction ID: 30c6111824d62709d88844cae5ccd518ea343406d57bec7882368cdc1c6a6611
Opcode Fuzzy Hash: 6c53062de77b202a7a918e5f4038520a98252693d28bf41343123917f80ba32c
Instruction Fuzzy Hash: 8362F97050068D8FDB48DF28C89A6DD3FA1FB58388F524229FC4AA7251D778D999CBC4

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001E3AC Relevance: 4.0, Strings: 3, Instructions: 215
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

<8, xrefs: 000000018001E63C
<4P, xrefs: 000000018001E690
<w., xrefs: 000000018001E582

Memory Dump Source

Source File: 00000004.00000002.354904578.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: <4P$<8$<w.
API String ID: 0-1030867500
Opcode ID: 6c4ff939f0d35883aefbb319d4430fd67387b4e339adb0f797cabce8c6a4bf31
Instruction ID: 97d266913d6b0fd63d839b3c54903fd41a2ccd22a8a26fffcb9587bfe3b6431f
Opcode Fuzzy Hash: 6c4ff939f0d35883aefbb319d4430fd67387b4e339adb0f797cabce8c6a4bf31
Instruction Fuzzy Hash: C8B1E17151A384ABD788CF28C1C994BBBE1FBD4754F906A1DF8C68B260D7B0D948CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180009100 Relevance: .1, Instructions: 125
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.354904578.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9400724a362ecc304d993d2fe4c896d101fab294f6d1cf34a07a96bc2a8ce181
Instruction ID: 281782cf28aa09d34d334260f991d1b96cfbd8271b51b9b7c31761fd0664cb75
Opcode Fuzzy Hash: 9400724a362ecc304d993d2fe4c896d101fab294f6d1cf34a07a96bc2a8ce181
Instruction Fuzzy Hash: 4B51EC715087889BCBB8DF18C9856CA7BF0FF95704F50891DE9898B250DF719A44DB42

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0000000180022010 Relevance: 9.0, Strings: 7, Instructions: 235
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

1l7., xrefs: 00000001800220AF
]$d, xrefs: 00000001800220D6
94, xrefs: 0000000180022371
]k, xrefs: 000000018002232E
"+H, xrefs: 000000018002236A
]k, xrefs: 0000000180022069
M8;, xrefs: 0000000180022338

Memory Dump Source

Source File: 00000004.00000002.354904578.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: "+H$1l7.$M8;$]$d$]k$]k$94
API String ID: 0-2447245168
Opcode ID: 3fd6bef9004380659c47559ba6e3d81fe5eea7f701e849f333ef0deba45e7d13
Instruction ID: 1221e244f5383d3e6569bf50eb566ee92e7d288cf12f4405919b94e37960c7a7
Opcode Fuzzy Hash: 3fd6bef9004380659c47559ba6e3d81fe5eea7f701e849f333ef0deba45e7d13
Instruction Fuzzy Hash: 3FB10D7160130CCBDBA9DF28C18A6DA3BE1FF48748F114129FD1A97261D774E919CB46

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800059B8 Relevance: 7.9, Strings: 6, Instructions: 408
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ru, xrefs: 000000018000623C
d}9J, xrefs: 0000000180006179
-!zt, xrefs: 0000000180005BD7
R3T, xrefs: 0000000180005C59
t:v, xrefs: 0000000180005E76
Mv`b, xrefs: 0000000180005D4E

Memory Dump Source

Source File: 00000004.00000002.354904578.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: -!zt$Mv`b$R3T$d}9J$t:v$ru
API String ID: 0-2100131636
Opcode ID: e0551372703c1c57f1fc0d9d1de0f1be02ef62f192bed394747547d409ac2d0a
Instruction ID: abddbd47ac15f5a8ffacaf8e31a06efd054a3dbd2afb1a66e8bbaa14beb483a4
Opcode Fuzzy Hash: e0551372703c1c57f1fc0d9d1de0f1be02ef62f192bed394747547d409ac2d0a
Instruction Fuzzy Hash: C1221BB050478C8BDBB8CF64C9897DD7BB0FB44308F10862DDA5AAB250CBB45686CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180013780 Relevance: 7.8, Strings: 6, Instructions: 323
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

lmq, xrefs: 0000000180013A6B
$, xrefs: 0000000180013C6D
lbzZ, xrefs: 0000000180013863
kO, xrefs: 000000018001387E
tro, xrefs: 00000001800139A0
"`2, xrefs: 00000001800139CE

Memory Dump Source

Source File: 00000004.00000002.354904578.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $$"`2$lbzZ$lmq$tro$kO
API String ID: 0-2401169580
Opcode ID: b22a75222821f6640e36d1476563fd6974371582067e8c17588d676730c46316
Instruction ID: 279b0f6eedbbacd77816cba7ac57bf6919de5fbe0bc464da326619847ce4fcd1
Opcode Fuzzy Hash: b22a75222821f6640e36d1476563fd6974371582067e8c17588d676730c46316
Instruction Fuzzy Hash: BBF1C3709047488FDBA8DFA8D9867DDBBB1FB48304F20821DD84AEB255DB749A49CF41

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000FC48 Relevance: 6.7, Strings: 5, Instructions: 447
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PT, xrefs: 000000018001038A
EX., xrefs: 000000018001032D
2f, xrefs: 000000018001051C
)#?, xrefs: 0000000180010418
UbA, xrefs: 00000001800103C4

Memory Dump Source

Source File: 00000004.00000002.354904578.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: )#?$EX.$PT$UbA$2f
API String ID: 0-1318892062
Opcode ID: f9a85fa51538b1a6c0e22373df85dddbbc427f24166f886711afb0f01761c199
Instruction ID: a9b5704be98d3dd027f678fe08c59eda011257bdda9cf4ed25ea0f7660729633
Opcode Fuzzy Hash: f9a85fa51538b1a6c0e22373df85dddbbc427f24166f886711afb0f01761c199
Instruction Fuzzy Hash: 8B320DB190078C8BDBB8CF64C8856DD7BF0FB48318F50852DEA1A9B251DBB45685CF98

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001FC0C Relevance: 6.6, Strings: 5, Instructions: 400
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

?F, xrefs: 0000000180020023
QP|m, xrefs: 000000018001FCBC
qjf, xrefs: 000000018001FD57
tZp, xrefs: 000000018001FFAF
$T, xrefs: 000000018001FF09

Memory Dump Source

Source File: 00000004.00000002.354904578.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $T$?F$QP|m$qjf$tZp
API String ID: 0-3477398917
Opcode ID: a2afc25ca6c2e6ca488c7a804df3743aa45b21aa43371557c2da8ddda12b60f7
Instruction ID: e54beaa769b94aae3cb673a52a2b60ade73482c6e5d3d936cdc9b6ae13d51efd
Opcode Fuzzy Hash: a2afc25ca6c2e6ca488c7a804df3743aa45b21aa43371557c2da8ddda12b60f7
Instruction Fuzzy Hash: 0B122870A0470CDFCF69DFA8C08A6DDBBF2FB44344F1091A9E816AB261D7759A19CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180016D3C Relevance: 6.6, Strings: 5, Instructions: 379COMMON

Download Yara Rule

Strings

t, xrefs: 0000000180017275
v, xrefs: 00000001800170BE
k&(, xrefs: 0000000180017125
JQ, xrefs: 0000000180016D72
x\J, xrefs: 00000001800171C3

Memory Dump Source

Source File: 00000004.00000002.354904578.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: JQ$k&($t$v$x\J
API String ID: 0-1134872184
Opcode ID: e2b118cac14b957c819117e18deb076f69f9d4e25580e92a2151fd03385e5a66
Instruction ID: 7c1fd17b310acde7e359d6be57bcfb6c2dd011f2caef592e77d3cba241376f6b
Opcode Fuzzy Hash: e2b118cac14b957c819117e18deb076f69f9d4e25580e92a2151fd03385e5a66
Instruction Fuzzy Hash: F312E0B0504709EFCB99DF28C18AADE7BF0FB48308F40812AF80A9B254D774DA58DB45

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000703C Relevance: 6.3, Strings: 5, Instructions: 87COMMON

Download Yara Rule

Strings

V, xrefs: 0000000180007053
)H8, xrefs: 000000018000709E
R, xrefs: 00000001800070D3
L==, xrefs: 0000000180007159
?rIc, xrefs: 000000018000710E

Memory Dump Source

Source File: 00000004.00000002.354904578.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: R$)H8$?rIc$L==$V
API String ID: 0-2512384441
Opcode ID: 0d280c2f9ee604a9d8763362a2e2c249d7a205bc5c068130deea404b5e8e02a7
Instruction ID: 6f6f9af97a41f07aad9f9d1cbd67af5334817a93c453241fb2a5d498ae2065c2
Opcode Fuzzy Hash: 0d280c2f9ee604a9d8763362a2e2c249d7a205bc5c068130deea404b5e8e02a7
Instruction Fuzzy Hash: 3541D0B090074E8BCF48CF64D49A5DE7FB0FB68398F20421DE856A6250D3B896A5CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800119A8 Relevance: 6.3, Strings: 5, Instructions: 63COMMON

Download Yara Rule

Strings

Qq, xrefs: 0000000180011A84
bt, xrefs: 0000000180011A1E
vird, xrefs: 00000001800119C2
S, xrefs: 0000000180011A92
+, xrefs: 00000001800119DA

Memory Dump Source

Source File: 00000004.00000002.354904578.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: Qq$bt$vird$+$S
API String ID: 0-3373980505
Opcode ID: 46bb33aa035ecbbdf74cf68df8db4d7c020810c30b71dbb4fbdebc27907f7b4b
Instruction ID: 8c34661c01ca41a1498f33dadfb9b2381b3c020394efcb6cfebc1cbd8490f91c
Opcode Fuzzy Hash: 46bb33aa035ecbbdf74cf68df8db4d7c020810c30b71dbb4fbdebc27907f7b4b
Instruction Fuzzy Hash: 8831C2B081038A8FDB45CF64C88A5DE7BF0FB58358F115A19F869A6250D3B4D668CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180011AD0 Relevance: 5.3, Strings: 4, Instructions: 335COMMON

Download Yara Rule

Strings

P9, xrefs: 0000000180011DC0
@, xrefs: 0000000180011F6B
V, xrefs: 0000000180011B81
^_", xrefs: 0000000180011D6E

Memory Dump Source

Source File: 00000004.00000002.354904578.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: V$@$P9$^_"
API String ID: 0-1880944046
Opcode ID: 14fe4b6354f8c882e246ec0bcf45ce0c6e4a33b057813c2d4cef38f5cb1d7b15
Instruction ID: ef3f81825b514374c5d287d432cdf068934c0dc0259921085eace1de493a05f6
Opcode Fuzzy Hash: 14fe4b6354f8c882e246ec0bcf45ce0c6e4a33b057813c2d4cef38f5cb1d7b15
Instruction Fuzzy Hash: B6F1DF70504749EFCB98CF28D18AACE7BE0FB48348F50812AF81A9B264D770DA59DB45

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800132F0 Relevance: 5.3, Strings: 4, Instructions: 312COMMON

Download Yara Rule

Strings

=_, xrefs: 00000001800136EB
syG, xrefs: 000000018001339D
b/, xrefs: 000000018001347F
F)k, xrefs: 000000018001336C

Memory Dump Source

Source File: 00000004.00000002.354904578.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: =_$F)k$b/$syG
API String ID: 0-3955183656
Opcode ID: a0c8fbb251499c36d1c33fbfac3bbb926034851086b3556ae4bae43476727e6a
Instruction ID: 3a63fdd7148b145f5d2717dabea2a2fa508061acbcc25a132c341bfe6e9ad30f
Opcode Fuzzy Hash: a0c8fbb251499c36d1c33fbfac3bbb926034851086b3556ae4bae43476727e6a
Instruction Fuzzy Hash: DED12771A0478D8BCF59DFA8C88A6EEBBB0FB48344F10421DE846A7650D7B4D909CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002D70 Relevance: 5.3, Strings: 4, Instructions: 266COMMON

Download Yara Rule

Strings

vG, xrefs: 000000018000316F
#X, xrefs: 0000000180002E74
iJ6, xrefs: 0000000180003091
'Xsa, xrefs: 0000000180002EA2

Memory Dump Source

Source File: 00000004.00000002.354904578.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: #X$'Xsa$iJ6$vG
API String ID: 0-746338152
Opcode ID: 05ea12fd72043b3df7b90193803f13f9b9661e31632ee757fcd333ad07ef3f6f
Instruction ID: 8ba50615c78112980223cca8f04f1fa67c4b69ee5a809e4e0bd2b8ae6832a1bb
Opcode Fuzzy Hash: 05ea12fd72043b3df7b90193803f13f9b9661e31632ee757fcd333ad07ef3f6f
Instruction Fuzzy Hash: 93E154B590070DDFCB88DF68D19A9DD7BB9BB49308F404029FC0E9A264D3B4E919CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800097C0 Relevance: 5.3, Strings: 4, Instructions: 257COMMON

Download Yara Rule

Strings

MIC, xrefs: 0000000180009BF0
]2, xrefs: 0000000180009CC2
*i^, xrefs: 0000000180009A7A
-Z, xrefs: 0000000180009D06

Memory Dump Source

Source File: 00000004.00000002.354904578.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: *i^$MIC$-Z$]2
API String ID: 0-498664264
Opcode ID: db11ef6343568e39e87295be28a4fb69218d9fc865c563580501f4fd78a225ea
Instruction ID: 9792ecb135b2155067e966d5e38dbf4f409fde80c29e70d57d2078ebe1ce15c6
Opcode Fuzzy Hash: db11ef6343568e39e87295be28a4fb69218d9fc865c563580501f4fd78a225ea
Instruction Fuzzy Hash: 10E1C670109B888FDBF8DF64CC86BEB7BA5FB44346F10651DD84A8A290DBB46645CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180010758 Relevance: 5.2, Strings: 4, Instructions: 222COMMON

Download Yara Rule

Strings

B, xrefs: 0000000180010AEC
QsF, xrefs: 0000000180010894
_, xrefs: 0000000180010A56
EG, xrefs: 000000018001082C

Memory Dump Source

Source File: 00000004.00000002.354904578.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: B$EG$QsF$_
API String ID: 0-784369960
Opcode ID: 2411b4f18f6ae95c167793a9182b69dfaeb4b2ef39c1ac24af76ef798b153418
Instruction ID: 62dbbc71664ee0946fffbba3b71afe09b12d9ffe0d1744d6deb9db65ff0cd9cc
Opcode Fuzzy Hash: 2411b4f18f6ae95c167793a9182b69dfaeb4b2ef39c1ac24af76ef798b153418
Instruction Fuzzy Hash: 3FB1387010468D8FDF88DF28C88A6DA3FA1FB68388F614219FC4A97250C778D694CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180020334 Relevance: 5.2, Strings: 4, Instructions: 190COMMON

Download Yara Rule

Strings

Z`35, xrefs: 00000001800205D3
., xrefs: 00000001800206DC
-`G, xrefs: 00000001800206A2
5B.Y, xrefs: 000000018002045A

Memory Dump Source

Source File: 00000004.00000002.354904578.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: -`G$.$5B.Y$Z`35
API String ID: 0-1363032466
Opcode ID: bf60aa8e83620137796280cd5bd0e9d08ed9dd04dd302297e234b85e3718d0fd
Instruction ID: b244d414363a4385de25ad5610b22aaac7fb2f2c92cf8150697ad32e565f4bd8
Opcode Fuzzy Hash: bf60aa8e83620137796280cd5bd0e9d08ed9dd04dd302297e234b85e3718d0fd
Instruction Fuzzy Hash: 29A1FB716157888FEB7ADF24C89A7CE7BE1FB49308F40461DD98E8A250D7B49609CB42

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000EE98 Relevance: 5.2, Strings: 4, Instructions: 167COMMON

Download Yara Rule

Strings

#o, xrefs: 000000018000EFD8
\O, xrefs: 000000018000F046
*+_, xrefs: 000000018000EF25
WSh, xrefs: 000000018000EEF0

Memory Dump Source

Source File: 00000004.00000002.354904578.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: *+_$WSh$\O$#o
API String ID: 0-1846314129
Opcode ID: 2b55738af9202b4623c877c52658b874745984570bac3296ae94d1111b904a17
Instruction ID: 175ce4bc0e22c7a636d32034be2bbb8ad42f6b3cb6a748f64f507b7f0b29ed37
Opcode Fuzzy Hash: 2b55738af9202b4623c877c52658b874745984570bac3296ae94d1111b904a17
Instruction Fuzzy Hash: 1971167160474ECFCB98DF18C489ADA3BE1FB58318F414529FC09A7264DB74DAA8CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180024D80 Relevance: 5.2, Strings: 4, Instructions: 155COMMON

Download Yara Rule

Strings

.B, xrefs: 0000000180025032
O, xrefs: 0000000180024F9B
\<, xrefs: 0000000180024E9B
M*K, xrefs: 0000000180024E36

Memory Dump Source

Source File: 00000004.00000002.354904578.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: .B$O$M*K$\<
API String ID: 0-3225238681
Opcode ID: 97d1f14c936b4c6fd28126f9270f10017570076f2259e30e0790da2a5d8d89f7
Instruction ID: 95d2fbb8f7fe970b1359d27f41ccd6aad584115d4fee043204e0c0f4c3f3b287
Opcode Fuzzy Hash: 97d1f14c936b4c6fd28126f9270f10017570076f2259e30e0790da2a5d8d89f7
Instruction Fuzzy Hash: 7181E370549788CFEBBACF24C886BDE7BE4FB48744F20461DE85A8A260DB709645CF41

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002A42C Relevance: 5.1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

xVO, xrefs: 000000018002A587
~O, xrefs: 000000018002A626
$, xrefs: 000000018002A477
$, xrefs: 000000018002A454

Memory Dump Source

Source File: 00000004.00000002.354904578.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $$$$xVO$~O
API String ID: 0-3655128719
Opcode ID: f0a1fe130e7a88269555c94ae3afa6992adf671055acde803b367a0cf8dc4998
Instruction ID: 8f78542db34460f4381821bab2b7e4f68a699ed7f8b2fc47c959991f0b02677a
Opcode Fuzzy Hash: f0a1fe130e7a88269555c94ae3afa6992adf671055acde803b367a0cf8dc4998
Instruction Fuzzy Hash: 5B61D1B05187448FD369DF28C18965BBBF1FBC6744F008A1EF6868A260DB76D948CB47

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800024B8 Relevance: 5.1, Strings: 4, Instructions: 79COMMON

Download Yara Rule

Strings

,IW, xrefs: 0000000180002565
JMg, xrefs: 000000018000252F
G, xrefs: 0000000180002557
l, xrefs: 0000000180002548

Memory Dump Source

Source File: 00000004.00000002.354904578.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ,IW$G$JMg$l
API String ID: 0-1370644289
Opcode ID: aa199bcfabd2ca119bc867395ae2bb0b970833e8ef3f83c28db76f19b2a25dac
Instruction ID: 7fb8b97fd43ed4dc52a467cdcf5cca41e6e56dbc92574a5c866222c6b731b82a
Opcode Fuzzy Hash: aa199bcfabd2ca119bc867395ae2bb0b970833e8ef3f83c28db76f19b2a25dac
Instruction Fuzzy Hash: 0A41D3B190074E8FCB48CF64C88A5DE7FB0FB18358F10461EE85AA6250D7B89695CFC9

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180018AB4 Relevance: 5.1, Strings: 4, Instructions: 119COMMON

Download Yara Rule

Strings

i`}G, xrefs: 0000000180018BFA
2S=, xrefs: 0000000180018BF3
,, xrefs: 0000000180018B66
,, xrefs: 0000000180018C14

Memory Dump Source

Source File: 00000004.00000002.354904578.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ,$,$2S=$i`}G
API String ID: 0-4285990414
Opcode ID: 1704a5678c6fc7c63ed33a4399dbb19a0648d0f8b4dca33206a3e55e43de3fb6
Instruction ID: 665cb0e6160ce90faac3fa7baf9a16caae401c848b442bb7533a8cc1fd62885f
Opcode Fuzzy Hash: 1704a5678c6fc7c63ed33a4399dbb19a0648d0f8b4dca33206a3e55e43de3fb6
Instruction Fuzzy Hash: 4D41E57051CB848FD7B4DF18D486BDABBE0FB98750F40495EE48DC3251DBB0A8858B86

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: regsvr32.exePID: 6228, Parent PID: 6608COMMON

Execution Graph

Execution Coverage:	19.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	5%
Total number of Nodes:	80
Total number of Limit Nodes:	9

Executed Functions

Function 010D0000 Relevance: 76.3, APIs: 5, Strings: 38, Instructions: 1094
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 010D0450
GetNativeSystemInfo.KERNELBASE ref: 010D0539
VirtualAlloc.KERNELBASE ref: 010D0580
VirtualProtect.KERNELBASE ref: 010D09E9
RtlAddFunctionTable.KERNEL32 ref: 010D0A79

Strings

Size, xrefs: 010D0311
Flus, xrefs: 010D0113
Reso, xrefs: 010D02FC
GetN, xrefs: 010D0136
ofRe, xrefs: 010D0318
ativ, xrefs: 010D013D
tion, xrefs: 010D0128
ddFu, xrefs: 010D0163
Load, xrefs: 010D02F4
Free, xrefs: 010D034D
ualP, xrefs: 010D00FF
Slee, xrefs: 010D00B7
eSys, xrefs: 010D0144
urce, xrefs: 010D0304
RtlA, xrefs: 010D015C
urce, xrefs: 010D0340
Load, xrefs: 010D00C8
Reso, xrefs: 010D0338
temI, xrefs: 010D014B
onTa, xrefs: 010D0171
Reso, xrefs: 010D0355
rote, xrefs: 010D0106
hIns, xrefs: 010D011A
Cach, xrefs: 010D012F
Libr, xrefs: 010D00D0
urce, xrefs: 010D035D
Virt, xrefs: 010D00E0
truc, xrefs: 010D0121
ualA, xrefs: 010D00E8
Lock, xrefs: 010D0330
lloc, xrefs: 010D00F0
aryA, xrefs: 010D00D8
urce, xrefs: 010D02E7
sour, xrefs: 010D031F
Find, xrefs: 010D02D0
Reso, xrefs: 010D02DB
ncti, xrefs: 010D016A
Virt, xrefs: 010D00F8

Memory Dump Source

Source File: 00000005.00000002.869384187.00000000010D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10d0000_regsvr32.jbxd

Similarity

API ID: Virtual$Alloc$FunctionInfoNativeProtectSystemTable
String ID: Cach$Find$Flus$Free$GetN$Libr$Load$Load$Lock$Reso$Reso$Reso$Reso$RtlA$Size$Slee$Virt$Virt$aryA$ativ$ddFu$eSys$hIns$lloc$ncti$ofRe$onTa$rote$sour$temI$tion$truc$ualA$ualP$urce$urce$urce$urce
API String ID: 394283112-2517549848
Opcode ID: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
Instruction ID: 9d1aea7f5223fe3a609c84f3161ebcc848f6a3e0bd7850c02ab070a1bfdd8f36
Opcode Fuzzy Hash: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
Instruction Fuzzy Hash: 1672E430618B488BDB69DF28C8856BAB7E1FB98305F14462DF8CEC7215DB34D542CB86

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000D26C Relevance: 7.9, Strings: 6, Instructions: 361
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

#X, xrefs: 000000018000D803
Ec;, xrefs: 000000018000D485
n, xrefs: 000000018000D64B
J, xrefs: 000000018000D653
^c, xrefs: 000000018000D7F1
^c, xrefs: 000000018000D2F5

Memory Dump Source

Source File: 00000005.00000002.869948171.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #X$Ec;$J$^c$^c$n
API String ID: 0-2929744921
Opcode ID: 4bf1a5684c4273f47db2f7bfe37ec9194a020a583a1b353a94edbff9173a6149
Instruction ID: 2841c3f5e183e4376706155e5f630a85a86355917b0bfec54de2fd5c82beda78
Opcode Fuzzy Hash: 4bf1a5684c4273f47db2f7bfe37ec9194a020a583a1b353a94edbff9173a6149
Instruction Fuzzy Hash: DB0214705187C88BC798DFA8C48965EFBE1FB98744F108A1DF48687660DBF4D948CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800132F0 Relevance: 5.3, Strings: 4, Instructions: 312
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

b/, xrefs: 000000018001347F
=_, xrefs: 00000001800136EB
F)k, xrefs: 000000018001336C
syG, xrefs: 000000018001339D

Memory Dump Source

Source File: 00000005.00000002.869948171.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: =_$F)k$b/$syG
API String ID: 0-3955183656
Opcode ID: 78e362ff9fa706a76cdd339057cb87764c88e196f3f9d59d0d5946dc172ac972
Instruction ID: 3a63fdd7148b145f5d2717dabea2a2fa508061acbcc25a132c341bfe6e9ad30f
Opcode Fuzzy Hash: 78e362ff9fa706a76cdd339057cb87764c88e196f3f9d59d0d5946dc172ac972
Instruction Fuzzy Hash: DED12771A0478D8BCF59DFA8C88A6EEBBB0FB48344F10421DE846A7650D7B4D909CF85

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800046A8 Relevance: 2.7, Strings: 2, Instructions: 191COMMON

Download Yara Rule

Strings

5IF, xrefs: 0000000180004890
P)#, xrefs: 0000000180004995

Memory Dump Source

Source File: 00000005.00000002.869948171.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 5IF$P)#
API String ID: 0-1025399686
Opcode ID: f542572e4f2ff63548a52b2cdf5e12f4f3f89a6a74df4dd4d6ea84f2146f04ed
Instruction ID: ff53fea05c8e9f3baddf865253a509f05c382ca6cc85a3c859ee45a04624b947
Opcode Fuzzy Hash: f542572e4f2ff63548a52b2cdf5e12f4f3f89a6a74df4dd4d6ea84f2146f04ed
Instruction Fuzzy Hash: 0B9182711197889FCBA9DF18C8857DEB7E0FB88744F90561DF84A8B260C7B4DA49CB42

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001CEC4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 89
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetConnectW.WININET ref: 000000018001D008

Strings

C, xrefs: 000000018001CFA7
:G?, xrefs: 000000018001CF7D

Memory Dump Source

Source File: 00000005.00000002.869948171.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID: ConnectInternet
String ID: :G?$C
API String ID: 3050416762-1225920220
Opcode ID: 76a7b635ccb7068e30ecf2b503a3beb8f1d88f81d4224a3a6f9b87d06452e60c
Instruction ID: f2a8b8884ccc4c3404819a5ba5e10ed0cdd0f68caef2c301b3e7290f999a0a2a
Opcode Fuzzy Hash: 76a7b635ccb7068e30ecf2b503a3beb8f1d88f81d4224a3a6f9b87d06452e60c
Instruction Fuzzy Hash: 5941F67450CB888FD7A8DF18D0857AAB7E0FB98314F508A5EE8CDC7296DB749844CB46

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000FB00 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE ref: 000000018000FC2F

Strings

gF\, xrefs: 000000018000FBA2

Memory Dump Source

Source File: 00000005.00000002.869948171.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: gF\
API String ID: 823142352-1982329323
Opcode ID: 7df644aaf73cc9bcde4b6fb7fa72ed7f80eca5e2f74ec0139d961ef78fad827b
Instruction ID: 218d4d5182cb26b0f36475523bc21bdebfc34a2f4da3002633262ff40041eb9b
Opcode Fuzzy Hash: 7df644aaf73cc9bcde4b6fb7fa72ed7f80eca5e2f74ec0139d961ef78fad827b
Instruction Fuzzy Hash: 1931697051C7848BD778DF28D48679ABBE0FB89304F10891EE88DC3352DB709885CB86

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000A4FC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

HttpOpenRequestW.WININET ref: 000000018000A612

Strings

:G?, xrefs: 000000018000A59A

Memory Dump Source

Source File: 00000005.00000002.869948171.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID: HttpOpenRequest
String ID: :G?
API String ID: 1984915467-1508054202
Opcode ID: 21630c4fbef06d8aacd4c702dff3e94d0932750c237c7792a79e645746d5d1eb
Instruction ID: 60d2efcdc3634c8de813e735c521a1a1b2f1d3197bf379f764bafd55f5181dd8
Opcode Fuzzy Hash: 21630c4fbef06d8aacd4c702dff3e94d0932750c237c7792a79e645746d5d1eb
Instruction Fuzzy Hash: 83314E7060CB848FDBA8DF18D08679BB7E0FB98315F50455DE88CC7296DB789944CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180012B50 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET ref: 0000000180012C0A

Strings

:G?, xrefs: 0000000180012BAF

Memory Dump Source

Source File: 00000005.00000002.869948171.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID: InternetOpen
String ID: :G?
API String ID: 2038078732-1508054202
Opcode ID: 73d4d0fe1beb5fabfcdff42c943db3c290933a411410652e7bad060f5d798a44
Instruction ID: c9298170b99e71c9961e7bb575de84f4b40d7dd1197e6373e1c7e5d4160ea6d3
Opcode Fuzzy Hash: 73d4d0fe1beb5fabfcdff42c943db3c290933a411410652e7bad060f5d798a44
Instruction Fuzzy Hash: 6F110A71518B888BD3A4DF64D48979BB7E1FB88319F50CA1DF4D9C6250DB788589CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180015E2C Relevance: 1.6, APIs: 1, Instructions: 88threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 0000000180015F50

Memory Dump Source

Source File: 00000005.00000002.869948171.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: e7c4e665c3955ccb08a2ed1da7b867fe01ee184c9f438c553d3e32e703deb0b1
Instruction ID: c545beb4aab352fd45c13a3c06d211153dc7cc573a2023b45670cfe369ebb01f
Opcode Fuzzy Hash: e7c4e665c3955ccb08a2ed1da7b867fe01ee184c9f438c553d3e32e703deb0b1
Instruction Fuzzy Hash: 0731F67061CB448FD7A8DF68D48579ABBE0FB88304F508A5EE88CD7356DB349944CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180019A30 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

GetVolumeInformationW.KERNELBASE ref: 0000000180019B4B

Memory Dump Source

Source File: 00000005.00000002.869948171.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: 88af29f83271a8505691566097a2d6f523e627b34a42d7322f8369dcba0ae3fb
Instruction ID: 89e8e56e51c5a60af2ecd67268569f3ffacd31b875f751963744359e30ad4776
Opcode Fuzzy Hash: 88af29f83271a8505691566097a2d6f523e627b34a42d7322f8369dcba0ae3fb
Instruction Fuzzy Hash: 2B31407051CB448FD7A8DF18D4C579AB7E0FB88315F60855EE88CC7255CB749948CB86

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report x4ByCNJqst

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

Windows Analysis Report
x4ByCNJqst

Function 00D00000 Relevance: 76.3, APIs: 5, Strings: 38, Instructions: 1094
memoryCOMMON

Function 000000018002C058 Relevance: 10.4, Strings: 8, Instructions: 370
COMMON

Function 0000000180007958 Relevance: 9.3, Strings: 7, Instructions: 551
COMMON

Function 0000000180010FF4 Relevance: 7.9, Strings: 6, Instructions: 363
COMMON

Function 0000000180021618 Relevance: 7.8, Strings: 6, Instructions: 266
COMMON

Function 0000000180028C20 Relevance: 6.6, Strings: 5, Instructions: 335
COMMON

Function 000000018000C608 Relevance: 5.6, Strings: 4, Instructions: 616
COMMON

Function 000000018001E3AC Relevance: 4.0, Strings: 3, Instructions: 215
COMMON

Function 00007FF8CAA83EEC Relevance: 15.1, APIs: 10, Instructions: 121
COMMON