Edit tour

Windows Analysis Report
r0hiaXHscs.dll

Overview

General Information

Sample Name:	r0hiaXHscs.dll
Analysis ID:	626489
MD5:	28fd92e0ce7538516dcea70e239fb177
SHA1:	483d573cd7d464b01c880998e0321970a635e8d0
SHA256:	198a1b06c69382d00cf775aa56d2172f6d0412f31753bda078620107ee998283
Tags:	exetrojan
Infos:

Detection

Emotet

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Emotet

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Hides that the sample has been downloaded from the Internet (zone.identifier)

Queries the volume information (name, serial number etc) of a device

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Detected potential crypto function

Found evasive API chain (may stop execution after checking a module file name)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to dynamically determine API calls

HTTP GET or POST without a user agent

Program does not show much activity (idle)

IP address seen in connection with other malware

PE file contains an invalid checksum

Tries to load missing DLLs

Drops PE files to the windows directory (C:\Windows)

Checks if the current process is being debugged

Registers a DLL

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

loaddll64.exe (PID: 7072 cmdline: loaddll64.exe "C:\Users\user\Desktop\r0hiaXHscs.dll" MD5: 4E8A40CAD6CCC047914E3A7830A2D8AA)

cmd.exe (PID: 7092 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\r0hiaXHscs.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

rundll32.exe (PID: 7148 cmdline: rundll32.exe "C:\Users\user\Desktop\r0hiaXHscs.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)

regsvr32.exe (PID: 7136 cmdline: regsvr32.exe /s C:\Users\user\Desktop\r0hiaXHscs.dll MD5: D78B75FC68247E8A63ACBA846182740E)

regsvr32.exe (PID: 6392 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FxQLsR\ONbDjBVKT.dll" MD5: D78B75FC68247E8A63ACBA846182740E)

rundll32.exe (PID: 3504 cmdline: rundll32.exe C:\Users\user\Desktop\r0hiaXHscs.dll,DllRegisterServer MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 3980 cmdline: rundll32.exe C:\Users\user\Desktop\r0hiaXHscs.dll,DllUnregisterServer MD5: 73C519F050C20580F8A62C849D49215A)

svchost.exe (PID: 3272 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 2332 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5740 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6148 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6092 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 3440 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.776811676.0000000180001000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.398034910.0000000180001000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000006.00000002.775504614.0000000002C40000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.399182634.0000013444F90000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000003.00000002.395798586.000002165C820000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000002.00000002.401159904.00000000005A0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000003.00000002.395299440.0000000180001000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author
4.2.rundll32.exe.13444f90000.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.rundll32.exe.2165c820000.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.regsvr32.exe.5a0000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.regsvr32.exe.2c40000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.13444f90000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.regsvr32.exe.2c40000.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.rundll32.exe.2165c820000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.regsvr32.exe.5a0000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 3 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: r0hiaXHscs.dll

Virustotal: Detection: 35%

Perma Link

Antivirus detection for URL or domain

Source: https://23.239.0.12/aw

Avira URL Cloud: Label: malware

Source: unknown

HTTPS traffic detected: 23.239.0.12:443 -> 192.168.2.6:49772 version: TLS 1.2

Source: r0hiaXHscs.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: msacm32.pdb source: regsvr32.exe, 00000006.00000002.775197896.0000000000FB5000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: msacm32.pdbGCTL source: regsvr32.exe, 00000006.00000002.775197896.0000000000FB5000.00000004.00000010.00020000.00000000.sdmp

Source: C:\Windows\System32\regsvr32.exe

Code function: 6_2_000000018000D26C FindFirstFileW,FindNextFileW,FindClose,

6_2_000000018000D26C

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\regsvr32.exe

Network Connect: 23.239.0.12 443

Jump to behavior

Source: Joe Sandbox View

ASN Name: LINODE-APLinodeLLCUS LINODE-APLinodeLLCUS

Source: Joe Sandbox View

JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Cookie: Gg=8GHy3N4Xm4BasGI7yF4aqbYZ+UfwCGyAbOlBL+16WxGiVKGpNRlXTVpgGtiVDv4o6m2fAcCSHbC7mYMUPTjqe4US1mRyANHQJL7kUXdkMIV97NOv6NlFY6ItHTPKLQm3cab3RqaCCTHdeUJgOXpfGnYvQigwPZkv1S1NderwBdUbUrQpVsTBxEAdf7eBMQneqNUwyO1NGdrv9JdDXBeFHpBIJABa3NfDOXQ+k98+uc8fHA==Host: 23.239.0.12Connection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View

IP Address: 23.239.0.12 23.239.0.12

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 23.239.0.12
Source: unknown	TCP traffic detected without corresponding DNS query: 23.239.0.12
Source: unknown	TCP traffic detected without corresponding DNS query: 23.239.0.12
Source: unknown	TCP traffic detected without corresponding DNS query: 23.239.0.12
Source: unknown	TCP traffic detected without corresponding DNS query: 23.239.0.12
Source: unknown	TCP traffic detected without corresponding DNS query: 23.239.0.12
Source: unknown	TCP traffic detected without corresponding DNS query: 23.239.0.12
Source: unknown	TCP traffic detected without corresponding DNS query: 23.239.0.12
Source: unknown	TCP traffic detected without corresponding DNS query: 23.239.0.12
Source: unknown	TCP traffic detected without corresponding DNS query: 23.239.0.12

Source: regsvr32.exe, 00000006.00000003.467034320.0000000001439000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.775460304.0000000001439000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.766280874.000001F25DB00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000017.00000002.766213350.000001F25D2ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000017.00000003.736113156.000001F25DB8E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.735828686.000001F25DBA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 0000000E.00000002.548646295.000001A6FB27B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.microsoft
Source: regsvr32.exe, 00000006.00000003.467319252.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.775356330.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.467211849.00000000013E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://23.239.0.12/
Source: regsvr32.exe, 00000006.00000003.467319252.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.775356330.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.467211849.00000000013E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://23.239.0.12/aw
Source: svchost.exe, 00000017.00000003.736113156.000001F25DB8E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.735828686.000001F25DBA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000017.00000003.729809833.000001F25DBA0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.729965849.000001F25DBB0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.729933938.000001F25DB8E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.729828603.000001F25DBB0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.729850048.000001F25E002000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.730030081.000001F25E019000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.729874316.000001F25E003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.hotspotshield.com/
Source: svchost.exe, 00000017.00000003.736113156.000001F25DB8E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.735828686.000001F25DBA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000017.00000003.736113156.000001F25DB8E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.735828686.000001F25DBA0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000017.00000003.729809833.000001F25DBA0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.729965849.000001F25DBB0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.729933938.000001F25DB8E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.729828603.000001F25DBB0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.729850048.000001F25E002000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.730030081.000001F25E019000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.729874316.000001F25E003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.hotspotshield.com/terms/
Source: svchost.exe, 00000017.00000003.729809833.000001F25DBA0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.729965849.000001F25DBB0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.729933938.000001F25DB8E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.729828603.000001F25DBB0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.729850048.000001F25E002000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.730030081.000001F25E019000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.729874316.000001F25E003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.pango.co/privacy
Source: svchost.exe, 00000017.00000003.745516041.000001F25DB8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.tiktok.com/legal/report
Source: svchost.exe, 00000017.00000003.745558940.000001F25E002000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.745533948.000001F25DB9F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.745516041.000001F25DB8E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.745479650.000001F25DBB5000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.745454811.000001F25DBB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.tiktok.com/legal/report/feedback

Source: C:\Windows\System32\regsvr32.exe

Code function: 6_2_00000001800132F0 InternetReadFile,RtlAllocateHeap,

6_2_00000001800132F0

Source: global traffic

Source: unknown

HTTPS traffic detected: 23.239.0.12:443 -> 192.168.2.6:49772 version: TLS 1.2

E-Banking Fraud

Yara detected Emotet

Source: Yara match	File source: 4.2.rundll32.exe.13444f90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.2165c820000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.5a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.regsvr32.exe.2c40000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.13444f90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.regsvr32.exe.2c40000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.2165c820000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.5a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.776811676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.398034910.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.775504614.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.399182634.0000013444F90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.395798586.000002165C820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.401159904.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.395299440.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\System32\regsvr32.exe

File deleted: C:\Windows\System32\FxQLsR\ONbDjBVKT.dll:Zone.Identifier

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

File created: C:\Windows\system32\FxQLsR\

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FFF21BBAA0C	2_2_00007FFF21BBAA0C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FFF21BBB5CC	2_2_00007FFF21BBB5CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FFF21BB5944	2_2_00007FFF21BB5944
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FFF21BB895C	2_2_00007FFF21BB895C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FFF21BBFCA0	2_2_00007FFF21BBFCA0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FFF21BBFB6C	2_2_00007FFF21BBFB6C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FFF21BBEB60	2_2_00007FFF21BBEB60
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FFF21BBA77C	2_2_00007FFF21BBA77C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FFF21BBAF70	2_2_00007FFF21BBAF70
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FFF21BB6F0C	2_2_00007FFF21BB6F0C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FFF21BBE6C0	2_2_00007FFF21BBE6C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00560000	2_2_00560000
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180010FF4	2_2_0000000180010FF4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180028C20	2_2_0000000180028C20
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018002C058	2_2_000000018002C058
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180009100	2_2_0000000180009100
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180007958	2_2_0000000180007958
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000C608	2_2_000000018000C608
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180021618	2_2_0000000180021618
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180013E28	2_2_0000000180013E28
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001E3AC	2_2_000000018001E3AC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001DBE8	2_2_000000018001DBE8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001FC0C	2_2_000000018001FC0C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000580C	2_2_000000018000580C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180022010	2_2_0000000180022010
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001481C	2_2_000000018001481C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018002A42C	2_2_000000018002A42C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180011834	2_2_0000000180011834
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180023831	2_2_0000000180023831
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180021C3C	2_2_0000000180021C3C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000703C	2_2_000000018000703C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000AC48	2_2_000000018000AC48
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000FC48	2_2_000000018000FC48
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180006458	2_2_0000000180006458
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001C05C	2_2_000000018001C05C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001A460	2_2_000000018001A460
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180029888	2_2_0000000180029888
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001D49C	2_2_000000018001D49C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180008CA0	2_2_0000000180008CA0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800248A8	2_2_00000001800248A8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180015CB0	2_2_0000000180015CB0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800124B4	2_2_00000001800124B4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000C4B4	2_2_000000018000C4B4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800288B8	2_2_00000001800288B8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800024B8	2_2_00000001800024B8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000D8C4	2_2_000000018000D8C4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800250CC	2_2_00000001800250CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800190D4	2_2_00000001800190D4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180017CE4	2_2_0000000180017CE4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800264F0	2_2_00000001800264F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800014F8	2_2_00000001800014F8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180020CFC	2_2_0000000180020CFC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018002C904	2_2_000000018002C904
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180017908	2_2_0000000180017908
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180021510	2_2_0000000180021510
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000F917	2_2_000000018000F917
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000551C	2_2_000000018000551C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000F128	2_2_000000018000F128
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001CD38	2_2_000000018001CD38
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180016D3C	2_2_0000000180016D3C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001F944	2_2_000000018001F944
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180018148	2_2_0000000180018148
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001D950	2_2_000000018001D950
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180013150	2_2_0000000180013150
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001ED50	2_2_000000018001ED50
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001E960	2_2_000000018001E960
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180019D60	2_2_0000000180019D60
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001C964	2_2_000000018001C964
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180001D68	2_2_0000000180001D68
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001496C	2_2_000000018001496C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180002D70	2_2_0000000180002D70
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180002178	2_2_0000000180002178
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180024D80	2_2_0000000180024D80
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180018598	2_2_0000000180018598
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180003598	2_2_0000000180003598
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018002A9A8	2_2_000000018002A9A8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800119A8	2_2_00000001800119A8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180025DAC	2_2_0000000180025DAC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180018DAC	2_2_0000000180018DAC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800269B0	2_2_00000001800269B0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800059B8	2_2_00000001800059B8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800029BC	2_2_00000001800029BC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800141C0	2_2_00000001800141C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800125C4	2_2_00000001800125C4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800121CC	2_2_00000001800121CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800075D4	2_2_00000001800075D4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800095DC	2_2_00000001800095DC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000F9E8	2_2_000000018000F9E8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180002610	2_2_0000000180002610
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180019618	2_2_0000000180019618
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001FA38	2_2_000000018001FA38
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000A270	2_2_000000018000A270
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180019E78	2_2_0000000180019E78
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001DA80	2_2_000000018001DA80
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180024698	2_2_0000000180024698
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000EE98	2_2_000000018000EE98
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800176B8	2_2_00000001800176B8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001AAB8	2_2_000000018001AAB8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180011AD0	2_2_0000000180011AD0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180008AD8	2_2_0000000180008AD8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800296EC	2_2_00000001800296EC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000A6EC	2_2_000000018000A6EC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800132F0	2_2_00000001800132F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180019300	2_2_0000000180019300
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001BB04	2_2_000000018001BB04
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018002870C	2_2_000000018002870C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180026B10	2_2_0000000180026B10
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000131C	2_2_000000018000131C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000671C	2_2_000000018000671C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180029B28	2_2_0000000180029B28
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180012F28	2_2_0000000180012F28
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000BB28	2_2_000000018000BB28
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001EB30	2_2_000000018001EB30
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180020334	2_2_0000000180020334
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180010758	2_2_0000000180010758
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001435C	2_2_000000018001435C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180009F5C	2_2_0000000180009F5C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180029368	2_2_0000000180029368
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180020768	2_2_0000000180020768
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180017378	2_2_0000000180017378
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180013780	2_2_0000000180013780
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180015388	2_2_0000000180015388
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000338C	2_2_000000018000338C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000738C	2_2_000000018000738C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180002790	2_2_0000000180002790
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180027F9C	2_2_0000000180027F9C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800197A0	2_2_00000001800197A0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018002C7B4	2_2_000000018002C7B4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001DFB4	2_2_000000018001DFB4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001F7C0	2_2_000000018001F7C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800097C0	2_2_00000001800097C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800157D8	2_2_00000001800157D8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180019FDC	2_2_0000000180019FDC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180017BDC	2_2_0000000180017BDC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000F7E0	2_2_000000018000F7E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180001FE0	2_2_0000000180001FE0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180010FF4	3_2_0000000180010FF4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180028C20	3_2_0000000180028C20
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018002C058	3_2_000000018002C058
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180009100	3_2_0000000180009100
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001C964	3_2_000000018001C964
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000C608	3_2_000000018000C608
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180021618	3_2_0000000180021618
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001E3AC	3_2_000000018001E3AC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001DBE8	3_2_000000018001DBE8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001FC0C	3_2_000000018001FC0C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000580C	3_2_000000018000580C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180022010	3_2_0000000180022010
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001481C	3_2_000000018001481C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018002A42C	3_2_000000018002A42C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180011834	3_2_0000000180011834
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180023831	3_2_0000000180023831
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180021C3C	3_2_0000000180021C3C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000703C	3_2_000000018000703C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000AC48	3_2_000000018000AC48
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000FC48	3_2_000000018000FC48
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180006458	3_2_0000000180006458
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001C05C	3_2_000000018001C05C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001A460	3_2_000000018001A460
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180029888	3_2_0000000180029888
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001D49C	3_2_000000018001D49C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180008CA0	3_2_0000000180008CA0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800248A8	3_2_00000001800248A8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180015CB0	3_2_0000000180015CB0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800124B4	3_2_00000001800124B4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000C4B4	3_2_000000018000C4B4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800288B8	3_2_00000001800288B8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800024B8	3_2_00000001800024B8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000D8C4	3_2_000000018000D8C4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800250CC	3_2_00000001800250CC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800190D4	3_2_00000001800190D4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180017CE4	3_2_0000000180017CE4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800264F0	3_2_00000001800264F0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800014F8	3_2_00000001800014F8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180020CFC	3_2_0000000180020CFC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018002C904	3_2_000000018002C904
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180017908	3_2_0000000180017908
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180021510	3_2_0000000180021510
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000F917	3_2_000000018000F917
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000551C	3_2_000000018000551C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000F128	3_2_000000018000F128
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001CD38	3_2_000000018001CD38
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180016D3C	3_2_0000000180016D3C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001F944	3_2_000000018001F944
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180018148	3_2_0000000180018148
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001ED50	3_2_000000018001ED50
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180013150	3_2_0000000180013150
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001D950	3_2_000000018001D950
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001E960	3_2_000000018001E960
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180019D60	3_2_0000000180019D60
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180001D68	3_2_0000000180001D68
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001496C	3_2_000000018001496C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180002D70	3_2_0000000180002D70
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180002178	3_2_0000000180002178
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180024D80	3_2_0000000180024D80
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180018598	3_2_0000000180018598
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180003598	3_2_0000000180003598
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018002A9A8	3_2_000000018002A9A8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800119A8	3_2_00000001800119A8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180025DAC	3_2_0000000180025DAC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180018DAC	3_2_0000000180018DAC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800269B0	3_2_00000001800269B0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800059B8	3_2_00000001800059B8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800029BC	3_2_00000001800029BC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800141C0	3_2_00000001800141C0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800125C4	3_2_00000001800125C4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800121CC	3_2_00000001800121CC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000BDD0	3_2_000000018000BDD0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800075D4	3_2_00000001800075D4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800095DC	3_2_00000001800095DC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000F9E8	3_2_000000018000F9E8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180002610	3_2_0000000180002610
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180019618	3_2_0000000180019618
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180013E28	3_2_0000000180013E28
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001FA38	3_2_000000018001FA38
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000A270	3_2_000000018000A270
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180019E78	3_2_0000000180019E78
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001DA80	3_2_000000018001DA80
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180024698	3_2_0000000180024698
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000EE98	3_2_000000018000EE98
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800176B8	3_2_00000001800176B8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001AAB8	3_2_000000018001AAB8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180011AD0	3_2_0000000180011AD0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180008AD8	3_2_0000000180008AD8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800296EC	3_2_00000001800296EC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000A6EC	3_2_000000018000A6EC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800132F0	3_2_00000001800132F0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180019300	3_2_0000000180019300
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001BB04	3_2_000000018001BB04
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018002870C	3_2_000000018002870C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180026B10	3_2_0000000180026B10
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000131C	3_2_000000018000131C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000671C	3_2_000000018000671C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180029B28	3_2_0000000180029B28
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180012F28	3_2_0000000180012F28
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000BB28	3_2_000000018000BB28
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001EB30	3_2_000000018001EB30
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180020334	3_2_0000000180020334
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180010758	3_2_0000000180010758
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001435C	3_2_000000018001435C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180009F5C	3_2_0000000180009F5C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180029368	3_2_0000000180029368
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180020768	3_2_0000000180020768
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180017378	3_2_0000000180017378
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180013780	3_2_0000000180013780
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180015388	3_2_0000000180015388
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000338C	3_2_000000018000338C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000738C	3_2_000000018000738C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180002790	3_2_0000000180002790
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180027F9C	3_2_0000000180027F9C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800197A0	3_2_00000001800197A0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018002C7B4	3_2_000000018002C7B4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001DFB4	3_2_000000018001DFB4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001F7C0	3_2_000000018001F7C0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800097C0	3_2_00000001800097C0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800157D8	3_2_00000001800157D8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180019FDC	3_2_0000000180019FDC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180017BDC	3_2_0000000180017BDC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000F7E0	3_2_000000018000F7E0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180001FE0	3_2_0000000180001FE0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000002165C710000	3_2_000002165C710000
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180010FF4	4_2_0000000180010FF4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018002C058	4_2_000000018002C058
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180009100	4_2_0000000180009100
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000C608	4_2_000000018000C608
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180021618	4_2_0000000180021618
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001E3AC	4_2_000000018001E3AC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001DBE8	4_2_000000018001DBE8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001FC0C	4_2_000000018001FC0C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000580C	4_2_000000018000580C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180022010	4_2_0000000180022010
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001481C	4_2_000000018001481C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018002A42C	4_2_000000018002A42C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180011834	4_2_0000000180011834
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180021C3C	4_2_0000000180021C3C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000703C	4_2_000000018000703C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000AC48	4_2_000000018000AC48
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000FC48	4_2_000000018000FC48
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180006458	4_2_0000000180006458
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001C05C	4_2_000000018001C05C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001A460	4_2_000000018001A460
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180029888	4_2_0000000180029888
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001D49C	4_2_000000018001D49C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180008CA0	4_2_0000000180008CA0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800248A8	4_2_00000001800248A8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180015CB0	4_2_0000000180015CB0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800124B4	4_2_00000001800124B4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000C4B4	4_2_000000018000C4B4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800288B8	4_2_00000001800288B8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800024B8	4_2_00000001800024B8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000D8C4	4_2_000000018000D8C4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800250CC	4_2_00000001800250CC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800190D4	4_2_00000001800190D4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180017CE4	4_2_0000000180017CE4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800264F0	4_2_00000001800264F0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800014F8	4_2_00000001800014F8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180020CFC	4_2_0000000180020CFC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018002C904	4_2_000000018002C904
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180017908	4_2_0000000180017908
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180021510	4_2_0000000180021510
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000F917	4_2_000000018000F917
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000551C	4_2_000000018000551C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000F128	4_2_000000018000F128
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001CD38	4_2_000000018001CD38
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180016D3C	4_2_0000000180016D3C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001F944	4_2_000000018001F944
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180018148	4_2_0000000180018148
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001ED50	4_2_000000018001ED50
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180013150	4_2_0000000180013150
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001D950	4_2_000000018001D950
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001E960	4_2_000000018001E960
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180019D60	4_2_0000000180019D60
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001C964	4_2_000000018001C964
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180001D68	4_2_0000000180001D68
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001496C	4_2_000000018001496C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180002D70	4_2_0000000180002D70
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180002178	4_2_0000000180002178
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180024D80	4_2_0000000180024D80
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180018598	4_2_0000000180018598
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180003598	4_2_0000000180003598
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018002A9A8	4_2_000000018002A9A8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800119A8	4_2_00000001800119A8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180025DAC	4_2_0000000180025DAC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180018DAC	4_2_0000000180018DAC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800269B0	4_2_00000001800269B0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800059B8	4_2_00000001800059B8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800029BC	4_2_00000001800029BC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800141C0	4_2_00000001800141C0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800125C4	4_2_00000001800125C4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800121CC	4_2_00000001800121CC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800075D4	4_2_00000001800075D4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800095DC	4_2_00000001800095DC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000F9E8	4_2_000000018000F9E8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180002610	4_2_0000000180002610
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180019618	4_2_0000000180019618
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180013E28	4_2_0000000180013E28
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001FA38	4_2_000000018001FA38
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000A270	4_2_000000018000A270
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180019E78	4_2_0000000180019E78
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001DA80	4_2_000000018001DA80
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180024698	4_2_0000000180024698
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000EE98	4_2_000000018000EE98
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800176B8	4_2_00000001800176B8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001AAB8	4_2_000000018001AAB8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180011AD0	4_2_0000000180011AD0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180008AD8	4_2_0000000180008AD8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800296EC	4_2_00000001800296EC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000A6EC	4_2_000000018000A6EC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800132F0	4_2_00000001800132F0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180019300	4_2_0000000180019300
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001BB04	4_2_000000018001BB04
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018002870C	4_2_000000018002870C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180026B10	4_2_0000000180026B10
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000131C	4_2_000000018000131C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000671C	4_2_000000018000671C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180029B28	4_2_0000000180029B28
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180012F28	4_2_0000000180012F28
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000BB28	4_2_000000018000BB28
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001EB30	4_2_000000018001EB30
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180020334	4_2_0000000180020334
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180010758	4_2_0000000180010758
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001435C	4_2_000000018001435C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180009F5C	4_2_0000000180009F5C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180029368	4_2_0000000180029368
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180020768	4_2_0000000180020768
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180017378	4_2_0000000180017378
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180013780	4_2_0000000180013780
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180015388	4_2_0000000180015388
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000338C	4_2_000000018000338C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000738C	4_2_000000018000738C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180002790	4_2_0000000180002790
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800197A0	4_2_00000001800197A0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018002C7B4	4_2_000000018002C7B4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001DFB4	4_2_000000018001DFB4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001F7C0	4_2_000000018001F7C0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800097C0	4_2_00000001800097C0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800157D8	4_2_00000001800157D8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180019FDC	4_2_0000000180019FDC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180017BDC	4_2_0000000180017BDC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000F7E0	4_2_000000018000F7E0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180001FE0	4_2_0000000180001FE0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000013444F80000	4_2_0000013444F80000
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_01380000	6_2_01380000
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180010FF4	6_2_0000000180010FF4
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180028C20	6_2_0000000180028C20
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018002C058	6_2_000000018002C058
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001ACA4	6_2_000000018001ACA4
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018000551C	6_2_000000018000551C
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180018148	6_2_0000000180018148
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001496C	6_2_000000018001496C
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018000E1E0	6_2_000000018000E1E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018000C608	6_2_000000018000C608
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180021618	6_2_0000000180021618
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180013E28	6_2_0000000180013E28
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018002AE44	6_2_000000018002AE44
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018000D26C	6_2_000000018000D26C
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180025278	6_2_0000000180025278
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018000EE98	6_2_000000018000EE98
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800046A8	6_2_00000001800046A8
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180004ACA	6_2_0000000180004ACA
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800132F0	6_2_00000001800132F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180026B10	6_2_0000000180026B10
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001DBE8	6_2_000000018001DBE8
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001FC0C	6_2_000000018001FC0C
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018000580C	6_2_000000018000580C
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180022010	6_2_0000000180022010
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001481C	6_2_000000018001481C
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018002A42C	6_2_000000018002A42C
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180011834	6_2_0000000180011834
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180021C3C	6_2_0000000180021C3C
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018000703C	6_2_000000018000703C
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018000AC48	6_2_000000018000AC48
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018000FC48	6_2_000000018000FC48
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180024458	6_2_0000000180024458
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180006458	6_2_0000000180006458
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001C05C	6_2_000000018001C05C
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001A460	6_2_000000018001A460
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180029888	6_2_0000000180029888
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001D49C	6_2_000000018001D49C
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180008CA0	6_2_0000000180008CA0
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800248A8	6_2_00000001800248A8
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180015CB0	6_2_0000000180015CB0
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800124B4	6_2_00000001800124B4
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018000C4B4	6_2_000000018000C4B4
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800288B8	6_2_00000001800288B8
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800024B8	6_2_00000001800024B8
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018000D8C4	6_2_000000018000D8C4
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800250CC	6_2_00000001800250CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800190D4	6_2_00000001800190D4
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180017CE4	6_2_0000000180017CE4
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800264F0	6_2_00000001800264F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800014F8	6_2_00000001800014F8
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180020CFC	6_2_0000000180020CFC
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180009100	6_2_0000000180009100
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018002C904	6_2_000000018002C904
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180017908	6_2_0000000180017908
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180021510	6_2_0000000180021510
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018000F917	6_2_000000018000F917
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018000F128	6_2_000000018000F128
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001CD38	6_2_000000018001CD38
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180016D3C	6_2_0000000180016D3C
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001F944	6_2_000000018001F944
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001D950	6_2_000000018001D950
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180013150	6_2_0000000180013150
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001ED50	6_2_000000018001ED50
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001E960	6_2_000000018001E960
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180019D60	6_2_0000000180019D60
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001C964	6_2_000000018001C964
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001C568	6_2_000000018001C568
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180001D68	6_2_0000000180001D68
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180002D70	6_2_0000000180002D70
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180024574	6_2_0000000180024574
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180002178	6_2_0000000180002178
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180024D80	6_2_0000000180024D80
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180018598	6_2_0000000180018598
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180003598	6_2_0000000180003598
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001F1A4	6_2_000000018001F1A4
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018002A9A8	6_2_000000018002A9A8
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800119A8	6_2_00000001800119A8
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180025DAC	6_2_0000000180025DAC
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180018DAC	6_2_0000000180018DAC
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800269B0	6_2_00000001800269B0
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800059B8	6_2_00000001800059B8
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800029BC	6_2_00000001800029BC
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800141C0	6_2_00000001800141C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800125C4	6_2_00000001800125C4
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800121CC	6_2_00000001800121CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018000BDD0	6_2_000000018000BDD0
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800075D4	6_2_00000001800075D4
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800095DC	6_2_00000001800095DC
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018000F9E8	6_2_000000018000F9E8
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180002610	6_2_0000000180002610
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180019618	6_2_0000000180019618
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001FA38	6_2_000000018001FA38
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018000A270	6_2_000000018000A270
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180019E78	6_2_0000000180019E78
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001DA80	6_2_000000018001DA80
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180024698	6_2_0000000180024698
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800176B8	6_2_00000001800176B8
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001AAB8	6_2_000000018001AAB8
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018002CAD0	6_2_000000018002CAD0
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180011AD0	6_2_0000000180011AD0
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180008AD8	6_2_0000000180008AD8
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800296EC	6_2_00000001800296EC
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018000A6EC	6_2_000000018000A6EC
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180019300	6_2_0000000180019300
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001BB04	6_2_000000018001BB04
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018002870C	6_2_000000018002870C
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018000131C	6_2_000000018000131C
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018000671C	6_2_000000018000671C
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180029B28	6_2_0000000180029B28
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180012F28	6_2_0000000180012F28
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018000BB28	6_2_000000018000BB28
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001EB30	6_2_000000018001EB30
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180020334	6_2_0000000180020334
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180010758	6_2_0000000180010758
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001435C	6_2_000000018001435C
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180009F5C	6_2_0000000180009F5C
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180029368	6_2_0000000180029368
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180020768	6_2_0000000180020768

Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll			Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll			Jump to behavior

Source: r0hiaXHscs.dll

Virustotal: Detection: 35%

Source: r0hiaXHscs.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\r0hiaXHscs.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\r0hiaXHscs.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\r0hiaXHscs.dll
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\r0hiaXHscs.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\r0hiaXHscs.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\r0hiaXHscs.dll,DllUnregisterServer
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FxQLsR\ONbDjBVKT.dll"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\r0hiaXHscs.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\r0hiaXHscs.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\r0hiaXHscs.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\r0hiaXHscs.dll,DllUnregisterServer	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\r0hiaXHscs.dll",#1	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FxQLsR\ONbDjBVKT.dll"	Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D105A4D4-344C-48EB-9866-EE378D90658B}\InProcServer32

Jump to behavior

Source: classification engine

Classification label: mal76.troj.evad.winDLL@19/0@0/1

Source: C:\Windows\System32\regsvr32.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: 6_2_00000001800046A8 CreateToolhelp32Snapshot,Process32NextW,Process32FirstW,FindCloseChangeNotification,

6_2_00000001800046A8

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\r0hiaXHscs.dll",#1

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: r0hiaXHscs.dll

Static PE information: Image base 0x180000000 > 0x60000000

Source: r0hiaXHscs.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: msacm32.pdb source: regsvr32.exe, 00000006.00000002.775197896.0000000000FB5000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: msacm32.pdbGCTL source: regsvr32.exe, 00000006.00000002.775197896.0000000000FB5000.00000004.00000010.00020000.00000000.sdmp

Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001AFFD push ebp; retf	2_2_000000018001AFFE
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800051D1 push ebp; iretd	2_2_00000001800051D2
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001BA32 push ebp; retf	2_2_000000018001BA33
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180004E83 push es; ret	2_2_0000000180004E84
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001B694 push es; ret	2_2_000000018001B6E9
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001BADD push ebp; iretd	2_2_000000018001BADE
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001B717 push ebp; iretd	2_2_000000018001B718
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001AF4E push ebp; retf	2_2_000000018001AF4F
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001AFFD push ebp; retf	3_2_000000018001AFFE
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800051D1 push ebp; iretd	3_2_00000001800051D2
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001BA32 push ebp; retf	3_2_000000018001BA33
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180004E83 push es; ret	3_2_0000000180004E84
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001B694 push es; ret	3_2_000000018001B6E9
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001BADD push ebp; iretd	3_2_000000018001BADE
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001B717 push ebp; iretd	3_2_000000018001B718
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180007B3F push esp; retf	3_2_0000000180007B40
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001AF4E push ebp; retf	3_2_000000018001AF4F
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001AFFD push ebp; retf	4_2_000000018001AFFE
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800051D1 push ebp; iretd	4_2_00000001800051D2
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001BA32 push ebp; retf	4_2_000000018001BA33
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180004E83 push es; ret	4_2_0000000180004E84
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001B694 push es; ret	4_2_000000018001B6E9
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001BADD push ebp; iretd	4_2_000000018001BADE
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001B717 push ebp; iretd	4_2_000000018001B718
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180007B3F push esp; retf	4_2_0000000180007B40
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001AF4E push ebp; retf	4_2_000000018001AF4F
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800051D1 push ebp; iretd	6_2_00000001800051D2
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180004E83 push es; ret	6_2_0000000180004E84
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180007B3F push esp; retf	6_2_0000000180007B40

Source: C:\Windows\System32\regsvr32.exe

Code function: 2_2_00007FFF21BBD0B8 LoadLibraryA,GetProcAddress,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

2_2_00007FFF21BBD0B8

Source: r0hiaXHscs.dll

Static PE information: real checksum: 0x85ab6 should be: 0x8a681

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\r0hiaXHscs.dll

Source: C:\Windows\System32\regsvr32.exe

PE file moved: C:\Windows\System32\FxQLsR\ONbDjBVKT.dll

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\System32\regsvr32.exe	File opened: C:\Windows\system32\FxQLsR\ONbDjBVKT.dll:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Windows\system32\ZBoJvStPyVWgD\wZOvGUm.dll:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Windows\system32\NuCIihAKPg\VLCtEbrCMLj.dll:Zone.Identifier read attributes \| delete	Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\svchost.exe TID: 6040

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_2-10019

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\regsvr32.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: 6_2_000000018000D26C FindFirstFileW,FindNextFileW,FindClose,

6_2_000000018000D26C

Source: C:\Windows\System32\regsvr32.exe

API call chain: ExitProcess graph end node

graph_2-10021

Source: C:\Windows\System32\regsvr32.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: rundll32.exe, 00000003.00000002.395701658.000002165C728000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}m
Source: regsvr32.exe, 00000006.00000003.467319252.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.775356330.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.467252605.000000000141C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.467211849.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.775407790.000000000141C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.766213350.000001F25D2ED000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.766049645.000001F25D270000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000A.00000002.775524670.000001E32AE02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: regsvr32.exe, 00000006.00000003.467252605.000000000141C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.775407790.000000000141C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW"
Source: svchost.exe, 0000000A.00000002.775557625.000001E32AE28000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\regsvr32.exe

Code function: 2_2_00007FFF21BB6550 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

2_2_00007FFF21BB6550

Source: C:\Windows\System32\regsvr32.exe

2_2_00007FFF21BBD0B8

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\loaddll64.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FFF21BB6550 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FFF21BB6550
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FFF21BB20E0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FFF21BB20E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FFF21BBD318 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FFF21BBD318

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\regsvr32.exe

Network Connect: 23.239.0.12 443

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\r0hiaXHscs.dll",#1

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoA,	2_2_00007FFF21BBE1E8
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,	2_2_00007FFF21BBC16C
Source: C:\Windows\System32\regsvr32.exe	Code function: _getptd,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,_itow_s,	2_2_00007FFF21BBC934
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesA,	2_2_00007FFF21BBC8C8
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesA,	2_2_00007FFF21BBC834
Source: C:\Windows\System32\regsvr32.exe	Code function: _getptd,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,	2_2_00007FFF21BBC450
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesA,	2_2_00007FFF21BBC7F4
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,free,GetLocaleInfoA,	2_2_00007FFF21BBDF98
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoA,	2_2_00007FFF21BBC39C
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,	2_2_00007FFF21BBDF20
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,	2_2_00007FFF21BBDF3C
Source: C:\Windows\System32\regsvr32.exe	Code function: _getptd,GetLocaleInfoA,	2_2_00007FFF21BBC6E4
Source: C:\Windows\System32\regsvr32.exe	Code function: _getptd,GetLocaleInfoA,	2_2_00007FFF21BBC2B4

Source: C:\Windows\System32\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: 2_2_00007FFF21BB4558 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

2_2_00007FFF21BB4558

Source: C:\Windows\System32\regsvr32.exe

Code function: 2_2_00007FFF21BBE6C0 _lock,___lc_codepage_func,free,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

2_2_00007FFF21BBE6C0

Stealing of Sensitive Information

Yara detected Emotet

Source: Yara match	File source: 4.2.rundll32.exe.13444f90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.2165c820000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.5a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.regsvr32.exe.2c40000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.13444f90000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.regsvr32.exe.2c40000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.2165c820000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.5a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.776811676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.398034910.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.775504614.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.399182634.0000013444F90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.395798586.000002165C820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.401159904.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.395299440.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Native API	1 DLL Side-Loading	111 Process Injection	2 Masquerading	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	11 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	2 Virtualization/Sandbox Evasion	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	2 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	111 Process Injection	Security Account Manager	2 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Hidden Files and Directories	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	2 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Regsvr32	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Rundll32	DCSync	24 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 File Deletion	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
r0hiaXHscs.dll	35%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
6.2.regsvr32.exe.2c40000.1.unpack	100%	Avira	HEUR/AGEN.1215493	Download File
3.2.rundll32.exe.2165c820000.1.unpack	100%	Avira	HEUR/AGEN.1215493	Download File
2.2.regsvr32.exe.5a0000.0.unpack	100%	Avira	HEUR/AGEN.1215493	Download File
4.2.rundll32.exe.13444f90000.1.unpack	100%	Avira	HEUR/AGEN.1215493	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://www.disneyplus.com/legal/your-california-privacy-rights	0%	URL Reputation	safe
https://www.disneyplus.com/legal/privacy-policy	0%	URL Reputation	safe
https://www.pango.co/privacy	0%	URL Reputation	safe
https://disneyplus.com/legal.	0%	URL Reputation	safe
https://23.239.0.12/aw	100%	Avira URL Cloud	malware
http://crl.ver)	0%	Avira URL Cloud	safe
https://www.tiktok.com/legal/report	0%	URL Reputation	safe
https://www.tiktok.com/legal/report/feedback	0%	URL Reputation	safe
https://23.239.0.12/	0%	URL Reputation	safe
http://help.disneyplus.com.	0%	URL Reputation	safe
http://schemas.microsoft	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://23.239.0.12/	true	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.disneyplus.com/legal/your-california-privacy-rights	svchost.exe, 00000017.00000003.736113156.000001F25DB8E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.735828686.000001F25DBA0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.disneyplus.com/legal/privacy-policy	svchost.exe, 00000017.00000003.736113156.000001F25DB8E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.735828686.000001F25DBA0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.hotspotshield.com/terms/	svchost.exe, 00000017.00000003.729809833.000001F25DBA0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.729965849.000001F25DBB0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.729933938.000001F25DB8E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.729828603.000001F25DBB0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.729850048.000001F25E002000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.730030081.000001F25E019000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.729874316.000001F25E003000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.pango.co/privacy	svchost.exe, 00000017.00000003.729809833.000001F25DBA0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.729965849.000001F25DBB0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.729933938.000001F25DB8E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.729828603.000001F25DBB0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.729850048.000001F25E002000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.730030081.000001F25E019000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.729874316.000001F25E003000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://disneyplus.com/legal.	svchost.exe, 00000017.00000003.736113156.000001F25DB8E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.735828686.000001F25DBA0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://23.239.0.12/aw	regsvr32.exe, 00000006.00000003.467319252.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.775356330.00000000013E1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.467211849.00000000013E1000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://crl.ver)	svchost.exe, 00000017.00000002.766213350.000001F25D2ED000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://www.tiktok.com/legal/report	svchost.exe, 00000017.00000003.745516041.000001F25DB8E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.tiktok.com/legal/report/feedback	svchost.exe, 00000017.00000003.745558940.000001F25E002000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.745533948.000001F25DB9F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.745516041.000001F25DB8E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.745479650.000001F25DBB5000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.745454811.000001F25DBB5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://help.disneyplus.com.	svchost.exe, 00000017.00000003.736113156.000001F25DB8E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.735828686.000001F25DBA0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.hotspotshield.com/	svchost.exe, 00000017.00000003.729809833.000001F25DBA0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.729965849.000001F25DBB0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.729933938.000001F25DB8E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.729828603.000001F25DBB0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.729850048.000001F25E002000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.730030081.000001F25E019000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000017.00000003.729874316.000001F25E003000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.microsoft	svchost.exe, 0000000E.00000002.548646295.000001A6FB27B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
23.239.0.12	unknown	United States		63949	LINODE-APLinodeLLCUS	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	626489
Start date and time: 14/05/202204:55:57	2022-05-14 04:55:57 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	r0hiaXHscs.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.troj.evad.winDLL@19/0@0/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 50 Number of non-executed functions: 214
Cookbook Comments:	Found application associated with file extension: .dll Adjust boot time Enable AMSI Sleeps bigger than 120000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 20.223.24.244
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, arc.msn.com, ris.api.iris.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
23.239.0.12	Plt3z2W7KQ.dll	Get hash	malicious	Browse
	2V7zjcga5L.dll	Get hash	malicious	Browse
	RuqTBW6t32.dll	Get hash	malicious	Browse
	yj81rxDZIp.dll	Get hash	malicious	Browse
	3j6e3XaMWM.dll	Get hash	malicious	Browse
	wgJ5YjI2QO.dll	Get hash	malicious	Browse
	r0hiaXHscs.dll	Get hash	malicious	Browse
	TSvDnT6fkE.dll	Get hash	malicious	Browse
	x4ByCNJqst.dll	Get hash	malicious	Browse
	Xp7X1Yf3CM.dll	Get hash	malicious	Browse
	RuqTBW6t32.dll	Get hash	malicious	Browse
	yj81rxDZIp.dll	Get hash	malicious	Browse
	x4ByCNJqst.dll	Get hash	malicious	Browse
	lc4KFeS296.dll	Get hash	malicious	Browse
	36yjawe0S4.dll	Get hash	malicious	Browse
	Ns2al4764F.dll	Get hash	malicious	Browse
	cX9TLU9gnx.dll	Get hash	malicious	Browse
	56vvRzZVQI.dll	Get hash	malicious	Browse
	8PnsJpuSdb.dll	Get hash	malicious	Browse
	yaEOuyT3Sg.dll	Get hash	malicious	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
LINODE-APLinodeLLCUS	Plt3z2W7KQ.dll	Get hash	malicious	Browse	23.239.0.12
	2V7zjcga5L.dll	Get hash	malicious	Browse	23.239.0.12
	RuqTBW6t32.dll	Get hash	malicious	Browse	23.239.0.12
	yj81rxDZIp.dll	Get hash	malicious	Browse	23.239.0.12
	3j6e3XaMWM.dll	Get hash	malicious	Browse	23.239.0.12
	wgJ5YjI2QO.dll	Get hash	malicious	Browse	23.239.0.12
	r0hiaXHscs.dll	Get hash	malicious	Browse	23.239.0.12
	TSvDnT6fkE.dll	Get hash	malicious	Browse	23.239.0.12
	x4ByCNJqst.dll	Get hash	malicious	Browse	23.239.0.12
	Xp7X1Yf3CM.dll	Get hash	malicious	Browse	23.239.0.12
	RuqTBW6t32.dll	Get hash	malicious	Browse	23.239.0.12
	yj81rxDZIp.dll	Get hash	malicious	Browse	23.239.0.12
	x4ByCNJqst.dll	Get hash	malicious	Browse	23.239.0.12
	lc4KFeS296.dll	Get hash	malicious	Browse	23.239.0.12
	36yjawe0S4.dll	Get hash	malicious	Browse	23.239.0.12
	Ns2al4764F.dll	Get hash	malicious	Browse	23.239.0.12
	cX9TLU9gnx.dll	Get hash	malicious	Browse	23.239.0.12
	56vvRzZVQI.dll	Get hash	malicious	Browse	23.239.0.12
	8PnsJpuSdb.dll	Get hash	malicious	Browse	23.239.0.12
	yaEOuyT3Sg.dll	Get hash	malicious	Browse	23.239.0.12

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
51c64c77e60f3980eea90869b68c58a8	Plt3z2W7KQ.dll	Get hash	malicious	Browse	23.239.0.12
	2V7zjcga5L.dll	Get hash	malicious	Browse	23.239.0.12
	RuqTBW6t32.dll	Get hash	malicious	Browse	23.239.0.12
	yj81rxDZIp.dll	Get hash	malicious	Browse	23.239.0.12
	3j6e3XaMWM.dll	Get hash	malicious	Browse	23.239.0.12
	wgJ5YjI2QO.dll	Get hash	malicious	Browse	23.239.0.12
	r0hiaXHscs.dll	Get hash	malicious	Browse	23.239.0.12
	TSvDnT6fkE.dll	Get hash	malicious	Browse	23.239.0.12
	x4ByCNJqst.dll	Get hash	malicious	Browse	23.239.0.12
	Xp7X1Yf3CM.dll	Get hash	malicious	Browse	23.239.0.12
	RuqTBW6t32.dll	Get hash	malicious	Browse	23.239.0.12
	yj81rxDZIp.dll	Get hash	malicious	Browse	23.239.0.12
	x4ByCNJqst.dll	Get hash	malicious	Browse	23.239.0.12
	lc4KFeS296.dll	Get hash	malicious	Browse	23.239.0.12
	36yjawe0S4.dll	Get hash	malicious	Browse	23.239.0.12
	Ns2al4764F.dll	Get hash	malicious	Browse	23.239.0.12
	cX9TLU9gnx.dll	Get hash	malicious	Browse	23.239.0.12
	56vvRzZVQI.dll	Get hash	malicious	Browse	23.239.0.12
	8PnsJpuSdb.dll	Get hash	malicious	Browse	23.239.0.12
	yaEOuyT3Sg.dll	Get hash	malicious	Browse	23.239.0.12

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit):	6.4820900629981555
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	r0hiaXHscs.dll
File size:	545280
MD5:	28fd92e0ce7538516dcea70e239fb177
SHA1:	483d573cd7d464b01c880998e0321970a635e8d0
SHA256:	198a1b06c69382d00cf775aa56d2172f6d0412f31753bda078620107ee998283
SHA512:	aa78a2ce9c6118faa00b9a3d8adcc2603c607ddd3816a106155f1cac91a1a6c3aaab1d51954563af7a10477b8046e78adf509d2f5527f7fea65aa25ca1a3b402
SSDEEP:	12288:B4UJY9B+TenWsSEPHjMOUP9uXdt7JpfYNVr9RM54RutCTdJGqIoTCZ4eEsZfHxHy:B4UJY9BSenZSEPHjMOUP9Udt7JpfYNVv
TLSH:	22C4CFA5435C08FCE762C3395C975BC5B1F7BDAE0664AF260BC18DA05E1BA90F53A381
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2.H.v.&.v.&.v.&.h...o.&.h...2.&.h.....&.Q6].s.&.v.'.9.&.h...w.&.h...w.&.h...w.&.h...w.&.Richv.&.........PE..d.....}b.........."

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General

Entrypoint:	0x1800423a8
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x180000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x627D8598 [Thu May 12 22:09:28 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	b268dbaa2e6eb6acd16e04d482356598

Entrypoint Preview

Instruction
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], esi
push edi
dec eax
sub esp, 20h
dec ecx
mov edi, eax
mov ebx, edx
dec eax
mov esi, ecx
cmp edx, 01h
jne 00007FB74CBB1BC7h
call 00007FB74CBB3D54h
dec esp
mov eax, edi
mov edx, ebx
dec eax
mov ecx, esi
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
mov esi, dword ptr [esp+38h]
dec eax
add esp, 20h
pop edi
jmp 00007FB74CBB1A70h
int3
int3
int3
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 00000088h
dec eax
lea ecx, dword ptr [00014D05h]
call dword ptr [0000FC7Fh]
dec esp
mov ebx, dword ptr [00014DF0h]
dec esp
mov dword ptr [esp+58h], ebx
inc ebp
xor eax, eax
dec eax
lea edx, dword ptr [esp+60h]
dec eax
mov ecx, dword ptr [esp+58h]
call 00007FB74CBC074Ah
dec eax
mov dword ptr [esp+50h], eax
dec eax
cmp dword ptr [esp+50h], 00000000h
je 00007FB74CBB1C03h
dec eax
mov dword ptr [esp+38h], 00000000h
dec eax
lea eax, dword ptr [esp+48h]
dec eax
mov dword ptr [esp+30h], eax
dec eax
lea eax, dword ptr [esp+40h]
dec eax
mov dword ptr [esp+28h], eax
dec eax
lea eax, dword ptr [00014CB0h]
dec eax
mov dword ptr [esp+20h], eax
dec esp
mov ecx, dword ptr [esp+50h]
dec esp
mov eax, dword ptr [esp+58h]
dec eax
mov edx, dword ptr [esp+60h]
xor ecx, ecx
call 00007FB74CBC06F8h
jmp 00007FB74CBB1BE4h
dec eax
mov eax, dword ptr [eax+eax+00000000h]

Rich Headers

Programming Language:

[ C ] VS2008 build 21022
[LNK] VS2008 build 21022
[ASM] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[EXP] VS2008 build 21022
[C++] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x55cf0	0x6f	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5544c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5a000	0x2dffc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x59000	0xe1c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x88000	0x1d8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x52000	0x288	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x504ca	0x50600	False	0.389081940124	zlib compressed data	5.26882252971	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x52000	0x3d5f	0x3e00	False	0.355405745968	data	5.39330874285	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x56000	0x20d8	0x1200	False	0.180772569444	data	2.18161586025	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata	0x59000	0xe1c	0x1000	False	0.44580078125	data	4.98556265168	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x5a000	0x2dffc	0x2e000	False	0.839408542799	data	7.73448363752	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x88000	0x6f8	0x800	False	0.1796875	data	1.81179169858	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_RCDATA	0x5a0a0	0x2de00	data	English	United States
RT_MANIFEST	0x87ea0	0x15a	ASCII text, with CRLF line terminators	English	United States

Imports

DLL

Import

KERNEL32.dll

ExitProcess, VirtualAlloc, CompareStringW, CompareStringA, GetTimeZoneInformation, GetLocaleInfoW, GetCurrentThreadId, FlsSetValue, GetCommandLineA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, EncodePointer, DecodePointer, TlsAlloc, FlsGetValue, FlsFree, SetLastError, GetLastError, GetCurrentThread, FlsAlloc, HeapFree, Sleep, GetModuleHandleW, GetProcAddress, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, HeapSetInformation, HeapCreate, HeapDestroy, RtlUnwindEx, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, LeaveCriticalSection, FatalAppExitA, EnterCriticalSection, HeapAlloc, HeapReAlloc, WriteFile, SetConsoleCtrlHandler, FreeLibrary, LoadLibraryA, InitializeCriticalSectionAndSpinCount, LCMapStringA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, GetDateFormatA, GetTimeFormatA, GetUserDefaultLCID, GetLocaleInfoA, EnumSystemLocalesA, IsValidLocale, HeapSize, SetEnvironmentVariableA

ole32.dll

CoTaskMemFree, CoLoadLibrary, CoTaskMemAlloc

Exports

Name	Ordinal	Address
DllRegisterServer	1	0x180042050
DllUnregisterServer	2	0x180042080

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 14, 2022 04:57:53.988490105 CEST	49772	443	192.168.2.6	23.239.0.12
May 14, 2022 04:57:53.988554955 CEST	443	49772	23.239.0.12	192.168.2.6
May 14, 2022 04:57:53.988698006 CEST	49772	443	192.168.2.6	23.239.0.12
May 14, 2022 04:57:54.029891014 CEST	49772	443	192.168.2.6	23.239.0.12
May 14, 2022 04:57:54.029942989 CEST	443	49772	23.239.0.12	192.168.2.6
May 14, 2022 04:57:54.571053982 CEST	443	49772	23.239.0.12	192.168.2.6
May 14, 2022 04:57:54.571193933 CEST	49772	443	192.168.2.6	23.239.0.12
May 14, 2022 04:57:55.201952934 CEST	49772	443	192.168.2.6	23.239.0.12
May 14, 2022 04:57:55.202007055 CEST	443	49772	23.239.0.12	192.168.2.6
May 14, 2022 04:57:55.202414036 CEST	443	49772	23.239.0.12	192.168.2.6
May 14, 2022 04:57:55.202596903 CEST	49772	443	192.168.2.6	23.239.0.12
May 14, 2022 04:57:55.216537952 CEST	49772	443	192.168.2.6	23.239.0.12
May 14, 2022 04:57:55.260504007 CEST	443	49772	23.239.0.12	192.168.2.6
May 14, 2022 04:57:56.068161011 CEST	443	49772	23.239.0.12	192.168.2.6
May 14, 2022 04:57:56.068233013 CEST	443	49772	23.239.0.12	192.168.2.6
May 14, 2022 04:57:56.068325996 CEST	49772	443	192.168.2.6	23.239.0.12
May 14, 2022 04:57:56.068365097 CEST	49772	443	192.168.2.6	23.239.0.12
May 14, 2022 04:57:56.069004059 CEST	49772	443	192.168.2.6	23.239.0.12
May 14, 2022 04:57:56.069027901 CEST	443	49772	23.239.0.12	192.168.2.6

HTTP Request Dependency Graph

23.239.0.12

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49772	23.239.0.12	443	C:\Windows\System32\regsvr32.exe

Timestamp	Direction	Data
2022-05-14 02:57:55 UTC	OUT	GET / HTTP/1.1 Cookie: Gg=8GHy3N4Xm4BasGI7yF4aqbYZ+UfwCGyAbOlBL+16WxGiVKGpNRlXTVpgGtiVDv4o6m2fAcCSHbC7mYMUPTjqe4US1mRyANHQJL7kUXdkMIV97NOv6NlFY6ItHTPKLQm3cab3RqaCCTHdeUJgOXpfGnYvQigwPZkv1S1NderwBdUbUrQpVsTBxEAdf7eBMQneqNUwyO1NGdrv9JdDXBeFHpBIJABa3NfDOXQ+k98+uc8fHA== Host: 23.239.0.12 Connection: Keep-Alive Cache-Control: no-cache
2022-05-14 02:57:56 UTC	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 May 2022 02:57:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2022-05-14 02:57:56 UTC	IN	Data Raw: 32 35 31 0d 0a e5 09 5c cb b4 0b 45 71 b9 0d 63 89 8a a1 4c 32 be a8 03 f1 d7 47 67 c4 00 8c dc 92 a3 71 49 d9 f3 c4 aa 67 b2 f3 4a a7 39 d0 87 67 0c 1d 78 75 44 8f 06 3c 82 76 22 91 49 52 6a 51 c7 50 6d a1 5a 9c 4a 21 ce 14 80 13 bb ac c0 f6 1d 68 a8 6a 13 a8 b5 6b ac 0c 26 eb ac ad ef 44 3e 68 6d 50 00 78 73 57 23 ba a1 63 c6 22 53 bd 0b 82 cc be 87 0f a3 e3 19 88 af 18 45 fa aa 8c 4f f1 14 51 9f 6d f5 5e 7c 7b b1 43 3d c3 01 e3 b6 4d 6b b7 e9 1a 97 73 e8 f0 79 45 77 bb 09 fb e3 4a 3e aa db cd b6 0e 2a 4f b6 a9 4e be 93 05 66 f6 f8 57 18 ba d9 6d 5d b2 1b 02 3e 53 44 06 d0 b6 91 a4 ee 56 da 75 9c 51 af ac 14 f2 94 9e aa 37 77 66 b9 60 51 e7 01 19 bf 3a 91 01 85 f8 1f 99 0d 1d fb b3 f5 a3 ae 40 7e 75 8e fb bc d1 25 6c 23 89 58 3c bd 69 db f7 3d eb bf b9 Data Ascii: 251\EqcL2GgqIgJ9gxuD<v"IRjQPmZJ!hjk&D>hmPxsW#c"SEOQm^\|{C=MksyEwJ>*ONfWm]>SDVuQ7wf`Q:@~u%l#X<i=

Target ID:	0
Start time:	04:57:14
Start date:	14/05/2022
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe "C:\Users\user\Desktop\r0hiaXHscs.dll"
Imagebase:	0x7ff7fbfc0000
File size:	140288 bytes
MD5 hash:	4E8A40CAD6CCC047914E3A7830A2D8AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	1
Start time:	04:57:15
Start date:	14/05/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\r0hiaXHscs.dll",#1
Imagebase:	0x7ff6edbd0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	2
Start time:	04:57:16
Start date:	14/05/2022
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	regsvr32.exe /s C:\Users\user\Desktop\r0hiaXHscs.dll
Imagebase:	0x7ff655080000
File size:	24064 bytes
MD5 hash:	D78B75FC68247E8A63ACBA846182740E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.401159904.00000000005A0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Target ID:	3
Start time:	04:57:16
Start date:	14/05/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\r0hiaXHscs.dll",#1
Imagebase:	0x7ff71b1e0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.395798586.000002165C820000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.395299440.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Target ID:	4
Start time:	04:57:17
Start date:	14/05/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\r0hiaXHscs.dll,DllRegisterServer
Imagebase:	0x7ff71b1e0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.398034910.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.399182634.0000013444F90000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Target ID:	5
Start time:	04:57:21
Start date:	14/05/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\r0hiaXHscs.dll,DllUnregisterServer
Imagebase:	0x7ff71b1e0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	6
Start time:	04:57:22
Start date:	14/05/2022
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FxQLsR\ONbDjBVKT.dll"
Imagebase:	0x7ff655080000
File size:	24064 bytes
MD5 hash:	D78B75FC68247E8A63ACBA846182740E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.776811676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.775504614.0000000002C40000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Target ID:	10
Start time:	04:57:54
Start date:	14/05/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:	0x7ff726010000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	14
Start time:	04:58:27
Start date:	14/05/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff726010000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	19
Start time:	04:59:00
Start date:	14/05/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff726010000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	20
Start time:	04:59:09
Start date:	14/05/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff726010000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	21
Start time:	04:59:28
Start date:	14/05/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff726010000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	23
Start time:	04:59:46
Start date:	14/05/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff726010000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Execution Graph

Execution Coverage:	10.6%
Dynamic/Decrypted Code Coverage:	2.5%
Signature Coverage:	16.2%
Total number of Nodes:	684
Total number of Limit Nodes:	6

Executed Functions

Function 00560000 Relevance: 76.3, APIs: 5, Strings: 38, Instructions: 1094
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 00560450
GetNativeSystemInfo.KERNELBASE ref: 00560539
VirtualAlloc.KERNELBASE ref: 00560580
VirtualProtect.KERNELBASE ref: 005609E9
RtlAddFunctionTable.KERNEL32 ref: 00560A79

Strings

Libr, xrefs: 005600D0
hIns, xrefs: 0056011A
Reso, xrefs: 005602DB
Free, xrefs: 0056034D
Slee, xrefs: 005600B7
lloc, xrefs: 005600F0
sour, xrefs: 0056031F
ofRe, xrefs: 00560318
Reso, xrefs: 005602FC
ualA, xrefs: 005600E8
Reso, xrefs: 00560355
onTa, xrefs: 00560171
temI, xrefs: 0056014B
ativ, xrefs: 0056013D
eSys, xrefs: 00560144
urce, xrefs: 00560304
Flus, xrefs: 00560113
Find, xrefs: 005602D0
ddFu, xrefs: 00560163
Load, xrefs: 005600C8
truc, xrefs: 00560121
urce, xrefs: 005602E7
Cach, xrefs: 0056012F
Reso, xrefs: 00560338
rote, xrefs: 00560106
ualP, xrefs: 005600FF
RtlA, xrefs: 0056015C
Size, xrefs: 00560311
GetN, xrefs: 00560136
Virt, xrefs: 005600E0
urce, xrefs: 00560340
tion, xrefs: 00560128
Lock, xrefs: 00560330
ncti, xrefs: 0056016A
Virt, xrefs: 005600F8
aryA, xrefs: 005600D8
Load, xrefs: 005602F4
urce, xrefs: 0056035D

Memory Dump Source

Source File: 00000002.00000002.400993388.0000000000560000.00000040.00001000.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_560000_regsvr32.jbxd

Similarity

API ID: Virtual$Alloc$FunctionInfoNativeProtectSystemTable
String ID: Cach$Find$Flus$Free$GetN$Libr$Load$Load$Lock$Reso$Reso$Reso$Reso$RtlA$Size$Slee$Virt$Virt$aryA$ativ$ddFu$eSys$hIns$lloc$ncti$ofRe$onTa$rote$sour$temI$tion$truc$ualA$ualP$urce$urce$urce$urce
API String ID: 394283112-2517549848
Opcode ID: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
Instruction ID: ec91f80fdcff5eeff2f5e540fcd54e47381eb81e866dd697016cc476dff86391
Opcode Fuzzy Hash: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
Instruction Fuzzy Hash: 6C72D630618B488FDB29DF18C8856BABBE1FB98305F10562DE8CBD7251DB34D946CB85

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002C058 Relevance: 10.4, Strings: 8, Instructions: 370
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

#C, xrefs: 000000018002C55D
l, xrefs: 000000018002C347
Ekf, xrefs: 000000018002C0CA
<W, xrefs: 000000018002C1D0
-:, xrefs: 000000018002C100
(I, xrefs: 000000018002C62C
Z, xrefs: 000000018002C36B
l, xrefs: 000000018002C1F5

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #C$(I$-:$Ekf$<W$Z$l$l
API String ID: 0-464535774
Opcode ID: d8792019bb8cd892c5e2cff0ba87425d7977148afb5a5f987cda1e45d5ff9126
Instruction ID: edc4d0e98499d5b5adff65828f8d1fd2ac7ce79502a6533da94e18623254a36a
Opcode Fuzzy Hash: d8792019bb8cd892c5e2cff0ba87425d7977148afb5a5f987cda1e45d5ff9126
Instruction Fuzzy Hash: C102E3B151038CDBCB99DF28C8CAADD3BA1FB48398F956219FD0697260D774D884CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180007958 Relevance: 9.3, Strings: 7, Instructions: 551
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

9i&, xrefs: 0000000180007F21
IS_, xrefs: 0000000180007E52
J, xrefs: 0000000180007DB2
0n)G, xrefs: 00000001800080D5
oh, xrefs: 0000000180007F68
c)K, xrefs: 0000000180007D79
oh, xrefs: 0000000180007F5E

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 0n)G$9i&$IS_$c)K$oh$oh$J
API String ID: 0-4168131144
Opcode ID: 30d22681d77451a804741155910a8214494d75842a214bfc255a7dbc84502ded
Instruction ID: 1745985c1503e7a5a98bbeacef01b65c9f03634c62e3202666f04ad1fcc3199d
Opcode Fuzzy Hash: 30d22681d77451a804741155910a8214494d75842a214bfc255a7dbc84502ded
Instruction Fuzzy Hash: 69423870A0470CABCB58DF68C58AADEBBF1FB44304F40C169EC4AAB250D7759B19CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180010FF4 Relevance: 7.9, Strings: 6, Instructions: 363
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

)|x, xrefs: 000000018001168C
\, xrefs: 0000000180011205
/v|, xrefs: 00000001800113E2
lA, xrefs: 0000000180011819
OV4T, xrefs: 0000000180011307
/Zb, xrefs: 000000018001119F

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: )|x$/Zb$/v|$OV4T$\$lA
API String ID: 0-3528011396
Opcode ID: 74ea3d61a93069fa3a56a5f8f60d4b0c7eeb5b014d6ac06c6862fd203c8e6463
Instruction ID: 5dbdb21e6b24644f90705741d0e2e2cc24c858ca1caac6c8284349b4f9dc1789
Opcode Fuzzy Hash: 74ea3d61a93069fa3a56a5f8f60d4b0c7eeb5b014d6ac06c6862fd203c8e6463
Instruction Fuzzy Hash: 8C2204705097C8CBDBBECF64C885BDA7BA8FB44B08F10521DEA4A9E258DB745744CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180021618 Relevance: 7.8, Strings: 6, Instructions: 266
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

F>9, xrefs: 0000000180021937
.pN, xrefs: 0000000180021AE0
t(/, xrefs: 0000000180021ABB
)O, xrefs: 000000018002164B
, xrefs: 00000001800219DA
&.+, xrefs: 000000018002180B

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $&.+$)O$.pN$F>9$t(/
API String ID: 0-3036092626
Opcode ID: 549a8b626face2190b4149bba4d09d4cb88f6d29378e8937dde350adb7fd5a83
Instruction ID: e4baced68933c0a0796cf32b330105f1a6d3ed4de4784e8c7f389f9334031704
Opcode Fuzzy Hash: 549a8b626face2190b4149bba4d09d4cb88f6d29378e8937dde350adb7fd5a83
Instruction Fuzzy Hash: E6E109716093C89FEBBACF24C8897DE7BA1FB59344F50421DD88A8E250DB745B49CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180028C20 Relevance: 6.6, Strings: 5, Instructions: 335
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

yy8x, xrefs: 0000000180028D19
Mh, xrefs: 0000000180029055
:G, xrefs: 0000000180028C4C
Q27, xrefs: 0000000180028EC2, 0000000180029040, 0000000180028CC6, 0000000180028F82, 0000000180028F2F, 000000018002907C, 0000000180029134, 00000001800290DD, 0000000180028FD5, 0000000180028DCC, 0000000180028FEB, 0000000180028E8F, 0000000180029047
_5, xrefs: 00000001800290F7

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: :G$Q27$_5$yy8x$Mh
API String ID: 0-3587547327
Opcode ID: 315710b1bd8495485e823c5d8e4dda2fa20a4e0309c27e75a691e805bd33ac06
Instruction ID: f758bc8895b8ed7f582f71be29fb7142b0f1d07f9cbefdc8313849e51cf7b1d3
Opcode Fuzzy Hash: 315710b1bd8495485e823c5d8e4dda2fa20a4e0309c27e75a691e805bd33ac06
Instruction Fuzzy Hash: 3DF1E07051434CEBDFA9DF68C8CAA9D3BA0FF48394FA06219FD0696250D775D988CB81

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000C608 Relevance: 5.6, Strings: 4, Instructions: 616
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

+#;), xrefs: 000000018000CBDA
w\H, xrefs: 000000018000C959
K', xrefs: 000000018000CAC7
sf, xrefs: 000000018000CE95

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: +#;)$K'$sf$w\H
API String ID: 0-1051058546
Opcode ID: 6c53062de77b202a7a918e5f4038520a98252693d28bf41343123917f80ba32c
Instruction ID: 30c6111824d62709d88844cae5ccd518ea343406d57bec7882368cdc1c6a6611
Opcode Fuzzy Hash: 6c53062de77b202a7a918e5f4038520a98252693d28bf41343123917f80ba32c
Instruction Fuzzy Hash: 8362F97050068D8FDB48DF28C89A6DD3FA1FB58388F524229FC4AA7251D778D999CBC4

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001E3AC Relevance: 4.0, Strings: 3, Instructions: 215
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

<w., xrefs: 000000018001E582
<4P, xrefs: 000000018001E690
<8, xrefs: 000000018001E63C

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: <4P$<8$<w.
API String ID: 0-1030867500
Opcode ID: 6c4ff939f0d35883aefbb319d4430fd67387b4e339adb0f797cabce8c6a4bf31
Instruction ID: 97d266913d6b0fd63d839b3c54903fd41a2ccd22a8a26fffcb9587bfe3b6431f
Opcode Fuzzy Hash: 6c4ff939f0d35883aefbb319d4430fd67387b4e339adb0f797cabce8c6a4bf31
Instruction Fuzzy Hash: C8B1E17151A384ABD788CF28C1C994BBBE1FBD4754F906A1DF8C68B260D7B0D948CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180013E28 Relevance: 2.6, Strings: 2, Instructions: 87COMMON

Download Yara Rule

Strings

%'#, xrefs: 0000000180013EFA
'1O", xrefs: 0000000180013F6E

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: %'#$'1O"
API String ID: 0-3508158491
Opcode ID: 7a3bc090f4985b1e57649fadf31b142a2b067212ca7952ade99d041dbd471a2f
Instruction ID: 10e181b0c1a65fbc894e9b150557277c676d109d9ee8fa061bdc989f931bd19f
Opcode Fuzzy Hash: 7a3bc090f4985b1e57649fadf31b142a2b067212ca7952ade99d041dbd471a2f
Instruction Fuzzy Hash: A541C471D1471C9FCB84CFA8D98AACDBBF0FB48354F249119E445B6250D3B85988CF69

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180009100 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9400724a362ecc304d993d2fe4c896d101fab294f6d1cf34a07a96bc2a8ce181
Instruction ID: 281782cf28aa09d34d334260f991d1b96cfbd8271b51b9b7c31761fd0664cb75
Opcode Fuzzy Hash: 9400724a362ecc304d993d2fe4c896d101fab294f6d1cf34a07a96bc2a8ce181
Instruction Fuzzy Hash: 4B51EC715087889BCBB8DF18C9856CA7BF0FF95704F50891DE9898B250DF719A44DB42

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BB3EEC Relevance: 15.1, APIs: 10, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentStringsW.KERNELBASE(?,?,?,?,?,?,?,00007FFF21BB219B), ref: 00007FFF21BB3F1B
GetLastError.KERNEL32(?,?,?,?,?,?,?,00007FFF21BB219B), ref: 00007FFF21BB3F35
GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FFF21BB219B), ref: 00007FFF21BB3F5B
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FFF21BB219B), ref: 00007FFF21BB3FB0
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FFF21BB219B), ref: 00007FFF21BB3FEC
free.LIBCMT ref: 00007FFF21BB3FFA
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FFF21BB219B), ref: 00007FFF21BB4005
GetEnvironmentStrings.KERNEL32(?,?,?,?,?,?,?,00007FFF21BB219B), ref: 00007FFF21BB401D
FreeEnvironmentStringsA.KERNEL32(?,?,?,?,?,?,?,00007FFF21BB219B), ref: 00007FFF21BB405E
FreeEnvironmentStringsA.KERNEL32(?,?,?,?,?,?,?,00007FFF21BB219B), ref: 00007FFF21BB407A

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide$ErrorLastfree
String ID:
API String ID: 994105223-0
Opcode ID: f850f7f34601db923eac004d86ac393417d210c29532925b20230ca42a5e0836
Instruction ID: 73ead8789ef2f1ee3193b8ab5648861776a22f4fa9d1bf87aeaeeca8d9fc2257
Opcode Fuzzy Hash: f850f7f34601db923eac004d86ac393417d210c29532925b20230ca42a5e0836
Instruction Fuzzy Hash: 1A415C21E0935686EB64AB12AD6403E67F1BF98B90F542434DE8E87F74CE3CE591C708

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BB2154 Relevance: 10.6, APIs: 7, Instructions: 87
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFF21BB4110: HeapCreate.KERNELBASE(?,?,?,?,00007FFF21BB2169), ref: 00007FFF21BB4122
Part of subcall function 00007FFF21BB4110: HeapSetInformation.KERNEL32 ref: 00007FFF21BB414C

_RTC_Initialize.LIBCMT ref: 00007FFF21BB2184
GetCommandLineA.KERNEL32 ref: 00007FFF21BB2189

Part of subcall function 00007FFF21BB3EEC: GetEnvironmentStringsW.KERNELBASE(?,?,?,?,?,?,?,00007FFF21BB219B), ref: 00007FFF21BB3F1B
Part of subcall function 00007FFF21BB3EEC: GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FFF21BB219B), ref: 00007FFF21BB3F5B

Part of subcall function 00007FFF21BB3758: GetStartupInfoA.KERNEL32 ref: 00007FFF21BB377D

__setargv.LIBCMT ref: 00007FFF21BB21B2
_cinit.LIBCMT ref: 00007FFF21BB21C6

Part of subcall function 00007FFF21BB2C94: FlsFree.KERNEL32(?,?,?,?,00007FFF21BB2217), ref: 00007FFF21BB2CA3
Part of subcall function 00007FFF21BB2C94: DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFF21BB2217), ref: 00007FFF21BB6A32
Part of subcall function 00007FFF21BB2C94: free.LIBCMT ref: 00007FFF21BB6A3B
Part of subcall function 00007FFF21BB2C94: DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFF21BB2217), ref: 00007FFF21BB6A5B

Part of subcall function 00007FFF21BB3A48: free.LIBCMT ref: 00007FFF21BB3A8F

Part of subcall function 00007FFF21BB3108: Sleep.KERNEL32(?,?,0000000A,00007FFF21BB2DA3,?,?,?,00007FFF21BB2DFF,?,?,?,00007FFF21BB254F,?,?,?,00007FFF21BB262A), ref: 00007FFF21BB314D

FlsSetValue.KERNEL32 ref: 00007FFF21BB224C
GetCurrentThreadId.KERNEL32 ref: 00007FFF21BB2260
free.LIBCMT ref: 00007FFF21BB226F

Part of subcall function 00007FFF21BB3024: HeapFree.KERNEL32(?,?,00000000,00007FFF21BB2DDC,?,?,?,00007FFF21BB2DFF,?,?,?,00007FFF21BB254F,?,?,?,00007FFF21BB262A), ref: 00007FFF21BB303A
Part of subcall function 00007FFF21BB3024: _errno.LIBCMT ref: 00007FFF21BB3044
Part of subcall function 00007FFF21BB3024: GetLastError.KERNEL32(?,?,00000000,00007FFF21BB2DDC,?,?,?,00007FFF21BB2DFF,?,?,?,00007FFF21BB254F,?,?,?,00007FFF21BB262A), ref: 00007FFF21BB304C

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: Heapfree$CriticalDeleteEnvironmentFreeSectionStrings$CommandCreateCurrentErrorInfoInformationInitializeLastLineSleepStartupThreadValue__setargv_cinit_errno
String ID:
API String ID: 1549890855-0
Opcode ID: 1bfc46722c3ac8e7b1a3fe84d8ded69fde3dc3f1e7eef4d63a5cdedb7541036a
Instruction ID: 992076fb645f9cb69a7edd2f8008995ffd8d2fe5f43481c442013f9e4d17f47f
Opcode Fuzzy Hash: 1bfc46722c3ac8e7b1a3fe84d8ded69fde3dc3f1e7eef4d63a5cdedb7541036a
Instruction Fuzzy Hash: 3731C024E0D20346FB7567A29D222BE11F57F59750F1061B4DE1EC5AF2EE2CF640421A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BB4CD4 Relevance: 9.1, APIs: 6, Instructions: 122
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_getptd.LIBCMT ref: 00007FFF21BB4CF3

Part of subcall function 00007FFF21BB48C0: _getptd.LIBCMT ref: 00007FFF21BB48CA

Part of subcall function 00007FFF21BB497C: GetOEMCP.KERNEL32(?,?,?,?,?,?,?,00007FFF21BB4D0E,?,?,?,?,?,00007FFF21BB4EE3), ref: 00007FFF21BB49A6

Part of subcall function 00007FFF21BB309C: Sleep.KERNEL32(?,?,00000000,00007FFF21BB6B19,?,?,00000000,00007FFF21BB6BC3,?,?,?,?,?,?,00000000,00007FFF21BB2DC8), ref: 00007FFF21BB30D2

free.LIBCMT ref: 00007FFF21BB4D7F

Part of subcall function 00007FFF21BB3024: HeapFree.KERNEL32(?,?,00000000,00007FFF21BB2DDC,?,?,?,00007FFF21BB2DFF,?,?,?,00007FFF21BB254F,?,?,?,00007FFF21BB262A), ref: 00007FFF21BB303A
Part of subcall function 00007FFF21BB3024: _errno.LIBCMT ref: 00007FFF21BB3044
Part of subcall function 00007FFF21BB3024: GetLastError.KERNEL32(?,?,00000000,00007FFF21BB2DDC,?,?,?,00007FFF21BB2DFF,?,?,?,00007FFF21BB254F,?,?,?,00007FFF21BB262A), ref: 00007FFF21BB304C

_lock.LIBCMT ref: 00007FFF21BB4DB7
free.LIBCMT ref: 00007FFF21BB4E67
free.LIBCMT ref: 00007FFF21BB4E97
_errno.LIBCMT ref: 00007FFF21BB4E9C

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: free$_errno_getptd$ErrorFreeHeapLastSleep_lock
String ID:
API String ID: 1264244385-0
Opcode ID: 2d1c73193aff0bd2fa234daa6436aaac9807f819087f81d2c1bddea91d33e348
Instruction ID: 3c7ee8a9df6acadae2dde35f65b7d0b9d2fca3553326f6b1b70c652872af0335
Opcode Fuzzy Hash: 2d1c73193aff0bd2fa234daa6436aaac9807f819087f81d2c1bddea91d33e348
Instruction Fuzzy Hash: FE51AC21D08A4286E7649B25AC6027DB7F1FF94B54F146236DA5E83BB5CF3CEA05C708

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BB6C34 Relevance: 7.5, APIs: 5, Instructions: 47
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_FF_MSGBANNER.LIBCMT ref: 00007FFF21BB6C64
RtlAllocateHeap.NTDLL(?,?,00000000,00007FFF21BB30C0,?,?,00000000,00007FFF21BB6B19,?,?,00000000,00007FFF21BB6BC3), ref: 00007FFF21BB6C89
_errno.LIBCMT ref: 00007FFF21BB6CAD
_errno.LIBCMT ref: 00007FFF21BB6CB8
_errno.LIBCMT ref: 00007FFF21BB6CCD

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: _errno$AllocateHeap
String ID:
API String ID: 502529563-0
Opcode ID: d18ae8e3cce73ce1a52224a39a8d43e75eaf3a21478d7bf67846a2816eda3af9
Instruction ID: 21ecbc1d259896a404e0de222cf8d729961601b5a98e0f195ae2fca719304c7f
Opcode Fuzzy Hash: d18ae8e3cce73ce1a52224a39a8d43e75eaf3a21478d7bf67846a2816eda3af9
Instruction Fuzzy Hash: E1111F25E1964285FB646B72EC2127D22F0FF84B90F046131ED1DC6FE6DE6CE9408759

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BB1EE7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL ref: 00007FFF21BB1F24
RtlDeleteBoundaryDescriptor.NTDLL ref: 00007FFF21BB1F56

Strings

vb4vcW2kAW3Twaz?30, xrefs: 00007FFF21BB1F6C

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: AllocateBoundaryDeleteDescriptorHeap
String ID: vb4vcW2kAW3Twaz?30
API String ID: 254689257-4179232793
Opcode ID: 08b1cf252e4ad689d9d92df66199491e9f35c83da394e0c34af369396f0aa75a
Instruction ID: b639f804a2aad9284c5c74ec30d6caf79157f3156cae416e7fdfca029c2062f1
Opcode Fuzzy Hash: 08b1cf252e4ad689d9d92df66199491e9f35c83da394e0c34af369396f0aa75a
Instruction Fuzzy Hash: C2210732A0DE828AE730CB14E8543AA77F9FB88744F405535CACD87B65DF7DA6018B08

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BB2FA0 Relevance: 4.5, APIs: 3, Instructions: 35
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFF21BB36F0: _initp_misc_winsig.LIBCMT ref: 00007FFF21BB3729
Part of subcall function 00007FFF21BB36F0: EncodePointer.KERNEL32(?,?,?,00007FFF21BB2FAB,?,?,?,00007FFF21BB2179), ref: 00007FFF21BB3745

FlsAlloc.KERNEL32(?,?,?,00007FFF21BB2179), ref: 00007FFF21BB2FBB

Part of subcall function 00007FFF21BB3108: Sleep.KERNEL32(?,?,0000000A,00007FFF21BB2DA3,?,?,?,00007FFF21BB2DFF,?,?,?,00007FFF21BB254F,?,?,?,00007FFF21BB262A), ref: 00007FFF21BB314D

FlsSetValue.KERNEL32(?,?,?,00007FFF21BB2179), ref: 00007FFF21BB2FEC

Part of subcall function 00007FFF21BB2CBC: _lock.LIBCMT ref: 00007FFF21BB2D0C
Part of subcall function 00007FFF21BB2CBC: _lock.LIBCMT ref: 00007FFF21BB2D2C

GetCurrentThreadId.KERNEL32 ref: 00007FFF21BB3000

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: _lock$AllocCurrentEncodePointerSleepThreadValue_initp_misc_winsig
String ID:
API String ID: 54287522-0
Opcode ID: 926dbc3dc0f4bcdbbdac5bfac17ca3eb5364a16ed8e4c5d99003da15ed9a218c
Instruction ID: 9b7684a6bd8a086bd4852b97d18d162fb750039e7a6564433e895ac852057931
Opcode Fuzzy Hash: 926dbc3dc0f4bcdbbdac5bfac17ca3eb5364a16ed8e4c5d99003da15ed9a218c
Instruction Fuzzy Hash: 9C016220E0990345FB34AB719C6527E22F17F08720F442234DD2DC66F1EF2CB685D269

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180001BDC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 115processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE ref: 0000000180001D4C

Strings

:}, xrefs: 0000000180001C92

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID: :}
API String ID: 963392458-2902022129
Opcode ID: d4da30051582f0c34577a92f260795e531c0ce67ba31d10d3ee514360786ef98
Instruction ID: 26ea99709d6fc87808755d2915912d2f892c3b8ed2aa040ac50dc8635ae9c2e3
Opcode Fuzzy Hash: d4da30051582f0c34577a92f260795e531c0ce67ba31d10d3ee514360786ef98
Instruction Fuzzy Hash: EB415A7091C7888FD7B4DF58D4857AABBE0FBC8314F108A1EE48DD7255DB7498458B82

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BB2050 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32 ref: 00007FFF21BB2075

Strings

JKvDDasqwOPvGXZdqW, xrefs: 00007FFF21BB205D

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: ExitProcess
String ID: JKvDDasqwOPvGXZdqW
API String ID: 621844428-4059861069
Opcode ID: deed1fdb9085c7dcd35d809f3e44395f38d7cca76780fd27941661c68abd14ec
Instruction ID: 3005d8ff707ac7d06b1a1675a895459ffcd54ab2ee9c88dfddc59c85fbf9e913
Opcode Fuzzy Hash: deed1fdb9085c7dcd35d809f3e44395f38d7cca76780fd27941661c68abd14ec
Instruction Fuzzy Hash: 09D09222E19A8282DB20AB11EC1539E63F4FB89348F801230D5CC86638DF7CD25ACB08

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BB6CEC Relevance: 3.1, APIs: 2, Instructions: 52memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FFF21BB6D0F

Part of subcall function 00007FFF21BB66D8: DecodePointer.KERNEL32 ref: 00007FFF21BB66FF

RtlAllocateHeap.NTDLL(?,?,?,?,00000000,00007FFF21BB313B,?,?,0000000A,00007FFF21BB2DA3,?,?,?,00007FFF21BB2DFF), ref: 00007FFF21BB6D58

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: AllocateDecodeHeapPointer_errno
String ID:
API String ID: 15861996-0
Opcode ID: 39e9772f0cc65a7484b61a3e1fb2b868eaa6fa792f1398e078783a6d2fc3ba42
Instruction ID: 88970badedbf16b72f45fbce3722c588b6d4c2490853938a4e6e7d5e9e896883
Opcode Fuzzy Hash: 39e9772f0cc65a7484b61a3e1fb2b868eaa6fa792f1398e078783a6d2fc3ba42
Instruction Fuzzy Hash: C411C825F0914246FB245F35EE2437D62F1BF407D4F046934CE1D87EE4DE6CAA804648

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BB36F0 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

_initp_misc_winsig.LIBCMT ref: 00007FFF21BB3729

Part of subcall function 00007FFF21BB755C: EncodePointer.KERNEL32(?,?,?,?,00007FFF21BB373E,?,?,?,00007FFF21BB2FAB,?,?,?,00007FFF21BB2179), ref: 00007FFF21BB7567

EncodePointer.KERNEL32(?,?,?,00007FFF21BB2FAB,?,?,?,00007FFF21BB2179), ref: 00007FFF21BB3745

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: EncodePointer$_initp_misc_winsig
String ID:
API String ID: 190222155-0
Opcode ID: 29817383cbd5b8fc12b900dc218af1d2c44829c2a488d6b4e34f3447ba8c1d75
Instruction ID: 9fdf3c5115cc0caa00dbf05d078f7b8c2f2248f52f6be64096d4d0934211bfc4
Opcode Fuzzy Hash: 29817383cbd5b8fc12b900dc218af1d2c44829c2a488d6b4e34f3447ba8c1d75
Instruction Fuzzy Hash: 62F01F00E8964744EA29BB626C725BC12A46F96B80B883070AC1F9AFF3DD2CE6554758

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BB4110 Relevance: 3.0, APIs: 2, Instructions: 18memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(?,?,?,?,00007FFF21BB2169), ref: 00007FFF21BB4122
HeapSetInformation.KERNEL32 ref: 00007FFF21BB414C

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: Heap$CreateInformation
String ID:
API String ID: 1774340351-0
Opcode ID: 489fa6aa26c4b222785c1fb3dc785f295b08bd9aa245ee8ef2e9349b67055af0
Instruction ID: f69c12c82018d1cfc2fb1953185c0f787333fa733c941ea381585bb13fd020f3
Opcode Fuzzy Hash: 489fa6aa26c4b222785c1fb3dc785f295b08bd9aa245ee8ef2e9349b67055af0
Instruction Fuzzy Hash: 88E0D874F1674147E7589B12DC0976922A0FB88740F406039DA4E42B64DF3CC0458A00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BB73F4 Relevance: 1.5, APIs: 1, Instructions: 15COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(?,?,?,00007FFF21BB34AF,?,?,?,00007FFF21BB21CB), ref: 00007FFF21BB740D

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 0a2c1c774571843224449336236925bab63b88d9ce0b4f967ac09496dc1b8d3d
Instruction ID: d9a7592d79838c289d4993485e9edba06a0fd2ab8d051b7ffd158b311d45e8db
Opcode Fuzzy Hash: 0a2c1c774571843224449336236925bab63b88d9ce0b4f967ac09496dc1b8d3d
Instruction Fuzzy Hash: 13D05B32F5854191DB208B61F99116D23F4FB84794F589031DA5C47B55DD3CD556C704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BB3108 Relevance: 1.3, APIs: 1, Instructions: 36sleepCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFF21BB6CEC: _errno.LIBCMT ref: 00007FFF21BB6D0F

Sleep.KERNEL32(?,?,0000000A,00007FFF21BB2DA3,?,?,?,00007FFF21BB2DFF,?,?,?,00007FFF21BB254F,?,?,?,00007FFF21BB262A), ref: 00007FFF21BB314D

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: Sleep_errno
String ID:
API String ID: 1068366078-0
Opcode ID: 99b9e4cc6464749d47a71fc1b610823d805388b9272814145126b07a25ab941d
Instruction ID: bde814ce2ac7620d14331c99935594c799e40e01276ce221dcb89bdb8c60d82c
Opcode Fuzzy Hash: 99b9e4cc6464749d47a71fc1b610823d805388b9272814145126b07a25ab941d
Instruction Fuzzy Hash: 46016222E25B8186EB549B169C5002EB6F5FB98FD0F092131DE5D87F61DF38E991C708

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BB309C Relevance: 1.3, APIs: 1, Instructions: 30sleepCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFF21BB6C34: _FF_MSGBANNER.LIBCMT ref: 00007FFF21BB6C64
Part of subcall function 00007FFF21BB6C34: RtlAllocateHeap.NTDLL(?,?,00000000,00007FFF21BB30C0,?,?,00000000,00007FFF21BB6B19,?,?,00000000,00007FFF21BB6BC3), ref: 00007FFF21BB6C89
Part of subcall function 00007FFF21BB6C34: _errno.LIBCMT ref: 00007FFF21BB6CAD
Part of subcall function 00007FFF21BB6C34: _errno.LIBCMT ref: 00007FFF21BB6CB8

Sleep.KERNEL32(?,?,00000000,00007FFF21BB6B19,?,?,00000000,00007FFF21BB6BC3,?,?,?,?,?,?,00000000,00007FFF21BB2DC8), ref: 00007FFF21BB30D2

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: _errno$AllocateHeapSleep
String ID:
API String ID: 4153772858-0
Opcode ID: fda341601c3db2866e613cad0830f714017b4f3b234a5a25ccfa8741b4d7d732
Instruction ID: d29d61e031ed47b989406fa2adefd2f7b47939c646008ffcfc686abe70b3176a
Opcode Fuzzy Hash: fda341601c3db2866e613cad0830f714017b4f3b234a5a25ccfa8741b4d7d732
Instruction Fuzzy Hash: 3DF0C232E0978586EB609F16A85012E72F1FB98B90F841134EE5D83B75DF3DE9928704

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFF21BBD0B8 Relevance: 36.9, APIs: 15, Strings: 6, Instructions: 130libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFF21BB70D4,?,?,?,?,?,00007FFF21BB7194), ref: 00007FFF21BBD0F5
GetProcAddress.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFF21BB70D4,?,?,?,?,?,00007FFF21BB7194), ref: 00007FFF21BBD111
GetProcAddress.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFF21BB70D4,?,?,?,?,?,00007FFF21BB7194), ref: 00007FFF21BBD139
EncodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFF21BB70D4,?,?,?,?,?,00007FFF21BB7194), ref: 00007FFF21BBD142
GetProcAddress.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFF21BB70D4,?,?,?,?,?,00007FFF21BB7194), ref: 00007FFF21BBD158
EncodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFF21BB70D4,?,?,?,?,?,00007FFF21BB7194), ref: 00007FFF21BBD161
GetProcAddress.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFF21BB70D4,?,?,?,?,?,00007FFF21BB7194), ref: 00007FFF21BBD177
EncodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFF21BB70D4,?,?,?,?,?,00007FFF21BB7194), ref: 00007FFF21BBD180
GetProcAddress.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFF21BB70D4,?,?,?,?,?,00007FFF21BB7194), ref: 00007FFF21BBD19E
EncodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFF21BB70D4,?,?,?,?,?,00007FFF21BB7194), ref: 00007FFF21BBD1A7
DecodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFF21BB70D4,?,?,?,?,?,00007FFF21BB7194), ref: 00007FFF21BBD1D9
DecodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFF21BB70D4,?,?,?,?,?,00007FFF21BB7194), ref: 00007FFF21BBD1E8
DecodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFF21BB70D4,?,?,?,?,?,00007FFF21BB7194), ref: 00007FFF21BBD240
DecodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFF21BB70D4,?,?,?,?,?,00007FFF21BB7194), ref: 00007FFF21BBD260
DecodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFF21BB70D4,?,?,?,?,?,00007FFF21BB7194), ref: 00007FFF21BBD279

Strings

USER32.DLL, xrefs: 00007FFF21BBD0EE
GetProcessWindowStation, xrefs: 00007FFF21BBD194
GetUserObjectInformationA, xrefs: 00007FFF21BBD166
GetActiveWindow, xrefs: 00007FFF21BBD128
MessageBoxA, xrefs: 00007FFF21BBD107
GetLastActivePopup, xrefs: 00007FFF21BBD147

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: Pointer$AddressDecodeProc$Encode$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
API String ID: 3085332118-232180764
Opcode ID: 3571919baaed57aa13675d85a49604ff28a57139c9f79241176628fa60ae3818
Instruction ID: 2b5772b223da507dcdfd87bc9163837ebf4df50b7f437fbda2c1ad6672955423
Opcode Fuzzy Hash: 3571919baaed57aa13675d85a49604ff28a57139c9f79241176628fa60ae3818
Instruction Fuzzy Hash: 7751E461E0AB4284EF65DB52AC6417C22F07F89B94F442475DC4E87BB5EE3DE6458208

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BB895C Relevance: 24.4, APIs: 16, Instructions: 377COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(?,00007FFF21BB3E11,?,?,?,?,?,00007FFF21BB21B7), ref: 00007FFF21BB89CE
GetLastError.KERNEL32(?,00007FFF21BB3E11,?,?,?,?,?,00007FFF21BB21B7), ref: 00007FFF21BB89E4
MultiByteToWideChar.KERNEL32 ref: 00007FFF21BB8A8E
MultiByteToWideChar.KERNEL32 ref: 00007FFF21BB8B36
LCMapStringW.KERNEL32 ref: 00007FFF21BB8B5B
LCMapStringW.KERNEL32 ref: 00007FFF21BB8BAB
LCMapStringW.KERNEL32 ref: 00007FFF21BB8C38
WideCharToMultiByte.KERNEL32 ref: 00007FFF21BB8C7B
free.LIBCMT ref: 00007FFF21BB8C8C
free.LIBCMT ref: 00007FFF21BB8C9A
LCMapStringA.KERNEL32(?,00007FFF21BB3E11,?,?,?,?,?,00007FFF21BB21B7), ref: 00007FFF21BB8D29
LCMapStringA.KERNEL32(?,00007FFF21BB3E11,?,?,?,?,?,00007FFF21BB21B7), ref: 00007FFF21BB8DE0
free.LIBCMT ref: 00007FFF21BB8E28
LCMapStringA.KERNEL32(?,00007FFF21BB3E11,?,?,?,?,?,00007FFF21BB21B7), ref: 00007FFF21BB8E48
free.LIBCMT ref: 00007FFF21BB8E5A
free.LIBCMT ref: 00007FFF21BB8E6C

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: String$free$ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1446610345-0
Opcode ID: 1cb68e5ebb75471bd28e921dddda68db4bd0a605ea05e1978d1bd0bd9315b2d8
Instruction ID: c87ca70d4cd26f0e9d6865145bcf65c77cbe846e6f465a55d4fdcb8026773668
Opcode Fuzzy Hash: 1cb68e5ebb75471bd28e921dddda68db4bd0a605ea05e1978d1bd0bd9315b2d8
Instruction Fuzzy Hash: BFF1A072E096818AEB308F25D8501AD76F1FB44B98B546235EE5D97FA4CF3CEA408708

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BBC934 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FFF21BBC956
GetUserDefaultLCID.KERNEL32 ref: 00007FFF21BBCA56
IsValidCodePage.KERNEL32 ref: 00007FFF21BBCAA7
IsValidLocale.KERNEL32 ref: 00007FFF21BBCABD
GetLocaleInfoA.KERNEL32 ref: 00007FFF21BBCB38
GetLocaleInfoA.KERNEL32 ref: 00007FFF21BBCB55
_itow_s.LIBCMT ref: 00007FFF21BBCB73

Strings

Norwegian-Nynorsk, xrefs: 00007FFF21BBCAF8

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: Locale$InfoValid$CodeDefaultPageUser_getptd_itow_s
String ID: Norwegian-Nynorsk
API String ID: 2273835618-461349085
Opcode ID: 27b601e54d08442215230f85cfe0824a991ba4f10c2dcca786a022abe7f281d3
Instruction ID: c7c36cfb66e72a8c1c15a82ee7f7b631c8be430ac2e12182407b69510f4c1b38
Opcode Fuzzy Hash: 27b601e54d08442215230f85cfe0824a991ba4f10c2dcca786a022abe7f281d3
Instruction Fuzzy Hash: 51615E22E0864A46FB75DF21982037D22F0BB44B45F186036CE4DC6AE5DF7CEA42D318

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BBB5CC Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 407timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeFormatA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFF21BBB35C), ref: 00007FFF21BBB6BC
GetTimeFormatA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFF21BBB35C), ref: 00007FFF21BBB751
free.LIBCMT ref: 00007FFF21BBB78E
__ascii_stricmp.LIBCMT ref: 00007FFF21BBB825

Strings

a/p, xrefs: 00007FFF21BBB87D
am/pm, xrefs: 00007FFF21BBB81B

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: FormatTime$__ascii_stricmpfree
String ID: a/p$am/pm
API String ID: 2252689280-3206640213
Opcode ID: f0a1e010cfc2bba628f50de28a03b415369789bd89755694daa0cdadb7c0128b
Instruction ID: 041bb239e6c54b0eb2fa7b1c1bf41363898e0bfb1d96a13891d5f9b87d9ff8bb
Opcode Fuzzy Hash: f0a1e010cfc2bba628f50de28a03b415369789bd89755694daa0cdadb7c0128b
Instruction Fuzzy Hash: A5F1C122D18A9285E7748F258E6017C67F1FB05784F58A036EE8DC7EA5DE3CEA45C309

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BB6F0C Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 137fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(?,?,?,?,?,00007FFF21BB7194,?,?,?,?,00007FFF21BB6C69,?,?,00000000,00007FFF21BB30C0), ref: 00007FFF21BB6FCF
GetStdHandle.KERNEL32(?,?,?,?,?,00007FFF21BB7194,?,?,?,?,00007FFF21BB6C69,?,?,00000000,00007FFF21BB30C0), ref: 00007FFF21BB70DB
WriteFile.KERNEL32 ref: 00007FFF21BB7115

Strings

<program name unknown>, xrefs: 00007FFF21BB6FD9
..., xrefs: 00007FFF21BB7032
Microsoft Visual C++ Runtime Library, xrefs: 00007FFF21BB70BF
Runtime Error!Program: , xrefs: 00007FFF21BB6F8E

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-4022980321
Opcode ID: a3f87b8c5f367064f797f5b9ceb23e0cb6ebb80f3dcd78d3f9f2145c33283283
Instruction ID: 186f1c52965061582cc3f3e719ea1cde985f2b085ecd24383bf4c3ceec704784
Opcode Fuzzy Hash: a3f87b8c5f367064f797f5b9ceb23e0cb6ebb80f3dcd78d3f9f2145c33283283
Instruction Fuzzy Hash: 58518B25E1864341FB349B25ED667BE22F1BF88794F806136DD0DC6EF6CE2CE6058218

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BB20E0 Relevance: 12.1, APIs: 8, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FFF21BB23FB
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFF21BB241A
RtlVirtualUnwind.KERNEL32 ref: 00007FFF21BB2466
IsDebuggerPresent.KERNEL32 ref: 00007FFF21BB24D8
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFF21BB24F0
UnhandledExceptionFilter.KERNEL32 ref: 00007FFF21BB24FD
GetCurrentProcess.KERNEL32 ref: 00007FFF21BB2516
TerminateProcess.KERNEL32 ref: 00007FFF21BB2524

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
String ID:
API String ID: 3778485334-0
Opcode ID: 44244c45948aa76910f1429c67e23cf948153936c8457040e3babb9890c0c3d8
Instruction ID: 2ea2cd81de21c41a7a0aabef6d1edb6030e33a4f94b14859184c8a7ade18a578
Opcode Fuzzy Hash: 44244c45948aa76910f1429c67e23cf948153936c8457040e3babb9890c0c3d8
Instruction Fuzzy Hash: D431AF35D0AB4289EB509B51EC903AD63B1FB88744F502076DA8E82B75DF7CE588C748

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BBE6C0 Relevance: 10.8, APIs: 7, Instructions: 301COMMONLIBRARYCODE

Download Yara Rule

APIs

_lock.LIBCMT ref: 00007FFF21BBE6EB

Part of subcall function 00007FFF21BBE550: _errno.LIBCMT ref: 00007FFF21BBE559

free.LIBCMT ref: 00007FFF21BBE7E2

Part of subcall function 00007FFF21BB3024: HeapFree.KERNEL32(?,?,00000000,00007FFF21BB2DDC,?,?,?,00007FFF21BB2DFF,?,?,?,00007FFF21BB254F,?,?,?,00007FFF21BB262A), ref: 00007FFF21BB303A
Part of subcall function 00007FFF21BB3024: _errno.LIBCMT ref: 00007FFF21BB3044
Part of subcall function 00007FFF21BB3024: GetLastError.KERNEL32(?,?,00000000,00007FFF21BB2DDC,?,?,?,00007FFF21BB2DFF,?,?,?,00007FFF21BB254F,?,?,?,00007FFF21BB262A), ref: 00007FFF21BB304C

Part of subcall function 00007FFF21BB7FBC: _errno.LIBCMT ref: 00007FFF21BB7FD4

___lc_codepage_func.LIBCMT ref: 00007FFF21BBE76B

Part of subcall function 00007FFF21BB6550: RtlCaptureContext.KERNEL32 ref: 00007FFF21BB658F
Part of subcall function 00007FFF21BB6550: IsDebuggerPresent.KERNEL32 ref: 00007FFF21BB662D
Part of subcall function 00007FFF21BB6550: SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFF21BB6637
Part of subcall function 00007FFF21BB6550: UnhandledExceptionFilter.KERNEL32 ref: 00007FFF21BB6642
Part of subcall function 00007FFF21BB6550: GetCurrentProcess.KERNEL32 ref: 00007FFF21BB6658
Part of subcall function 00007FFF21BB6550: TerminateProcess.KERNEL32 ref: 00007FFF21BB6666

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: _errno$ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerErrorFreeHeapLastPresentTerminate___lc_codepage_func_lockfree
String ID:
API String ID: 178205154-0
Opcode ID: 74de64cbd29ae749c01db9c906a5c8058d145dff36747eda2fd1744b72fc25a1
Instruction ID: 03def5a60722e2167ff286733b59a3dff406bb2c9b180552bdbf2e7576d94f48
Opcode Fuzzy Hash: 74de64cbd29ae749c01db9c906a5c8058d145dff36747eda2fd1744b72fc25a1
Instruction Fuzzy Hash: 1CD1A326E0868249E7309F25DCA067DA6F5BB85740F506135DE8DD3EB5CF3CE9518B08

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BBDF98 Relevance: 10.6, APIs: 7, Instructions: 136COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFF21BBE1C2), ref: 00007FFF21BBDFF2
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFF21BBE1C2), ref: 00007FFF21BBE004
GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFF21BBE1C2), ref: 00007FFF21BBE04F
GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFF21BBE1C2), ref: 00007FFF21BBE0E1
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFF21BBE1C2), ref: 00007FFF21BBE11B
free.LIBCMT ref: 00007FFF21BBE12F

Part of subcall function 00007FFF21BB6C34: _FF_MSGBANNER.LIBCMT ref: 00007FFF21BB6C64
Part of subcall function 00007FFF21BB6C34: RtlAllocateHeap.NTDLL(?,?,00000000,00007FFF21BB30C0,?,?,00000000,00007FFF21BB6B19,?,?,00000000,00007FFF21BB6BC3), ref: 00007FFF21BB6C89
Part of subcall function 00007FFF21BB6C34: _errno.LIBCMT ref: 00007FFF21BB6CAD
Part of subcall function 00007FFF21BB6C34: _errno.LIBCMT ref: 00007FFF21BB6CB8

GetLocaleInfoA.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFF21BBE1C2), ref: 00007FFF21BBE145

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: InfoLocale$_errno$AllocateByteCharErrorHeapLastMultiWidefree
String ID:
API String ID: 2309262205-0
Opcode ID: 71a04b091aa06e394b105ea5eb29500c7d2471e259f2c6ae1c50144f40b044a4
Instruction ID: 561e29b9b6525a0bb42ad3c47d33913cb854cb506bbdd8ddcdb0e856bc501fb8
Opcode Fuzzy Hash: 71a04b091aa06e394b105ea5eb29500c7d2471e259f2c6ae1c50144f40b044a4
Instruction Fuzzy Hash: 8C519436E096428AE7609F219C6156DA3F2FB487A4F646535DE1E83FB4CF7CEA408304

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BBFCA0 Relevance: 9.1, APIs: 6, Instructions: 91COMMON

Download Yara Rule

APIs

_lock.LIBCMT ref: 00007FFF21BBFCC3
_errno.LIBCMT ref: 00007FFF21BBFCD5

Part of subcall function 00007FFF21BB66D8: DecodePointer.KERNEL32 ref: 00007FFF21BB66FF

_errno.LIBCMT ref: 00007FFF21BBFD14

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: _errno$DecodePointer_lock
String ID:
API String ID: 2175075375-0
Opcode ID: e83d4e1a308f3a4c606242a395cb5e969118d697d0d9f70e8103cd5b86654c3e
Instruction ID: 9e8d3ff00518fe304c6961d55fc46701702a5ff9d7b671ed157b47df545b7789
Opcode Fuzzy Hash: e83d4e1a308f3a4c606242a395cb5e969118d697d0d9f70e8103cd5b86654c3e
Instruction Fuzzy Hash: ED318222F0865242FB35AA75986677E61E1BF44780F04A438DF0D8BFA6DF2CD9118748

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BB6550 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FFF21BB658F
IsDebuggerPresent.KERNEL32 ref: 00007FFF21BB662D
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFF21BB6637
UnhandledExceptionFilter.KERNEL32 ref: 00007FFF21BB6642
GetCurrentProcess.KERNEL32 ref: 00007FFF21BB6658
TerminateProcess.KERNEL32 ref: 00007FFF21BB6666

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerPresentTerminate
String ID:
API String ID: 1269745586-0
Opcode ID: 4b9ca92828b1b5c60ed307038ce46a3bf90eb6ca82a158dafa7f71ad6e682487
Instruction ID: ebd1713a3c03c209a5842e2fac382c13a2eb231c14c078b387844728b3a71ccd
Opcode Fuzzy Hash: 4b9ca92828b1b5c60ed307038ce46a3bf90eb6ca82a158dafa7f71ad6e682487
Instruction Fuzzy Hash: D5313E72E09B8686DB249B64E8503AEB3B0FB88744F401136DA8D83A69DF3CD549CB04

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180022010 Relevance: 9.0, Strings: 7, Instructions: 235COMMON

Download Yara Rule

Strings

"+H, xrefs: 000000018002236A
M8;, xrefs: 0000000180022338
1l7., xrefs: 00000001800220AF
]k, xrefs: 000000018002232E
94, xrefs: 0000000180022371
]$d, xrefs: 00000001800220D6
]k, xrefs: 0000000180022069

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: "+H$1l7.$M8;$]$d$]k$]k$94
API String ID: 0-2447245168
Opcode ID: 3fd6bef9004380659c47559ba6e3d81fe5eea7f701e849f333ef0deba45e7d13
Instruction ID: 1221e244f5383d3e6569bf50eb566ee92e7d288cf12f4405919b94e37960c7a7
Opcode Fuzzy Hash: 3fd6bef9004380659c47559ba6e3d81fe5eea7f701e849f333ef0deba45e7d13
Instruction Fuzzy Hash: 3FB10D7160130CCBDBA9DF28C18A6DA3BE1FF48748F114129FD1A97261D774E919CB46

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BBC16C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32 ref: 00007FFF21BBC1C7
GetLocaleInfoA.KERNEL32 ref: 00007FFF21BBC209
GetACP.KERNEL32 ref: 00007FFF21BBC22C

Strings

ACP, xrefs: 00007FFF21BBC195
OCP, xrefs: 00007FFF21BBC1A5

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 388ed1ec509bc17a1b1080bf0c7b12a90c89964bfa9f21f0ca41505682e31820
Instruction ID: ce5279e30d5305a28d80c848bbdb13c7060f24b6debda5c8de4e9c617ee32220
Opcode Fuzzy Hash: 388ed1ec509bc17a1b1080bf0c7b12a90c89964bfa9f21f0ca41505682e31820
Instruction Fuzzy Hash: 9D212F21E0854B85FB70DB21ED602BD63F1BF48785F846131DE4D969B5EE2CE646C708

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180003598 Relevance: 8.2, Strings: 6, Instructions: 720COMMON

Download Yara Rule

Strings

I-, xrefs: 0000000180004227
1h, xrefs: 0000000180004545
li7, xrefs: 0000000180003802
IY, xrefs: 0000000180003ECF
o, xrefs: 0000000180003CAE
QL&, xrefs: 0000000180003C57

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 1h$I-$IY$QL&$li7$o
API String ID: 0-890095520
Opcode ID: d92cde7f9b8773e82faae5f21764c68a430e9ac7962d305d8d3ec3a014b69236
Instruction ID: 3309774e0679b3a301b7d0c809474a48ec240f33eb9a68417431e078f6a2137f
Opcode Fuzzy Hash: d92cde7f9b8773e82faae5f21764c68a430e9ac7962d305d8d3ec3a014b69236
Instruction Fuzzy Hash: 72921875604BC88BCBB8DF24DC85BDD7BE0FB86305F20561DD85E9AA60CBB85645CB02

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000AC48 Relevance: 8.0, Strings: 6, Instructions: 548COMMON

Download Yara Rule

Strings

Rku, xrefs: 000000018000B40E
i, xrefs: 000000018000B672
1, xrefs: 000000018000AD5C
{,, xrefs: 000000018000AD2C
", xrefs: 000000018000B539
$-%, xrefs: 000000018000B3AF

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 1$ {,$"$$-%$Rku$ i
API String ID: 0-1845893065
Opcode ID: 8a8483899f0d6f446eebdfc8e7bf7c7542960c12dc616770c4deeefd42d211ba
Instruction ID: cb6ea2ed9b9de3b3effb5fe074f3157ffd1060f729125c5012da7c2884d2f589
Opcode Fuzzy Hash: 8a8483899f0d6f446eebdfc8e7bf7c7542960c12dc616770c4deeefd42d211ba
Instruction Fuzzy Hash: EB52D470544BCA8BCBB8CF24CC85BEF7BA0FB44306F155529D89A8A291DBB85749CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180029B28 Relevance: 8.0, Strings: 6, Instructions: 535COMMON

Download Yara Rule

Strings

@, xrefs: 0000000180029B80
EX, xrefs: 000000018002A39C
VUS/, xrefs: 000000018002A254
OX, xrefs: 000000018002A0D4
p, xrefs: 000000018002A15A
YV~, xrefs: 000000018002A301

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: VUS/$YV~$p$@$EX$OX
API String ID: 0-2743166816
Opcode ID: 5155f202f137bac6474ba6043cf7c54f40f5ffdfe883d22239fc44ed7813b08b
Instruction ID: 6ceb6cba6b0314249f0ec67deadc173c496f62a90fe3cec01f017443767c42d8
Opcode Fuzzy Hash: 5155f202f137bac6474ba6043cf7c54f40f5ffdfe883d22239fc44ed7813b08b
Instruction Fuzzy Hash: BD3213711097848FD3A9CF68C58A65BBBF0FBCA744F104A1DF68687260C7B6D949CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800059B8 Relevance: 7.9, Strings: 6, Instructions: 408COMMON

Download Yara Rule

Strings

t:v, xrefs: 0000000180005E76
ru, xrefs: 000000018000623C
-!zt, xrefs: 0000000180005BD7
Mv`b, xrefs: 0000000180005D4E
d}9J, xrefs: 0000000180006179
R3T, xrefs: 0000000180005C59

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: -!zt$Mv`b$R3T$d}9J$t:v$ru
API String ID: 0-2100131636
Opcode ID: e0551372703c1c57f1fc0d9d1de0f1be02ef62f192bed394747547d409ac2d0a
Instruction ID: abddbd47ac15f5a8ffacaf8e31a06efd054a3dbd2afb1a66e8bbaa14beb483a4
Opcode Fuzzy Hash: e0551372703c1c57f1fc0d9d1de0f1be02ef62f192bed394747547d409ac2d0a
Instruction Fuzzy Hash: C1221BB050478C8BDBB8CF64C9897DD7BB0FB44308F10862DDA5AAB250CBB45686CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180013780 Relevance: 7.8, Strings: 6, Instructions: 323COMMON

Download Yara Rule

Strings

tro, xrefs: 00000001800139A0
lmq, xrefs: 0000000180013A6B
$, xrefs: 0000000180013C6D
kO, xrefs: 000000018001387E
"`2, xrefs: 00000001800139CE
lbzZ, xrefs: 0000000180013863

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $$"`2$lbzZ$lmq$tro$kO
API String ID: 0-2401169580
Opcode ID: b22a75222821f6640e36d1476563fd6974371582067e8c17588d676730c46316
Instruction ID: 279b0f6eedbbacd77816cba7ac57bf6919de5fbe0bc464da326619847ce4fcd1
Opcode Fuzzy Hash: b22a75222821f6640e36d1476563fd6974371582067e8c17588d676730c46316
Instruction Fuzzy Hash: BBF1C3709047488FDBA8DFA8D9867DDBBB1FB48304F20821DD84AEB255DB749A49CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BB4558 Relevance: 7.5, APIs: 5, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFF21BB458F
GetCurrentProcessId.KERNEL32 ref: 00007FFF21BB459A
GetCurrentThreadId.KERNEL32 ref: 00007FFF21BB45A6
GetTickCount.KERNEL32 ref: 00007FFF21BB45B2
QueryPerformanceCounter.KERNEL32 ref: 00007FFF21BB45C3

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 223c3edd6aa26ef4227c63ba9b3a174b47cd905fe72dc54f34602d1df15ca246
Instruction ID: b0873fb35405d9ee90271018676898050d4d43bdbdca2ae9cef836e3680ef931
Opcode Fuzzy Hash: 223c3edd6aa26ef4227c63ba9b3a174b47cd905fe72dc54f34602d1df15ca246
Instruction Fuzzy Hash: B7016125E2AA0189EB508F21FC9026D63B0FB49F90F447630EE5E877B0DE3CD9958344

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000FC48 Relevance: 6.7, Strings: 5, Instructions: 447COMMON

Download Yara Rule

Strings

EX., xrefs: 000000018001032D
2f, xrefs: 000000018001051C
UbA, xrefs: 00000001800103C4
)#?, xrefs: 0000000180010418
PT, xrefs: 000000018001038A

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: )#?$EX.$PT$UbA$2f
API String ID: 0-1318892062
Opcode ID: f9a85fa51538b1a6c0e22373df85dddbbc427f24166f886711afb0f01761c199
Instruction ID: a9b5704be98d3dd027f678fe08c59eda011257bdda9cf4ed25ea0f7660729633
Opcode Fuzzy Hash: f9a85fa51538b1a6c0e22373df85dddbbc427f24166f886711afb0f01761c199
Instruction Fuzzy Hash: 8B320DB190078C8BDBB8CF64C8856DD7BF0FB48318F50852DEA1A9B251DBB45685CF98

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001FC0C Relevance: 6.6, Strings: 5, Instructions: 400COMMON

Download Yara Rule

Strings

$T, xrefs: 000000018001FF09
QP|m, xrefs: 000000018001FCBC
qjf, xrefs: 000000018001FD57
?F, xrefs: 0000000180020023
tZp, xrefs: 000000018001FFAF

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $T$?F$QP|m$qjf$tZp
API String ID: 0-3477398917
Opcode ID: a2afc25ca6c2e6ca488c7a804df3743aa45b21aa43371557c2da8ddda12b60f7
Instruction ID: e54beaa769b94aae3cb673a52a2b60ade73482c6e5d3d936cdc9b6ae13d51efd
Opcode Fuzzy Hash: a2afc25ca6c2e6ca488c7a804df3743aa45b21aa43371557c2da8ddda12b60f7
Instruction Fuzzy Hash: 0B122870A0470CDFCF69DFA8C08A6DDBBF2FB44344F1091A9E816AB261D7759A19CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180016D3C Relevance: 6.6, Strings: 5, Instructions: 379COMMON

Download Yara Rule

Strings

JQ, xrefs: 0000000180016D72
v, xrefs: 00000001800170BE
k&(, xrefs: 0000000180017125
t, xrefs: 0000000180017275
x\J, xrefs: 00000001800171C3

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: JQ$k&($t$v$x\J
API String ID: 0-1134872184
Opcode ID: e2b118cac14b957c819117e18deb076f69f9d4e25580e92a2151fd03385e5a66
Instruction ID: 7c1fd17b310acde7e359d6be57bcfb6c2dd011f2caef592e77d3cba241376f6b
Opcode Fuzzy Hash: e2b118cac14b957c819117e18deb076f69f9d4e25580e92a2151fd03385e5a66
Instruction Fuzzy Hash: F312E0B0504709EFCB99DF28C18AADE7BF0FB48308F40812AF80A9B254D774DA58DB45

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000703C Relevance: 6.3, Strings: 5, Instructions: 87COMMON

Download Yara Rule

Strings

V, xrefs: 0000000180007053
L==, xrefs: 0000000180007159
R, xrefs: 00000001800070D3
?rIc, xrefs: 000000018000710E
)H8, xrefs: 000000018000709E

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: R$)H8$?rIc$L==$V
API String ID: 0-2512384441
Opcode ID: 0d280c2f9ee604a9d8763362a2e2c249d7a205bc5c068130deea404b5e8e02a7
Instruction ID: 6f6f9af97a41f07aad9f9d1cbd67af5334817a93c453241fb2a5d498ae2065c2
Opcode Fuzzy Hash: 0d280c2f9ee604a9d8763362a2e2c249d7a205bc5c068130deea404b5e8e02a7
Instruction Fuzzy Hash: 3541D0B090074E8BCF48CF64D49A5DE7FB0FB68398F20421DE856A6250D3B896A5CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800119A8 Relevance: 6.3, Strings: 5, Instructions: 63COMMON

Download Yara Rule

Strings

S, xrefs: 0000000180011A92
vird, xrefs: 00000001800119C2
Qq, xrefs: 0000000180011A84
+, xrefs: 00000001800119DA
bt, xrefs: 0000000180011A1E

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Qq$bt$vird$+$S
API String ID: 0-3373980505
Opcode ID: 46bb33aa035ecbbdf74cf68df8db4d7c020810c30b71dbb4fbdebc27907f7b4b
Instruction ID: 8c34661c01ca41a1498f33dadfb9b2381b3c020394efcb6cfebc1cbd8490f91c
Opcode Fuzzy Hash: 46bb33aa035ecbbdf74cf68df8db4d7c020810c30b71dbb4fbdebc27907f7b4b
Instruction Fuzzy Hash: 8831C2B081038A8FDB45CF64C88A5DE7BF0FB58358F115A19F869A6250D3B4D668CF81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BBC450 Relevance: 6.2, APIs: 4, Instructions: 152COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FFF21BBC477
GetLocaleInfoA.KERNEL32 ref: 00007FFF21BBC4AC
GetLocaleInfoA.KERNEL32 ref: 00007FFF21BBC504
GetLocaleInfoA.KERNEL32 ref: 00007FFF21BBC5F8

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: InfoLocale$_getptd
String ID:
API String ID: 1743167714-0
Opcode ID: b0fda2b9e43f1133ad190798799e4c2ffbba67a865a56d93994de7f284044248
Instruction ID: e583748a0c543795a71909a3c43749ae03a05d87640418671699eaca0d579f45
Opcode Fuzzy Hash: b0fda2b9e43f1133ad190798799e4c2ffbba67a865a56d93994de7f284044248
Instruction Fuzzy Hash: DD613A72F0898A96DB78DA60DD556ED73A1FB88306F402136DA1DC7AA0CF3CE6658704

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180011AD0 Relevance: 5.3, Strings: 4, Instructions: 335COMMON

Download Yara Rule

Strings

P9, xrefs: 0000000180011DC0
^_", xrefs: 0000000180011D6E
@, xrefs: 0000000180011F6B
V, xrefs: 0000000180011B81

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: V$@$P9$^_"
API String ID: 0-1880944046
Opcode ID: 14fe4b6354f8c882e246ec0bcf45ce0c6e4a33b057813c2d4cef38f5cb1d7b15
Instruction ID: ef3f81825b514374c5d287d432cdf068934c0dc0259921085eace1de493a05f6
Opcode Fuzzy Hash: 14fe4b6354f8c882e246ec0bcf45ce0c6e4a33b057813c2d4cef38f5cb1d7b15
Instruction Fuzzy Hash: B6F1DF70504749EFCB98CF28D18AACE7BE0FB48348F50812AF81A9B264D770DA59DB45

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800132F0 Relevance: 5.3, Strings: 4, Instructions: 312COMMON

Download Yara Rule

Strings

F)k, xrefs: 000000018001336C
b/, xrefs: 000000018001347F
syG, xrefs: 000000018001339D
=_, xrefs: 00000001800136EB

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: =_$F)k$b/$syG
API String ID: 0-3955183656
Opcode ID: a0c8fbb251499c36d1c33fbfac3bbb926034851086b3556ae4bae43476727e6a
Instruction ID: 3a63fdd7148b145f5d2717dabea2a2fa508061acbcc25a132c341bfe6e9ad30f
Opcode Fuzzy Hash: a0c8fbb251499c36d1c33fbfac3bbb926034851086b3556ae4bae43476727e6a
Instruction Fuzzy Hash: DED12771A0478D8BCF59DFA8C88A6EEBBB0FB48344F10421DE846A7650D7B4D909CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002D70 Relevance: 5.3, Strings: 4, Instructions: 266COMMON

Download Yara Rule

Strings

vG, xrefs: 000000018000316F
#X, xrefs: 0000000180002E74
iJ6, xrefs: 0000000180003091
'Xsa, xrefs: 0000000180002EA2

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #X$'Xsa$iJ6$vG
API String ID: 0-746338152
Opcode ID: 05ea12fd72043b3df7b90193803f13f9b9661e31632ee757fcd333ad07ef3f6f
Instruction ID: 8ba50615c78112980223cca8f04f1fa67c4b69ee5a809e4e0bd2b8ae6832a1bb
Opcode Fuzzy Hash: 05ea12fd72043b3df7b90193803f13f9b9661e31632ee757fcd333ad07ef3f6f
Instruction Fuzzy Hash: 93E154B590070DDFCB88DF68D19A9DD7BB9BB49308F404029FC0E9A264D3B4E919CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800097C0 Relevance: 5.3, Strings: 4, Instructions: 257COMMON

Download Yara Rule

Strings

*i^, xrefs: 0000000180009A7A
]2, xrefs: 0000000180009CC2
MIC, xrefs: 0000000180009BF0
-Z, xrefs: 0000000180009D06

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: *i^$MIC$-Z$]2
API String ID: 0-498664264
Opcode ID: db11ef6343568e39e87295be28a4fb69218d9fc865c563580501f4fd78a225ea
Instruction ID: 9792ecb135b2155067e966d5e38dbf4f409fde80c29e70d57d2078ebe1ce15c6
Opcode Fuzzy Hash: db11ef6343568e39e87295be28a4fb69218d9fc865c563580501f4fd78a225ea
Instruction Fuzzy Hash: 10E1C670109B888FDBF8DF64CC86BEB7BA5FB44346F10651DD84A8A290DBB46645CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180027F9C Relevance: 5.2, Strings: 4, Instructions: 237COMMON

Download Yara Rule

Strings

LsRW, xrefs: 000000018002820A
>97", xrefs: 0000000180028161
~x, xrefs: 0000000180028423
?, xrefs: 0000000180027FC1

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: >97"$?$LsRW$~x
API String ID: 0-2554301858
Opcode ID: b37088c51263af6e06ebf62d89f1bff1b13e76a95d3b3fa096a3ef4bda325288
Instruction ID: eb38a845d203af82144c13b3f151f5fa827cd0cb8678597ee03ac1a376820114
Opcode Fuzzy Hash: b37088c51263af6e06ebf62d89f1bff1b13e76a95d3b3fa096a3ef4bda325288
Instruction Fuzzy Hash: E1D1E7705067C8CBEBBADFA4D885BCD3BA8FB44744F106219EC4AEA250DB745749CB01

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180010758 Relevance: 5.2, Strings: 4, Instructions: 222COMMON

Download Yara Rule

Strings

B, xrefs: 0000000180010AEC
_, xrefs: 0000000180010A56
EG, xrefs: 000000018001082C
QsF, xrefs: 0000000180010894

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: B$EG$QsF$_
API String ID: 0-784369960
Opcode ID: 2411b4f18f6ae95c167793a9182b69dfaeb4b2ef39c1ac24af76ef798b153418
Instruction ID: 62dbbc71664ee0946fffbba3b71afe09b12d9ffe0d1744d6deb9db65ff0cd9cc
Opcode Fuzzy Hash: 2411b4f18f6ae95c167793a9182b69dfaeb4b2ef39c1ac24af76ef798b153418
Instruction Fuzzy Hash: 3FB1387010468D8FDF88DF28C88A6DA3FA1FB68388F614219FC4A97250C778D694CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180020334 Relevance: 5.2, Strings: 4, Instructions: 190COMMON

Download Yara Rule

Strings

., xrefs: 00000001800206DC
-`G, xrefs: 00000001800206A2
5B.Y, xrefs: 000000018002045A
Z`35, xrefs: 00000001800205D3

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: -`G$.$5B.Y$Z`35
API String ID: 0-1363032466
Opcode ID: bf60aa8e83620137796280cd5bd0e9d08ed9dd04dd302297e234b85e3718d0fd
Instruction ID: b244d414363a4385de25ad5610b22aaac7fb2f2c92cf8150697ad32e565f4bd8
Opcode Fuzzy Hash: bf60aa8e83620137796280cd5bd0e9d08ed9dd04dd302297e234b85e3718d0fd
Instruction Fuzzy Hash: 29A1FB716157888FEB7ADF24C89A7CE7BE1FB49308F40461DD98E8A250D7B49609CB42

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000EE98 Relevance: 5.2, Strings: 4, Instructions: 167COMMON

Download Yara Rule

Strings

WSh, xrefs: 000000018000EEF0
*+_, xrefs: 000000018000EF25
\O, xrefs: 000000018000F046
#o, xrefs: 000000018000EFD8

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: *+_$WSh$\O$#o
API String ID: 0-1846314129
Opcode ID: 2b55738af9202b4623c877c52658b874745984570bac3296ae94d1111b904a17
Instruction ID: 175ce4bc0e22c7a636d32034be2bbb8ad42f6b3cb6a748f64f507b7f0b29ed37
Opcode Fuzzy Hash: 2b55738af9202b4623c877c52658b874745984570bac3296ae94d1111b904a17
Instruction Fuzzy Hash: 1971167160474ECFCB98DF18C489ADA3BE1FB58318F414529FC09A7264DB74DAA8CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180024D80 Relevance: 5.2, Strings: 4, Instructions: 155COMMON

Download Yara Rule

Strings

.B, xrefs: 0000000180025032
\<, xrefs: 0000000180024E9B
O, xrefs: 0000000180024F9B
M*K, xrefs: 0000000180024E36

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: .B$O$M*K$\<
API String ID: 0-3225238681
Opcode ID: 97d1f14c936b4c6fd28126f9270f10017570076f2259e30e0790da2a5d8d89f7
Instruction ID: 95d2fbb8f7fe970b1359d27f41ccd6aad584115d4fee043204e0c0f4c3f3b287
Opcode Fuzzy Hash: 97d1f14c936b4c6fd28126f9270f10017570076f2259e30e0790da2a5d8d89f7
Instruction Fuzzy Hash: 7181E370549788CFEBBACF24C886BDE7BE4FB48744F20461DE85A8A260DB709645CF41

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002A42C Relevance: 5.1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

$, xrefs: 000000018002A454
$, xrefs: 000000018002A477
xVO, xrefs: 000000018002A587
~O, xrefs: 000000018002A626

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $$$$xVO$~O
API String ID: 0-3655128719
Opcode ID: f0a1fe130e7a88269555c94ae3afa6992adf671055acde803b367a0cf8dc4998
Instruction ID: 8f78542db34460f4381821bab2b7e4f68a699ed7f8b2fc47c959991f0b02677a
Opcode Fuzzy Hash: f0a1fe130e7a88269555c94ae3afa6992adf671055acde803b367a0cf8dc4998
Instruction Fuzzy Hash: 5B61D1B05187448FD369DF28C18965BBBF1FBC6744F008A1EF6868A260DB76D948CB47

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800024B8 Relevance: 5.1, Strings: 4, Instructions: 79COMMON

Download Yara Rule

Strings

G, xrefs: 0000000180002557
JMg, xrefs: 000000018000252F
,IW, xrefs: 0000000180002565
l, xrefs: 0000000180002548

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ,IW$G$JMg$l
API String ID: 0-1370644289
Opcode ID: aa199bcfabd2ca119bc867395ae2bb0b970833e8ef3f83c28db76f19b2a25dac
Instruction ID: 7fb8b97fd43ed4dc52a467cdcf5cca41e6e56dbc92574a5c866222c6b731b82a
Opcode Fuzzy Hash: aa199bcfabd2ca119bc867395ae2bb0b970833e8ef3f83c28db76f19b2a25dac
Instruction Fuzzy Hash: 0A41D3B190074E8FCB48CF64C88A5DE7FB0FB18358F10461EE85AA6250D7B89695CFC9

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BBAF70 Relevance: 4.9, APIs: 3, Instructions: 435COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FFF21BBB009
_errno.LIBCMT ref: 00007FFF21BBB293
__tzset.LIBCMT ref: 00007FFF21BBB489

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: _errno$__tzset
String ID:
API String ID: 3587134695-0
Opcode ID: 49cb08095e24ca39ac522c7ec604242f23efb3d68850c8b05a0144016971d7f9
Instruction ID: c0e707daf3fcad7cd5100c4ef86336e01c64458e9539cb793898d8a01283e237
Opcode Fuzzy Hash: 49cb08095e24ca39ac522c7ec604242f23efb3d68850c8b05a0144016971d7f9
Instruction Fuzzy Hash: 57027332E09646C6E7788F2999B013D37F1FB44741FA4603ADF4E86EA1CE78D6448705

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BBFB6C Relevance: 4.6, APIs: 3, Instructions: 95COMMON

Download Yara Rule

APIs

_lock.LIBCMT ref: 00007FFF21BBFB92
_errno.LIBCMT ref: 00007FFF21BBFBA4

Part of subcall function 00007FFF21BB66D8: DecodePointer.KERNEL32 ref: 00007FFF21BB66FF

_errno.LIBCMT ref: 00007FFF21BBFBF0

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: _errno$DecodePointer_lock
String ID:
API String ID: 2175075375-0
Opcode ID: 67eb2a1810ee8ae3a6f200ab40374a5628c10f79bc737fdb0890b88123cf569c
Instruction ID: 0320b909110b66eb599eb7ecff3c091cf1edac56ee1ea1c36ceb6f805b0d97a3
Opcode Fuzzy Hash: 67eb2a1810ee8ae3a6f200ab40374a5628c10f79bc737fdb0890b88123cf569c
Instruction Fuzzy Hash: 9931AE21F0C75342FB759A659D7937E61E1BF54384F046438EE4DC6EA6EE2CEA408308

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BBD318 Relevance: 4.5, APIs: 3, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FFF21BBD357
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFF21BBD39D
UnhandledExceptionFilter.KERNEL32 ref: 00007FFF21BBD3A8

Part of subcall function 00007FFF21BB6F0C: GetModuleFileNameA.KERNEL32(?,?,?,?,?,00007FFF21BB7194,?,?,?,?,00007FFF21BB6C69,?,?,00000000,00007FFF21BB30C0), ref: 00007FFF21BB6FCF

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextFileModuleName
String ID:
API String ID: 2731829486-0
Opcode ID: 593c6449df1015ae3e331ed563d16e9abc9156b94907c07056c7b3d83921dabb
Instruction ID: 00701e499a1f84a9d84c2628647928b903278210beab326bf5d73b5f851e14f9
Opcode Fuzzy Hash: 593c6449df1015ae3e331ed563d16e9abc9156b94907c07056c7b3d83921dabb
Instruction Fuzzy Hash: B1116025E29A4646E7349B20EC507AE63F1FF85304F442136E98D82FB5DF2DE504CB44

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001496C Relevance: 4.2, Strings: 3, Instructions: 493COMMON

Download Yara Rule

Strings

5F, xrefs: 0000000180014AA5
S^r, xrefs: 0000000180014FB9
*4, xrefs: 0000000180014A1B

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: *4$5F$S^r
API String ID: 0-3556444313
Opcode ID: b0743c1ec2acfd1e8c25e2f2eb51529e5db6bb1cba9eb6ae32e5b6bbd2ab9b57
Instruction ID: 3ee7e47d854a132278560872cba22db18b0762c6b33e49020313469b2ebed1ad
Opcode Fuzzy Hash: b0743c1ec2acfd1e8c25e2f2eb51529e5db6bb1cba9eb6ae32e5b6bbd2ab9b57
Instruction Fuzzy Hash: 5542F87154478C8BDBB8CF28C88D7DE7BE0FB54344F20461DE9AA8A261DBB49685CF41

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001BB04 Relevance: 4.0, Strings: 3, Instructions: 286COMMON

Download Yara Rule

Strings

<x<, xrefs: 000000018001BED4
'~W, xrefs: 000000018001BEA8
&lz2, xrefs: 000000018001BE19

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: &lz2$'~W$<x<
API String ID: 0-2268522332
Opcode ID: b4611eb32689572206be92ce00cd3efb5fa8211b09b44c780cf48fb277428f5a
Instruction ID: 36e71a14450f7168630c03d0025ff7d4b6ed06a40f4a953d8196177a15a51c97
Opcode Fuzzy Hash: b4611eb32689572206be92ce00cd3efb5fa8211b09b44c780cf48fb277428f5a
Instruction Fuzzy Hash: 47E10574A14B0C8BDB69DFB8D04A6CDBBF2FB54344F20411DE80AAB292D7B49519CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180020768 Relevance: 4.0, Strings: 3, Instructions: 260COMMON

Download Yara Rule

Strings

ba^2, xrefs: 0000000180020A27
T]0, xrefs: 00000001800209FC
$, xrefs: 0000000180020AED

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $$T]0$ba^2
API String ID: 0-1276948933
Opcode ID: 50dab8274baf4b038fc4b99f186c2c7516c76bbdb2714b9ce32fb6facc3b6c7a
Instruction ID: eef8b44dd2583dc88dd368a4c81b8d58a3d6fa2c6a2b719c97d70d037daa09dd
Opcode Fuzzy Hash: 50dab8274baf4b038fc4b99f186c2c7516c76bbdb2714b9ce32fb6facc3b6c7a
Instruction Fuzzy Hash: 1CD11470510748DBCB99CF24C88AADD7FB1FB483A8FA42219FD06A7260C775D984CB85

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001D49C Relevance: 4.0, Strings: 3, Instructions: 228COMMON

Download Yara Rule

Strings

EDO, xrefs: 000000018001D752
V , xrefs: 000000018001D544
6w5*, xrefs: 000000018001D7AF

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 6w5*$EDO$V
API String ID: 0-1640223502
Opcode ID: ed1df3146ad4429725400e2b1b62204332b0e2ca82f1b7aeb1a5f2c194113b0e
Instruction ID: 2aad62a72125add12bf3ce521e9508149cfd3cbf44ea5784fb3c25a9d2cdfef8
Opcode Fuzzy Hash: ed1df3146ad4429725400e2b1b62204332b0e2ca82f1b7aeb1a5f2c194113b0e
Instruction Fuzzy Hash: 07B1E67160560ECFCB88DF28C5866DE3BE0FB48318F41422AF90AA7354D774DA68CB85

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000A6EC Relevance: 4.0, Strings: 3, Instructions: 212COMMON

Download Yara Rule

Strings

|Y, xrefs: 000000018000AB17
Y(), xrefs: 000000018000A773
i_"o, xrefs: 000000018000AB62

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Y()$i_"o$|Y
API String ID: 0-942011364
Opcode ID: 99e19844c70b9c0f3275fee4d9e8598d8799ff7d5c60b779fef480da3ab0ff5c
Instruction ID: 0f698cdcb9f5af38e2ff44253ec0ac71ef144d8643f40abc7fb7ff20982184b6
Opcode Fuzzy Hash: 99e19844c70b9c0f3275fee4d9e8598d8799ff7d5c60b779fef480da3ab0ff5c
Instruction Fuzzy Hash: 5AC1F7706083889FDBBEDF28C8857CA7BA9FB46708F504519EDC98E254DB745744CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180017378 Relevance: 3.9, Strings: 3, Instructions: 183COMMON

Download Yara Rule

Strings

O), xrefs: 0000000180017436
,G, xrefs: 000000018001749E
-, xrefs: 00000001800174FF

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: O)$,G$-
API String ID: 0-23008916
Opcode ID: 382f6eb2118395d632dba3a2cf122cd3a475215dc83456f13dd86c7c3519a1e5
Instruction ID: 8302e34eee3504d26b36c965fbed976e69713b67a0f5c478fb5ffa9ec871fbb1
Opcode Fuzzy Hash: 382f6eb2118395d632dba3a2cf122cd3a475215dc83456f13dd86c7c3519a1e5
Instruction Fuzzy Hash: 6E81F7705106499BCF88DF28C8D6ADD7FB1FB483A8F956219FD0AA6250C774D885CB84

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000A270 Relevance: 3.9, Strings: 3, Instructions: 158COMMON

Download Yara Rule

Strings

L, xrefs: 000000018000A3C5
Q#, xrefs: 000000018000A498
;U[, xrefs: 000000018000A476

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ;U[$L$Q#
API String ID: 0-2933747092
Opcode ID: 48c80cf55519f04e9394a4cd7563c786fdb29e452e8ba8fdd2d4b1674bf817ce
Instruction ID: c6ef39cbec2f0f72f24e8f037401308b0178ea645a608ff4f3f67d7bb634a9bb
Opcode Fuzzy Hash: 48c80cf55519f04e9394a4cd7563c786fdb29e452e8ba8fdd2d4b1674bf817ce
Instruction Fuzzy Hash: 0B614E70A0870CAFDB48DF94C14AADDBBF2FB54344F0081A9E806AB251D7B59B59CB85

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001DFB4 Relevance: 3.9, Strings: 3, Instructions: 144COMMON

Download Yara Rule

Strings

5(, xrefs: 000000018001E16D
<:*, xrefs: 000000018001E0BA
qwX, xrefs: 000000018001E11A

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 5($<:*$qwX
API String ID: 0-3944236288
Opcode ID: 3ff6daddd3fc5570497b4afa6ac41a8054238f95a4c1d79c70cc8b829639e233
Instruction ID: 7f83292775578326f1885df61e48a3f2c5c3ff73894a37d4b388f2926162ec41
Opcode Fuzzy Hash: 3ff6daddd3fc5570497b4afa6ac41a8054238f95a4c1d79c70cc8b829639e233
Instruction Fuzzy Hash: 5B71067015878CDBEBBADF24C8897DD3BB0FB49344F90861AE84E8A250CF74574A9B41

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001C05C Relevance: 3.9, Strings: 3, Instructions: 135COMMON

Download Yara Rule

Strings

s`~, xrefs: 000000018001C1CE
79&, xrefs: 000000018001C10D
v;, xrefs: 000000018001C13F

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 79&$s`~$v;
API String ID: 0-3844292866
Opcode ID: beca5e7b89ed182e00fd219d55149b62bdd99575566975f419d1c5ca8939f9e6
Instruction ID: c39f2861ae99e8b3f2b4a79ea52bf03a0f7a6e48d35fb935a0be7420e121cddb
Opcode Fuzzy Hash: beca5e7b89ed182e00fd219d55149b62bdd99575566975f419d1c5ca8939f9e6
Instruction Fuzzy Hash: 9B61397110478CAFDBFA9E58CC85BDD37A0FB48348F508229E9098B290DF749B4D9B46

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000551C Relevance: 3.9, Strings: 3, Instructions: 127COMMON

Download Yara Rule

Strings

1_, xrefs: 000000018000579C
ac, xrefs: 0000000180005543
wQ_, xrefs: 000000018000561A

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: wQ_$1_$ac
API String ID: 0-1037425278
Opcode ID: 943c7c2c61714b72029a8fd813d6c42c5c92d180aed6d879ae2838ea4b2e708e
Instruction ID: 5ab913ef515fd25bf7fc04ce61f78e9cde1e7d2fd73709943c0f3a5cbb59c84a
Opcode Fuzzy Hash: 943c7c2c61714b72029a8fd813d6c42c5c92d180aed6d879ae2838ea4b2e708e
Instruction Fuzzy Hash: 1D612B7010978C8BDBF8CF54DC997EA3BA6FB54345F208519E84E8A270DB74968CCB42

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180023831 Relevance: 3.9, Strings: 3, Instructions: 108COMMON

Download Yara Rule

Strings

)K, xrefs: 000000018002390F
U|, xrefs: 0000000180023A9A
|1-, xrefs: 00000001800238AE

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: )K$U|$|1-
API String ID: 0-2543966960
Opcode ID: 5f28dff232c1c58b23d465856644a80aed22efa063cacd8378c131e5813de89a
Instruction ID: 8eb6a9a016547b1518e90ac2546dd564535e4ecbba9ac8d240a0a1c3e9042cf5
Opcode Fuzzy Hash: 5f28dff232c1c58b23d465856644a80aed22efa063cacd8378c131e5813de89a
Instruction Fuzzy Hash: 1151D57160438CAFDBF6CE64D8857CA37A0AB06354F608129A89D8A291DBB4578DCB02

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180029368 Relevance: 3.9, Strings: 3, Instructions: 105COMMON

Download Yara Rule

Strings

6`d, xrefs: 0000000180029414
6|, xrefs: 0000000180029474
H~z, xrefs: 00000001800294EE

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 6|$6`d$H~z
API String ID: 0-1702722476
Opcode ID: 6487df39d46446a395b722702bbc9accbfbbf10f6bdf8a05bf21e92dd4d708c3
Instruction ID: dff368548e7284a50638b46c1e9eca52edd1bdea535486c94ebb7356abcac70e
Opcode Fuzzy Hash: 6487df39d46446a395b722702bbc9accbfbbf10f6bdf8a05bf21e92dd4d708c3
Instruction Fuzzy Hash: C351F37190074DDFCF48DFA4D98A5DEBBB0FB48308F118659E89AA7260C7B89A44CF45

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180019618 Relevance: 3.8, Strings: 3, Instructions: 92COMMON

Download Yara Rule

Strings

`5, xrefs: 0000000180019696
d~, xrefs: 0000000180019780
t>, xrefs: 0000000180019652

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: d~$`5$t>
API String ID: 0-1282322184
Opcode ID: 5ab2e5105061d0cdd7dd2083328b31dc67734e2d6c9a8d2650bd0306db7847c6
Instruction ID: 2b9aad7a7c3990d0f54026c4e2bc5a00c5a3c031faa8fbf8ed0394cc09118e70
Opcode Fuzzy Hash: 5ab2e5105061d0cdd7dd2083328b31dc67734e2d6c9a8d2650bd0306db7847c6
Instruction Fuzzy Hash: 9141B2B190078ECBCF48DFA8C88A1DE7BB0FB58358F104A19E965A6250D3B49664CF84

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000BB28 Relevance: 3.8, Strings: 3, Instructions: 91COMMON

Download Yara Rule

Strings

JYr, xrefs: 000000018000BB50
#St, xrefs: 000000018000BC5D
hmn, xrefs: 000000018000BC20

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #St$JYr$hmn
API String ID: 0-1556749129
Opcode ID: 8c5881788024da3e2945e5a9e10c631b66cff36ab1256063138a18bf82cfdc40
Instruction ID: 771f7f328e054501a5ac5c786693eba7885e85f29817745d48b7f08549072e32
Opcode Fuzzy Hash: 8c5881788024da3e2945e5a9e10c631b66cff36ab1256063138a18bf82cfdc40
Instruction Fuzzy Hash: 9141A2B590038E8FCF48CF68C9865DF7BB0FB58358F104A19E866A6250D3B8D665CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002610 Relevance: 3.8, Strings: 3, Instructions: 87COMMON

Download Yara Rule

Strings

K, xrefs: 000000018000261C
W}, xrefs: 0000000180002698
TGA, xrefs: 00000001800026C3

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: TGA$K$W}
API String ID: 0-588348707
Opcode ID: 6f9a2f9587d8e5dd3523940eb2aee6104e1c9ad2b61c16d7289d24ecd03a1c44
Instruction ID: 925d7415f36b0b7642ffd9188936a5d9ffa2c4cac62ef92b2c466baf2dc1674c
Opcode Fuzzy Hash: 6f9a2f9587d8e5dd3523940eb2aee6104e1c9ad2b61c16d7289d24ecd03a1c44
Instruction Fuzzy Hash: E041C2B480038E8FCB88DF68D8865DE7BB0FB58358F10461DF82AA6254D3B49664CF95

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000738C Relevance: 3.8, Strings: 3, Instructions: 86COMMON

Download Yara Rule

Strings

@H, xrefs: 00000001800074B7
{C=, xrefs: 0000000180007424
:1,, xrefs: 0000000180007470

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: :1,$@H${C=
API String ID: 0-2737386091
Opcode ID: 644fe5c2a8aa80c3bc0818b82038798635fbfb77325ece216352586eb067b324
Instruction ID: ceb57f34bb3f34c1ea772447f295c080a735f780389ac7edd693abfe49cb3e58
Opcode Fuzzy Hash: 644fe5c2a8aa80c3bc0818b82038798635fbfb77325ece216352586eb067b324
Instruction Fuzzy Hash: B641E6B090078E8FCF48DF68C98A5DE7BB0FB58348F104A1DE856A6250D3B4D665CF95

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001481C Relevance: 3.8, Strings: 3, Instructions: 74COMMON

Download Yara Rule

Strings

prP, xrefs: 00000001800148D3
q<C, xrefs: 000000018001491B
uL , xrefs: 00000001800148B7

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: prP$q<C$uL
API String ID: 0-1414207395
Opcode ID: 2ae9b2111e30b1203ae6799d8d29bbb45b968934521661f86bb08c7d67e7e9b2
Instruction ID: cc3a3a13117e67edb5dc9e3fadb8c1066889dae633948d8cd9104a976a047d4b
Opcode Fuzzy Hash: 2ae9b2111e30b1203ae6799d8d29bbb45b968934521661f86bb08c7d67e7e9b2
Instruction Fuzzy Hash: 1031B1B180434E9FCB48DF68C88A5DE7FB0FB58358F10961DE85AA6260D3789695CFC4

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180006458 Relevance: 3.8, Strings: 3, Instructions: 61COMMON

Download Yara Rule

Strings

:00D, xrefs: 00000001800064D2
Kl, xrefs: 0000000180006524
(R', xrefs: 00000001800064CE

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: :00D$Kl$(R'
API String ID: 0-3661897330
Opcode ID: 85d3200e76e47dbb67993755bb0ce797b19f94abe7489bd39968e35e8c3a1c76
Instruction ID: 113703a4c5f13be184801d5493027e38acd6d1afb500234bb699672912ccf9eb
Opcode Fuzzy Hash: 85d3200e76e47dbb67993755bb0ce797b19f94abe7489bd39968e35e8c3a1c76
Instruction Fuzzy Hash: CA216F74618B848BD74CDF28C46551EBBE1BB8C718F440B1DF4CAAA354D778D6058B4A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BB5944 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FFF21BB597E

Part of subcall function 00007FFF21BB7FBC: _errno.LIBCMT ref: 00007FFF21BB7FD4

Part of subcall function 00007FFF21BB6550: RtlCaptureContext.KERNEL32 ref: 00007FFF21BB658F
Part of subcall function 00007FFF21BB6550: IsDebuggerPresent.KERNEL32 ref: 00007FFF21BB662D
Part of subcall function 00007FFF21BB6550: SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFF21BB6637
Part of subcall function 00007FFF21BB6550: UnhandledExceptionFilter.KERNEL32 ref: 00007FFF21BB6642
Part of subcall function 00007FFF21BB6550: GetCurrentProcess.KERNEL32 ref: 00007FFF21BB6658
Part of subcall function 00007FFF21BB6550: TerminateProcess.KERNEL32 ref: 00007FFF21BB6666

Strings

C, xrefs: 00007FFF21BB59CC

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerPresentTerminate_errno_getptd
String ID: C
API String ID: 1583075380-1037565863
Opcode ID: 10b8f8e64b2f2c6b57eebdc268e2529a4342badfac4ad9c6369cf06c32040822
Instruction ID: aaeb9348c23040fdc13d089a57c3f7dd5518ce114a12e00bb3fa4af5be8eb3f1
Opcode Fuzzy Hash: 10b8f8e64b2f2c6b57eebdc268e2529a4342badfac4ad9c6369cf06c32040822
Instruction Fuzzy Hash: 64518122E1868641EB709A21AD717BE52F0FB84B80F44A031EE4DD7EA9DE3DD605C709

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BBC6E4 Relevance: 3.1, APIs: 2, Instructions: 64COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FFF21BBC706
GetLocaleInfoA.KERNEL32 ref: 00007FFF21BBC73B

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: InfoLocale_getptd
String ID:
API String ID: 3731964398-0
Opcode ID: 3ee99f9ceacccca0b475531418f3f0bad8631950249c9606f8709888dfed1ca9
Instruction ID: 62e81bb8ab09b120a50ce045b9105859f35d3463d8144adec7951b8e60ccb274
Opcode Fuzzy Hash: 3ee99f9ceacccca0b475531418f3f0bad8631950249c9606f8709888dfed1ca9
Instruction Fuzzy Hash: 2A218B32F0868696EB28DA26DD543EE63E0FB88746F001035CA1DC7AA5DF3CE6658604

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BBC2B4 Relevance: 3.1, APIs: 2, Instructions: 56COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FFF21BBC2DB
GetLocaleInfoA.KERNEL32 ref: 00007FFF21BBC310

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: InfoLocale_getptd
String ID:
API String ID: 3731964398-0
Opcode ID: d1cd7d40a2314de2c6ade98052514a7069188fc7bc8d66beba22a864349849c0
Instruction ID: 157669f750e7ce41c7dcc6f1b7c180ca48bb8340de86947b42ba7c1982f7b2c2
Opcode Fuzzy Hash: d1cd7d40a2314de2c6ade98052514a7069188fc7bc8d66beba22a864349849c0
Instruction Fuzzy Hash: 01219A32E08A8596EB28CB20E8953AD73B1FB88B81F805135DA5D87B64CF3CE655C704

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800264F0 Relevance: 2.8, Strings: 2, Instructions: 299COMMON

Download Yara Rule

Strings

$, xrefs: 000000018002686D
Y}, xrefs: 00000001800265BF

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $$Y}
API String ID: 0-941771097
Opcode ID: ccf5b1dce74faba3fe2a090267a66303c79afc7ef0f7a8852e8ee526979540e5
Instruction ID: b5fbb9b8d69d65623167db00d7c984f611664f17b2ba8ffe1295fa2c65075a94
Opcode Fuzzy Hash: ccf5b1dce74faba3fe2a090267a66303c79afc7ef0f7a8852e8ee526979540e5
Instruction Fuzzy Hash: BFD11771D0475C8BDBA9CFA4C58A6DDBBB0FF48304F14812ED406AA664DBB4A94ACF41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180018148 Relevance: 2.8, Strings: 2, Instructions: 273COMMON

Download Yara Rule

Strings

?C, xrefs: 000000018001823C
7;}~, xrefs: 000000018001830E

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 7;}~$?C
API String ID: 0-2633536567
Opcode ID: 9e9477893eee9c26855422b11b358c2b9c7e89ea64d6e27a9c9a45e4b3e49bc9
Instruction ID: 4ff8dde17651611a765cac66b1fbb421dc2d9ab68fb3aea537ff971927bbf4a2
Opcode Fuzzy Hash: 9e9477893eee9c26855422b11b358c2b9c7e89ea64d6e27a9c9a45e4b3e49bc9
Instruction Fuzzy Hash: 78D1157090074CEBCB98DF28C8CA6DD7FA0FF443A4FA06119FA5696250D7719989CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180025DAC Relevance: 2.8, Strings: 2, Instructions: 272COMMON

Download Yara Rule

Strings

5"*, xrefs: 0000000180025E9D
Wu, xrefs: 0000000180026174

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 5"*$Wu
API String ID: 0-3407213400
Opcode ID: 590a19696181e1204ae7455af11f8a1d001dcd1a3fed74675f5c17178e0ac61d
Instruction ID: 3c96fdf1381a0958c8520d7d71fe6f2c88625533ee613de06fa48a87f48c4e54
Opcode Fuzzy Hash: 590a19696181e1204ae7455af11f8a1d001dcd1a3fed74675f5c17178e0ac61d
Instruction Fuzzy Hash: C5D1347150160CDBCBA9DF38C0896D93BE1FF68314F606229FC26962A6C770D998CB45

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180026B10 Relevance: 2.8, Strings: 2, Instructions: 257COMMON

Download Yara Rule

Strings

F/|, xrefs: 0000000180026ECB
]M, xrefs: 0000000180026CA3

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: F/|$]M
API String ID: 0-4182351379
Opcode ID: 43b00b6be08a8afbf3f5eb28955fc8fd0982218358cdb9bdb13e45d672a344d5
Instruction ID: a7a3ffa63f459c2793369717af269d13be5e973408dad35b7fec4159c22d1286
Opcode Fuzzy Hash: 43b00b6be08a8afbf3f5eb28955fc8fd0982218358cdb9bdb13e45d672a344d5
Instruction Fuzzy Hash: 93C1FC7590574CCFDBAACF28C4896DA3BE4FF18348F104129FC1A96262C778E959CB46

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180021C3C Relevance: 2.7, Strings: 2, Instructions: 216COMMON

Download Yara Rule

Strings

nK, xrefs: 0000000180021D5B
;SH, xrefs: 0000000180021D77

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ;SH$nK
API String ID: 0-1681473137
Opcode ID: 60009ad1e2a9263792ce168a39eeae7aea84bb316664056338e5cad3c2547986
Instruction ID: 2d779165796623b26e7721dc1da123eca1e5f2af18f65828867eec0b4a65172d
Opcode Fuzzy Hash: 60009ad1e2a9263792ce168a39eeae7aea84bb316664056338e5cad3c2547986
Instruction Fuzzy Hash: A4A1F6B1D047188FDB69DFA9C8896DDBBF0FB58308F20821DE456AB252DB70A945CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800014F8 Relevance: 2.7, Strings: 2, Instructions: 185COMMON

Download Yara Rule

Strings

z, xrefs: 000000018000150B
,, xrefs: 0000000180001690

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ,$z
API String ID: 0-3532108746
Opcode ID: dc10c8488ddee61f5c5f049ba36fdd234a8a1d33d2b4922d6dc47400662f32e6
Instruction ID: 22c424daf7001e4089cf159549a6bd5e686fa177ee3286ce9bb9aa7af20863be
Opcode Fuzzy Hash: dc10c8488ddee61f5c5f049ba36fdd234a8a1d33d2b4922d6dc47400662f32e6
Instruction Fuzzy Hash: D8813B7050064ECFDB99CF28C8967DE3BA0FB58388F214219FC469A251D778DA99CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001A460 Relevance: 2.7, Strings: 2, Instructions: 182COMMON

Download Yara Rule

Strings

~l;, xrefs: 000000018001A543
g/?, xrefs: 000000018001A61B

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: g/?$~l;
API String ID: 0-1448562259
Opcode ID: c1035f7af6a4496562a9c3e7f8bb9bdabded1ee22b21e9d05eb711cf1176ed3d
Instruction ID: 3fbc9289fec6fa85948f8c66d04cee19a314a674a1b98c47510047b5f8856774
Opcode Fuzzy Hash: c1035f7af6a4496562a9c3e7f8bb9bdabded1ee22b21e9d05eb711cf1176ed3d
Instruction Fuzzy Hash: BD912570D0871C8BDF98CFA8D4896DEBBF0FB48314F108119E815B6261D7788A49CF69

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000F128 Relevance: 2.7, Strings: 2, Instructions: 173COMMON

Download Yara Rule

Strings

JM, xrefs: 000000018000F3F0
S, xrefs: 000000018000F363

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: JM$S
API String ID: 0-422059844
Opcode ID: 17c06aff4c9a8785a284e06d6c25610082a70a687229394e7dafcb554760f06a
Instruction ID: 18b4f90d7ab76b898621194cab333307634bf3b6742180ea4845374ffda8c285
Opcode Fuzzy Hash: 17c06aff4c9a8785a284e06d6c25610082a70a687229394e7dafcb554760f06a
Instruction Fuzzy Hash: 58813B715047888BDBB8DF34C8863D93BE1FB54348F60821DEC9ACA262DB74954ADB81

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000671C Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

sT>, xrefs: 000000018000694E
\4t, xrefs: 000000018000678D

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: \4t$sT>
API String ID: 0-514966222
Opcode ID: bb5024ce5ec3974a1f347232039341d65ca55b368bc4e02a847ae3966b55dd21
Instruction ID: befa5a9d8a747e28c49f4c6f85c9bef8e8333281f143cc702ee02b151a4c5a7a
Opcode Fuzzy Hash: bb5024ce5ec3974a1f347232039341d65ca55b368bc4e02a847ae3966b55dd21
Instruction Fuzzy Hash: 689178B550070DCFDB98CF28C18A59E3BE8FB49318F40412AFC1E9A264E7B4E519CB46

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800075D4 Relevance: 2.7, Strings: 2, Instructions: 155COMMON

Download Yara Rule

Strings

lh, xrefs: 0000000180007774
6 zT, xrefs: 000000018000776A

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 6 zT$lh
API String ID: 0-3667112246
Opcode ID: 3243651aebf4cc17f9c3ac19081b739ce8b4ee13b4845d7785784d3dcbf37647
Instruction ID: 045a3dc0dd112cd33074149f38d13d5bd37ef25ad135160f9863638738ef0602
Opcode Fuzzy Hash: 3243651aebf4cc17f9c3ac19081b739ce8b4ee13b4845d7785784d3dcbf37647
Instruction Fuzzy Hash: 27811A7050478C8FDBBADF64C8AA7CA7BB0FB59304F504219EA4D8A261DB749749CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800248A8 Relevance: 2.6, Strings: 2, Instructions: 143COMMON

Download Yara Rule

Strings

t<p, xrefs: 00000001800249FD
2Q', xrefs: 0000000180024A93

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 2Q'$t<p
API String ID: 0-2959822804
Opcode ID: 3a858c916c0ce97b4f34a75536e8983d6f889f87815844e5a642c7b43e21a109
Instruction ID: a41fe1ae69e2ef788ca0c35fa62602b5835247be5e9f8fb85ac316e89f41683a
Opcode Fuzzy Hash: 3a858c916c0ce97b4f34a75536e8983d6f889f87815844e5a642c7b43e21a109
Instruction Fuzzy Hash: 30612671D0074E8BDF99DFA9C44A6EEBBB0FB58344F208119E415B7250CB788A49CF92

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180012F28 Relevance: 2.6, Strings: 2, Instructions: 136COMMON

Download Yara Rule

Strings

\`s, xrefs: 000000018001308C
95s, xrefs: 00000001800130A8

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 95s$\`s
API String ID: 0-3495284040
Opcode ID: 588b54260dd6ab6c7a0d8fdad9ba33054619fea491f2d0c2f65b47850ec72611
Instruction ID: 5af2ad2f129eee824c5b1b43ddda8a3f0e9306f12771263eefccbe9bdf0da5be
Opcode Fuzzy Hash: 588b54260dd6ab6c7a0d8fdad9ba33054619fea491f2d0c2f65b47850ec72611
Instruction Fuzzy Hash: 1351D47011478A8BCB48DF28C896ADE3FA1FB58348F114618FC668B264C7B4E665CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001AAB8 Relevance: 2.6, Strings: 2, Instructions: 131COMMON

Download Yara Rule

Strings

3*, xrefs: 000000018001AB25
qMu, xrefs: 000000018001AB45

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 3*$qMu
API String ID: 0-4093015089
Opcode ID: 99b9b50685954fc4be39463e85dd78448f0e0771904def200121889666665086
Instruction ID: 306475205ddf6f42a3ecfe0a1797163739854d195c0d735865f936de0d0f8307
Opcode Fuzzy Hash: 99b9b50685954fc4be39463e85dd78448f0e0771904def200121889666665086
Instruction Fuzzy Hash: 445122B09147189BCB88CFA8E4CA9CDBBF1FF48354F609119F806A7255DB709984CF95

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002C904 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

"n&E, xrefs: 000000018002C9F6
#X, xrefs: 000000018002C99B

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #X$"n&E
API String ID: 0-1188898577
Opcode ID: 718f7bd1d94c81876eaad6eeab3da3c9f3f95e6ba8e740bb3013068cec68a803
Instruction ID: 5f040a851564d75eb680569e00f78a68740ad3a482e782991b4ea7036c242a73
Opcode Fuzzy Hash: 718f7bd1d94c81876eaad6eeab3da3c9f3f95e6ba8e740bb3013068cec68a803
Instruction Fuzzy Hash: 3851CEB190038E8FCB48DF68D8865DE7BB1FB48344F018A1DE866AB250D7B4D665CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800176B8 Relevance: 2.6, Strings: 2, Instructions: 102COMMON

Download Yara Rule

Strings

Bw~, xrefs: 0000000180017803
fy, xrefs: 00000001800176C4

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Bw~$fy
API String ID: 0-1663007907
Opcode ID: e7fa569085818704a3ff5c3485105d547b9a4184ddd82cedce935b50235ecc40
Instruction ID: 54d1d0e0fa6abfe6c6c31828b0edda1727153ea8c56c584fcf89706de6b20d2b
Opcode Fuzzy Hash: e7fa569085818704a3ff5c3485105d547b9a4184ddd82cedce935b50235ecc40
Instruction Fuzzy Hash: FC51D2B090038A8FCB48CF64C88A5DE7FB1FB48348F51861DFC26AA250D3B4D664CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180013150 Relevance: 2.6, Strings: 2, Instructions: 100COMMON

Download Yara Rule

Strings

/0, xrefs: 00000001800131B1
XyLe, xrefs: 0000000180013245

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: /0$XyLe
API String ID: 0-3562702181
Opcode ID: fef052e2a4848d8a0e8164d690a85092e4079079a61ad40d2a1be71e95784dc9
Instruction ID: 167cd3e3c855d70dfa0c36df1993a56b415187eb75226b1b3cef09056e291559
Opcode Fuzzy Hash: fef052e2a4848d8a0e8164d690a85092e4079079a61ad40d2a1be71e95784dc9
Instruction Fuzzy Hash: 5751C2B090034E8FDB48DF68C49A5DE7FB0FB68398F20421DE856A6250D37496A4CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800190D4 Relevance: 2.6, Strings: 2, Instructions: 93COMMON

Download Yara Rule

Strings

>I, xrefs: 000000018001910D
>I, xrefs: 00000001800191E1

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: >I$>I
API String ID: 0-3948471910
Opcode ID: d02b05b08f34d440a9e97d41a427d6483b203c28eb04f5a8f30793fc226f53c2
Instruction ID: a225938552342fdcd3306cc52f41137c6a5b776406488479516cfafb05d577e3
Opcode Fuzzy Hash: d02b05b08f34d440a9e97d41a427d6483b203c28eb04f5a8f30793fc226f53c2
Instruction Fuzzy Hash: 8D41F0B0909B849BC788DF68C18A90AFBE0FBD8704F505A1DF5858B660DBB4D806CF42

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001DA80 Relevance: 2.6, Strings: 2, Instructions: 86COMMON

Download Yara Rule

Strings

{H2}, xrefs: 000000018001DB0E
}i#c, xrefs: 000000018001DB7A

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: {H2}$}i#c
API String ID: 0-1724349491
Opcode ID: 636373f8d11797f15735a76cf3eff043eb60bc28cc3023d18146d874f48b2676
Instruction ID: 37d5b784c44c013357b808598ceb46bd6ed98c7a9730d3ab63b6bf10ba55f6e5
Opcode Fuzzy Hash: 636373f8d11797f15735a76cf3eff043eb60bc28cc3023d18146d874f48b2676
Instruction Fuzzy Hash: 3941EAB190078A8BCF48CF68C89A1DE7BB1FB58358F11461DE866A6250D3B49664CF85

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800269B0 Relevance: 2.6, Strings: 2, Instructions: 82COMMON

Download Yara Rule

Strings

so, xrefs: 0000000180026A7A
4V, xrefs: 0000000180026AB2

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 4V$so
API String ID: 0-1060102820
Opcode ID: d1e906d6139717c906ceb034d8d33f13f0a3d2bdb8d940195440e7af4bdcba37
Instruction ID: d444a7ea2620fcfa6eb466004a6e01db215641729881944e94261e2193751ac2
Opcode Fuzzy Hash: d1e906d6139717c906ceb034d8d33f13f0a3d2bdb8d940195440e7af4bdcba37
Instruction Fuzzy Hash: 8E41BEB180034A8FCB48CF64C88A5DE7FB1FB68398F104619E859A6250D3B4D6A5CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800296EC Relevance: 2.6, Strings: 2, Instructions: 78COMMON

Download Yara Rule

Strings

O$, xrefs: 000000018002973D
F+', xrefs: 000000018002985C

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: F+'$O$
API String ID: 0-4064122715
Opcode ID: 2ce923b60eb562ae85959f621386450c4d7366c85186967bb9bba02107a4a539
Instruction ID: be1e2e71df6ebfdb4da32f29d75cc371dd40c0bd5c05f395d23934970efaee37
Opcode Fuzzy Hash: 2ce923b60eb562ae85959f621386450c4d7366c85186967bb9bba02107a4a539
Instruction Fuzzy Hash: FD41D6705187848BD3A9DF68C08965EFBF0FB96394F104A1CF68686670C7B6D849CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800121CC Relevance: 2.6, Strings: 2, Instructions: 75COMMON

Download Yara Rule

Strings

bO6, xrefs: 000000018001228D
1, xrefs: 00000001800121E3

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 1$bO6
API String ID: 0-3242911120
Opcode ID: 9f75d9841d56aa2cc22d310afbf4e4cd48e2e3da52340bc691d74cf5e049a536
Instruction ID: 6601c978ba2416544a7d1ca6fb5225a3b879728eb772ccf04003f68ee897128b
Opcode Fuzzy Hash: 9f75d9841d56aa2cc22d310afbf4e4cd48e2e3da52340bc691d74cf5e049a536
Instruction Fuzzy Hash: 8A3107701187449FC7A8DF68C086A5ABBF0FB9A354F50491DF686C7265C3B2D895CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180019D60 Relevance: 2.6, Strings: 2, Instructions: 68COMMON

Download Yara Rule

Strings

)j-J, xrefs: 0000000180019DA5
\rba, xrefs: 0000000180019D7E

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: )j-J$\rba
API String ID: 0-105394296
Opcode ID: b27fa7590f58ca7dd2d737508af6f5bc0d6ebd07140c48d4a736306249910364
Instruction ID: 842adb91478ed39572f9e8a80903ac0de563c5eb9e26d75e48c1d2cd82a83531
Opcode Fuzzy Hash: b27fa7590f58ca7dd2d737508af6f5bc0d6ebd07140c48d4a736306249910364
Instruction Fuzzy Hash: 1A31D17080024E8BDF88DF64D48A6DFBFF0FB58788F205219E856A6254D7749694CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180024698 Relevance: 2.6, Strings: 2, Instructions: 67COMMON

Download Yara Rule

Strings

7c, xrefs: 000000018002471E
5T, xrefs: 00000001800246BF

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 5T$7c
API String ID: 0-2666566123
Opcode ID: 2ae419eb0ff386ee94a2b0b54af6030ef829be62021f352e0c4a6905d27011e8
Instruction ID: ee04dda3efe5c9a307f88871a109fd0823ba75d09644cdd26569aa81abafae9d
Opcode Fuzzy Hash: 2ae419eb0ff386ee94a2b0b54af6030ef829be62021f352e0c4a6905d27011e8
Instruction Fuzzy Hash: 7631E2B051C7808BC358DF68D15A51BFBF1BBCA748F50891CF686866A0D7B6D818CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180017BDC Relevance: 2.6, Strings: 2, Instructions: 60COMMON

Download Yara Rule

Strings

",)x, xrefs: 0000000180017C8A
PX, xrefs: 0000000180017C43

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ",)x$PX
API String ID: 0-926260526
Opcode ID: f165c3a10a1fa821f16c68d8465b247d8270816cceff94c6b22525474e7640ac
Instruction ID: d5a1e783bdd82888163cb93820b1a52157f2f65bb265271905f807ea8b7abae1
Opcode Fuzzy Hash: f165c3a10a1fa821f16c68d8465b247d8270816cceff94c6b22525474e7640ac
Instruction Fuzzy Hash: DA31A1B091434E8FCB48DF64C88A5DE7FF0FB58398F114619E85AA6250D3B89694CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BBC39C Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32 ref: 00007FFF21BBC3DD

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 31e1571c4c9480ce99c15a91898bfef815e3c9c5a1e04a4fd1e61da97386d0dc
Instruction ID: 179045921a3e795d8b99b85ba89488ef4779379f00992c0d526fa5f223b84187
Opcode Fuzzy Hash: 31e1571c4c9480ce99c15a91898bfef815e3c9c5a1e04a4fd1e61da97386d0dc
Instruction Fuzzy Hash: 5D119B32E0858745EB709B64ECA13BD12F0FB44785F446031DE8DCAA91CE2CE7478718

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BBC834 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

EnumSystemLocalesA.KERNEL32 ref: 00007FFF21BBC884

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: aeac2b72f960d353e04b1ec94d2b5deee2ea0aff83e9dab1063ee3790c567d86
Instruction ID: 8be5e7dce2cdbf42148020a6a26a2a5c3bbf5c7b2fe0784ffda55e219f6e3532
Opcode Fuzzy Hash: aeac2b72f960d353e04b1ec94d2b5deee2ea0aff83e9dab1063ee3790c567d86
Instruction Fuzzy Hash: 31115172E0860987FB28CB31CC2537D26F1FB54B1AF145435CA0D856E5CFBCD6958688

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BBC8C8 Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

EnumSystemLocalesA.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FFF21BB5A8C), ref: 00007FFF21BBC8FD

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 63a91a0b255d2a7e8e8559b933d18d41bbf72777b1d5725641a44dd385286e67
Instruction ID: a4f218c840971137fcd48afa83f43bcc3d9280c2c16020e2c4150fdb10a4c0e3
Opcode Fuzzy Hash: 63a91a0b255d2a7e8e8559b933d18d41bbf72777b1d5725641a44dd385286e67
Instruction Fuzzy Hash: 5CF08662E0850A46FB25CA31C8253BD22F1BB94B46F18A031CA4DC66A6CF6CD6928248

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BBDF3C Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFF21BB2534: _getptd.LIBCMT ref: 00007FFF21BB254A

GetLocaleInfoW.KERNEL32 ref: 00007FFF21BBDF6C

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: InfoLocale_getptd
String ID:
API String ID: 3731964398-0
Opcode ID: c55661bbe17e4b16f28eed47b7e85f9fabee07928079620ee3b979cc97ad5c67
Instruction ID: c1b75bab6d5b63e6ae1f8bd9bce4043226e68a01ea1558c356b36e1a0a59df95
Opcode Fuzzy Hash: c55661bbe17e4b16f28eed47b7e85f9fabee07928079620ee3b979cc97ad5c67
Instruction Fuzzy Hash: 29F05E22E186C083D7118B1AF44415EA7A1FBC8BE4F584221EA9E57BA9CE2CD956CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BBE1E8 Relevance: 1.5, APIs: 1, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32 ref: 00007FFF21BBE210

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 502a65142465a1b9b121244362b20e71b6ae70508435106b2b95459646a177ab
Instruction ID: da70b58c9e5302ec8dd9e575bb29f46f13582ca1f4e17608de492dfbb195381e
Opcode Fuzzy Hash: 502a65142465a1b9b121244362b20e71b6ae70508435106b2b95459646a177ab
Instruction Fuzzy Hash: DEE06525E0C58185F7309720EC613AE67F1FF98758F901231DA9D86AB5DE2CE3058B05

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BBC7F4 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

EnumSystemLocalesA.KERNEL32 ref: 00007FFF21BBC81E

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: a3acadd2f008454ed6638a5ec196b6424420b15def5e390d94227f08142a8bc9
Instruction ID: 62048a5ec4c9fcf47e1fd8a38b4c7099cd1fec1979acd244b1cc4ff31e26f939
Opcode Fuzzy Hash: a3acadd2f008454ed6638a5ec196b6424420b15def5e390d94227f08142a8bc9
Instruction Fuzzy Hash: 91E04F66E0560543EB18CB61D85437C62A1EB98B0AF089035CA0C851A58F7CC6968644

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800125C4 Relevance: 1.5, Strings: 1, Instructions: 239COMMON

Download Yara Rule

Strings

cYte, xrefs: 00000001800128D1

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: cYte
API String ID: 0-489798635
Opcode ID: 6004706ed1147b69530f76000c159dc057970e6c457d66b2cd8eae28b0101d69
Instruction ID: 4bcad34f3ef31740aa8133b8dde5a269bb367cd09133d205a83695970592d01c
Opcode Fuzzy Hash: 6004706ed1147b69530f76000c159dc057970e6c457d66b2cd8eae28b0101d69
Instruction Fuzzy Hash: C4B1E570904A0C9FCB99DFA8D4C96DDBFB1FB48354F908119F806AB294D774998ACF81

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002A9A8 Relevance: 1.5, Strings: 1, Instructions: 221COMMON

Download Yara Rule

Strings

Pc, xrefs: 000000018002AC68

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Pc
API String ID: 0-2609325410
Opcode ID: 1a0088ecf8094bc96bd3fe6dd6dc82c472572739438acd9534c77a0a59272c42
Instruction ID: 12b923e2fd3f69615379d54222b7898fdcc3de1fee72b8e179f5c4c977b11f8e
Opcode Fuzzy Hash: 1a0088ecf8094bc96bd3fe6dd6dc82c472572739438acd9534c77a0a59272c42
Instruction Fuzzy Hash: 4CC188B6502749CFCB88DF68C69A59E7BF1FF55308F004129FC0A9A660D374D929CB48

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001C964 Relevance: 1.5, Strings: 1, Instructions: 207COMMON

Download Yara Rule

Strings

xDC, xrefs: 000000018001CAFA

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: xDC
API String ID: 0-90241050
Opcode ID: 1794493f14346c80bf95ebec7e4fc927d8b172e8d91b7fcff559d0595d0365ee
Instruction ID: 9121b1bc5c885adbeef7a29f5b0494aad7ac2618abc594bea640adf26706a648
Opcode Fuzzy Hash: 1794493f14346c80bf95ebec7e4fc927d8b172e8d91b7fcff559d0595d0365ee
Instruction Fuzzy Hash: F391387052065CEBDB99DF68C8CAADD3BA0FB48394F906219FC4287250C775D9C98B86

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001ED50 Relevance: 1.5, Strings: 1, Instructions: 205COMMON

Download Yara Rule

Strings

g >, xrefs: 000000018001EF27

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: g >
API String ID: 0-3862707646
Opcode ID: ed648581161f49faafb3551504090fa0bdf2ce44a31b7bcfa2a0e2750c151a25
Instruction ID: 455282f08292131e945dcc730a648b96f9dba3dd8fa54dedd401ba7ae830fef0
Opcode Fuzzy Hash: ed648581161f49faafb3551504090fa0bdf2ce44a31b7bcfa2a0e2750c151a25
Instruction Fuzzy Hash: DEA1E5B1604649CFCB98DF28C4896DE7BE0FF48358F41412AFD0A9B255C774DAA8CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180018DAC Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

2, xrefs: 0000000180018DDB

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 2
API String ID: 0-2012265552
Opcode ID: 4b072a5d04a01b9100fac41699cb466bc37952194d83653627602ebfe7fd88fa
Instruction ID: 4926f2c2e7b01a1509be6dde787c5073208d3019f4660081853cabf743aa6d2d
Opcode Fuzzy Hash: 4b072a5d04a01b9100fac41699cb466bc37952194d83653627602ebfe7fd88fa
Instruction Fuzzy Hash: 23A1467490660CDFCB69DFA8C0856CDBBF2FF18344F1081AAE816A7261D774C619CB89

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800288B8 Relevance: 1.4, Strings: 1, Instructions: 190COMMON

Download Yara Rule

Strings

Wcl, xrefs: 0000000180028B98

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Wcl
API String ID: 0-2623992880
Opcode ID: f4aab810873131842688b8816ae552eda5867b61779d557f5a81b893f1e00e3f
Instruction ID: 6785441b261b06c1a3a09f49601167733b22bb672c53a20dcfeae34723d14519
Opcode Fuzzy Hash: f4aab810873131842688b8816ae552eda5867b61779d557f5a81b893f1e00e3f
Instruction Fuzzy Hash: DCB17BB990364DCFCB68CF78D58A59D7BF1AF64308F204119FC259A266D3B0D629CB48

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180029888 Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

ws8, xrefs: 00000001800299E0

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ws8
API String ID: 0-2196714860
Opcode ID: 5d33fb8a3b51542eaa6130f047a5a21fcb70befd8ff2f8c5da0624ee0b386558
Instruction ID: b480ef2199d1fafa288ff61c3bcffdce570952497d21d470c9db593eaacbee88
Opcode Fuzzy Hash: 5d33fb8a3b51542eaa6130f047a5a21fcb70befd8ff2f8c5da0624ee0b386558
Instruction Fuzzy Hash: 54711A70A0470E8FDB59DFA8C45AAEFBBF2FB54348F004119D806A7291DB749A19CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180017908 Relevance: 1.4, Strings: 1, Instructions: 158COMMON

Download Yara Rule

Strings

p/g, xrefs: 0000000180017A5F

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: p/g
API String ID: 0-1786412500
Opcode ID: ea109bfccebd437b4b01984c5c0f8ff51e1effdcf135339ee94665a9e60d530a
Instruction ID: ede728f5e2ba0833d242d52ca27ad93f20c36497480e8c5f25a004cbad49378e
Opcode Fuzzy Hash: ea109bfccebd437b4b01984c5c0f8ff51e1effdcf135339ee94665a9e60d530a
Instruction Fuzzy Hash: F58108B050434E8FCB88DF68D88A6DE7FF0FB58358F105659E85A96250D3B8D694CF84

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000131C Relevance: 1.4, Strings: 1, Instructions: 154COMMON

Download Yara Rule

Strings

%, xrefs: 0000000180001481

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: %
API String ID: 0-3714942587
Opcode ID: 4a5e4fe18fa17051425459feb0137b81b0d343578dbe0cd5a85f108800ca0619
Instruction ID: d5d5bf94d11651037a836977de8f66422f038c9f5d7a5f915f0cc542ec650b78
Opcode Fuzzy Hash: 4a5e4fe18fa17051425459feb0137b81b0d343578dbe0cd5a85f108800ca0619
Instruction Fuzzy Hash: 5A516974606608CBDB69DF38D4D57A937E1EF68305F20412DF866C72A2DB70D9258B88

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000D8C4 Relevance: 1.4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

Strings

A.}, xrefs: 000000018000DA2D

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: A.}
API String ID: 0-2880059976
Opcode ID: 9010837fa6b706847bc4c7b3c9088da85304bc8742fe6f892a790101183beb2f
Instruction ID: 2f0cd8bb00c33d355f5bc07b1ff950bf82d6730f12d3cb6082a6ef1b734ff39e
Opcode Fuzzy Hash: 9010837fa6b706847bc4c7b3c9088da85304bc8742fe6f892a790101183beb2f
Instruction Fuzzy Hash: 8E618FB190078E8FCF48DF68C88A5DE7BB1FB58318F004A1DE86696250D7B49A65CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180001D68 Relevance: 1.4, Strings: 1, Instructions: 126COMMON

Download Yara Rule

Strings

0#, xrefs: 0000000180001DF0

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 0#
API String ID: 0-456275806
Opcode ID: f4a433f559aee369bf21c69c9b7459dc344cb914e6653285f272d73a33117f3a
Instruction ID: 4563f3e02f76dde2de765371aa44af8a356bdaf4307918038d119139e73a9611
Opcode Fuzzy Hash: f4a433f559aee369bf21c69c9b7459dc344cb914e6653285f272d73a33117f3a
Instruction Fuzzy Hash: A6415E70608B488FC768DF19D4897AABBF1FB99301F404A6DE58AC7251DB70D849CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180008CA0 Relevance: 1.4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

Strings

n), xrefs: 0000000180008DD6

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: n)
API String ID: 0-1227437150
Opcode ID: f07ab33c2aa16265c73684704b65c3edc8d50a8e8d1ddfe7d0f50fe867e83bf1
Instruction ID: dd456011ca79f85f31d8ff0d6df60f6896318ebd7e2af4f5172cd91629f08304
Opcode Fuzzy Hash: f07ab33c2aa16265c73684704b65c3edc8d50a8e8d1ddfe7d0f50fe867e83bf1
Instruction Fuzzy Hash: 9761ADB090074E8FCB48DF68D58A5CE7FF0FB68398F204219E856A6260D37496A5CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001EB30 Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

H&0, xrefs: 000000018001EBA0

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: H&0
API String ID: 0-1691334370
Opcode ID: 5a191e61a79b4d2933a8800ab4c515fbfaecb0eb7acbf0dede020ee38eb43630
Instruction ID: 434fd06cb4e7b9e5ef59c8cf231445956357c0a0e2562e482aef1b34ca23bdad
Opcode Fuzzy Hash: 5a191e61a79b4d2933a8800ab4c515fbfaecb0eb7acbf0dede020ee38eb43630
Instruction Fuzzy Hash: F8511970519784ABD7D9CF28C4C5B5EBBE0FB88794F90691EF486C62A0CB74C9498B03

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002870C Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

<+o, xrefs: 000000018002884F

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: <+o
API String ID: 0-2035106886
Opcode ID: a127c5cda714885b89af0befeec2260f70d516272a3ffbf2c9e998cd35b08532
Instruction ID: 908cc80fe280ddd0bfa2415e6bae89ce11b1f5b72da4428c53a3215ac7c7145d
Opcode Fuzzy Hash: a127c5cda714885b89af0befeec2260f70d516272a3ffbf2c9e998cd35b08532
Instruction Fuzzy Hash: 7A51DFB090034E8BCB48CF68C9965DE7BB0FB58348F11861DEC26AA350D3B4D664CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180015388 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

2d, xrefs: 0000000180015418

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 2d
API String ID: 0-3866551247
Opcode ID: 21f6d5c278180fa64e04e12198f4d62966834cfebc9beba359b958e849a1d965
Instruction ID: 258b54a6104a0115c80ff1d617aa7636393a642c0cf89d14f7baa21f525a3413
Opcode Fuzzy Hash: 21f6d5c278180fa64e04e12198f4d62966834cfebc9beba359b958e849a1d965
Instruction Fuzzy Hash: 4641CFB05087858FD358DF68C58A61AFBF1BBCA344F108A1EF685CB260D7B6D945CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800250CC Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

ZF{;, xrefs: 0000000180025218

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ZF{;
API String ID: 0-2351138993
Opcode ID: 1a3b70ac63407bc6b31dbd99811dd9b011c38cdabefff78aa14352df61b26e81
Instruction ID: 7873f037b774218c73d9d67b0eeaf548a3a2a69e6d8f7c9b30684cba1c01e4e1
Opcode Fuzzy Hash: 1a3b70ac63407bc6b31dbd99811dd9b011c38cdabefff78aa14352df61b26e81
Instruction Fuzzy Hash: 525192B180034A8FCB48CF68D48A5DE7FB0FB68398F20461DF956A6250D3B596A4CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180011834 Relevance: 1.3, Strings: 1, Instructions: 91COMMON

Download Yara Rule

Strings

o^, xrefs: 00000001800118C1

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: o^
API String ID: 0-3380573087
Opcode ID: 0d6f3437d03fe5aa4f51e8e74fa4409d34d0e7854ad8eda007dad4bfdfa39413
Instruction ID: 59a9f6ae0c87b179395b4bbd7662f2404235addd18437060f8b1d9c1d0f8b2e4
Opcode Fuzzy Hash: 0d6f3437d03fe5aa4f51e8e74fa4409d34d0e7854ad8eda007dad4bfdfa39413
Instruction Fuzzy Hash: 97419FB091034A9FCB48DF68C4865CEBFB0FB68394F20561AF856A6250D3B4D6A4CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180017CE4 Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

8N, xrefs: 0000000180017DB3

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 8N
API String ID: 0-1657423088
Opcode ID: c7b73ac620a1de8d380d3e919fde74086c8d3eb6f51cee4e1f73d7d71f9b17a5
Instruction ID: 05e8e8e61cf54c40f354227930f27795623571b92907d2ce5de0c79af9b5eb72
Opcode Fuzzy Hash: c7b73ac620a1de8d380d3e919fde74086c8d3eb6f51cee4e1f73d7d71f9b17a5
Instruction Fuzzy Hash: 3041B2B180078A8FCF48DF68D88A5DE7BF0FB48344F515619F82AA6250D3B49664CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002178 Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

J3n, xrefs: 00000001800021BA

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: J3n
API String ID: 0-3694000235
Opcode ID: 5e0585a393d7b877ef62559883b768be0e35881de92711842f1faa0fdb5b3090
Instruction ID: fbc63d1771dd8068db465c214aa1fa6fe3c32017f13d31a40a539671eb8e3db3
Opcode Fuzzy Hash: 5e0585a393d7b877ef62559883b768be0e35881de92711842f1faa0fdb5b3090
Instruction Fuzzy Hash: 9241B2B090034A8FCB48CF64D48A5DEBFF0FB68398F104619E819A6250D3B496A5CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001F7C0 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

c&A, xrefs: 000000018001F817

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: c&A
API String ID: 0-649646960
Opcode ID: 222d628d9e4dbd3e938f419e6eccfde97dede3f6fc3ed5f8b1cf47718be42e18
Instruction ID: 5c1e29145451eb3f41bdf5aebc87db8614fe3fe022aa4abe865b5bb925589833
Opcode Fuzzy Hash: 222d628d9e4dbd3e938f419e6eccfde97dede3f6fc3ed5f8b1cf47718be42e18
Instruction Fuzzy Hash: A041B2B490038E8FCF48DF68D8465DE7BB0FF58348F114619E865A6250D3B8D665CF85

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800029BC Relevance: 1.3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

Strings

(3, xrefs: 0000000180002ABA

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: (3
API String ID: 0-2570504824
Opcode ID: a8e5f93200cbe41d1aa1f83add337e38aaec9fa9aeab5943e76885fb2eb57509
Instruction ID: 078cae481ecab5ebae8a44fc1aa70e5a526d9ef7cdb5a4e390aeab476efd0bb7
Opcode Fuzzy Hash: a8e5f93200cbe41d1aa1f83add337e38aaec9fa9aeab5943e76885fb2eb57509
Instruction Fuzzy Hash: 8641E1B190034E8BCB48DF65C89A4EE7FB0FB58388F10461DE856AB250D37496A9CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002C7B4 Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

[r\^, xrefs: 000000018002C8A4

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: [r\^
API String ID: 0-4041245994
Opcode ID: 7e09be878869778b676359d511607d642bff81e0c723db1b86f2cce54c765f10
Instruction ID: bef136deadb7757a9af36730b388b650d276232742e73576b67fc962b3bf4495
Opcode Fuzzy Hash: 7e09be878869778b676359d511607d642bff81e0c723db1b86f2cce54c765f10
Instruction Fuzzy Hash: A841E2B090034E8FCB48DFA4D48A5DE7FB1FB58358F10861DE85AA6210C3B896A4CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180019FDC Relevance: 1.3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

#X, xrefs: 000000018001A072

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #X
API String ID: 0-1684620495
Opcode ID: e5059ebb106ab31542f79bed70f85174c6c5fb64cd94bc4155e3ee01b83e8653
Instruction ID: c074d48008b4f0de6335b08329d09b3dcf7b4425e670a70b5eb694557c772c54
Opcode Fuzzy Hash: e5059ebb106ab31542f79bed70f85174c6c5fb64cd94bc4155e3ee01b83e8653
Instruction Fuzzy Hash: CD31C27050074A8BCF48DF68C48A5DE7FA1BB68388F204619F85A96250D3B896A9CBC4

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002790 Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

[[x, xrefs: 00000001800028BE

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: [[x
API String ID: 0-2553898450
Opcode ID: fce498f01d1264328632f2ce3828285d2b3a4cfcf13af4523760d9f610b529f8
Instruction ID: a8e0a129d75fff214b9f34755e9293911d3f443417a5185f62d90841b3dbcaf2
Opcode Fuzzy Hash: fce498f01d1264328632f2ce3828285d2b3a4cfcf13af4523760d9f610b529f8
Instruction Fuzzy Hash: 8031AF701087848BD759DF68D48A51EFFF1FBC5398F500A0CF68286260D7B6E889CB42

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001E960 Relevance: 1.3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

Strings

g\&, xrefs: 000000018001E9C1

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: g\&
API String ID: 0-1994035986
Opcode ID: f1cd2deb5ac8493e30d5546e6bad4ad0a2e3582185550e3a432f48c3f1068d26
Instruction ID: 78d7b7b30cf9cde697684abc63e3144e4f3c104511914dfd36499d518091e057
Opcode Fuzzy Hash: f1cd2deb5ac8493e30d5546e6bad4ad0a2e3582185550e3a432f48c3f1068d26
Instruction Fuzzy Hash: 49419FB090034E8FCB45CF64D48A5DEBFF0FB68788F204619E855A6220D37496A9CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000338C Relevance: 1.3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

Strings

#X, xrefs: 0000000180003431

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #X
API String ID: 0-1684620495
Opcode ID: d6f38c749d7bf2c025576eea968cfd60362aaf86b7b5e01395e428e1a7e85413
Instruction ID: 6a57ff0d0e6417dcb220414ddd6fd05f9d25965c1474ecef6a781787815c5441
Opcode Fuzzy Hash: d6f38c749d7bf2c025576eea968cfd60362aaf86b7b5e01395e428e1a7e85413
Instruction Fuzzy Hash: 0F317FB06187858B8348DF28C45A41ABBE1FB8D31DF504B1DF8CAA7390D738D656CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800095DC Relevance: 1.3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

Strings

GfMu, xrefs: 0000000180009601

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: GfMu
API String ID: 0-241548529
Opcode ID: 8a67e3bf7b4199a1d3604c9779ca93a2bad0c6c3acd17a475ebbae523034d89b
Instruction ID: 459bd1ae445ea4b99a05d17f5b7f57a0228a98ad0e4316bc4572b1ae85115cb6
Opcode Fuzzy Hash: 8a67e3bf7b4199a1d3604c9779ca93a2bad0c6c3acd17a475ebbae523034d89b
Instruction Fuzzy Hash: 3F31A4B080034E9FCB44DF65C88A5DE7FB0FB28398F118619E859A6254D3B8D6A5CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000F9E8 Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

k|, xrefs: 000000018000FABD

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: k|
API String ID: 0-998972391
Opcode ID: 6236ffa949a3ca0ec4882c0e2f53e6d4deed0830cebabbf337115adf18185b80
Instruction ID: 2ac7c004f44a328b632a383646e80911aebdd3a2d92afb1c4fde4e6b566515e4
Opcode Fuzzy Hash: 6236ffa949a3ca0ec4882c0e2f53e6d4deed0830cebabbf337115adf18185b80
Instruction Fuzzy Hash: 0E316BB55187858BC348DF28C44A41ABBE0FB8D70DF401B2EF4CAAA254D778D646CB4B

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001D950 Relevance: 1.3, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

wz_, xrefs: 000000018001D9E9

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: wz_
API String ID: 0-2163964638
Opcode ID: b40e6b262b7e1498d3f21ab3c4cda150b043a181806bf38e185a76218508c891
Instruction ID: 85abef5d63a3cc0fc3de64b3cbe2355aa0dee9f977196367498a1db9d5329f65
Opcode Fuzzy Hash: b40e6b262b7e1498d3f21ab3c4cda150b043a181806bf38e185a76218508c891
Instruction Fuzzy Hash: 1B31A3B190438E9FCB84CF64D88A5DE7BB0FB58358F104A19EC69A6210D3B4C665CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000580C Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

{?Q, xrefs: 00000001800058F9

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: {?Q
API String ID: 0-927583641
Opcode ID: 839c14ccb0eb6183acb001e089a9759e5faeed76da85f154f8e90dad145701fc
Instruction ID: 7795a7564029993a5c8c4ac1e25182a2d51a1c6f7b8e281b16b6dc8244c6ef4e
Opcode Fuzzy Hash: 839c14ccb0eb6183acb001e089a9759e5faeed76da85f154f8e90dad145701fc
Instruction Fuzzy Hash: A431A4B4529780ABC788DF28C49691EBBF1FBC9314F806A1CF9868A350D775D855CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180021510 Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

|}6\, xrefs: 00000001800215C8

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: |}6\
API String ID: 0-3074799505
Opcode ID: 23fa338bd40b2aad003d9f0634311d3454ffb754a67c2adf2f847410751a50d9
Instruction ID: deee1345628e574e08842a382b14917b2dc53efdf1581624b2725d4aab218cc2
Opcode Fuzzy Hash: 23fa338bd40b2aad003d9f0634311d3454ffb754a67c2adf2f847410751a50d9
Instruction Fuzzy Hash: 06216EB4529380AB8388DF29C48981EBBF0FBC9344F906A1EF88696364D775D445CB02

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001FA38 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

3&a, xrefs: 000000018001FB09

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 3&a
API String ID: 0-537350193
Opcode ID: beaf1e19c187a0f85b52ebc77c111716efe920449ad97bd8647c465ec4e93b8f
Instruction ID: 8a645f8d3c8cc56bac308d2d2ecdfd486002fa9c5fd877c3d873e02a569d50ca
Opcode Fuzzy Hash: beaf1e19c187a0f85b52ebc77c111716efe920449ad97bd8647c465ec4e93b8f
Instruction Fuzzy Hash: 39216E74528781AFC788DF28D49981FBBE1FB88304F806A1DF88687360D774D459CB42

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001435C Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

o0:X, xrefs: 000000018001438E

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: o0:X
API String ID: 0-645126758
Opcode ID: 16e91aede479f97639727f95d3587bc05ccff40046920f17c5bc1350390a4fa4
Instruction ID: 22f452758bb10e6d75f49cffb2921ccf5c0237a957934827f7fc810dfbc33e73
Opcode Fuzzy Hash: 16e91aede479f97639727f95d3587bc05ccff40046920f17c5bc1350390a4fa4
Instruction Fuzzy Hash: AC2168B060C7848BD348DF68C49691ABBE0FB9D358F504B1DF4CAAA261D3789645CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180020CFC Relevance: 1.3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

Strings

D4}, xrefs: 0000000180020DB4

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: D4}
API String ID: 0-491520632
Opcode ID: e694fe3bb7f23863c566d88b3f3e9b79af36947dfdaac95326105a138b36f14b
Instruction ID: bbb3bee9fa9cdc8f6282772afd18f295cdd348f2c7f059baa6db29b6d6e0bb5b
Opcode Fuzzy Hash: e694fe3bb7f23863c566d88b3f3e9b79af36947dfdaac95326105a138b36f14b
Instruction Fuzzy Hash: A9215DB550C3848BC788DF28C49651BBBE1BB8C318F444B2DF4CAAA365D7789654CF4A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BBAA0C Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerPresentTerminate_errno_getptd
String ID:
API String ID: 1583075380-0
Opcode ID: b49a52df605eb860e81aecf945551c905b422740176ff48a34f4eb53aef691de
Instruction ID: 837737e7a23196a94d1ec805671ff5fe8d19e583ca88f3514c8cd26c1f9d7872
Opcode Fuzzy Hash: b49a52df605eb860e81aecf945551c905b422740176ff48a34f4eb53aef691de
Instruction Fuzzy Hash: 39A19432F1858141DB749F359A257AEA2A2BB85BC4F489135DE4D97F95CE3CE1118304

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BBEB60 Relevance: .2, Instructions: 202COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9410001777fc81e6582bcbf2c9e1b051a8f1f2b874c05684980e9ac5d71aab9
Instruction ID: f4ad761ee9f27d0995070b147e332bdf7fc68385d690035b47a8aa45d70d9cfc
Opcode Fuzzy Hash: d9410001777fc81e6582bcbf2c9e1b051a8f1f2b874c05684980e9ac5d71aab9
Instruction Fuzzy Hash: 8171C576F181464BD36C8B28DD6167CA6E6F7E4304F58A135D90ACABB4EE39FA008744

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180018598 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d0a71211182b7f87b6da8fb5c4bb16c050ce1c1bc57c3eb72ccfc764dcd8f25
Instruction ID: 8540b9e78b3a5a21de6b0995fa07f246b5a6616f24314d9c292e70c997d69f1a
Opcode Fuzzy Hash: 5d0a71211182b7f87b6da8fb5c4bb16c050ce1c1bc57c3eb72ccfc764dcd8f25
Instruction Fuzzy Hash: 03916670904B0D8BDF48DF94C48A1EEBBF1FB48358F15821DE84AA7250DB749A89CF85

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000F7E0 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efccbdecd07d61b7fd9807909e593046fc70b22fd17ef27bebbdee29ceef9f7a
Instruction ID: b4cc55b2ba55f7836136ac8b5ed3643aad821ec95d31101853fef74eb9d9cec8
Opcode Fuzzy Hash: efccbdecd07d61b7fd9807909e593046fc70b22fd17ef27bebbdee29ceef9f7a
Instruction Fuzzy Hash: FF51787090470DABDBA9CF64C4893EEBBF0FB48354F60806DE85697390DB749A85CB81

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001DBE8 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1505da822373411ddcecd725c63ebafe53e843356a51ddc09aa4b8a95d314011
Instruction ID: 8a210f576f06192acb1348665dce29b8299704b90f8c36c4c02948eefca36544
Opcode Fuzzy Hash: 1505da822373411ddcecd725c63ebafe53e843356a51ddc09aa4b8a95d314011
Instruction Fuzzy Hash: 98819EB590034E8FCB48CF68C48A5DE7FB0BB68394F614219F8569A260D774DAA5CFC4

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180019300 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 197fc001b9ca96d8c078894440fafc4def679aa452f545048d4dbe605d0ae04d
Instruction ID: a715a821166c3325a5f96f2d5301173626eb48cd37bd72c2dcb4fea3562e42b3
Opcode Fuzzy Hash: 197fc001b9ca96d8c078894440fafc4def679aa452f545048d4dbe605d0ae04d
Instruction Fuzzy Hash: 79512EB150074A8BDB49DF28C0D76AE3FE1EB64388F20411DFD468A295D774DAA9CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001CD38 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7aced778150c02bbca5db0e3f41738242a846810a111e238ccae7171f94d46c
Instruction ID: fc479b7e82b21315ffd406d8fba444b33d09de74539f70da2a8813263b1569c5
Opcode Fuzzy Hash: f7aced778150c02bbca5db0e3f41738242a846810a111e238ccae7171f94d46c
Instruction Fuzzy Hash: 65416D7020DB488FD768DF18948975ABBF0FB9A740F404A9DE5CAC7256D771D844CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800197A0 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97ae2c8ea2cdf4840b91f894fd37a694475120081486fc145809f74360d0bada
Instruction ID: dbb4fad0742d9b29c59b9a64f17438fc1cba9462e735a4e3b2d00d7b8da19945
Opcode Fuzzy Hash: 97ae2c8ea2cdf4840b91f894fd37a694475120081486fc145809f74360d0bada
Instruction Fuzzy Hash: 4C5192B490038E8FCB48CF69C84A5DE7BB1FB48358F104A19FC26A6250D7B4D665CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180008AD8 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b44f26b2e4c7e97ddfb81a3adbda3d77288edc4ecbe0bae8cc8933f1c33e44
Instruction ID: 08efbb833ea687ad733901112953304226336fcfa3581264405f9509991f6ff4
Opcode Fuzzy Hash: f1b44f26b2e4c7e97ddfb81a3adbda3d77288edc4ecbe0bae8cc8933f1c33e44
Instruction Fuzzy Hash: 6551BEB490074A8BCB48CF68D4875DE7FB0FB68398F20421DEC56AA250D3B496A5CFD4

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180009F5C Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16eb5be53274359ca32061ddf2fd9752b6767c1a5dd3248deb14ec1aa5e29bf1
Instruction ID: 52c1f8436ada09c5d91cc0f6a0e49c089501cc81ef075f7e28a52ff611ebfcf9
Opcode Fuzzy Hash: 16eb5be53274359ca32061ddf2fd9752b6767c1a5dd3248deb14ec1aa5e29bf1
Instruction Fuzzy Hash: D351B3B190438E8FCB48DF68D98A5DE7BB0FB48348F104A19FC26A6250D3B4D664CF85

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000F917 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcde6b28aa1f9cc532f581acc23668cd4c3c6920105dcd3780d199daaa58310a
Instruction ID: 871f118089c9e262c63038bd4f0fd9666d89e9c6fa6f13266ea976bdce614408
Opcode Fuzzy Hash: bcde6b28aa1f9cc532f581acc23668cd4c3c6920105dcd3780d199daaa58310a
Instruction Fuzzy Hash: CB41393190071DABDB95CFA4C8892EEBBF1FF44358F608159E852A7384DBB49685CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180019E78 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be6c09d37bb88d9ef1cd1e4f7c6fe28a3503fab801bd979a9297db1a45dede51
Instruction ID: 72cb41ac5f9990f9c197b8bd4b5430fc958a2c545255f7632808fe9bc15cd904
Opcode Fuzzy Hash: be6c09d37bb88d9ef1cd1e4f7c6fe28a3503fab801bd979a9297db1a45dede51
Instruction Fuzzy Hash: A141D27090034A8BCB48DF68D8865DE7FB0FB58388F20461DE81AA6350D3B896A5CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180001FE0 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 937cbbccdfb62f32f5a53fbe7826fb6fdb7ed657b014fade726fdd4e8827f138
Instruction ID: 5a85513126e01a98bb902dccfe4af02f6196fd3989a765a33a65cbdcda0cb452
Opcode Fuzzy Hash: 937cbbccdfb62f32f5a53fbe7826fb6fdb7ed657b014fade726fdd4e8827f138
Instruction Fuzzy Hash: 0641E5B091038A8FCF88DF64D84A5DE7BB0FB58358F104A1DFC65A6250E3B49664CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180015CB0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17a73d98c2b5216e6ebfe3da59b71ff0bc58f6e68d4a2580613c8fab7b77e503
Instruction ID: 77361ced58272e7b73a95c704b243c92926a81ca7bf4620d616fd1e275fcbc28
Opcode Fuzzy Hash: 17a73d98c2b5216e6ebfe3da59b71ff0bc58f6e68d4a2580613c8fab7b77e503
Instruction Fuzzy Hash: A841D2B190434E8FCB48DF68C4865DE7FF0FB58388F204219E859A6250D3B896A5CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BBA77C Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: _getptd
String ID:
API String ID: 3186804695-0
Opcode ID: 07c06ba19e2310f742034fc51624b2b683580184b74621a532736302abba6d70
Instruction ID: 10f7ed8437342b922bf61d679db088ff69bf528cf122ab7763bfe339a6fa4a8a
Opcode Fuzzy Hash: 07c06ba19e2310f742034fc51624b2b683580184b74621a532736302abba6d70
Instruction Fuzzy Hash: 62319222E1868141EB649B3AD8253AE66B1FB85BC0F585135EE4E47BA5DE3CD501C708

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000C4B4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3646060d8cb761d7de136982460322f3472e8f5a21e87ad1ead63779f29ae52
Instruction ID: 4f2f4704f2b9e1c234c275d0f4f9a14eb4d491f2b4b6dbd4d57755e8fe2c6edd
Opcode Fuzzy Hash: d3646060d8cb761d7de136982460322f3472e8f5a21e87ad1ead63779f29ae52
Instruction Fuzzy Hash: 6341C4B090438ECFCF48CF68C8895CE7BB0FF58358F114A19E825A6250D3B49665CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800157D8 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d53fd4730f7ea41163b882b7fe0da69ca66e61df5fc81e281dc4420083e2c61
Instruction ID: 4854a602bbf38c78d9fab67e5db6ce586c5dff59e36b89151347ba9907d49bba
Opcode Fuzzy Hash: 1d53fd4730f7ea41163b882b7fe0da69ca66e61df5fc81e281dc4420083e2c61
Instruction Fuzzy Hash: D13189B0529781ABD78CDF28C49981EBBE1FBC8344FC46A2DF9868B350D7749405CB46

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001F944 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 213fcaffb4d8b257d73b1e87ee3d57575e303918952cee2d1b890f97e83a5388
Instruction ID: a8885bbbd8deb659e28c33910928e4ea9ad8e802d57f0785ac04cb05f9903a21
Opcode Fuzzy Hash: 213fcaffb4d8b257d73b1e87ee3d57575e303918952cee2d1b890f97e83a5388
Instruction Fuzzy Hash: 802160B0528784AFC398DF28D49981ABBF1FB89344F806A1DF98687350E374D459CB43

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800124B4 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 789a1fcad167e99ddc40482d8caf18e48711ae2075d057cfa5242344ff1b2506
Instruction ID: 3e7ffcddda8d873ed620f17f9684606eb13d1dd5f0b21141b7977a2e64531d07
Opcode Fuzzy Hash: 789a1fcad167e99ddc40482d8caf18e48711ae2075d057cfa5242344ff1b2506
Instruction Fuzzy Hash: AF217F74529780AFC788DF29C08981EBBE1FB99748F806A1DF88697354D375D445CF42

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800141C0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.401404502.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 825ba780bde58c245e7a1d3728ec0527652b1ee71a04877d42e2af350f08e315
Instruction ID: 85e8bde3e512593198615bb83ad7c533a741442781c438c8658c5734f088230b
Opcode Fuzzy Hash: 825ba780bde58c245e7a1d3728ec0527652b1ee71a04877d42e2af350f08e315
Instruction Fuzzy Hash: AA2148B4508384CBD349DF29D05951BBBE0BB8D75CF900B1DF4CAAB264D7789644CB0A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BBDF20 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7cc4962d52e3e4a2947f3a3b752558ec936755315000d7411880e05df0ff2ae
Instruction ID: a9fada880666985ce08a18f9a1f547edd74f8eac46501c11455bf7efca8cad68
Opcode Fuzzy Hash: d7cc4962d52e3e4a2947f3a3b752558ec936755315000d7411880e05df0ff2ae
Instruction Fuzzy Hash: EEB09B25F0D754454765470758045195593B79CFD460450359D0D53B64D93C96404740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BB98A4 Relevance: 53.8, APIs: 43, Instructions: 94COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 00007FFF21BB98B9

Part of subcall function 00007FFF21BB3024: HeapFree.KERNEL32(?,?,00000000,00007FFF21BB2DDC,?,?,?,00007FFF21BB2DFF,?,?,?,00007FFF21BB254F,?,?,?,00007FFF21BB262A), ref: 00007FFF21BB303A
Part of subcall function 00007FFF21BB3024: _errno.LIBCMT ref: 00007FFF21BB3044
Part of subcall function 00007FFF21BB3024: GetLastError.KERNEL32(?,?,00000000,00007FFF21BB2DDC,?,?,?,00007FFF21BB2DFF,?,?,?,00007FFF21BB254F,?,?,?,00007FFF21BB262A), ref: 00007FFF21BB304C

free.LIBCMT ref: 00007FFF21BB98C2
free.LIBCMT ref: 00007FFF21BB98CB
free.LIBCMT ref: 00007FFF21BB98D4
free.LIBCMT ref: 00007FFF21BB98DD
free.LIBCMT ref: 00007FFF21BB98E6
free.LIBCMT ref: 00007FFF21BB98EE
free.LIBCMT ref: 00007FFF21BB98F7
free.LIBCMT ref: 00007FFF21BB9900
free.LIBCMT ref: 00007FFF21BB9909
free.LIBCMT ref: 00007FFF21BB9912
free.LIBCMT ref: 00007FFF21BB991B
free.LIBCMT ref: 00007FFF21BB9924
free.LIBCMT ref: 00007FFF21BB992D
free.LIBCMT ref: 00007FFF21BB9936
free.LIBCMT ref: 00007FFF21BB993F
free.LIBCMT ref: 00007FFF21BB994B
free.LIBCMT ref: 00007FFF21BB9957
free.LIBCMT ref: 00007FFF21BB9963
free.LIBCMT ref: 00007FFF21BB996F
free.LIBCMT ref: 00007FFF21BB997B
free.LIBCMT ref: 00007FFF21BB9987
free.LIBCMT ref: 00007FFF21BB9993
free.LIBCMT ref: 00007FFF21BB999F
free.LIBCMT ref: 00007FFF21BB99AB
free.LIBCMT ref: 00007FFF21BB99B7
free.LIBCMT ref: 00007FFF21BB99C3
free.LIBCMT ref: 00007FFF21BB99CF
free.LIBCMT ref: 00007FFF21BB99DB
free.LIBCMT ref: 00007FFF21BB99E7
free.LIBCMT ref: 00007FFF21BB99F3
free.LIBCMT ref: 00007FFF21BB99FF
free.LIBCMT ref: 00007FFF21BB9A0B
free.LIBCMT ref: 00007FFF21BB9A17
free.LIBCMT ref: 00007FFF21BB9A23
free.LIBCMT ref: 00007FFF21BB9A2F
free.LIBCMT ref: 00007FFF21BB9A3B
free.LIBCMT ref: 00007FFF21BB9A47
free.LIBCMT ref: 00007FFF21BB9A53
free.LIBCMT ref: 00007FFF21BB9A5F
free.LIBCMT ref: 00007FFF21BB9A6B
free.LIBCMT ref: 00007FFF21BB9A77
free.LIBCMT ref: 00007FFF21BB9A83

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID:
API String ID: 1012874770-0
Opcode ID: b5d5b29a13da0feaba005b5cdbb38ef60d3e58c86b165e4530729409fd253580
Instruction ID: 7d9f93f2a6759918aa09a2ccfbcef3b34c79bc1c291ab9376ad735e6d498ffe5
Opcode Fuzzy Hash: b5d5b29a13da0feaba005b5cdbb38ef60d3e58c86b165e4530729409fd253580
Instruction Fuzzy Hash: 9A418322E5588281EB76EA21DCA23BD52B0BF88B44F447131EE4D8AAB6CE15D945C354

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BB7BE8 Relevance: 22.8, APIs: 11, Strings: 2, Instructions: 78libraryloaderCOMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32 ref: 00007FFF21BB7C06
_errno.LIBCMT ref: 00007FFF21BB7C13

Part of subcall function 00007FFF21BB66D8: DecodePointer.KERNEL32 ref: 00007FFF21BB66FF

LoadLibraryA.KERNEL32 ref: 00007FFF21BB7C4F
GetProcAddress.KERNEL32 ref: 00007FFF21BB7C67
_errno.LIBCMT ref: 00007FFF21BB7C75
GetLastError.KERNEL32 ref: 00007FFF21BB7C7D
GetLastError.KERNEL32 ref: 00007FFF21BB7CA0

Strings

ADVAPI32.DLL, xrefs: 00007FFF21BB7C48
SystemFunction036, xrefs: 00007FFF21BB7C5D

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: DecodeErrorLastPointer_errno$AddressLibraryLoadProc
String ID: ADVAPI32.DLL$SystemFunction036
API String ID: 1558914745-1064046199
Opcode ID: a4bc4b26b88413057c65bce35d9d543f8071dd4b5a3168f49804b7622c4c0c09
Instruction ID: ca9a033f050ce10914911ac3fbfdf44463ae18092c043f36ccd1b4df420a3941
Opcode Fuzzy Hash: a4bc4b26b88413057c65bce35d9d543f8071dd4b5a3168f49804b7622c4c0c09
Instruction Fuzzy Hash: 0A314325E0964246FB20AB65EC2527D23F1BF44B80F446438DE0DC7FA5EE3CE6458648

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BC028C Relevance: 21.3, APIs: 14, Instructions: 348COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FFF21BC07CE), ref: 00007FFF21BC02F9
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FFF21BC07CE), ref: 00007FFF21BC030D
GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FFF21BC07CE), ref: 00007FFF21BC0410

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: CompareErrorInfoLastString
String ID:
API String ID: 3723911898-0
Opcode ID: 1736e87f58a818c08770fb04f896c77e61df6c5aeab6e96dba7049e62cf85715
Instruction ID: 081010462dfbb6269fe50bd62f8e962295e204aa161dd044e710915fe881dcd6
Opcode Fuzzy Hash: 1736e87f58a818c08770fb04f896c77e61df6c5aeab6e96dba7049e62cf85715
Instruction Fuzzy Hash: 9DE18226E0A2828FEB308F11989467E77F2FB84794F546535DA5D87BE4CE3CA944C708

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BB76A0 Relevance: 19.7, APIs: 13, Instructions: 182COMMON

Download Yara Rule

APIs

_lock.LIBCMT ref: 00007FFF21BB77F1
SetConsoleCtrlHandler.KERNEL32 ref: 00007FFF21BB7816
__doserrno.LIBCMT ref: 00007FFF21BB7829
GetLastError.KERNEL32 ref: 00007FFF21BB7831
DecodePointer.KERNEL32 ref: 00007FFF21BB786F
EncodePointer.KERNEL32 ref: 00007FFF21BB7884
DecodePointer.KERNEL32 ref: 00007FFF21BB7899
EncodePointer.KERNEL32 ref: 00007FFF21BB78AA
DecodePointer.KERNEL32 ref: 00007FFF21BB78BF
EncodePointer.KERNEL32 ref: 00007FFF21BB78D0
DecodePointer.KERNEL32 ref: 00007FFF21BB78E5
EncodePointer.KERNEL32 ref: 00007FFF21BB78F6
_errno.LIBCMT ref: 00007FFF21BB792C

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: Pointer$DecodeEncode$ConsoleCtrlErrorHandlerLast__doserrno_errno_lock
String ID:
API String ID: 3466867069-0
Opcode ID: 789b8b4bb0ab73352cc37038b561749136146399fcf5725f1f3e9913cb8e60dd
Instruction ID: 6c3edc731cd92c34e595549b9fadbb530592dfc77480808da0abff7037dda5bb
Opcode Fuzzy Hash: 789b8b4bb0ab73352cc37038b561749136146399fcf5725f1f3e9913cb8e60dd
Instruction Fuzzy Hash: 20719921E0960255FB7A971ADC7627D22F1BF81780F182536CD9EC6EF1DE2CEA41C249

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BB2E18 Relevance: 18.1, APIs: 12, Instructions: 82COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 00007FFF21BB2E37

Part of subcall function 00007FFF21BB3024: HeapFree.KERNEL32(?,?,00000000,00007FFF21BB2DDC,?,?,?,00007FFF21BB2DFF,?,?,?,00007FFF21BB254F,?,?,?,00007FFF21BB262A), ref: 00007FFF21BB303A
Part of subcall function 00007FFF21BB3024: _errno.LIBCMT ref: 00007FFF21BB3044
Part of subcall function 00007FFF21BB3024: GetLastError.KERNEL32(?,?,00000000,00007FFF21BB2DDC,?,?,?,00007FFF21BB2DFF,?,?,?,00007FFF21BB254F,?,?,?,00007FFF21BB262A), ref: 00007FFF21BB304C

free.LIBCMT ref: 00007FFF21BB2E45
free.LIBCMT ref: 00007FFF21BB2E53
free.LIBCMT ref: 00007FFF21BB2E61
free.LIBCMT ref: 00007FFF21BB2E6F
free.LIBCMT ref: 00007FFF21BB2E7D
free.LIBCMT ref: 00007FFF21BB2E8E
free.LIBCMT ref: 00007FFF21BB2EA6
_lock.LIBCMT ref: 00007FFF21BB2EB0
free.LIBCMT ref: 00007FFF21BB2EDE
_lock.LIBCMT ref: 00007FFF21BB2EF3
free.LIBCMT ref: 00007FFF21BB2F3D

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: free$_lock$ErrorFreeHeapLast_errno
String ID:
API String ID: 1575098132-0
Opcode ID: d886c0d7000bdee151ce2691e9d9b5ad3208a0c45e3f1c810682f6e78acd55a8
Instruction ID: f5640126ab113db89a3dce02a55df39e126d97883aef986debf5e9160aa74603
Opcode Fuzzy Hash: d886c0d7000bdee151ce2691e9d9b5ad3208a0c45e3f1c810682f6e78acd55a8
Instruction Fuzzy Hash: 3231F611E0A54285FF79EA629CB137D62F0BF84B44F443575EE0E86AB6CE1CBA408359

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BC0A34 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 256COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FFF21BC0A5C

Part of subcall function 00007FFF21BB66D8: DecodePointer.KERNEL32 ref: 00007FFF21BB66FF

__wtomb_environ.LIBCMT ref: 00007FFF21BC0B55
_errno.LIBCMT ref: 00007FFF21BC0B5F
free.LIBCMT ref: 00007FFF21BC0C51
SetEnvironmentVariableA.KERNEL32 ref: 00007FFF21BC0D9C
_errno.LIBCMT ref: 00007FFF21BC0DAA
free.LIBCMT ref: 00007FFF21BC0DB8
free.LIBCMT ref: 00007FFF21BC0DC5
free.LIBCMT ref: 00007FFF21BC0DD7

Strings

@CW, xrefs: 00007FFF21BC0AB7, 00007FFF21BC0BC9, 00007FFF21BC0C23, 00007FFF21BC0C95, 00007FFF21BC0CAE

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: free$_errno$DecodeEnvironmentPointerVariable__wtomb_environ
String ID: @CW
API String ID: 3451773520-2709556291
Opcode ID: e694225545c17882180803efd4dd10bf6022db2104e00cc5aed2eaf73a595679
Instruction ID: a9cedf31461e26252f2753ab871bfb2a96ed5dec6894bb9746f90a78b2057f66
Opcode Fuzzy Hash: e694225545c17882180803efd4dd10bf6022db2104e00cc5aed2eaf73a595679
Instruction Fuzzy Hash: 3CA1A229E0B64249EB20AB15ED1027E62F1FF40798F14A635DE5DC7BF5DE3CA4958308

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BBA250 Relevance: 15.3, APIs: 10, Instructions: 253COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32 ref: 00007FFF21BBA377

Part of subcall function 00007FFF21BB7D10: GetLastError.KERNEL32 ref: 00007FFF21BB7D79
Part of subcall function 00007FFF21BB7D10: free.LIBCMT ref: 00007FFF21BB7E05

free.LIBCMT ref: 00007FFF21BBA540
free.LIBCMT ref: 00007FFF21BBA550
free.LIBCMT ref: 00007FFF21BBA560
free.LIBCMT ref: 00007FFF21BBA56C
free.LIBCMT ref: 00007FFF21BBA5C1
free.LIBCMT ref: 00007FFF21BBA5C9
free.LIBCMT ref: 00007FFF21BBA5D1
free.LIBCMT ref: 00007FFF21BBA5D9
free.LIBCMT ref: 00007FFF21BBA5E3

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: free$ErrorInfoLast
String ID:
API String ID: 189849726-0
Opcode ID: 5e1deda3965494b22b6a4b1c1a8d863e304f3e95d2d689d04d0c4e6b189d07b4
Instruction ID: f72d10344d22f65206ec499cea91a85fd4da24720d325289b6c8058be0c0c4d4
Opcode Fuzzy Hash: 5e1deda3965494b22b6a4b1c1a8d863e304f3e95d2d689d04d0c4e6b189d07b4
Instruction Fuzzy Hash: 0DB1BF32E0969186DB20CF25A8A02AD77E4FB49744F845136EF5C87BA1DF3DD641C708

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BB4F04 Relevance: 13.8, APIs: 11, Instructions: 90COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 00007FFF21BB4F50

Part of subcall function 00007FFF21BB3024: HeapFree.KERNEL32(?,?,00000000,00007FFF21BB2DDC,?,?,?,00007FFF21BB2DFF,?,?,?,00007FFF21BB254F,?,?,?,00007FFF21BB262A), ref: 00007FFF21BB303A
Part of subcall function 00007FFF21BB3024: _errno.LIBCMT ref: 00007FFF21BB3044
Part of subcall function 00007FFF21BB3024: GetLastError.KERNEL32(?,?,00000000,00007FFF21BB2DDC,?,?,?,00007FFF21BB2DFF,?,?,?,00007FFF21BB254F,?,?,?,00007FFF21BB262A), ref: 00007FFF21BB304C

Part of subcall function 00007FFF21BB9DF8: free.LIBCMT ref: 00007FFF21BB9E16
Part of subcall function 00007FFF21BB9DF8: free.LIBCMT ref: 00007FFF21BB9E28
Part of subcall function 00007FFF21BB9DF8: free.LIBCMT ref: 00007FFF21BB9E3A
Part of subcall function 00007FFF21BB9DF8: free.LIBCMT ref: 00007FFF21BB9E4C
Part of subcall function 00007FFF21BB9DF8: free.LIBCMT ref: 00007FFF21BB9E5E
Part of subcall function 00007FFF21BB9DF8: free.LIBCMT ref: 00007FFF21BB9E70
Part of subcall function 00007FFF21BB9DF8: free.LIBCMT ref: 00007FFF21BB9E82

free.LIBCMT ref: 00007FFF21BB4F72
free.LIBCMT ref: 00007FFF21BB4F8A
free.LIBCMT ref: 00007FFF21BB4F96
free.LIBCMT ref: 00007FFF21BB4FBA
free.LIBCMT ref: 00007FFF21BB4FCE
free.LIBCMT ref: 00007FFF21BB4FDD
free.LIBCMT ref: 00007FFF21BB4FE9
free.LIBCMT ref: 00007FFF21BB5016
free.LIBCMT ref: 00007FFF21BB503E
free.LIBCMT ref: 00007FFF21BB5058

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID:
API String ID: 1012874770-0
Opcode ID: 3c3af7d426be30cf8e9a0f4f5ff6786eb9999c553a10af8131577c7025441718
Instruction ID: 41d7e3cd3ee11226bbe0ece04fa4e42121eab9901ca0d0b88f6b4a550c67def1
Opcode Fuzzy Hash: 3c3af7d426be30cf8e9a0f4f5ff6786eb9999c553a10af8131577c7025441718
Instruction Fuzzy Hash: C441ED32E0994684EF759E21DDA43BD23F0BF98B44F442031DE0E8AAB5CE2DE691C355

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BBE23C Relevance: 13.7, APIs: 9, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFF21BBE292
GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFF21BBE2B1
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFF21BBE356
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFF21BBE3B5
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFF21BBE3F0
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFF21BBE42C
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFF21BBE46C
free.LIBCMT ref: 00007FFF21BBE47A
free.LIBCMT ref: 00007FFF21BBE49C

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: ByteCharMultiWide$Infofree
String ID:
API String ID: 1638741495-0
Opcode ID: ce8117ab18d8874cf8440c92ec5f3b21420e9de26f709fb2524c2ddf018fd4d7
Instruction ID: 69bac9f08dd908a5e223d274bb1ad8ec3b92db1afb26a315db96bc146885e380
Opcode Fuzzy Hash: ce8117ab18d8874cf8440c92ec5f3b21420e9de26f709fb2524c2ddf018fd4d7
Instruction Fuzzy Hash: EE61B436E096818AE7348B219C9016DA6F5FF84BA8F646A35DE1D87FF4DF3CD6418204

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BB352C Relevance: 13.6, APIs: 9, Instructions: 98COMMON

Download Yara Rule

APIs

_lock.LIBCMT ref: 00007FFF21BB3555
DecodePointer.KERNEL32 ref: 00007FFF21BB3588
DecodePointer.KERNEL32 ref: 00007FFF21BB35A5
DecodePointer.KERNEL32 ref: 00007FFF21BB35E4
DecodePointer.KERNEL32 ref: 00007FFF21BB35FD
DecodePointer.KERNEL32 ref: 00007FFF21BB360C
_initterm.LIBCMT ref: 00007FFF21BB364B
_initterm.LIBCMT ref: 00007FFF21BB365E
ExitProcess.KERNEL32 ref: 00007FFF21BB3697

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: DecodePointer$_initterm$ExitProcess_lock
String ID:
API String ID: 2551688548-0
Opcode ID: 7b592d45c7ca6c6d8cb3fd2d09d1fb2d25a7c433dc9c00e1470d97789b8f3c14
Instruction ID: e41a51c56fc99a5c492d71ff887704b20468cc4d1a04efb62211f7defe6c385b
Opcode Fuzzy Hash: 7b592d45c7ca6c6d8cb3fd2d09d1fb2d25a7c433dc9c00e1470d97789b8f3c14
Instruction Fuzzy Hash: DF414A21E0E64285EB609B15EC6017E62F5BB88B84F442135EE4E87BB5DE3CE6558708

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BB8F34 Relevance: 12.2, APIs: 8, Instructions: 173COMMONLIBRARYCODE

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(?,?,?,?,00000000,0000000A,00000008,00007FFF21BB9206), ref: 00007FFF21BB8F94
GetLastError.KERNEL32(?,?,?,?,00000000,0000000A,00000008,00007FFF21BB9206), ref: 00007FFF21BB8FA6
MultiByteToWideChar.KERNEL32(?,?,?,?,00000000,0000000A,00000008,00007FFF21BB9206), ref: 00007FFF21BB9006
MultiByteToWideChar.KERNEL32(?,?,?,?,00000000,0000000A,00000008,00007FFF21BB9206), ref: 00007FFF21BB90BC
GetStringTypeW.KERNEL32(?,?,?,?,00000000,0000000A,00000008,00007FFF21BB9206), ref: 00007FFF21BB90D3
free.LIBCMT ref: 00007FFF21BB90E4
GetStringTypeA.KERNEL32(?,?,?,?,00000000,0000000A,00000008,00007FFF21BB9206), ref: 00007FFF21BB9161
free.LIBCMT ref: 00007FFF21BB9171

Part of subcall function 00007FFF21BBE23C: GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFF21BBE292
Part of subcall function 00007FFF21BBE23C: GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFF21BBE2B1
Part of subcall function 00007FFF21BBE23C: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFF21BBE3B5
Part of subcall function 00007FFF21BBE23C: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFF21BBE3F0

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: ByteCharMultiWide$StringType$Infofree$ErrorLast
String ID:
API String ID: 3535580693-0
Opcode ID: 851e935c27dd1964d5f09fdb64281df2a61b0302174b786e63cdd007473657bb
Instruction ID: 79b1646b7fc17adcc1454ade5135998a4ab135790fe440c79bcef4a023dc8fcf
Opcode Fuzzy Hash: 851e935c27dd1964d5f09fdb64281df2a61b0302174b786e63cdd007473657bb
Instruction Fuzzy Hash: A5618172E046829AEB309F21DC5446D67F2FB48BE4B542635DE1D97FA4CE3CEA418344

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BB3758 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 199COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32 ref: 00007FFF21BB377D

Part of subcall function 00007FFF21BB3108: Sleep.KERNEL32(?,?,0000000A,00007FFF21BB2DA3,?,?,?,00007FFF21BB2DFF,?,?,?,00007FFF21BB254F,?,?,?,00007FFF21BB262A), ref: 00007FFF21BB314D

GetFileType.KERNEL32 ref: 00007FFF21BB38FA

Strings

@, xrefs: 00007FFF21BB39F5

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: FileInfoSleepStartupType
String ID: @
API String ID: 1527402494-2766056989
Opcode ID: be5b348199184886c2585225aa819b02cc7fe3bfefb3d916d7442fb5369bb0a2
Instruction ID: 05add1aff70289e91d553e454e1b5bf90471ee227e8a9e3d420dd5637cb2b669
Opcode Fuzzy Hash: be5b348199184886c2585225aa819b02cc7fe3bfefb3d916d7442fb5369bb0a2
Instruction Fuzzy Hash: 8891A122E1868285E7208B28CC5422D2AF9FB05774F656735CABE82BF0DF7CE941C315

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BB25F8 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 195COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFF21BB2534: _getptd.LIBCMT ref: 00007FFF21BB254A

_errno.LIBCMT ref: 00007FFF21BB2638
_errno.LIBCMT ref: 00007FFF21BB27F2

Strings

+, xrefs: 00007FFF21BB26D5
-, xrefs: 00007FFF21BB26CA
0, xrefs: 00007FFF21BB2731
0, xrefs: 00007FFF21BB2703

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: _errno$_getptd
String ID: +$-$0$0
API String ID: 3432092939-699404926
Opcode ID: 8efefd5caa40435472e3a9c676caa775b17fe32abe7b41ee90b269364e345ab9
Instruction ID: cb47d1e7b1a66cd012005700a694cb3682c0ab7c9a5fd9ae0f4f28c0d7420b3c
Opcode Fuzzy Hash: 8efefd5caa40435472e3a9c676caa775b17fe32abe7b41ee90b269364e345ab9
Instruction Fuzzy Hash: 9771D022D1C68281FBB64626CC2537E26F1BF44754F1561B6EE5A82AF0DF6CFA408309

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BB6AB8 Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

_FF_MSGBANNER.LIBCMT ref: 00007FFF21BB6ADF

Part of subcall function 00007FFF21BB6F0C: GetModuleFileNameA.KERNEL32(?,?,?,?,?,00007FFF21BB7194,?,?,?,?,00007FFF21BB6C69,?,?,00000000,00007FFF21BB30C0), ref: 00007FFF21BB6FCF

Part of subcall function 00007FFF21BB334C: ExitProcess.KERNEL32 ref: 00007FFF21BB335B

Part of subcall function 00007FFF21BB309C: Sleep.KERNEL32(?,?,00000000,00007FFF21BB6B19,?,?,00000000,00007FFF21BB6BC3,?,?,?,?,?,?,00000000,00007FFF21BB2DC8), ref: 00007FFF21BB30D2

_errno.LIBCMT ref: 00007FFF21BB6B21
_lock.LIBCMT ref: 00007FFF21BB6B35
free.LIBCMT ref: 00007FFF21BB6B57
_errno.LIBCMT ref: 00007FFF21BB6B5C
LeaveCriticalSection.KERNEL32(?,?,00000000,00007FFF21BB6BC3,?,?,?,?,?,?,00000000,00007FFF21BB2DC8,?,?,?,00007FFF21BB2DFF), ref: 00007FFF21BB6B82

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: _errno$CriticalExitFileLeaveModuleNameProcessSectionSleep_lockfree
String ID:
API String ID: 1354249094-0
Opcode ID: 281a6b99e1ceef077376b7d12b8049e3985eb177f8c0a9ab58ee7c303b441a02
Instruction ID: a144e48e21daadbce5e997aa7d4837adad98e8f9eb3669beee17728960089a16
Opcode Fuzzy Hash: 281a6b99e1ceef077376b7d12b8049e3985eb177f8c0a9ab58ee7c303b441a02
Instruction Fuzzy Hash: E0215E20E1960286F774AB219C6537E62F4FF84780F446131ED4EC6AE2CF3CE9408798

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BB2D70 Relevance: 9.0, APIs: 6, Instructions: 37threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FFF21BB2DFF,?,?,?,00007FFF21BB254F,?,?,?,00007FFF21BB262A), ref: 00007FFF21BB2D7A
FlsGetValue.KERNEL32(?,?,?,00007FFF21BB2DFF,?,?,?,00007FFF21BB254F,?,?,?,00007FFF21BB262A), ref: 00007FFF21BB2D88
SetLastError.KERNEL32(?,?,?,00007FFF21BB2DFF,?,?,?,00007FFF21BB254F,?,?,?,00007FFF21BB262A), ref: 00007FFF21BB2DE0

Part of subcall function 00007FFF21BB3108: Sleep.KERNEL32(?,?,0000000A,00007FFF21BB2DA3,?,?,?,00007FFF21BB2DFF,?,?,?,00007FFF21BB254F,?,?,?,00007FFF21BB262A), ref: 00007FFF21BB314D

FlsSetValue.KERNEL32(?,?,?,00007FFF21BB2DFF,?,?,?,00007FFF21BB254F,?,?,?,00007FFF21BB262A), ref: 00007FFF21BB2DB4
free.LIBCMT ref: 00007FFF21BB2DD7

Part of subcall function 00007FFF21BB2CBC: _lock.LIBCMT ref: 00007FFF21BB2D0C
Part of subcall function 00007FFF21BB2CBC: _lock.LIBCMT ref: 00007FFF21BB2D2C

GetCurrentThreadId.KERNEL32 ref: 00007FFF21BB2DC8

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: ErrorLastValue_lock$CurrentSleepThreadfree
String ID:
API String ID: 3106088686-0
Opcode ID: 1a58bbec3c0441b91cbee7445021737d92780d7df2029101222d8d22fa3fe0c2
Instruction ID: d1c06e076111dcbf6d989850515072b952868cbf1a5fa36eddf1b9b22407b10b
Opcode Fuzzy Hash: 1a58bbec3c0441b91cbee7445021737d92780d7df2029101222d8d22fa3fe0c2
Instruction Fuzzy Hash: ED017524E0AB428AFB245B659C5413C22F3BF4CB90B446274CD2D827F1DE3CF545C218

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BB9DF8 Relevance: 8.8, APIs: 7, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 00007FFF21BB9E16

Part of subcall function 00007FFF21BB3024: HeapFree.KERNEL32(?,?,00000000,00007FFF21BB2DDC,?,?,?,00007FFF21BB2DFF,?,?,?,00007FFF21BB254F,?,?,?,00007FFF21BB262A), ref: 00007FFF21BB303A
Part of subcall function 00007FFF21BB3024: _errno.LIBCMT ref: 00007FFF21BB3044
Part of subcall function 00007FFF21BB3024: GetLastError.KERNEL32(?,?,00000000,00007FFF21BB2DDC,?,?,?,00007FFF21BB2DFF,?,?,?,00007FFF21BB254F,?,?,?,00007FFF21BB262A), ref: 00007FFF21BB304C

free.LIBCMT ref: 00007FFF21BB9E28
free.LIBCMT ref: 00007FFF21BB9E3A
free.LIBCMT ref: 00007FFF21BB9E4C
free.LIBCMT ref: 00007FFF21BB9E5E
free.LIBCMT ref: 00007FFF21BB9E70
free.LIBCMT ref: 00007FFF21BB9E82

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID:
API String ID: 1012874770-0
Opcode ID: 2467c4f6b5832abe9fd2be6a03a61b6f94b407d58b9f6526efad8e926ce1459f
Instruction ID: 79cdcd09c2f5a41b7c74e888ebd66730569efcd93aa59e8e94d0c02478f6c32d
Opcode Fuzzy Hash: 2467c4f6b5832abe9fd2be6a03a61b6f94b407d58b9f6526efad8e926ce1459f
Instruction Fuzzy Hash: C301E852E0980295EF75DB61DCB147D23F1BF88B00F443032DA0EC69B2CE6DF9858268

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BB9E90 Relevance: 7.7, APIs: 6, Instructions: 246COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 00007FFF21BB9F10
free.LIBCMT ref: 00007FFF21BB9F37
free.LIBCMT ref: 00007FFF21BBA208
free.LIBCMT ref: 00007FFF21BBA214

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 66c2a68ae6921ce3eae9ed6cb47659e8359417b2a45b1d2ea151f135524af05a
Instruction ID: 0f881b23e490a3c96f368de2173cd4114a21fbc433a63b5b9f8538936a3bf52f
Opcode Fuzzy Hash: 66c2a68ae6921ce3eae9ed6cb47659e8359417b2a45b1d2ea151f135524af05a
Instruction Fuzzy Hash: B8B14E32F18B4185EB60DB62E8516AE67E0FB89784F406531EE8D83FA5DF3CD2058744

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BB60B0 Relevance: 7.6, APIs: 5, Instructions: 88COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FFF21BB60F3
free.LIBCMT ref: 00007FFF21BB6133
free.LIBCMT ref: 00007FFF21BB6153
free.LIBCMT ref: 00007FFF21BB61B0
free.LIBCMT ref: 00007FFF21BB61C8

Part of subcall function 00007FFF21BB3108: Sleep.KERNEL32(?,?,0000000A,00007FFF21BB2DA3,?,?,?,00007FFF21BB2DFF,?,?,?,00007FFF21BB254F,?,?,?,00007FFF21BB262A), ref: 00007FFF21BB314D

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: free$Sleep_errno
String ID:
API String ID: 2081351063-0
Opcode ID: ec136e1b37b0cf75a1e1cbd0173697211363db55ec0de315659f58b3930cb5b5
Instruction ID: fdb499924a3b3e81de8e2ca6e78eed89d8c3091dd01a2d2850ab9e62adb7ed23
Opcode Fuzzy Hash: ec136e1b37b0cf75a1e1cbd0173697211363db55ec0de315659f58b3930cb5b5
Instruction Fuzzy Hash: C5311E21E0964285EB659B22CC7127D66F1BF44FC4F44A035DE0D87BB6DE3CEA018388

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BB72D4 Relevance: 7.6, APIs: 5, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,00007FFF21BB73E5,?,?,?,?,00007FFF21BB34D2,?,?,?,00007FFF21BB21CB), ref: 00007FFF21BB72FD
DecodePointer.KERNEL32(?,?,?,00007FFF21BB73E5,?,?,?,?,00007FFF21BB34D2,?,?,?,00007FFF21BB21CB), ref: 00007FFF21BB730C

Part of subcall function 00007FFF21BBD070: _errno.LIBCMT ref: 00007FFF21BBD079

EncodePointer.KERNEL32(?,?,?,00007FFF21BB73E5,?,?,?,?,00007FFF21BB34D2,?,?,?,00007FFF21BB21CB), ref: 00007FFF21BB7389

Part of subcall function 00007FFF21BB318C: realloc.LIBCMT ref: 00007FFF21BB31B7
Part of subcall function 00007FFF21BB318C: Sleep.KERNEL32(?,?,00000000,00007FFF21BB7379,?,?,?,00007FFF21BB73E5,?,?,?,?,00007FFF21BB34D2), ref: 00007FFF21BB31D3

EncodePointer.KERNEL32(?,?,?,00007FFF21BB73E5,?,?,?,?,00007FFF21BB34D2,?,?,?,00007FFF21BB21CB), ref: 00007FFF21BB7398
EncodePointer.KERNEL32(?,?,?,00007FFF21BB73E5,?,?,?,?,00007FFF21BB34D2,?,?,?,00007FFF21BB21CB), ref: 00007FFF21BB73A4

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: Pointer$Encode$Decode$Sleep_errnorealloc
String ID:
API String ID: 1310268301-0
Opcode ID: 45f99762a2f7ec127277c333d1f44571b1c8f3f0bb701b28e9aac5b400b42b2d
Instruction ID: fe67fc2485bdd2326a3df0b70384b185628db72535f94a71777611c72e710425
Opcode Fuzzy Hash: 45f99762a2f7ec127277c333d1f44571b1c8f3f0bb701b28e9aac5b400b42b2d
Instruction Fuzzy Hash: 69214111F0A64255EF209B61EDA60BEA2F1BB45BC0F446835DD0D87FB5DE7CE6868308

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BB71A4 Relevance: 7.6, APIs: 5, Instructions: 65COMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32 ref: 00007FFF21BB71C6
DecodePointer.KERNEL32 ref: 00007FFF21BB71D5

Part of subcall function 00007FFF21BBD070: _errno.LIBCMT ref: 00007FFF21BBD079

EncodePointer.KERNEL32 ref: 00007FFF21BB7248

Part of subcall function 00007FFF21BB318C: realloc.LIBCMT ref: 00007FFF21BB31B7
Part of subcall function 00007FFF21BB318C: Sleep.KERNEL32(?,?,00000000,00007FFF21BB7379,?,?,?,00007FFF21BB73E5,?,?,?,?,00007FFF21BB34D2), ref: 00007FFF21BB31D3

EncodePointer.KERNEL32 ref: 00007FFF21BB7257
EncodePointer.KERNEL32 ref: 00007FFF21BB7263

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: Pointer$Encode$Decode$Sleep_errnorealloc
String ID:
API String ID: 1310268301-0
Opcode ID: eece0b224e2bcc70f9921190d9f8722cba86776407b6ce9ac89865c4675fc459
Instruction ID: bc5a55926578d8887da5e3c9ff6e488a8947eb2903448dfa633dea355672ee68
Opcode Fuzzy Hash: eece0b224e2bcc70f9921190d9f8722cba86776407b6ce9ac89865c4675fc459
Instruction Fuzzy Hash: 63219010F0A68244EF20EB51E96517DA2F1BB457C0F482435ED4D87FB5DE3CE6458308

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BB3AEC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

__initmbctable.LIBCMT ref: 00007FFF21BB3B09
free.LIBCMT ref: 00007FFF21BB3BD0
free.LIBCMT ref: 00007FFF21BB3C09

Strings

@CW, xrefs: 00007FFF21BB3C02

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: free$__initmbctable
String ID: @CW
API String ID: 2804101511-2709556291
Opcode ID: 62b67f3d166044e4c3a65fa2a8f4440ca774743433b5403a5dc793ed1f544cce
Instruction ID: e3c1dacf055b1e3defac24d3f7b7717544473b72972a8de24399a6404672ecf3
Opcode Fuzzy Hash: 62b67f3d166044e4c3a65fa2a8f4440ca774743433b5403a5dc793ed1f544cce
Instruction Fuzzy Hash: EF315E21E0964249FB709B21AC6137E66F0BF55B80F586535DE4CC6ABADF3CE5448308

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BB3310 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,000000FF,00007FFF21BB3359,?,?,00000028,00007FFF21BB6C7D,?,?,00000000,00007FFF21BB30C0,?,?,00000000,00007FFF21BB6B19), ref: 00007FFF21BB331F
GetProcAddress.KERNEL32(?,?,000000FF,00007FFF21BB3359,?,?,00000028,00007FFF21BB6C7D,?,?,00000000,00007FFF21BB30C0,?,?,00000000,00007FFF21BB6B19), ref: 00007FFF21BB3334

Strings

CorExitProcess, xrefs: 00007FFF21BB332A
mscoree.dll, xrefs: 00007FFF21BB3318

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 1646373207-1276376045
Opcode ID: d72bc5d50b22d09011b632762878156ef0257bf259d16f3c3461911ef1dd3856
Instruction ID: 243b4f12e4b252912d6201ec7de211cb9902198b5a432bdb0bc25b5770a963dc
Opcode Fuzzy Hash: d72bc5d50b22d09011b632762878156ef0257bf259d16f3c3461911ef1dd3856
Instruction Fuzzy Hash: 5AE0EC50F1B60245EF595B50ACD413D12F16F98F11B487479C85F863B0DE6CA698C218

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BB575C Relevance: 6.4, APIs: 5, Instructions: 134COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFF21BB309C: Sleep.KERNEL32(?,?,00000000,00007FFF21BB6B19,?,?,00000000,00007FFF21BB6BC3,?,?,?,?,?,?,00000000,00007FFF21BB2DC8), ref: 00007FFF21BB30D2

Part of subcall function 00007FFF21BBBDF4: _errno.LIBCMT ref: 00007FFF21BBBE0F

free.LIBCMT ref: 00007FFF21BB58A5
free.LIBCMT ref: 00007FFF21BB58C1

Part of subcall function 00007FFF21BB6550: RtlCaptureContext.KERNEL32 ref: 00007FFF21BB658F
Part of subcall function 00007FFF21BB6550: IsDebuggerPresent.KERNEL32 ref: 00007FFF21BB662D
Part of subcall function 00007FFF21BB6550: SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFF21BB6637
Part of subcall function 00007FFF21BB6550: UnhandledExceptionFilter.KERNEL32 ref: 00007FFF21BB6642
Part of subcall function 00007FFF21BB6550: GetCurrentProcess.KERNEL32 ref: 00007FFF21BB6658
Part of subcall function 00007FFF21BB6550: TerminateProcess.KERNEL32 ref: 00007FFF21BB6666

free.LIBCMT ref: 00007FFF21BB58D6

Part of subcall function 00007FFF21BB3024: HeapFree.KERNEL32(?,?,00000000,00007FFF21BB2DDC,?,?,?,00007FFF21BB2DFF,?,?,?,00007FFF21BB254F,?,?,?,00007FFF21BB262A), ref: 00007FFF21BB303A
Part of subcall function 00007FFF21BB3024: _errno.LIBCMT ref: 00007FFF21BB3044
Part of subcall function 00007FFF21BB3024: GetLastError.KERNEL32(?,?,00000000,00007FFF21BB2DDC,?,?,?,00007FFF21BB2DFF,?,?,?,00007FFF21BB254F,?,?,?,00007FFF21BB262A), ref: 00007FFF21BB304C

free.LIBCMT ref: 00007FFF21BB58F5
free.LIBCMT ref: 00007FFF21BB5911

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: free$ExceptionFilterProcessUnhandled_errno$CaptureContextCurrentDebuggerErrorFreeHeapLastPresentSleepTerminate
String ID:
API String ID: 2294642566-0
Opcode ID: dc7ff44f8b32ef672d501b76c056c74ad4bf38a7a2c0d5bc14e1adea1997e9e3
Instruction ID: afbbcaf143b8e1911a49c236c0b23111ba87fdeef6fd51d531f8acd7ed786b15
Opcode Fuzzy Hash: dc7ff44f8b32ef672d501b76c056c74ad4bf38a7a2c0d5bc14e1adea1997e9e3
Instruction Fuzzy Hash: F451B132E04A8586EB219F29EC6016E63F5FB84B98F485035DE4D87BA4DE3CDA46C344

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BB5B84 Relevance: 6.2, APIs: 4, Instructions: 186COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FFF21BB5BB6

Part of subcall function 00007FFF21BB5944: _getptd.LIBCMT ref: 00007FFF21BB597E

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: _getptd
String ID:
API String ID: 3186804695-0
Opcode ID: fa6ae430652ad88a2b7c0fc47314cf8fd6a4311639ac00b8795087540084e4bb
Instruction ID: 64f6bbf3ccdee6205e0379350f0c55e5408171d35490ca32eb8ea946f432b035
Opcode Fuzzy Hash: fa6ae430652ad88a2b7c0fc47314cf8fd6a4311639ac00b8795087540084e4bb
Instruction Fuzzy Hash: CD819B72A0968696DB24DB25E9946AEB3F0FB48784F505135DF8D83BA4EF38E101CB04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BB61F0 Relevance: 6.1, APIs: 4, Instructions: 122COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FFF21BB6217

Part of subcall function 00007FFF21BB66D8: DecodePointer.KERNEL32 ref: 00007FFF21BB66FF

_getptd.LIBCMT ref: 00007FFF21BB623D
_lock.LIBCMT ref: 00007FFF21BB6276
_lock.LIBCMT ref: 00007FFF21BB6309

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: _lock$DecodePointer_errno_getptd
String ID:
API String ID: 4201827665-0
Opcode ID: 80346bd32cbc0638794b0fd1901a532c5b35ee42fd123eebcbfe5a7804c514a3
Instruction ID: d15dbb2967dd54c7eb34a61c7c1751eb5a55e6efb1b76d3a16a61abfbe29e32d
Opcode Fuzzy Hash: 80346bd32cbc0638794b0fd1901a532c5b35ee42fd123eebcbfe5a7804c514a3
Instruction Fuzzy Hash: 67512B21E0A6428AFB649B26EC61BBE22F1FF44784F106035DD4D87BA1DE7DE9408748

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BBF9E8 Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FFF21BBFA07

Part of subcall function 00007FFF21BB66D8: DecodePointer.KERNEL32 ref: 00007FFF21BB66FF

calloc.LIBCMT ref: 00007FFF21BBFA65
_errno.LIBCMT ref: 00007FFF21BBFA72
_errno.LIBCMT ref: 00007FFF21BBFA7D

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: _errno$DecodePointercalloc
String ID:
API String ID: 1531210114-0
Opcode ID: 135c3f51b5ce2e738d355fd0c7e716948f0291e158272fe6257324d9ebc5dc22
Instruction ID: f4c14d76761715905c9e27f152d2285fb2f87322bfe92a8b42dad1a36735b202
Opcode Fuzzy Hash: 135c3f51b5ce2e738d355fd0c7e716948f0291e158272fe6257324d9ebc5dc22
Instruction Fuzzy Hash: 72216262E0964245FB289A65982537E62F0BF547C0F449138DF4D87F96DF3CE9108648

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BB539C Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

_lock.LIBCMT ref: 00007FFF21BB53B2
free.LIBCMT ref: 00007FFF21BB53D7

Part of subcall function 00007FFF21BB3024: HeapFree.KERNEL32(?,?,00000000,00007FFF21BB2DDC,?,?,?,00007FFF21BB2DFF,?,?,?,00007FFF21BB254F,?,?,?,00007FFF21BB262A), ref: 00007FFF21BB303A
Part of subcall function 00007FFF21BB3024: _errno.LIBCMT ref: 00007FFF21BB3044
Part of subcall function 00007FFF21BB3024: GetLastError.KERNEL32(?,?,00000000,00007FFF21BB2DDC,?,?,?,00007FFF21BB2DFF,?,?,?,00007FFF21BB254F,?,?,?,00007FFF21BB262A), ref: 00007FFF21BB304C

_lock.LIBCMT ref: 00007FFF21BB53F2
free.LIBCMT ref: 00007FFF21BB5438

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: _lockfree$ErrorFreeHeapLast_errno
String ID:
API String ID: 3188102813-0
Opcode ID: 09c59b142491067d37077feec729aeb8b77d96716ac98985a4df9f6db3f8d771
Instruction ID: e8593829526bd53c069391ce21bccb0a32a471cdf1cfb467de63eb51792c3360
Opcode Fuzzy Hash: 09c59b142491067d37077feec729aeb8b77d96716ac98985a4df9f6db3f8d771
Instruction Fuzzy Hash: DE111821E0B50285FF75AA71DC7177C22F0BF84704F446135DA1EC6AE5DE6CAA41826A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BB2C94 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

FlsFree.KERNEL32(?,?,?,?,00007FFF21BB2217), ref: 00007FFF21BB2CA3
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFF21BB2217), ref: 00007FFF21BB6A32
free.LIBCMT ref: 00007FFF21BB6A3B
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFF21BB2217), ref: 00007FFF21BB6A5B

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: CriticalDeleteSection$Freefree
String ID:
API String ID: 1250194111-0
Opcode ID: 0b4381b0394cf9d2fe44ee79bc2f59f9ea8a8cfc0730820b202f43bccc0e215f
Instruction ID: b556d29f8aff9cda908ba7a6f66ca8aa5f05bb7ba79fe192626aedb1f75f20f3
Opcode Fuzzy Hash: 0b4381b0394cf9d2fe44ee79bc2f59f9ea8a8cfc0730820b202f43bccc0e215f
Instruction Fuzzy Hash: E6116331E099428AFB248B26EC6423C73F0FB44B50F586531DA6D82AB5CF3CE9918748

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BB544C Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FFF21BB5456

Part of subcall function 00007FFF21BB3108: Sleep.KERNEL32(?,?,0000000A,00007FFF21BB2DA3,?,?,?,00007FFF21BB2DFF,?,?,?,00007FFF21BB254F,?,?,?,00007FFF21BB262A), ref: 00007FFF21BB314D

_errno.LIBCMT ref: 00007FFF21BB5473
_lock.LIBCMT ref: 00007FFF21BB54A6
_lock.LIBCMT ref: 00007FFF21BB54C4

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: _lock$Sleep_errno_getptd
String ID:
API String ID: 2111406555-0
Opcode ID: 673e868a23441bf53d2040884fedd38da7dd7cebd98ae69a44e812092c6a0ba8
Instruction ID: a29cc2baa000817c8d68149fdc4decf6f2e88f8fac90863401ebe55802ba13db
Opcode Fuzzy Hash: 673e868a23441bf53d2040884fedd38da7dd7cebd98ae69a44e812092c6a0ba8
Instruction Fuzzy Hash: E1019221E0924286FB646B71DC627AD62B0FF44784F40A034DE0DC77E6CE2CAD50835A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BBBB50 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 136COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFF21BB2534: _getptd.LIBCMT ref: 00007FFF21BB254A

_errno.LIBCMT ref: 00007FFF21BBBCD8
_errno.LIBCMT ref: 00007FFF21BBBD12

Strings

#, xrefs: 00007FFF21BBBC70

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: _errno$_getptd
String ID: #
API String ID: 3432092939-1885708031
Opcode ID: 9b19af0c0418e3e0b258a70cd69edc5393c065aacbb8da76a6c44f52b7c881eb
Instruction ID: 6b25ef8338f5646920431b9ddbafcdbd9d017fbf6f7f51223973ca0bdf1a8fd9
Opcode Fuzzy Hash: 9b19af0c0418e3e0b258a70cd69edc5393c065aacbb8da76a6c44f52b7c881eb
Instruction Fuzzy Hash: E0519F22E0CA8585E7308B25E9602BEABF0F781B80F585131DE8D93B65CE3DD941CB06

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF21BB9BB0 Relevance: 5.1, APIs: 4, Instructions: 148COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 00007FFF21BB9C43
free.LIBCMT ref: 00007FFF21BB9CDB
free.LIBCMT ref: 00007FFF21BB9D76
free.LIBCMT ref: 00007FFF21BB9D82

Memory Dump Source

Source File: 00000002.00000002.401488657.00007FFF21B71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF21B70000, based on PE: true

Associated: 00000002.00000002.401480666.00007FFF21B70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401578857.00007FFF21BC2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401587665.00007FFF21BC6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.401628360.00007FFF21BC9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff21b70000_regsvr32.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: b79b3224c3083f646637f6279f6889a3266e8c7020fbd897531d60d37c45b2be
Instruction ID: 1664a91b561dcdbcda72d8fbdae55c45588bda4322fabfcbd2dd2ff52c9d8e47
Opcode Fuzzy Hash: b79b3224c3083f646637f6279f6889a3266e8c7020fbd897531d60d37c45b2be
Instruction Fuzzy Hash: C8519372E096868AEB709F16E8602BD67F0BB49B80F546531DF5D87BA1CE3CE641C304

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exePID: 7148, Parent PID: 7092COMMON

Execution Graph

Execution Coverage:	11.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	11
Total number of Limit Nodes:	0

Executed Functions

Function 000002165C710000 Relevance: 76.3, APIs: 5, Strings: 38, Instructions: 1094
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 000002165C710450
GetNativeSystemInfo.KERNELBASE ref: 000002165C710539
VirtualAlloc.KERNELBASE ref: 000002165C710580
VirtualProtect.KERNELBASE ref: 000002165C7109E9
RtlAddFunctionTable.KERNEL32 ref: 000002165C710A79

Strings

urce, xrefs: 000002165C710304
Reso, xrefs: 000002165C710355
truc, xrefs: 000002165C710121
lloc, xrefs: 000002165C7100F0
Slee, xrefs: 000002165C7100B7
Cach, xrefs: 000002165C71012F
ualP, xrefs: 000002165C7100FF
onTa, xrefs: 000002165C710171
Load, xrefs: 000002165C7102F4
eSys, xrefs: 000002165C710144
ualA, xrefs: 000002165C7100E8
Flus, xrefs: 000002165C710113
ddFu, xrefs: 000002165C710163
aryA, xrefs: 000002165C7100D8
Libr, xrefs: 000002165C7100D0
urce, xrefs: 000002165C710340
tion, xrefs: 000002165C710128
sour, xrefs: 000002165C71031F
Reso, xrefs: 000002165C7102DB
hIns, xrefs: 000002165C71011A
Free, xrefs: 000002165C71034D
GetN, xrefs: 000002165C710136
Load, xrefs: 000002165C7100C8
Reso, xrefs: 000002165C710338
ncti, xrefs: 000002165C71016A
rote, xrefs: 000002165C710106
Reso, xrefs: 000002165C7102FC
temI, xrefs: 000002165C71014B
Find, xrefs: 000002165C7102D0
ativ, xrefs: 000002165C71013D
Size, xrefs: 000002165C710311
ofRe, xrefs: 000002165C710318
Lock, xrefs: 000002165C710330
urce, xrefs: 000002165C7102E7
urce, xrefs: 000002165C71035D
RtlA, xrefs: 000002165C71015C
Virt, xrefs: 000002165C7100E0
Virt, xrefs: 000002165C7100F8

Memory Dump Source

Source File: 00000003.00000002.395575537.000002165C710000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002165C710000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2165c710000_rundll32.jbxd

Similarity

API ID: Virtual$Alloc$FunctionInfoNativeProtectSystemTable
String ID: Cach$Find$Flus$Free$GetN$Libr$Load$Load$Lock$Reso$Reso$Reso$Reso$RtlA$Size$Slee$Virt$Virt$aryA$ativ$ddFu$eSys$hIns$lloc$ncti$ofRe$onTa$rote$sour$temI$tion$truc$ualA$ualP$urce$urce$urce$urce
API String ID: 394283112-2517549848
Opcode ID: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
Instruction ID: 36287d5f2f6e27699df48300912d74b03639d4201edccb98f99f2cfef45d867f
Opcode Fuzzy Hash: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
Instruction Fuzzy Hash: 0772F430618A4C8BDB69DF18C8997FDBBE6FBA4304F50462DE88AC3651DB34D542CB85

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002C058 Relevance: 10.4, Strings: 8, Instructions: 370
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

-:, xrefs: 000000018002C100
Ekf, xrefs: 000000018002C0CA
Z, xrefs: 000000018002C36B
l, xrefs: 000000018002C347
#C, xrefs: 000000018002C55D
(I, xrefs: 000000018002C62C
l, xrefs: 000000018002C1F5
<W, xrefs: 000000018002C1D0

Memory Dump Source

Source File: 00000003.00000002.395299440.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: #C$(I$-:$Ekf$<W$Z$l$l
API String ID: 0-464535774
Opcode ID: d8792019bb8cd892c5e2cff0ba87425d7977148afb5a5f987cda1e45d5ff9126
Instruction ID: edc4d0e98499d5b5adff65828f8d1fd2ac7ce79502a6533da94e18623254a36a
Opcode Fuzzy Hash: d8792019bb8cd892c5e2cff0ba87425d7977148afb5a5f987cda1e45d5ff9126
Instruction Fuzzy Hash: C102E3B151038CDBCB99DF28C8CAADD3BA1FB48398F956219FD0697260D774D884CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180010FF4 Relevance: 7.9, Strings: 6, Instructions: 363
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\, xrefs: 0000000180011205
OV4T, xrefs: 0000000180011307
)|x, xrefs: 000000018001168C
lA, xrefs: 0000000180011819
/Zb, xrefs: 000000018001119F
/v|, xrefs: 00000001800113E2

Memory Dump Source

Source File: 00000003.00000002.395299440.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: )|x$/Zb$/v|$OV4T$\$lA
API String ID: 0-3528011396
Opcode ID: 74ea3d61a93069fa3a56a5f8f60d4b0c7eeb5b014d6ac06c6862fd203c8e6463
Instruction ID: 5dbdb21e6b24644f90705741d0e2e2cc24c858ca1caac6c8284349b4f9dc1789
Opcode Fuzzy Hash: 74ea3d61a93069fa3a56a5f8f60d4b0c7eeb5b014d6ac06c6862fd203c8e6463
Instruction Fuzzy Hash: 8C2204705097C8CBDBBECF64C885BDA7BA8FB44B08F10521DEA4A9E258DB745744CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180021618 Relevance: 7.8, Strings: 6, Instructions: 266
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

)O, xrefs: 000000018002164B
t(/, xrefs: 0000000180021ABB
.pN, xrefs: 0000000180021AE0
, xrefs: 00000001800219DA
&.+, xrefs: 000000018002180B
F>9, xrefs: 0000000180021937

Memory Dump Source

Source File: 00000003.00000002.395299440.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $&.+$)O$.pN$F>9$t(/
API String ID: 0-3036092626
Opcode ID: 549a8b626face2190b4149bba4d09d4cb88f6d29378e8937dde350adb7fd5a83
Instruction ID: e4baced68933c0a0796cf32b330105f1a6d3ed4de4784e8c7f389f9334031704
Opcode Fuzzy Hash: 549a8b626face2190b4149bba4d09d4cb88f6d29378e8937dde350adb7fd5a83
Instruction Fuzzy Hash: E6E109716093C89FEBBACF24C8897DE7BA1FB59344F50421DD88A8E250DB745B49CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180028C20 Relevance: 6.6, Strings: 5, Instructions: 335
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

_5, xrefs: 00000001800290F7
:G, xrefs: 0000000180028C4C
yy8x, xrefs: 0000000180028D19
Q27, xrefs: 0000000180028EC2, 0000000180028F82, 0000000180029134, 0000000180028E8F, 000000018002907C, 0000000180028FD5, 0000000180028F2F, 0000000180029040, 0000000180028CC6, 00000001800290DD, 0000000180028DCC, 0000000180028FEB, 0000000180029047
Mh, xrefs: 0000000180029055

Memory Dump Source

Source File: 00000003.00000002.395299440.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: :G$Q27$_5$yy8x$Mh
API String ID: 0-3587547327
Opcode ID: 315710b1bd8495485e823c5d8e4dda2fa20a4e0309c27e75a691e805bd33ac06
Instruction ID: f758bc8895b8ed7f582f71be29fb7142b0f1d07f9cbefdc8313849e51cf7b1d3
Opcode Fuzzy Hash: 315710b1bd8495485e823c5d8e4dda2fa20a4e0309c27e75a691e805bd33ac06
Instruction Fuzzy Hash: 3DF1E07051434CEBDFA9DF68C8CAA9D3BA0FF48394FA06219FD0696250D775D988CB81

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000C608 Relevance: 5.6, Strings: 4, Instructions: 616
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

sf, xrefs: 000000018000CE95
+#;), xrefs: 000000018000CBDA
K', xrefs: 000000018000CAC7
w\H, xrefs: 000000018000C959

Memory Dump Source

Source File: 00000003.00000002.395299440.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: +#;)$K'$sf$w\H
API String ID: 0-1051058546
Opcode ID: 6c53062de77b202a7a918e5f4038520a98252693d28bf41343123917f80ba32c
Instruction ID: 30c6111824d62709d88844cae5ccd518ea343406d57bec7882368cdc1c6a6611
Opcode Fuzzy Hash: 6c53062de77b202a7a918e5f4038520a98252693d28bf41343123917f80ba32c
Instruction Fuzzy Hash: 8362F97050068D8FDB48DF28C89A6DD3FA1FB58388F524229FC4AA7251D778D999CBC4

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001E3AC Relevance: 4.0, Strings: 3, Instructions: 215
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

<4P, xrefs: 000000018001E690
<w., xrefs: 000000018001E582
<8, xrefs: 000000018001E63C

Memory Dump Source

Source File: 00000003.00000002.395299440.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: <4P$<8$<w.
API String ID: 0-1030867500
Opcode ID: 6c4ff939f0d35883aefbb319d4430fd67387b4e339adb0f797cabce8c6a4bf31
Instruction ID: 97d266913d6b0fd63d839b3c54903fd41a2ccd22a8a26fffcb9587bfe3b6431f
Opcode Fuzzy Hash: 6c4ff939f0d35883aefbb319d4430fd67387b4e339adb0f797cabce8c6a4bf31
Instruction Fuzzy Hash: C8B1E17151A384ABD788CF28C1C994BBBE1FBD4754F906A1DF8C68B260D7B0D948CB02

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001C964 Relevance: 1.5, Strings: 1, Instructions: 207
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

xDC, xrefs: 000000018001CAFA

Memory Dump Source

Source File: 00000003.00000002.395299440.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: xDC
API String ID: 0-90241050
Opcode ID: 1794493f14346c80bf95ebec7e4fc927d8b172e8d91b7fcff559d0595d0365ee
Instruction ID: 9121b1bc5c885adbeef7a29f5b0494aad7ac2618abc594bea640adf26706a648
Opcode Fuzzy Hash: 1794493f14346c80bf95ebec7e4fc927d8b172e8d91b7fcff559d0595d0365ee
Instruction Fuzzy Hash: F391387052065CEBDB99DF68C8CAADD3BA0FB48394F906219FC4287250C775D9C98B86

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180009100 Relevance: .1, Instructions: 125
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.395299440.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9400724a362ecc304d993d2fe4c896d101fab294f6d1cf34a07a96bc2a8ce181
Instruction ID: 281782cf28aa09d34d334260f991d1b96cfbd8271b51b9b7c31761fd0664cb75
Opcode Fuzzy Hash: 9400724a362ecc304d993d2fe4c896d101fab294f6d1cf34a07a96bc2a8ce181
Instruction Fuzzy Hash: 4B51EC715087889BCBB8DF18C9856CA7BF0FF95704F50891DE9898B250DF719A44DB42

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0000000180022010 Relevance: 9.0, Strings: 7, Instructions: 235
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

]k, xrefs: 0000000180022069
]k, xrefs: 000000018002232E
]$d, xrefs: 00000001800220D6
1l7., xrefs: 00000001800220AF
94, xrefs: 0000000180022371
"+H, xrefs: 000000018002236A
M8;, xrefs: 0000000180022338

Memory Dump Source

Source File: 00000003.00000002.395299440.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: "+H$1l7.$M8;$]$d$]k$]k$94
API String ID: 0-2447245168
Opcode ID: 3fd6bef9004380659c47559ba6e3d81fe5eea7f701e849f333ef0deba45e7d13
Instruction ID: 1221e244f5383d3e6569bf50eb566ee92e7d288cf12f4405919b94e37960c7a7
Opcode Fuzzy Hash: 3fd6bef9004380659c47559ba6e3d81fe5eea7f701e849f333ef0deba45e7d13
Instruction Fuzzy Hash: 3FB10D7160130CCBDBA9DF28C18A6DA3BE1FF48748F114129FD1A97261D774E919CB46

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800059B8 Relevance: 7.9, Strings: 6, Instructions: 408
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

t:v, xrefs: 0000000180005E76
Mv`b, xrefs: 0000000180005D4E
ru, xrefs: 000000018000623C
-!zt, xrefs: 0000000180005BD7
R3T, xrefs: 0000000180005C59
d}9J, xrefs: 0000000180006179

Memory Dump Source

Source File: 00000003.00000002.395299440.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: -!zt$Mv`b$R3T$d}9J$t:v$ru
API String ID: 0-2100131636
Opcode ID: e0551372703c1c57f1fc0d9d1de0f1be02ef62f192bed394747547d409ac2d0a
Instruction ID: abddbd47ac15f5a8ffacaf8e31a06efd054a3dbd2afb1a66e8bbaa14beb483a4
Opcode Fuzzy Hash: e0551372703c1c57f1fc0d9d1de0f1be02ef62f192bed394747547d409ac2d0a
Instruction Fuzzy Hash: C1221BB050478C8BDBB8CF64C9897DD7BB0FB44308F10862DDA5AAB250CBB45686CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180013780 Relevance: 7.8, Strings: 6, Instructions: 323
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

kO, xrefs: 000000018001387E
tro, xrefs: 00000001800139A0
$, xrefs: 0000000180013C6D
"`2, xrefs: 00000001800139CE
lbzZ, xrefs: 0000000180013863
lmq, xrefs: 0000000180013A6B

Memory Dump Source

Source File: 00000003.00000002.395299440.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $$"`2$lbzZ$lmq$tro$kO
API String ID: 0-2401169580
Opcode ID: b22a75222821f6640e36d1476563fd6974371582067e8c17588d676730c46316
Instruction ID: 279b0f6eedbbacd77816cba7ac57bf6919de5fbe0bc464da326619847ce4fcd1
Opcode Fuzzy Hash: b22a75222821f6640e36d1476563fd6974371582067e8c17588d676730c46316
Instruction Fuzzy Hash: BBF1C3709047488FDBA8DFA8D9867DDBBB1FB48304F20821DD84AEB255DB749A49CF41

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000FC48 Relevance: 6.7, Strings: 5, Instructions: 447COMMON

Download Yara Rule

Strings

PT, xrefs: 000000018001038A
EX., xrefs: 000000018001032D
UbA, xrefs: 00000001800103C4
)#?, xrefs: 0000000180010418
2f, xrefs: 000000018001051C

Memory Dump Source

Source File: 00000003.00000002.395299440.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: )#?$EX.$PT$UbA$2f
API String ID: 0-1318892062
Opcode ID: f9a85fa51538b1a6c0e22373df85dddbbc427f24166f886711afb0f01761c199
Instruction ID: a9b5704be98d3dd027f678fe08c59eda011257bdda9cf4ed25ea0f7660729633
Opcode Fuzzy Hash: f9a85fa51538b1a6c0e22373df85dddbbc427f24166f886711afb0f01761c199
Instruction Fuzzy Hash: 8B320DB190078C8BDBB8CF64C8856DD7BF0FB48318F50852DEA1A9B251DBB45685CF98

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001FC0C Relevance: 6.6, Strings: 5, Instructions: 400COMMON

Download Yara Rule

Strings

qjf, xrefs: 000000018001FD57
tZp, xrefs: 000000018001FFAF
$T, xrefs: 000000018001FF09
QP|m, xrefs: 000000018001FCBC
?F, xrefs: 0000000180020023

Memory Dump Source

Source File: 00000003.00000002.395299440.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $T$?F$QP|m$qjf$tZp
API String ID: 0-3477398917
Opcode ID: a2afc25ca6c2e6ca488c7a804df3743aa45b21aa43371557c2da8ddda12b60f7
Instruction ID: e54beaa769b94aae3cb673a52a2b60ade73482c6e5d3d936cdc9b6ae13d51efd
Opcode Fuzzy Hash: a2afc25ca6c2e6ca488c7a804df3743aa45b21aa43371557c2da8ddda12b60f7
Instruction Fuzzy Hash: 0B122870A0470CDFCF69DFA8C08A6DDBBF2FB44344F1091A9E816AB261D7759A19CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180016D3C Relevance: 6.6, Strings: 5, Instructions: 379COMMON

Download Yara Rule

Strings

x\J, xrefs: 00000001800171C3
JQ, xrefs: 0000000180016D72
v, xrefs: 00000001800170BE
t, xrefs: 0000000180017275
k&(, xrefs: 0000000180017125

Memory Dump Source

Source File: 00000003.00000002.395299440.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: JQ$k&($t$v$x\J
API String ID: 0-1134872184
Opcode ID: e2b118cac14b957c819117e18deb076f69f9d4e25580e92a2151fd03385e5a66
Instruction ID: 7c1fd17b310acde7e359d6be57bcfb6c2dd011f2caef592e77d3cba241376f6b
Opcode Fuzzy Hash: e2b118cac14b957c819117e18deb076f69f9d4e25580e92a2151fd03385e5a66
Instruction Fuzzy Hash: F312E0B0504709EFCB99DF28C18AADE7BF0FB48308F40812AF80A9B254D774DA58DB45

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000703C Relevance: 6.3, Strings: 5, Instructions: 87COMMON

Download Yara Rule

Strings

V, xrefs: 0000000180007053
R, xrefs: 00000001800070D3
?rIc, xrefs: 000000018000710E
)H8, xrefs: 000000018000709E
L==, xrefs: 0000000180007159

Memory Dump Source

Source File: 00000003.00000002.395299440.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: R$)H8$?rIc$L==$V
API String ID: 0-2512384441
Opcode ID: 0d280c2f9ee604a9d8763362a2e2c249d7a205bc5c068130deea404b5e8e02a7
Instruction ID: 6f6f9af97a41f07aad9f9d1cbd67af5334817a93c453241fb2a5d498ae2065c2
Opcode Fuzzy Hash: 0d280c2f9ee604a9d8763362a2e2c249d7a205bc5c068130deea404b5e8e02a7
Instruction Fuzzy Hash: 3541D0B090074E8BCF48CF64D49A5DE7FB0FB68398F20421DE856A6250D3B896A5CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800119A8 Relevance: 6.3, Strings: 5, Instructions: 63COMMON

Download Yara Rule

Strings

+, xrefs: 00000001800119DA
vird, xrefs: 00000001800119C2
S, xrefs: 0000000180011A92
Qq, xrefs: 0000000180011A84
bt, xrefs: 0000000180011A1E

Memory Dump Source

Source File: 00000003.00000002.395299440.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: Qq$bt$vird$+$S
API String ID: 0-3373980505
Opcode ID: 46bb33aa035ecbbdf74cf68df8db4d7c020810c30b71dbb4fbdebc27907f7b4b
Instruction ID: 8c34661c01ca41a1498f33dadfb9b2381b3c020394efcb6cfebc1cbd8490f91c
Opcode Fuzzy Hash: 46bb33aa035ecbbdf74cf68df8db4d7c020810c30b71dbb4fbdebc27907f7b4b
Instruction Fuzzy Hash: 8831C2B081038A8FDB45CF64C88A5DE7BF0FB58358F115A19F869A6250D3B4D668CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180011AD0 Relevance: 5.3, Strings: 4, Instructions: 335COMMON

Download Yara Rule

Strings

^_", xrefs: 0000000180011D6E
P9, xrefs: 0000000180011DC0
@, xrefs: 0000000180011F6B
V, xrefs: 0000000180011B81

Memory Dump Source

Source File: 00000003.00000002.395299440.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: V$@$P9$^_"
API String ID: 0-1880944046
Opcode ID: 14fe4b6354f8c882e246ec0bcf45ce0c6e4a33b057813c2d4cef38f5cb1d7b15
Instruction ID: ef3f81825b514374c5d287d432cdf068934c0dc0259921085eace1de493a05f6
Opcode Fuzzy Hash: 14fe4b6354f8c882e246ec0bcf45ce0c6e4a33b057813c2d4cef38f5cb1d7b15
Instruction Fuzzy Hash: B6F1DF70504749EFCB98CF28D18AACE7BE0FB48348F50812AF81A9B264D770DA59DB45

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800132F0 Relevance: 5.3, Strings: 4, Instructions: 312COMMON

Download Yara Rule

Strings

F)k, xrefs: 000000018001336C
syG, xrefs: 000000018001339D
b/, xrefs: 000000018001347F
=_, xrefs: 00000001800136EB

Memory Dump Source

Source File: 00000003.00000002.395299440.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: =_$F)k$b/$syG
API String ID: 0-3955183656
Opcode ID: a0c8fbb251499c36d1c33fbfac3bbb926034851086b3556ae4bae43476727e6a
Instruction ID: 3a63fdd7148b145f5d2717dabea2a2fa508061acbcc25a132c341bfe6e9ad30f
Opcode Fuzzy Hash: a0c8fbb251499c36d1c33fbfac3bbb926034851086b3556ae4bae43476727e6a
Instruction Fuzzy Hash: DED12771A0478D8BCF59DFA8C88A6EEBBB0FB48344F10421DE846A7650D7B4D909CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002D70 Relevance: 5.3, Strings: 4, Instructions: 266COMMON

Download Yara Rule

Strings

'Xsa, xrefs: 0000000180002EA2
vG, xrefs: 000000018000316F
iJ6, xrefs: 0000000180003091
#X, xrefs: 0000000180002E74

Memory Dump Source

Source File: 00000003.00000002.395299440.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: #X$'Xsa$iJ6$vG
API String ID: 0-746338152
Opcode ID: 05ea12fd72043b3df7b90193803f13f9b9661e31632ee757fcd333ad07ef3f6f
Instruction ID: 8ba50615c78112980223cca8f04f1fa67c4b69ee5a809e4e0bd2b8ae6832a1bb
Opcode Fuzzy Hash: 05ea12fd72043b3df7b90193803f13f9b9661e31632ee757fcd333ad07ef3f6f
Instruction Fuzzy Hash: 93E154B590070DDFCB88DF68D19A9DD7BB9BB49308F404029FC0E9A264D3B4E919CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800097C0 Relevance: 5.3, Strings: 4, Instructions: 257COMMON

Download Yara Rule

Strings

-Z, xrefs: 0000000180009D06
*i^, xrefs: 0000000180009A7A
MIC, xrefs: 0000000180009BF0
]2, xrefs: 0000000180009CC2

Memory Dump Source

Source File: 00000003.00000002.395299440.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: *i^$MIC$-Z$]2
API String ID: 0-498664264
Opcode ID: db11ef6343568e39e87295be28a4fb69218d9fc865c563580501f4fd78a225ea
Instruction ID: 9792ecb135b2155067e966d5e38dbf4f409fde80c29e70d57d2078ebe1ce15c6
Opcode Fuzzy Hash: db11ef6343568e39e87295be28a4fb69218d9fc865c563580501f4fd78a225ea
Instruction Fuzzy Hash: 10E1C670109B888FDBF8DF64CC86BEB7BA5FB44346F10651DD84A8A290DBB46645CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180027F9C Relevance: 5.2, Strings: 4, Instructions: 237COMMON

Download Yara Rule

Strings

LsRW, xrefs: 000000018002820A
>97", xrefs: 0000000180028161
?, xrefs: 0000000180027FC1
~x, xrefs: 0000000180028423

Memory Dump Source

Source File: 00000003.00000002.395299440.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: >97"$?$LsRW$~x
API String ID: 0-2554301858
Opcode ID: b37088c51263af6e06ebf62d89f1bff1b13e76a95d3b3fa096a3ef4bda325288
Instruction ID: eb38a845d203af82144c13b3f151f5fa827cd0cb8678597ee03ac1a376820114
Opcode Fuzzy Hash: b37088c51263af6e06ebf62d89f1bff1b13e76a95d3b3fa096a3ef4bda325288
Instruction Fuzzy Hash: E1D1E7705067C8CBEBBADFA4D885BCD3BA8FB44744F106219EC4AEA250DB745749CB01

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180010758 Relevance: 5.2, Strings: 4, Instructions: 222COMMON

Download Yara Rule

Strings

B, xrefs: 0000000180010AEC
EG, xrefs: 000000018001082C
QsF, xrefs: 0000000180010894
_, xrefs: 0000000180010A56

Memory Dump Source

Source File: 00000003.00000002.395299440.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: B$EG$QsF$_
API String ID: 0-784369960
Opcode ID: 2411b4f18f6ae95c167793a9182b69dfaeb4b2ef39c1ac24af76ef798b153418
Instruction ID: 62dbbc71664ee0946fffbba3b71afe09b12d9ffe0d1744d6deb9db65ff0cd9cc
Opcode Fuzzy Hash: 2411b4f18f6ae95c167793a9182b69dfaeb4b2ef39c1ac24af76ef798b153418
Instruction Fuzzy Hash: 3FB1387010468D8FDF88DF28C88A6DA3FA1FB68388F614219FC4A97250C778D694CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180020334 Relevance: 5.2, Strings: 4, Instructions: 190COMMON

Download Yara Rule

Strings

-`G, xrefs: 00000001800206A2
Z`35, xrefs: 00000001800205D3
., xrefs: 00000001800206DC
5B.Y, xrefs: 000000018002045A

Memory Dump Source

Source File: 00000003.00000002.395299440.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: -`G$.$5B.Y$Z`35
API String ID: 0-1363032466
Opcode ID: bf60aa8e83620137796280cd5bd0e9d08ed9dd04dd302297e234b85e3718d0fd
Instruction ID: b244d414363a4385de25ad5610b22aaac7fb2f2c92cf8150697ad32e565f4bd8
Opcode Fuzzy Hash: bf60aa8e83620137796280cd5bd0e9d08ed9dd04dd302297e234b85e3718d0fd
Instruction Fuzzy Hash: 29A1FB716157888FEB7ADF24C89A7CE7BE1FB49308F40461DD98E8A250D7B49609CB42

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000EE98 Relevance: 5.2, Strings: 4, Instructions: 167COMMON

Download Yara Rule

Strings

*+_, xrefs: 000000018000EF25
WSh, xrefs: 000000018000EEF0
\O, xrefs: 000000018000F046
#o, xrefs: 000000018000EFD8

Memory Dump Source

Source File: 00000003.00000002.395299440.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: *+_$WSh$\O$#o
API String ID: 0-1846314129
Opcode ID: 2b55738af9202b4623c877c52658b874745984570bac3296ae94d1111b904a17
Instruction ID: 175ce4bc0e22c7a636d32034be2bbb8ad42f6b3cb6a748f64f507b7f0b29ed37
Opcode Fuzzy Hash: 2b55738af9202b4623c877c52658b874745984570bac3296ae94d1111b904a17
Instruction Fuzzy Hash: 1971167160474ECFCB98DF18C489ADA3BE1FB58318F414529FC09A7264DB74DAA8CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180024D80 Relevance: 5.2, Strings: 4, Instructions: 155COMMON

Download Yara Rule

Strings

\<, xrefs: 0000000180024E9B
O, xrefs: 0000000180024F9B
.B, xrefs: 0000000180025032
M*K, xrefs: 0000000180024E36

Memory Dump Source

Source File: 00000003.00000002.395299440.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: .B$O$M*K$\<
API String ID: 0-3225238681
Opcode ID: 97d1f14c936b4c6fd28126f9270f10017570076f2259e30e0790da2a5d8d89f7
Instruction ID: 95d2fbb8f7fe970b1359d27f41ccd6aad584115d4fee043204e0c0f4c3f3b287
Opcode Fuzzy Hash: 97d1f14c936b4c6fd28126f9270f10017570076f2259e30e0790da2a5d8d89f7
Instruction Fuzzy Hash: 7181E370549788CFEBBACF24C886BDE7BE4FB48744F20461DE85A8A260DB709645CF41

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002A42C Relevance: 5.1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

~O, xrefs: 000000018002A626
$, xrefs: 000000018002A477
xVO, xrefs: 000000018002A587
$, xrefs: 000000018002A454

Memory Dump Source

Source File: 00000003.00000002.395299440.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $$$$xVO$~O
API String ID: 0-3655128719
Opcode ID: f0a1fe130e7a88269555c94ae3afa6992adf671055acde803b367a0cf8dc4998
Instruction ID: 8f78542db34460f4381821bab2b7e4f68a699ed7f8b2fc47c959991f0b02677a
Opcode Fuzzy Hash: f0a1fe130e7a88269555c94ae3afa6992adf671055acde803b367a0cf8dc4998
Instruction Fuzzy Hash: 5B61D1B05187448FD369DF28C18965BBBF1FBC6744F008A1EF6868A260DB76D948CB47

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800024B8 Relevance: 5.1, Strings: 4, Instructions: 79COMMON

Download Yara Rule

Strings

G, xrefs: 0000000180002557
,IW, xrefs: 0000000180002565
JMg, xrefs: 000000018000252F
l, xrefs: 0000000180002548

Memory Dump Source

Source File: 00000003.00000002.395299440.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ,IW$G$JMg$l
API String ID: 0-1370644289
Opcode ID: aa199bcfabd2ca119bc867395ae2bb0b970833e8ef3f83c28db76f19b2a25dac
Instruction ID: 7fb8b97fd43ed4dc52a467cdcf5cca41e6e56dbc92574a5c866222c6b731b82a
Opcode Fuzzy Hash: aa199bcfabd2ca119bc867395ae2bb0b970833e8ef3f83c28db76f19b2a25dac
Instruction Fuzzy Hash: 0A41D3B190074E8FCB48CF64C88A5DE7FB0FB18358F10461EE85AA6250D7B89695CFC9

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180018AB4 Relevance: 5.1, Strings: 4, Instructions: 119COMMON

Download Yara Rule

Strings

i`}G, xrefs: 0000000180018BFA
,, xrefs: 0000000180018B66
,, xrefs: 0000000180018C14
2S=, xrefs: 0000000180018BF3

Memory Dump Source

Source File: 00000003.00000002.395299440.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ,$,$2S=$i`}G
API String ID: 0-4285990414
Opcode ID: 1704a5678c6fc7c63ed33a4399dbb19a0648d0f8b4dca33206a3e55e43de3fb6
Instruction ID: 665cb0e6160ce90faac3fa7baf9a16caae401c848b442bb7533a8cc1fd62885f
Opcode Fuzzy Hash: 1704a5678c6fc7c63ed33a4399dbb19a0648d0f8b4dca33206a3e55e43de3fb6
Instruction Fuzzy Hash: 4D41E57051CB848FD7B4DF18D486BDABBE0FB98750F40495EE48DC3251DBB0A8858B86

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exePID: 3504, Parent PID: 7072COMMON

Execution Graph

Execution Coverage:	10.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	11
Total number of Limit Nodes:	0

Executed Functions

Function 0000013444F80000 Relevance: 76.3, APIs: 5, Strings: 38, Instructions: 1094
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 0000013444F80450
GetNativeSystemInfo.KERNELBASE ref: 0000013444F80539
VirtualAlloc.KERNELBASE ref: 0000013444F80580
VirtualProtect.KERNELBASE ref: 0000013444F809E9
RtlAddFunctionTable.KERNEL32 ref: 0000013444F80A79

Strings

Flus, xrefs: 0000013444F80113
Size, xrefs: 0000013444F80311
urce, xrefs: 0000013444F802E7
aryA, xrefs: 0000013444F800D8
Free, xrefs: 0000013444F8034D
truc, xrefs: 0000013444F80121
onTa, xrefs: 0000013444F80171
ualA, xrefs: 0000013444F800E8
RtlA, xrefs: 0000013444F8015C
Virt, xrefs: 0000013444F800F8
Slee, xrefs: 0000013444F800B7
Libr, xrefs: 0000013444F800D0
tion, xrefs: 0000013444F80128
rote, xrefs: 0000013444F80106
temI, xrefs: 0000013444F8014B
eSys, xrefs: 0000013444F80144
urce, xrefs: 0000013444F80304
Reso, xrefs: 0000013444F80338
Load, xrefs: 0000013444F802F4
Load, xrefs: 0000013444F800C8
hIns, xrefs: 0000013444F8011A
ualP, xrefs: 0000013444F800FF
Reso, xrefs: 0000013444F802FC
Find, xrefs: 0000013444F802D0
Virt, xrefs: 0000013444F800E0
Cach, xrefs: 0000013444F8012F
ativ, xrefs: 0000013444F8013D
Reso, xrefs: 0000013444F80355
ddFu, xrefs: 0000013444F80163
ofRe, xrefs: 0000013444F80318
Reso, xrefs: 0000013444F802DB
urce, xrefs: 0000013444F8035D
urce, xrefs: 0000013444F80340
Lock, xrefs: 0000013444F80330
ncti, xrefs: 0000013444F8016A
sour, xrefs: 0000013444F8031F
lloc, xrefs: 0000013444F800F0
GetN, xrefs: 0000013444F80136

Memory Dump Source

Source File: 00000004.00000002.398812249.0000013444F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000013444F80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13444f80000_rundll32.jbxd

Similarity

API ID: Virtual$Alloc$FunctionInfoNativeProtectSystemTable
String ID: Cach$Find$Flus$Free$GetN$Libr$Load$Load$Lock$Reso$Reso$Reso$Reso$RtlA$Size$Slee$Virt$Virt$aryA$ativ$ddFu$eSys$hIns$lloc$ncti$ofRe$onTa$rote$sour$temI$tion$truc$ualA$ualP$urce$urce$urce$urce
API String ID: 394283112-2517549848
Opcode ID: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
Instruction ID: 4f0b4efdf5e04b55533d5d0074668bd336050d681c6a6759f94a975c93b7d2b2
Opcode Fuzzy Hash: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
Instruction Fuzzy Hash: 8E72C030618B488FDB69DF18C8857F9B7E0FB98314F51462DE88AD7251DB34E642CB86

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002C058 Relevance: 10.4, Strings: 8, Instructions: 370
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

-:, xrefs: 000000018002C100
#C, xrefs: 000000018002C55D
l, xrefs: 000000018002C1F5
Ekf, xrefs: 000000018002C0CA
Z, xrefs: 000000018002C36B
l, xrefs: 000000018002C347
(I, xrefs: 000000018002C62C
<W, xrefs: 000000018002C1D0

Memory Dump Source

Source File: 00000004.00000002.398034910.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: #C$(I$-:$Ekf$<W$Z$l$l
API String ID: 0-464535774
Opcode ID: d8792019bb8cd892c5e2cff0ba87425d7977148afb5a5f987cda1e45d5ff9126
Instruction ID: edc4d0e98499d5b5adff65828f8d1fd2ac7ce79502a6533da94e18623254a36a
Opcode Fuzzy Hash: d8792019bb8cd892c5e2cff0ba87425d7977148afb5a5f987cda1e45d5ff9126
Instruction Fuzzy Hash: C102E3B151038CDBCB99DF28C8CAADD3BA1FB48398F956219FD0697260D774D884CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180010FF4 Relevance: 7.9, Strings: 6, Instructions: 363
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

)|x, xrefs: 000000018001168C
lA, xrefs: 0000000180011819
OV4T, xrefs: 0000000180011307
\, xrefs: 0000000180011205
/v|, xrefs: 00000001800113E2
/Zb, xrefs: 000000018001119F

Memory Dump Source

Source File: 00000004.00000002.398034910.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: )|x$/Zb$/v|$OV4T$\$lA
API String ID: 0-3528011396
Opcode ID: 74ea3d61a93069fa3a56a5f8f60d4b0c7eeb5b014d6ac06c6862fd203c8e6463
Instruction ID: 5dbdb21e6b24644f90705741d0e2e2cc24c858ca1caac6c8284349b4f9dc1789
Opcode Fuzzy Hash: 74ea3d61a93069fa3a56a5f8f60d4b0c7eeb5b014d6ac06c6862fd203c8e6463
Instruction Fuzzy Hash: 8C2204705097C8CBDBBECF64C885BDA7BA8FB44B08F10521DEA4A9E258DB745744CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180021618 Relevance: 7.8, Strings: 6, Instructions: 266
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

F>9, xrefs: 0000000180021937
)O, xrefs: 000000018002164B
.pN, xrefs: 0000000180021AE0
&.+, xrefs: 000000018002180B
t(/, xrefs: 0000000180021ABB
, xrefs: 00000001800219DA

Memory Dump Source

Source File: 00000004.00000002.398034910.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $&.+$)O$.pN$F>9$t(/
API String ID: 0-3036092626
Opcode ID: 549a8b626face2190b4149bba4d09d4cb88f6d29378e8937dde350adb7fd5a83
Instruction ID: e4baced68933c0a0796cf32b330105f1a6d3ed4de4784e8c7f389f9334031704
Opcode Fuzzy Hash: 549a8b626face2190b4149bba4d09d4cb88f6d29378e8937dde350adb7fd5a83
Instruction Fuzzy Hash: E6E109716093C89FEBBACF24C8897DE7BA1FB59344F50421DD88A8E250DB745B49CB42

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000C608 Relevance: 5.6, Strings: 4, Instructions: 616
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

sf, xrefs: 000000018000CE95
+#;), xrefs: 000000018000CBDA
w\H, xrefs: 000000018000C959
K', xrefs: 000000018000CAC7

Memory Dump Source

Source File: 00000004.00000002.398034910.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: +#;)$K'$sf$w\H
API String ID: 0-1051058546
Opcode ID: 6c53062de77b202a7a918e5f4038520a98252693d28bf41343123917f80ba32c
Instruction ID: 30c6111824d62709d88844cae5ccd518ea343406d57bec7882368cdc1c6a6611
Opcode Fuzzy Hash: 6c53062de77b202a7a918e5f4038520a98252693d28bf41343123917f80ba32c
Instruction Fuzzy Hash: 8362F97050068D8FDB48DF28C89A6DD3FA1FB58388F524229FC4AA7251D778D999CBC4

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001E3AC Relevance: 4.0, Strings: 3, Instructions: 215
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

<4P, xrefs: 000000018001E690
<w., xrefs: 000000018001E582
<8, xrefs: 000000018001E63C

Memory Dump Source

Source File: 00000004.00000002.398034910.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: <4P$<8$<w.
API String ID: 0-1030867500
Opcode ID: 6c4ff939f0d35883aefbb319d4430fd67387b4e339adb0f797cabce8c6a4bf31
Instruction ID: 97d266913d6b0fd63d839b3c54903fd41a2ccd22a8a26fffcb9587bfe3b6431f
Opcode Fuzzy Hash: 6c4ff939f0d35883aefbb319d4430fd67387b4e339adb0f797cabce8c6a4bf31
Instruction Fuzzy Hash: C8B1E17151A384ABD788CF28C1C994BBBE1FBD4754F906A1DF8C68B260D7B0D948CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180009100 Relevance: .1, Instructions: 125
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.398034910.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9400724a362ecc304d993d2fe4c896d101fab294f6d1cf34a07a96bc2a8ce181
Instruction ID: 281782cf28aa09d34d334260f991d1b96cfbd8271b51b9b7c31761fd0664cb75
Opcode Fuzzy Hash: 9400724a362ecc304d993d2fe4c896d101fab294f6d1cf34a07a96bc2a8ce181
Instruction Fuzzy Hash: 4B51EC715087889BCBB8DF18C9856CA7BF0FF95704F50891DE9898B250DF719A44DB42

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0000000180022010 Relevance: 9.0, Strings: 7, Instructions: 235
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

]k, xrefs: 0000000180022069
]k, xrefs: 000000018002232E
M8;, xrefs: 0000000180022338
1l7., xrefs: 00000001800220AF
"+H, xrefs: 000000018002236A
94, xrefs: 0000000180022371
]$d, xrefs: 00000001800220D6

Memory Dump Source

Source File: 00000004.00000002.398034910.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: "+H$1l7.$M8;$]$d$]k$]k$94
API String ID: 0-2447245168
Opcode ID: 3fd6bef9004380659c47559ba6e3d81fe5eea7f701e849f333ef0deba45e7d13
Instruction ID: 1221e244f5383d3e6569bf50eb566ee92e7d288cf12f4405919b94e37960c7a7
Opcode Fuzzy Hash: 3fd6bef9004380659c47559ba6e3d81fe5eea7f701e849f333ef0deba45e7d13
Instruction Fuzzy Hash: 3FB10D7160130CCBDBA9DF28C18A6DA3BE1FF48748F114129FD1A97261D774E919CB46

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800059B8 Relevance: 7.9, Strings: 6, Instructions: 408
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

-!zt, xrefs: 0000000180005BD7
R3T, xrefs: 0000000180005C59
t:v, xrefs: 0000000180005E76
d}9J, xrefs: 0000000180006179
ru, xrefs: 000000018000623C
Mv`b, xrefs: 0000000180005D4E

Memory Dump Source

Source File: 00000004.00000002.398034910.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: -!zt$Mv`b$R3T$d}9J$t:v$ru
API String ID: 0-2100131636
Opcode ID: e0551372703c1c57f1fc0d9d1de0f1be02ef62f192bed394747547d409ac2d0a
Instruction ID: abddbd47ac15f5a8ffacaf8e31a06efd054a3dbd2afb1a66e8bbaa14beb483a4
Opcode Fuzzy Hash: e0551372703c1c57f1fc0d9d1de0f1be02ef62f192bed394747547d409ac2d0a
Instruction Fuzzy Hash: C1221BB050478C8BDBB8CF64C9897DD7BB0FB44308F10862DDA5AAB250CBB45686CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180013780 Relevance: 7.8, Strings: 6, Instructions: 323
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$, xrefs: 0000000180013C6D
lmq, xrefs: 0000000180013A6B
kO, xrefs: 000000018001387E
tro, xrefs: 00000001800139A0
lbzZ, xrefs: 0000000180013863
"`2, xrefs: 00000001800139CE

Memory Dump Source

Source File: 00000004.00000002.398034910.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $$"`2$lbzZ$lmq$tro$kO
API String ID: 0-2401169580
Opcode ID: b22a75222821f6640e36d1476563fd6974371582067e8c17588d676730c46316
Instruction ID: 279b0f6eedbbacd77816cba7ac57bf6919de5fbe0bc464da326619847ce4fcd1
Opcode Fuzzy Hash: b22a75222821f6640e36d1476563fd6974371582067e8c17588d676730c46316
Instruction Fuzzy Hash: BBF1C3709047488FDBA8DFA8D9867DDBBB1FB48304F20821DD84AEB255DB749A49CF41

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000FC48 Relevance: 6.7, Strings: 5, Instructions: 447
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

EX., xrefs: 000000018001032D
)#?, xrefs: 0000000180010418
UbA, xrefs: 00000001800103C4
PT, xrefs: 000000018001038A
2f, xrefs: 000000018001051C

Memory Dump Source

Source File: 00000004.00000002.398034910.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: )#?$EX.$PT$UbA$2f
API String ID: 0-1318892062
Opcode ID: f9a85fa51538b1a6c0e22373df85dddbbc427f24166f886711afb0f01761c199
Instruction ID: a9b5704be98d3dd027f678fe08c59eda011257bdda9cf4ed25ea0f7660729633
Opcode Fuzzy Hash: f9a85fa51538b1a6c0e22373df85dddbbc427f24166f886711afb0f01761c199
Instruction Fuzzy Hash: 8B320DB190078C8BDBB8CF64C8856DD7BF0FB48318F50852DEA1A9B251DBB45685CF98

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001FC0C Relevance: 6.6, Strings: 5, Instructions: 400
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

?F, xrefs: 0000000180020023
tZp, xrefs: 000000018001FFAF
QP|m, xrefs: 000000018001FCBC
$T, xrefs: 000000018001FF09
qjf, xrefs: 000000018001FD57

Memory Dump Source

Source File: 00000004.00000002.398034910.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $T$?F$QP|m$qjf$tZp
API String ID: 0-3477398917
Opcode ID: a2afc25ca6c2e6ca488c7a804df3743aa45b21aa43371557c2da8ddda12b60f7
Instruction ID: e54beaa769b94aae3cb673a52a2b60ade73482c6e5d3d936cdc9b6ae13d51efd
Opcode Fuzzy Hash: a2afc25ca6c2e6ca488c7a804df3743aa45b21aa43371557c2da8ddda12b60f7
Instruction Fuzzy Hash: 0B122870A0470CDFCF69DFA8C08A6DDBBF2FB44344F1091A9E816AB261D7759A19CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180016D3C Relevance: 6.6, Strings: 5, Instructions: 379COMMON

Download Yara Rule

Strings

k&(, xrefs: 0000000180017125
JQ, xrefs: 0000000180016D72
v, xrefs: 00000001800170BE
x\J, xrefs: 00000001800171C3
t, xrefs: 0000000180017275

Memory Dump Source

Source File: 00000004.00000002.398034910.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: JQ$k&($t$v$x\J
API String ID: 0-1134872184
Opcode ID: e2b118cac14b957c819117e18deb076f69f9d4e25580e92a2151fd03385e5a66
Instruction ID: 7c1fd17b310acde7e359d6be57bcfb6c2dd011f2caef592e77d3cba241376f6b
Opcode Fuzzy Hash: e2b118cac14b957c819117e18deb076f69f9d4e25580e92a2151fd03385e5a66
Instruction Fuzzy Hash: F312E0B0504709EFCB99DF28C18AADE7BF0FB48308F40812AF80A9B254D774DA58DB45

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000703C Relevance: 6.3, Strings: 5, Instructions: 87COMMON

Download Yara Rule

Strings

R, xrefs: 00000001800070D3
?rIc, xrefs: 000000018000710E
V, xrefs: 0000000180007053
)H8, xrefs: 000000018000709E
L==, xrefs: 0000000180007159

Memory Dump Source

Source File: 00000004.00000002.398034910.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: R$)H8$?rIc$L==$V
API String ID: 0-2512384441
Opcode ID: 0d280c2f9ee604a9d8763362a2e2c249d7a205bc5c068130deea404b5e8e02a7
Instruction ID: 6f6f9af97a41f07aad9f9d1cbd67af5334817a93c453241fb2a5d498ae2065c2
Opcode Fuzzy Hash: 0d280c2f9ee604a9d8763362a2e2c249d7a205bc5c068130deea404b5e8e02a7
Instruction Fuzzy Hash: 3541D0B090074E8BCF48CF64D49A5DE7FB0FB68398F20421DE856A6250D3B896A5CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800119A8 Relevance: 6.3, Strings: 5, Instructions: 63COMMON

Download Yara Rule

Strings

bt, xrefs: 0000000180011A1E
S, xrefs: 0000000180011A92
Qq, xrefs: 0000000180011A84
+, xrefs: 00000001800119DA
vird, xrefs: 00000001800119C2

Memory Dump Source

Source File: 00000004.00000002.398034910.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: Qq$bt$vird$+$S
API String ID: 0-3373980505
Opcode ID: 46bb33aa035ecbbdf74cf68df8db4d7c020810c30b71dbb4fbdebc27907f7b4b
Instruction ID: 8c34661c01ca41a1498f33dadfb9b2381b3c020394efcb6cfebc1cbd8490f91c
Opcode Fuzzy Hash: 46bb33aa035ecbbdf74cf68df8db4d7c020810c30b71dbb4fbdebc27907f7b4b
Instruction Fuzzy Hash: 8831C2B081038A8FDB45CF64C88A5DE7BF0FB58358F115A19F869A6250D3B4D668CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180011AD0 Relevance: 5.3, Strings: 4, Instructions: 335COMMON

Download Yara Rule

Strings

^_", xrefs: 0000000180011D6E
@, xrefs: 0000000180011F6B
V, xrefs: 0000000180011B81
P9, xrefs: 0000000180011DC0

Memory Dump Source

Source File: 00000004.00000002.398034910.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: V$@$P9$^_"
API String ID: 0-1880944046
Opcode ID: 14fe4b6354f8c882e246ec0bcf45ce0c6e4a33b057813c2d4cef38f5cb1d7b15
Instruction ID: ef3f81825b514374c5d287d432cdf068934c0dc0259921085eace1de493a05f6
Opcode Fuzzy Hash: 14fe4b6354f8c882e246ec0bcf45ce0c6e4a33b057813c2d4cef38f5cb1d7b15
Instruction Fuzzy Hash: B6F1DF70504749EFCB98CF28D18AACE7BE0FB48348F50812AF81A9B264D770DA59DB45

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800132F0 Relevance: 5.3, Strings: 4, Instructions: 312COMMON

Download Yara Rule

Strings

b/, xrefs: 000000018001347F
F)k, xrefs: 000000018001336C
syG, xrefs: 000000018001339D
=_, xrefs: 00000001800136EB

Memory Dump Source

Source File: 00000004.00000002.398034910.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: =_$F)k$b/$syG
API String ID: 0-3955183656
Opcode ID: a0c8fbb251499c36d1c33fbfac3bbb926034851086b3556ae4bae43476727e6a
Instruction ID: 3a63fdd7148b145f5d2717dabea2a2fa508061acbcc25a132c341bfe6e9ad30f
Opcode Fuzzy Hash: a0c8fbb251499c36d1c33fbfac3bbb926034851086b3556ae4bae43476727e6a
Instruction Fuzzy Hash: DED12771A0478D8BCF59DFA8C88A6EEBBB0FB48344F10421DE846A7650D7B4D909CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002D70 Relevance: 5.3, Strings: 4, Instructions: 266COMMON

Download Yara Rule

Strings

iJ6, xrefs: 0000000180003091
'Xsa, xrefs: 0000000180002EA2
#X, xrefs: 0000000180002E74
vG, xrefs: 000000018000316F

Memory Dump Source

Source File: 00000004.00000002.398034910.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: #X$'Xsa$iJ6$vG
API String ID: 0-746338152
Opcode ID: 05ea12fd72043b3df7b90193803f13f9b9661e31632ee757fcd333ad07ef3f6f
Instruction ID: 8ba50615c78112980223cca8f04f1fa67c4b69ee5a809e4e0bd2b8ae6832a1bb
Opcode Fuzzy Hash: 05ea12fd72043b3df7b90193803f13f9b9661e31632ee757fcd333ad07ef3f6f
Instruction Fuzzy Hash: 93E154B590070DDFCB88DF68D19A9DD7BB9BB49308F404029FC0E9A264D3B4E919CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800097C0 Relevance: 5.3, Strings: 4, Instructions: 257COMMON

Download Yara Rule

Strings

]2, xrefs: 0000000180009CC2
MIC, xrefs: 0000000180009BF0
-Z, xrefs: 0000000180009D06
*i^, xrefs: 0000000180009A7A

Memory Dump Source

Source File: 00000004.00000002.398034910.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: *i^$MIC$-Z$]2
API String ID: 0-498664264
Opcode ID: db11ef6343568e39e87295be28a4fb69218d9fc865c563580501f4fd78a225ea
Instruction ID: 9792ecb135b2155067e966d5e38dbf4f409fde80c29e70d57d2078ebe1ce15c6
Opcode Fuzzy Hash: db11ef6343568e39e87295be28a4fb69218d9fc865c563580501f4fd78a225ea
Instruction Fuzzy Hash: 10E1C670109B888FDBF8DF64CC86BEB7BA5FB44346F10651DD84A8A290DBB46645CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180010758 Relevance: 5.2, Strings: 4, Instructions: 222COMMON

Download Yara Rule

Strings

B, xrefs: 0000000180010AEC
_, xrefs: 0000000180010A56
EG, xrefs: 000000018001082C
QsF, xrefs: 0000000180010894

Memory Dump Source

Source File: 00000004.00000002.398034910.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: B$EG$QsF$_
API String ID: 0-784369960
Opcode ID: 2411b4f18f6ae95c167793a9182b69dfaeb4b2ef39c1ac24af76ef798b153418
Instruction ID: 62dbbc71664ee0946fffbba3b71afe09b12d9ffe0d1744d6deb9db65ff0cd9cc
Opcode Fuzzy Hash: 2411b4f18f6ae95c167793a9182b69dfaeb4b2ef39c1ac24af76ef798b153418
Instruction Fuzzy Hash: 3FB1387010468D8FDF88DF28C88A6DA3FA1FB68388F614219FC4A97250C778D694CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180020334 Relevance: 5.2, Strings: 4, Instructions: 190COMMON

Download Yara Rule

Strings

Z`35, xrefs: 00000001800205D3
5B.Y, xrefs: 000000018002045A
-`G, xrefs: 00000001800206A2
., xrefs: 00000001800206DC

Memory Dump Source

Source File: 00000004.00000002.398034910.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: -`G$.$5B.Y$Z`35
API String ID: 0-1363032466
Opcode ID: bf60aa8e83620137796280cd5bd0e9d08ed9dd04dd302297e234b85e3718d0fd
Instruction ID: b244d414363a4385de25ad5610b22aaac7fb2f2c92cf8150697ad32e565f4bd8
Opcode Fuzzy Hash: bf60aa8e83620137796280cd5bd0e9d08ed9dd04dd302297e234b85e3718d0fd
Instruction Fuzzy Hash: 29A1FB716157888FEB7ADF24C89A7CE7BE1FB49308F40461DD98E8A250D7B49609CB42

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000EE98 Relevance: 5.2, Strings: 4, Instructions: 167COMMON

Download Yara Rule

Strings

\O, xrefs: 000000018000F046
*+_, xrefs: 000000018000EF25
WSh, xrefs: 000000018000EEF0
#o, xrefs: 000000018000EFD8

Memory Dump Source

Source File: 00000004.00000002.398034910.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: *+_$WSh$\O$#o
API String ID: 0-1846314129
Opcode ID: 2b55738af9202b4623c877c52658b874745984570bac3296ae94d1111b904a17
Instruction ID: 175ce4bc0e22c7a636d32034be2bbb8ad42f6b3cb6a748f64f507b7f0b29ed37
Opcode Fuzzy Hash: 2b55738af9202b4623c877c52658b874745984570bac3296ae94d1111b904a17
Instruction Fuzzy Hash: 1971167160474ECFCB98DF18C489ADA3BE1FB58318F414529FC09A7264DB74DAA8CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180024D80 Relevance: 5.2, Strings: 4, Instructions: 155COMMON

Download Yara Rule

Strings

O, xrefs: 0000000180024F9B
M*K, xrefs: 0000000180024E36
\<, xrefs: 0000000180024E9B
.B, xrefs: 0000000180025032

Memory Dump Source

Source File: 00000004.00000002.398034910.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: .B$O$M*K$\<
API String ID: 0-3225238681
Opcode ID: 97d1f14c936b4c6fd28126f9270f10017570076f2259e30e0790da2a5d8d89f7
Instruction ID: 95d2fbb8f7fe970b1359d27f41ccd6aad584115d4fee043204e0c0f4c3f3b287
Opcode Fuzzy Hash: 97d1f14c936b4c6fd28126f9270f10017570076f2259e30e0790da2a5d8d89f7
Instruction Fuzzy Hash: 7181E370549788CFEBBACF24C886BDE7BE4FB48744F20461DE85A8A260DB709645CF41

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002A42C Relevance: 5.1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

~O, xrefs: 000000018002A626
xVO, xrefs: 000000018002A587
$, xrefs: 000000018002A454
$, xrefs: 000000018002A477

Memory Dump Source

Source File: 00000004.00000002.398034910.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $$$$xVO$~O
API String ID: 0-3655128719
Opcode ID: f0a1fe130e7a88269555c94ae3afa6992adf671055acde803b367a0cf8dc4998
Instruction ID: 8f78542db34460f4381821bab2b7e4f68a699ed7f8b2fc47c959991f0b02677a
Opcode Fuzzy Hash: f0a1fe130e7a88269555c94ae3afa6992adf671055acde803b367a0cf8dc4998
Instruction Fuzzy Hash: 5B61D1B05187448FD369DF28C18965BBBF1FBC6744F008A1EF6868A260DB76D948CB47

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800024B8 Relevance: 5.1, Strings: 4, Instructions: 79COMMON

Download Yara Rule

Strings

JMg, xrefs: 000000018000252F
l, xrefs: 0000000180002548
,IW, xrefs: 0000000180002565
G, xrefs: 0000000180002557

Memory Dump Source

Source File: 00000004.00000002.398034910.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ,IW$G$JMg$l
API String ID: 0-1370644289
Opcode ID: aa199bcfabd2ca119bc867395ae2bb0b970833e8ef3f83c28db76f19b2a25dac
Instruction ID: 7fb8b97fd43ed4dc52a467cdcf5cca41e6e56dbc92574a5c866222c6b731b82a
Opcode Fuzzy Hash: aa199bcfabd2ca119bc867395ae2bb0b970833e8ef3f83c28db76f19b2a25dac
Instruction Fuzzy Hash: 0A41D3B190074E8FCB48CF64C88A5DE7FB0FB18358F10461EE85AA6250D7B89695CFC9

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180018AB4 Relevance: 5.1, Strings: 4, Instructions: 119COMMON

Download Yara Rule

Strings

i`}G, xrefs: 0000000180018BFA
,, xrefs: 0000000180018B66
2S=, xrefs: 0000000180018BF3
,, xrefs: 0000000180018C14

Memory Dump Source

Source File: 00000004.00000002.398034910.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ,$,$2S=$i`}G
API String ID: 0-4285990414
Opcode ID: 1704a5678c6fc7c63ed33a4399dbb19a0648d0f8b4dca33206a3e55e43de3fb6
Instruction ID: 665cb0e6160ce90faac3fa7baf9a16caae401c848b442bb7533a8cc1fd62885f
Opcode Fuzzy Hash: 1704a5678c6fc7c63ed33a4399dbb19a0648d0f8b4dca33206a3e55e43de3fb6
Instruction Fuzzy Hash: 4D41E57051CB848FD7B4DF18D486BDABBE0FB98750F40495EE48DC3251DBB0A8858B86

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: regsvr32.exePID: 6392, Parent PID: 7136COMMON

Execution Graph

Execution Coverage:	18.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	5%
Total number of Nodes:	80
Total number of Limit Nodes:	9

Executed Functions

Function 01380000 Relevance: 76.3, APIs: 5, Strings: 38, Instructions: 1094
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 01380450
GetNativeSystemInfo.KERNELBASE ref: 01380539
VirtualAlloc.KERNELBASE ref: 01380580
VirtualProtect.KERNELBASE ref: 013809E9
RtlAddFunctionTable.KERNEL32 ref: 01380A79

Strings

ddFu, xrefs: 01380163
Reso, xrefs: 013802FC
Size, xrefs: 01380311
Flus, xrefs: 01380113
Reso, xrefs: 013802DB
urce, xrefs: 01380304
rote, xrefs: 01380106
Slee, xrefs: 013800B7
urce, xrefs: 0138035D
Load, xrefs: 013802F4
aryA, xrefs: 013800D8
truc, xrefs: 01380121
temI, xrefs: 0138014B
onTa, xrefs: 01380171
Load, xrefs: 013800C8
ualA, xrefs: 013800E8
Cach, xrefs: 0138012F
urce, xrefs: 01380340
ativ, xrefs: 0138013D
ncti, xrefs: 0138016A
Reso, xrefs: 01380338
hIns, xrefs: 0138011A
GetN, xrefs: 01380136
ualP, xrefs: 013800FF
Virt, xrefs: 013800F8
RtlA, xrefs: 0138015C
tion, xrefs: 01380128
Libr, xrefs: 013800D0
lloc, xrefs: 013800F0
Find, xrefs: 013802D0
Virt, xrefs: 013800E0
urce, xrefs: 013802E7
ofRe, xrefs: 01380318
eSys, xrefs: 01380144
Free, xrefs: 0138034D
Reso, xrefs: 01380355
sour, xrefs: 0138031F
Lock, xrefs: 01380330

Memory Dump Source

Source File: 00000006.00000002.775291763.0000000001380000.00000040.00001000.00020000.00000000.sdmp, Offset: 01380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1380000_regsvr32.jbxd

Similarity

API ID: Virtual$Alloc$FunctionInfoNativeProtectSystemTable
String ID: Cach$Find$Flus$Free$GetN$Libr$Load$Load$Lock$Reso$Reso$Reso$Reso$RtlA$Size$Slee$Virt$Virt$aryA$ativ$ddFu$eSys$hIns$lloc$ncti$ofRe$onTa$rote$sour$temI$tion$truc$ualA$ualP$urce$urce$urce$urce
API String ID: 394283112-2517549848
Opcode ID: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
Instruction ID: b58542cac88ff7cf5ce3f3525afcab7f742f988836be07e1ecb94fcab51f9f8e
Opcode Fuzzy Hash: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
Instruction Fuzzy Hash: BC72C331618B488FDB2DEF18C8856B9B7E1FB98309F14462DE8CAD7211DB34D586CB85

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000D26C Relevance: 7.9, Strings: 6, Instructions: 361
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

n, xrefs: 000000018000D64B
^c, xrefs: 000000018000D7F1
Ec;, xrefs: 000000018000D485
J, xrefs: 000000018000D653
#X, xrefs: 000000018000D803
^c, xrefs: 000000018000D2F5

Memory Dump Source

Source File: 00000006.00000002.776811676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #X$Ec;$J$^c$^c$n
API String ID: 0-2929744921
Opcode ID: 4bf1a5684c4273f47db2f7bfe37ec9194a020a583a1b353a94edbff9173a6149
Instruction ID: 2841c3f5e183e4376706155e5f630a85a86355917b0bfec54de2fd5c82beda78
Opcode Fuzzy Hash: 4bf1a5684c4273f47db2f7bfe37ec9194a020a583a1b353a94edbff9173a6149
Instruction Fuzzy Hash: DB0214705187C88BC798DFA8C48965EFBE1FB98744F108A1DF48687660DBF4D948CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800132F0 Relevance: 5.3, Strings: 4, Instructions: 312
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

b/, xrefs: 000000018001347F
syG, xrefs: 000000018001339D
F)k, xrefs: 000000018001336C
=_, xrefs: 00000001800136EB

Memory Dump Source

Source File: 00000006.00000002.776811676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: =_$F)k$b/$syG
API String ID: 0-3955183656
Opcode ID: 78e362ff9fa706a76cdd339057cb87764c88e196f3f9d59d0d5946dc172ac972
Instruction ID: 3a63fdd7148b145f5d2717dabea2a2fa508061acbcc25a132c341bfe6e9ad30f
Opcode Fuzzy Hash: 78e362ff9fa706a76cdd339057cb87764c88e196f3f9d59d0d5946dc172ac972
Instruction Fuzzy Hash: DED12771A0478D8BCF59DFA8C88A6EEBBB0FB48344F10421DE846A7650D7B4D909CF85

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800046A8 Relevance: 2.7, Strings: 2, Instructions: 191COMMON

Download Yara Rule

Strings

5IF, xrefs: 0000000180004890
P)#, xrefs: 0000000180004995

Memory Dump Source

Source File: 00000006.00000002.776811676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 5IF$P)#
API String ID: 0-1025399686
Opcode ID: f542572e4f2ff63548a52b2cdf5e12f4f3f89a6a74df4dd4d6ea84f2146f04ed
Instruction ID: ff53fea05c8e9f3baddf865253a509f05c382ca6cc85a3c859ee45a04624b947
Opcode Fuzzy Hash: f542572e4f2ff63548a52b2cdf5e12f4f3f89a6a74df4dd4d6ea84f2146f04ed
Instruction Fuzzy Hash: 0B9182711197889FCBA9DF18C8857DEB7E0FB88744F90561DF84A8B260C7B4DA49CB42

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001CEC4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 89
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetConnectW.WININET ref: 000000018001D008

Strings

C, xrefs: 000000018001CFA7
:G?, xrefs: 000000018001CF7D

Memory Dump Source

Source File: 00000006.00000002.776811676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID: ConnectInternet
String ID: :G?$C
API String ID: 3050416762-1225920220
Opcode ID: 76a7b635ccb7068e30ecf2b503a3beb8f1d88f81d4224a3a6f9b87d06452e60c
Instruction ID: f2a8b8884ccc4c3404819a5ba5e10ed0cdd0f68caef2c301b3e7290f999a0a2a
Opcode Fuzzy Hash: 76a7b635ccb7068e30ecf2b503a3beb8f1d88f81d4224a3a6f9b87d06452e60c
Instruction Fuzzy Hash: 5941F67450CB888FD7A8DF18D0857AAB7E0FB98314F508A5EE8CDC7296DB749844CB46

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000FB00 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE ref: 000000018000FC2F

Strings

gF\, xrefs: 000000018000FBA2

Memory Dump Source

Source File: 00000006.00000002.776811676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: gF\
API String ID: 823142352-1982329323
Opcode ID: 7df644aaf73cc9bcde4b6fb7fa72ed7f80eca5e2f74ec0139d961ef78fad827b
Instruction ID: 218d4d5182cb26b0f36475523bc21bdebfc34a2f4da3002633262ff40041eb9b
Opcode Fuzzy Hash: 7df644aaf73cc9bcde4b6fb7fa72ed7f80eca5e2f74ec0139d961ef78fad827b
Instruction Fuzzy Hash: 1931697051C7848BD778DF28D48679ABBE0FB89304F10891EE88DC3352DB709885CB86

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000A4FC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

HttpOpenRequestW.WININET ref: 000000018000A612

Strings

:G?, xrefs: 000000018000A59A

Memory Dump Source

Source File: 00000006.00000002.776811676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID: HttpOpenRequest
String ID: :G?
API String ID: 1984915467-1508054202
Opcode ID: 21630c4fbef06d8aacd4c702dff3e94d0932750c237c7792a79e645746d5d1eb
Instruction ID: 60d2efcdc3634c8de813e735c521a1a1b2f1d3197bf379f764bafd55f5181dd8
Opcode Fuzzy Hash: 21630c4fbef06d8aacd4c702dff3e94d0932750c237c7792a79e645746d5d1eb
Instruction Fuzzy Hash: 83314E7060CB848FDBA8DF18D08679BB7E0FB98315F50455DE88CC7296DB789944CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180012B50 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET ref: 0000000180012C0A

Strings

:G?, xrefs: 0000000180012BAF

Memory Dump Source

Source File: 00000006.00000002.776811676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID: InternetOpen
String ID: :G?
API String ID: 2038078732-1508054202
Opcode ID: 73d4d0fe1beb5fabfcdff42c943db3c290933a411410652e7bad060f5d798a44
Instruction ID: c9298170b99e71c9961e7bb575de84f4b40d7dd1197e6373e1c7e5d4160ea6d3
Opcode Fuzzy Hash: 73d4d0fe1beb5fabfcdff42c943db3c290933a411410652e7bad060f5d798a44
Instruction Fuzzy Hash: 6F110A71518B888BD3A4DF64D48979BB7E1FB88319F50CA1DF4D9C6250DB788589CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180015E2C Relevance: 1.6, APIs: 1, Instructions: 88threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 0000000180015F50

Memory Dump Source

Source File: 00000006.00000002.776811676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: e7c4e665c3955ccb08a2ed1da7b867fe01ee184c9f438c553d3e32e703deb0b1
Instruction ID: c545beb4aab352fd45c13a3c06d211153dc7cc573a2023b45670cfe369ebb01f
Opcode Fuzzy Hash: e7c4e665c3955ccb08a2ed1da7b867fe01ee184c9f438c553d3e32e703deb0b1
Instruction Fuzzy Hash: 0731F67061CB448FD7A8DF68D48579ABBE0FB88304F508A5EE88CD7356DB349944CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180019A30 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

GetVolumeInformationW.KERNELBASE ref: 0000000180019B4B

Memory Dump Source

Source File: 00000006.00000002.776811676.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: 88af29f83271a8505691566097a2d6f523e627b34a42d7322f8369dcba0ae3fb
Instruction ID: 89e8e56e51c5a60af2ecd67268569f3ffacd31b875f751963744359e30ad4776
Opcode Fuzzy Hash: 88af29f83271a8505691566097a2d6f523e627b34a42d7322f8369dcba0ae3fb
Instruction Fuzzy Hash: 2B31407051CB448FD7A8DF18D4C579AB7E0FB88315F60855EE88CC7255CB749948CB86

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report r0hiaXHscs.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

HTTP Request Dependency Graph

HTTPS Proxied Packets

Windows Analysis Report
r0hiaXHscs.dll

Function 00560000 Relevance: 76.3, APIs: 5, Strings: 38, Instructions: 1094
memoryCOMMON

Function 000000018002C058 Relevance: 10.4, Strings: 8, Instructions: 370
COMMON

Function 0000000180007958 Relevance: 9.3, Strings: 7, Instructions: 551
COMMON

Function 0000000180010FF4 Relevance: 7.9, Strings: 6, Instructions: 363
COMMON

Function 0000000180021618 Relevance: 7.8, Strings: 6, Instructions: 266
COMMON

Function 0000000180028C20 Relevance: 6.6, Strings: 5, Instructions: 335
COMMON

Function 000000018000C608 Relevance: 5.6, Strings: 4, Instructions: 616
COMMON

Function 000000018001E3AC Relevance: 4.0, Strings: 3, Instructions: 215
COMMON

Function 00007FFF21BB3EEC Relevance: 15.1, APIs: 10, Instructions: 121
COMMON