Edit tour

Windows Analysis Report
Plt3z2W7KQ

Overview

General Information

Sample Name:	Plt3z2W7KQ (renamed file extension from none to dll)
Analysis ID:	626494
MD5:	f77e32f4e155ed11655a17edab7374a6
SHA1:	b4594eba8d32eb1a5b0b872696ab8b7c82b14fae
SHA256:	51c5108c45b758fd3fc62828375123e13d75c4ec1367a5ba403d2dd1a0d07fc4
Tags:	exetrojan
Infos:

Detection

Emotet

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Emotet

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Hides that the sample has been downloaded from the Internet (zone.identifier)

Queries the volume information (name, serial number etc) of a device

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Detected potential crypto function

Found evasive API chain (may stop execution after checking a module file name)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to enumerate running services

Contains functionality to dynamically determine API calls

HTTP GET or POST without a user agent

Program does not show much activity (idle)

IP address seen in connection with other malware

PE file contains an invalid checksum

Tries to load missing DLLs

Drops PE files to the windows directory (C:\Windows)

Checks if the current process is being debugged

Registers a DLL

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

loaddll64.exe (PID: 6276 cmdline: loaddll64.exe "C:\Users\user\Desktop\Plt3z2W7KQ.dll" MD5: 4E8A40CAD6CCC047914E3A7830A2D8AA)

cmd.exe (PID: 4464 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Plt3z2W7KQ.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

rundll32.exe (PID: 6360 cmdline: rundll32.exe "C:\Users\user\Desktop\Plt3z2W7KQ.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)

regsvr32.exe (PID: 5860 cmdline: regsvr32.exe /s C:\Users\user\Desktop\Plt3z2W7KQ.dll MD5: D78B75FC68247E8A63ACBA846182740E)

regsvr32.exe (PID: 4700 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\XxAsGMCLqrlaY\QoxZfNcqe.dll" MD5: D78B75FC68247E8A63ACBA846182740E)

rundll32.exe (PID: 1320 cmdline: rundll32.exe C:\Users\user\Desktop\Plt3z2W7KQ.dll,DllRegisterServer MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 1448 cmdline: rundll32.exe C:\Users\user\Desktop\Plt3z2W7KQ.dll,DllUnregisterServer MD5: 73C519F050C20580F8A62C849D49215A)

svchost.exe (PID: 6792 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6704 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6728 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6444 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5032 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.385603318.000001C929DA0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000006.00000002.898746812.0000000180001000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.386117726.0000000180001000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000006.00000002.898395398.0000000000770000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.386425772.000001C271790000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000003.00000002.385208738.0000000180001000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000002.00000002.388596621.0000000000F10000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author
6.2.regsvr32.exe.770000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.regsvr32.exe.f10000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.regsvr32.exe.f10000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.rundll32.exe.1c929da0000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.1c271790000.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.regsvr32.exe.770000.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.rundll32.exe.1c929da0000.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.1c271790000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 3 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Plt3z2W7KQ.dll

Virustotal: Detection: 36%

Perma Link

Antivirus detection for URL or domain

Source: https://23.239.0.12/ga	Avira URL Cloud: Label: malware
Source: https://23.239.0.12/dll90	Avira URL Cloud: Label: malware

Source: unknown

HTTPS traffic detected: 23.239.0.12:443 -> 192.168.2.6:49770 version: TLS 1.2

Source: Plt3z2W7KQ.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: msacm32.pdb source: regsvr32.exe, 00000006.00000002.898358710.00000000003C4000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: msacm32.pdbGCTL source: regsvr32.exe, 00000006.00000002.898358710.00000000003C4000.00000004.00000010.00020000.00000000.sdmp

Source: C:\Windows\System32\regsvr32.exe

Code function: 6_2_000000018000D26C FindFirstFileW,FindNextFileW,FindClose,

6_2_000000018000D26C

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\regsvr32.exe

Network Connect: 23.239.0.12 443

Jump to behavior

Source: Joe Sandbox View

ASN Name: LINODE-APLinodeLLCUS LINODE-APLinodeLLCUS

Source: Joe Sandbox View

JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Cookie: EcB=pD8WB48DlisEyTvFhsJOu5Hls9DBzbackWygs2Hocc2mQICNx9qKl8DmPcq5i0hECLYru1JFD/l0v0u75i59mceQ8LHGa573Enm7C2UBlvEZ6xHKWvr+8x/01fa+MY0fw0xKiV2iaRTPbpS/FCfeIl+iS/m+KKQ5rchF2CVUXhRurKnWNmZHtoR3FXknODTFzxzu6Grc9xpm6+EIwg4rm/WIAJV2w8fVuVVevrSUrKTs1DgywK/XBc33clwk6CBR1LNsEC1TrhYH3e36Jm4zOE2Ns2WXvcPIHost: 23.239.0.12Connection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View

IP Address: 23.239.0.12 23.239.0.12

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 23.239.0.12
Source: unknown	TCP traffic detected without corresponding DNS query: 23.239.0.12
Source: unknown	TCP traffic detected without corresponding DNS query: 23.239.0.12
Source: unknown	TCP traffic detected without corresponding DNS query: 23.239.0.12
Source: unknown	TCP traffic detected without corresponding DNS query: 23.239.0.12
Source: unknown	TCP traffic detected without corresponding DNS query: 23.239.0.12
Source: unknown	TCP traffic detected without corresponding DNS query: 23.239.0.12
Source: unknown	TCP traffic detected without corresponding DNS query: 23.239.0.12
Source: unknown	TCP traffic detected without corresponding DNS query: 23.239.0.12
Source: unknown	TCP traffic detected without corresponding DNS query: 23.239.0.12

Source: svchost.exe, 00000015.00000003.604612892.00000233F7D6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG", equals www.facebook.com (Facebook)
Source: svchost.exe, 00000015.00000003.604612892.00000233F7D6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG", equals www.twitter.com (Twitter)
Source: svchost.exe, 00000015.00000003.604612892.00000233F7D6E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.604660217.00000233F7D7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-05-13T10:00:01.2192622Z\|\|.\|\|8adb3f26-c14b-4fc0-afb3-91b3c6daaa3f\|\|1152921505694830749\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
Source: svchost.exe, 00000015.00000003.604612892.00000233F7D6E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.604660217.00000233F7D7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-05-13T10:00:01.2192622Z\|\|.\|\|8adb3f26-c14b-4fc0-afb3-91b3c6daaa3f\|\|1152921505694830749\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab

Source: regsvr32.exe, 00000006.00000003.442681891.000000000086D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.898564761.000000000086D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.648094332.00000233F7D0C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.638673104.00000233F7D0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000015.00000003.622308379.00000233F7DAF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.622239006.00000233F7D9E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.622226579.00000233F7D8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://help.disneyplus.com.
Source: regsvr32.exe, 00000006.00000003.442781370.000000000083F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.442827171.0000000000811000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.898492192.0000000000811000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://23.239.0.12/
Source: regsvr32.exe, 00000006.00000003.442739682.0000000000811000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.442827171.0000000000811000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.898492192.0000000000811000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://23.239.0.12/dll90
Source: regsvr32.exe, 00000006.00000003.442739682.0000000000811000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.898527153.0000000000840000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.442781370.000000000083F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://23.239.0.12/ga
Source: svchost.exe, 00000015.00000003.622308379.00000233F7DAF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.622239006.00000233F7D9E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.622226579.00000233F7D8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000015.00000003.618290782.00000233F7D8D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.618526479.00000233F7D8D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.618299256.00000233F7D9E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.618400755.00000233F821A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.618482162.00000233F8202000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.618414892.00000233F821A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.618381839.00000233F7DAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.hotspotshield.com/
Source: svchost.exe, 00000015.00000003.622308379.00000233F7DAF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.622239006.00000233F7D9E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.622226579.00000233F7D8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000015.00000003.622308379.00000233F7DAF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.622239006.00000233F7D9E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.622226579.00000233F7D8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000015.00000003.618290782.00000233F7D8D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.618526479.00000233F7D8D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.618299256.00000233F7D9E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.618400755.00000233F821A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.618482162.00000233F8202000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.618414892.00000233F821A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.618381839.00000233F7DAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.hotspotshield.com/terms/
Source: svchost.exe, 00000015.00000003.618290782.00000233F7D8D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.618526479.00000233F7D8D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.618299256.00000233F7D9E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.618400755.00000233F821A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.618482162.00000233F8202000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.618414892.00000233F821A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.618381839.00000233F7DAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.pango.co/privacy
Source: svchost.exe, 00000015.00000003.627263890.00000233F7D8D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.627271518.00000233F7D9E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.627277839.00000233F7DAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.tiktok.com/legal/report/feedback

Source: C:\Windows\System32\regsvr32.exe

Code function: 6_2_00000001800132F0 InternetReadFile,RtlAllocateHeap,

6_2_00000001800132F0

Source: global traffic

Source: unknown

HTTPS traffic detected: 23.239.0.12:443 -> 192.168.2.6:49770 version: TLS 1.2

E-Banking Fraud

Yara detected Emotet

Source: Yara match	File source: 6.2.regsvr32.exe.770000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.f10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.1c929da0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.1c271790000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.regsvr32.exe.770000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.1c929da0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.1c271790000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.385603318.000001C929DA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.898746812.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.386117726.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.898395398.0000000000770000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.386425772.000001C271790000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.385208738.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.388596621.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\System32\regsvr32.exe

File deleted: C:\Windows\System32\XxAsGMCLqrlaY\QoxZfNcqe.dll:Zone.Identifier

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

File created: C:\Windows\system32\XxAsGMCLqrlaY\

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FFF2F36EB60	2_2_00007FFF2F36EB60
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FFF2F36FB6C	2_2_00007FFF2F36FB6C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FFF2F36AF70	2_2_00007FFF2F36AF70
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FFF2F36A77C	2_2_00007FFF2F36A77C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FFF2F366F0C	2_2_00007FFF2F366F0C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FFF2F36E6C0	2_2_00007FFF2F36E6C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FFF2F365944	2_2_00007FFF2F365944
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FFF2F36895C	2_2_00007FFF2F36895C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FFF2F36AA0C	2_2_00007FFF2F36AA0C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FFF2F36B5CC	2_2_00007FFF2F36B5CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FFF2F36FCA0	2_2_00007FFF2F36FCA0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00EF0000	2_2_00EF0000
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180010FF4	2_2_0000000180010FF4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180028C20	2_2_0000000180028C20
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018002C058	2_2_000000018002C058
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180009100	2_2_0000000180009100
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180007958	2_2_0000000180007958
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800059B8	2_2_00000001800059B8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000C608	2_2_000000018000C608
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180021618	2_2_0000000180021618
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180013E28	2_2_0000000180013E28
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001E3AC	2_2_000000018001E3AC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001DBE8	2_2_000000018001DBE8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001FC0C	2_2_000000018001FC0C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000580C	2_2_000000018000580C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180022010	2_2_0000000180022010
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001481C	2_2_000000018001481C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018002A42C	2_2_000000018002A42C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180011834	2_2_0000000180011834
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180023831	2_2_0000000180023831
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180021C3C	2_2_0000000180021C3C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000703C	2_2_000000018000703C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000AC48	2_2_000000018000AC48
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000FC48	2_2_000000018000FC48
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180006458	2_2_0000000180006458
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001C05C	2_2_000000018001C05C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001A460	2_2_000000018001A460
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180029888	2_2_0000000180029888
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001D49C	2_2_000000018001D49C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180008CA0	2_2_0000000180008CA0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800248A8	2_2_00000001800248A8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180015CB0	2_2_0000000180015CB0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800124B4	2_2_00000001800124B4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000C4B4	2_2_000000018000C4B4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800288B8	2_2_00000001800288B8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800024B8	2_2_00000001800024B8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000D8C4	2_2_000000018000D8C4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800250CC	2_2_00000001800250CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800190D4	2_2_00000001800190D4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180017CE4	2_2_0000000180017CE4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800264F0	2_2_00000001800264F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800014F8	2_2_00000001800014F8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180020CFC	2_2_0000000180020CFC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018002C904	2_2_000000018002C904
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180017908	2_2_0000000180017908
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180021510	2_2_0000000180021510
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000F917	2_2_000000018000F917
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000551C	2_2_000000018000551C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000F128	2_2_000000018000F128
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001CD38	2_2_000000018001CD38
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180016D3C	2_2_0000000180016D3C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001F944	2_2_000000018001F944
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180018148	2_2_0000000180018148
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001D950	2_2_000000018001D950
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180013150	2_2_0000000180013150
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001ED50	2_2_000000018001ED50
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001E960	2_2_000000018001E960
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180019D60	2_2_0000000180019D60
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001C964	2_2_000000018001C964
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180001D68	2_2_0000000180001D68
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001496C	2_2_000000018001496C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180002D70	2_2_0000000180002D70
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180002178	2_2_0000000180002178
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180024D80	2_2_0000000180024D80
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180018598	2_2_0000000180018598
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180003598	2_2_0000000180003598
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018002A9A8	2_2_000000018002A9A8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800119A8	2_2_00000001800119A8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180025DAC	2_2_0000000180025DAC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180018DAC	2_2_0000000180018DAC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800269B0	2_2_00000001800269B0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800029BC	2_2_00000001800029BC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800141C0	2_2_00000001800141C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800125C4	2_2_00000001800125C4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800121CC	2_2_00000001800121CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800075D4	2_2_00000001800075D4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800095DC	2_2_00000001800095DC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000F9E8	2_2_000000018000F9E8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180002610	2_2_0000000180002610
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180019618	2_2_0000000180019618
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001FA38	2_2_000000018001FA38
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000A270	2_2_000000018000A270
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180019E78	2_2_0000000180019E78
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001DA80	2_2_000000018001DA80
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180024698	2_2_0000000180024698
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000EE98	2_2_000000018000EE98
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800176B8	2_2_00000001800176B8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001AAB8	2_2_000000018001AAB8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180011AD0	2_2_0000000180011AD0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180008AD8	2_2_0000000180008AD8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800296EC	2_2_00000001800296EC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000A6EC	2_2_000000018000A6EC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800132F0	2_2_00000001800132F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180019300	2_2_0000000180019300
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001BB04	2_2_000000018001BB04
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018002870C	2_2_000000018002870C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180026B10	2_2_0000000180026B10
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000131C	2_2_000000018000131C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000671C	2_2_000000018000671C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180029B28	2_2_0000000180029B28
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180012F28	2_2_0000000180012F28
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000BB28	2_2_000000018000BB28
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001EB30	2_2_000000018001EB30
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180020334	2_2_0000000180020334
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180010758	2_2_0000000180010758
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001435C	2_2_000000018001435C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180009F5C	2_2_0000000180009F5C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180029368	2_2_0000000180029368
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180020768	2_2_0000000180020768
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180017378	2_2_0000000180017378
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180013780	2_2_0000000180013780
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180015388	2_2_0000000180015388
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000338C	2_2_000000018000338C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000738C	2_2_000000018000738C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180002790	2_2_0000000180002790
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180027F9C	2_2_0000000180027F9C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800197A0	2_2_00000001800197A0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018002C7B4	2_2_000000018002C7B4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001DFB4	2_2_000000018001DFB4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001F7C0	2_2_000000018001F7C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800097C0	2_2_00000001800097C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800157D8	2_2_00000001800157D8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180019FDC	2_2_0000000180019FDC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180017BDC	2_2_0000000180017BDC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000F7E0	2_2_000000018000F7E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180001FE0	2_2_0000000180001FE0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180010FF4	3_2_0000000180010FF4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018002C058	3_2_000000018002C058
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180009100	3_2_0000000180009100
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000C608	3_2_000000018000C608
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180021618	3_2_0000000180021618
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001E3AC	3_2_000000018001E3AC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001DBE8	3_2_000000018001DBE8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001FC0C	3_2_000000018001FC0C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000580C	3_2_000000018000580C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180022010	3_2_0000000180022010
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001481C	3_2_000000018001481C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018002A42C	3_2_000000018002A42C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180011834	3_2_0000000180011834
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180021C3C	3_2_0000000180021C3C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000703C	3_2_000000018000703C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000AC48	3_2_000000018000AC48
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000FC48	3_2_000000018000FC48
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180006458	3_2_0000000180006458
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001C05C	3_2_000000018001C05C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001A460	3_2_000000018001A460
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180029888	3_2_0000000180029888
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001D49C	3_2_000000018001D49C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180008CA0	3_2_0000000180008CA0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800248A8	3_2_00000001800248A8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180015CB0	3_2_0000000180015CB0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800124B4	3_2_00000001800124B4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000C4B4	3_2_000000018000C4B4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800288B8	3_2_00000001800288B8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800024B8	3_2_00000001800024B8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000D8C4	3_2_000000018000D8C4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800250CC	3_2_00000001800250CC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800190D4	3_2_00000001800190D4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180017CE4	3_2_0000000180017CE4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800264F0	3_2_00000001800264F0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800014F8	3_2_00000001800014F8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180020CFC	3_2_0000000180020CFC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018002C904	3_2_000000018002C904
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180017908	3_2_0000000180017908
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180021510	3_2_0000000180021510
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000F917	3_2_000000018000F917
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000551C	3_2_000000018000551C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000F128	3_2_000000018000F128
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001CD38	3_2_000000018001CD38
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180016D3C	3_2_0000000180016D3C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001F944	3_2_000000018001F944
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180018148	3_2_0000000180018148
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001ED50	3_2_000000018001ED50
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180013150	3_2_0000000180013150
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001D950	3_2_000000018001D950
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001E960	3_2_000000018001E960
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180019D60	3_2_0000000180019D60
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001C964	3_2_000000018001C964
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180001D68	3_2_0000000180001D68
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001496C	3_2_000000018001496C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180002D70	3_2_0000000180002D70
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180002178	3_2_0000000180002178
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180024D80	3_2_0000000180024D80
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180018598	3_2_0000000180018598
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180003598	3_2_0000000180003598
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018002A9A8	3_2_000000018002A9A8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800119A8	3_2_00000001800119A8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180025DAC	3_2_0000000180025DAC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180018DAC	3_2_0000000180018DAC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800269B0	3_2_00000001800269B0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800059B8	3_2_00000001800059B8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800029BC	3_2_00000001800029BC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800141C0	3_2_00000001800141C0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800125C4	3_2_00000001800125C4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800121CC	3_2_00000001800121CC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800075D4	3_2_00000001800075D4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800095DC	3_2_00000001800095DC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000F9E8	3_2_000000018000F9E8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180002610	3_2_0000000180002610
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180019618	3_2_0000000180019618
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180013E28	3_2_0000000180013E28
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001FA38	3_2_000000018001FA38
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000A270	3_2_000000018000A270
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180019E78	3_2_0000000180019E78
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001DA80	3_2_000000018001DA80
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180024698	3_2_0000000180024698
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000EE98	3_2_000000018000EE98
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800176B8	3_2_00000001800176B8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001AAB8	3_2_000000018001AAB8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180011AD0	3_2_0000000180011AD0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180008AD8	3_2_0000000180008AD8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800296EC	3_2_00000001800296EC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000A6EC	3_2_000000018000A6EC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800132F0	3_2_00000001800132F0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180019300	3_2_0000000180019300
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001BB04	3_2_000000018001BB04
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018002870C	3_2_000000018002870C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180026B10	3_2_0000000180026B10
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000131C	3_2_000000018000131C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000671C	3_2_000000018000671C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180029B28	3_2_0000000180029B28
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180012F28	3_2_0000000180012F28
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000BB28	3_2_000000018000BB28
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001EB30	3_2_000000018001EB30
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180020334	3_2_0000000180020334
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180010758	3_2_0000000180010758
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001435C	3_2_000000018001435C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180009F5C	3_2_0000000180009F5C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180029368	3_2_0000000180029368
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180020768	3_2_0000000180020768
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180017378	3_2_0000000180017378
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180013780	3_2_0000000180013780
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180015388	3_2_0000000180015388
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000338C	3_2_000000018000338C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000738C	3_2_000000018000738C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180002790	3_2_0000000180002790
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800197A0	3_2_00000001800197A0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018002C7B4	3_2_000000018002C7B4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001DFB4	3_2_000000018001DFB4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001F7C0	3_2_000000018001F7C0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800097C0	3_2_00000001800097C0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800157D8	3_2_00000001800157D8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180019FDC	3_2_0000000180019FDC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180017BDC	3_2_0000000180017BDC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000F7E0	3_2_000000018000F7E0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180001FE0	3_2_0000000180001FE0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000001C9284A0000	3_2_000001C9284A0000
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180010FF4	4_2_0000000180010FF4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180028C20	4_2_0000000180028C20
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018002C058	4_2_000000018002C058
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180009100	4_2_0000000180009100
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001C964	4_2_000000018001C964
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000C608	4_2_000000018000C608
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180021618	4_2_0000000180021618
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001E3AC	4_2_000000018001E3AC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001DBE8	4_2_000000018001DBE8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001FC0C	4_2_000000018001FC0C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000580C	4_2_000000018000580C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180022010	4_2_0000000180022010
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001481C	4_2_000000018001481C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018002A42C	4_2_000000018002A42C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180011834	4_2_0000000180011834
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180023831	4_2_0000000180023831
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180021C3C	4_2_0000000180021C3C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000703C	4_2_000000018000703C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000AC48	4_2_000000018000AC48
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000FC48	4_2_000000018000FC48
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180006458	4_2_0000000180006458
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001C05C	4_2_000000018001C05C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001A460	4_2_000000018001A460
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180029888	4_2_0000000180029888
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001D49C	4_2_000000018001D49C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180008CA0	4_2_0000000180008CA0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800248A8	4_2_00000001800248A8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180015CB0	4_2_0000000180015CB0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800124B4	4_2_00000001800124B4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000C4B4	4_2_000000018000C4B4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800288B8	4_2_00000001800288B8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800024B8	4_2_00000001800024B8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000D8C4	4_2_000000018000D8C4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800250CC	4_2_00000001800250CC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800190D4	4_2_00000001800190D4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180017CE4	4_2_0000000180017CE4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800264F0	4_2_00000001800264F0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800014F8	4_2_00000001800014F8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180020CFC	4_2_0000000180020CFC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018002C904	4_2_000000018002C904
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180017908	4_2_0000000180017908
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180021510	4_2_0000000180021510
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000F917	4_2_000000018000F917
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000551C	4_2_000000018000551C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000F128	4_2_000000018000F128
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001CD38	4_2_000000018001CD38
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180016D3C	4_2_0000000180016D3C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001F944	4_2_000000018001F944
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180018148	4_2_0000000180018148
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001ED50	4_2_000000018001ED50
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180013150	4_2_0000000180013150
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001D950	4_2_000000018001D950
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001E960	4_2_000000018001E960
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180019D60	4_2_0000000180019D60
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180001D68	4_2_0000000180001D68
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001496C	4_2_000000018001496C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180002D70	4_2_0000000180002D70
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180002178	4_2_0000000180002178
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180024D80	4_2_0000000180024D80
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180018598	4_2_0000000180018598
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180003598	4_2_0000000180003598
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018002A9A8	4_2_000000018002A9A8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800119A8	4_2_00000001800119A8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180025DAC	4_2_0000000180025DAC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180018DAC	4_2_0000000180018DAC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800269B0	4_2_00000001800269B0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800059B8	4_2_00000001800059B8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800029BC	4_2_00000001800029BC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800141C0	4_2_00000001800141C0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800125C4	4_2_00000001800125C4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800121CC	4_2_00000001800121CC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000BDD0	4_2_000000018000BDD0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800075D4	4_2_00000001800075D4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800095DC	4_2_00000001800095DC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000F9E8	4_2_000000018000F9E8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180002610	4_2_0000000180002610
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180019618	4_2_0000000180019618
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180013E28	4_2_0000000180013E28
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001FA38	4_2_000000018001FA38
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000A270	4_2_000000018000A270
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180019E78	4_2_0000000180019E78
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001DA80	4_2_000000018001DA80
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180024698	4_2_0000000180024698
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000EE98	4_2_000000018000EE98
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800176B8	4_2_00000001800176B8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001AAB8	4_2_000000018001AAB8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180011AD0	4_2_0000000180011AD0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180008AD8	4_2_0000000180008AD8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800296EC	4_2_00000001800296EC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000A6EC	4_2_000000018000A6EC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800132F0	4_2_00000001800132F0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180019300	4_2_0000000180019300
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001BB04	4_2_000000018001BB04
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018002870C	4_2_000000018002870C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180026B10	4_2_0000000180026B10
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000131C	4_2_000000018000131C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000671C	4_2_000000018000671C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180029B28	4_2_0000000180029B28
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180012F28	4_2_0000000180012F28
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000BB28	4_2_000000018000BB28
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001EB30	4_2_000000018001EB30
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180020334	4_2_0000000180020334
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180010758	4_2_0000000180010758
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001435C	4_2_000000018001435C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180009F5C	4_2_0000000180009F5C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180029368	4_2_0000000180029368
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180020768	4_2_0000000180020768
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180017378	4_2_0000000180017378
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180013780	4_2_0000000180013780
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180015388	4_2_0000000180015388
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000338C	4_2_000000018000338C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000738C	4_2_000000018000738C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180002790	4_2_0000000180002790
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180027F9C	4_2_0000000180027F9C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800197A0	4_2_00000001800197A0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018002C7B4	4_2_000000018002C7B4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001DFB4	4_2_000000018001DFB4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001F7C0	4_2_000000018001F7C0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800097C0	4_2_00000001800097C0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800157D8	4_2_00000001800157D8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180019FDC	4_2_0000000180019FDC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180017BDC	4_2_0000000180017BDC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000F7E0	4_2_000000018000F7E0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180001FE0	4_2_0000000180001FE0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000001C271780000	4_2_000001C271780000
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00760000	6_2_00760000
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180010FF4	6_2_0000000180010FF4
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180028C20	6_2_0000000180028C20
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018002C058	6_2_000000018002C058
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001ACA4	6_2_000000018001ACA4
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018000551C	6_2_000000018000551C
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180018148	6_2_0000000180018148
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018000E1E0	6_2_000000018000E1E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018000C608	6_2_000000018000C608
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180021618	6_2_0000000180021618
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180013E28	6_2_0000000180013E28
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018002AE44	6_2_000000018002AE44
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018000D26C	6_2_000000018000D26C
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180025278	6_2_0000000180025278
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018000EE98	6_2_000000018000EE98
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800046A8	6_2_00000001800046A8
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001AAB8	6_2_000000018001AAB8
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180004ACA	6_2_0000000180004ACA
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800132F0	6_2_00000001800132F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180026B10	6_2_0000000180026B10
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001DBE8	6_2_000000018001DBE8
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001FC0C	6_2_000000018001FC0C
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018000580C	6_2_000000018000580C
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180022010	6_2_0000000180022010
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001481C	6_2_000000018001481C
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018002A42C	6_2_000000018002A42C
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180011834	6_2_0000000180011834
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180021C3C	6_2_0000000180021C3C
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018000703C	6_2_000000018000703C
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018000AC48	6_2_000000018000AC48
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018000FC48	6_2_000000018000FC48
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180024458	6_2_0000000180024458
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180006458	6_2_0000000180006458
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001C05C	6_2_000000018001C05C
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001A460	6_2_000000018001A460
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180029888	6_2_0000000180029888
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001D49C	6_2_000000018001D49C
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180008CA0	6_2_0000000180008CA0
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800248A8	6_2_00000001800248A8
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180015CB0	6_2_0000000180015CB0
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800124B4	6_2_00000001800124B4
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018000C4B4	6_2_000000018000C4B4
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800288B8	6_2_00000001800288B8
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800024B8	6_2_00000001800024B8
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018000D8C4	6_2_000000018000D8C4
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800250CC	6_2_00000001800250CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800190D4	6_2_00000001800190D4
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180017CE4	6_2_0000000180017CE4
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800264F0	6_2_00000001800264F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800014F8	6_2_00000001800014F8
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180020CFC	6_2_0000000180020CFC
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180009100	6_2_0000000180009100
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018002C904	6_2_000000018002C904
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180017908	6_2_0000000180017908
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180021510	6_2_0000000180021510
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018000F917	6_2_000000018000F917
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018000F128	6_2_000000018000F128
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001CD38	6_2_000000018001CD38
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180016D3C	6_2_0000000180016D3C
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001F944	6_2_000000018001F944
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001D950	6_2_000000018001D950
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180013150	6_2_0000000180013150
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001ED50	6_2_000000018001ED50
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001E960	6_2_000000018001E960
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180019D60	6_2_0000000180019D60
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001C964	6_2_000000018001C964
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001C568	6_2_000000018001C568
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180001D68	6_2_0000000180001D68
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001496C	6_2_000000018001496C
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180002D70	6_2_0000000180002D70
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180024574	6_2_0000000180024574
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180002178	6_2_0000000180002178
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180024D80	6_2_0000000180024D80
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180018598	6_2_0000000180018598
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180003598	6_2_0000000180003598
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001F1A4	6_2_000000018001F1A4
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018002A9A8	6_2_000000018002A9A8
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800119A8	6_2_00000001800119A8
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180025DAC	6_2_0000000180025DAC
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180018DAC	6_2_0000000180018DAC
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800269B0	6_2_00000001800269B0
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800059B8	6_2_00000001800059B8
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800029BC	6_2_00000001800029BC
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800141C0	6_2_00000001800141C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800125C4	6_2_00000001800125C4
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800121CC	6_2_00000001800121CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018000BDD0	6_2_000000018000BDD0
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800075D4	6_2_00000001800075D4
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800095DC	6_2_00000001800095DC
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018000F9E8	6_2_000000018000F9E8
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180002610	6_2_0000000180002610
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180019618	6_2_0000000180019618
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001FA38	6_2_000000018001FA38
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018000A270	6_2_000000018000A270
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180019E78	6_2_0000000180019E78
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001DA80	6_2_000000018001DA80
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180024698	6_2_0000000180024698
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800176B8	6_2_00000001800176B8
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018002CAD0	6_2_000000018002CAD0
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180011AD0	6_2_0000000180011AD0
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180008AD8	6_2_0000000180008AD8
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800296EC	6_2_00000001800296EC
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018000A6EC	6_2_000000018000A6EC
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180019300	6_2_0000000180019300
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001BB04	6_2_000000018001BB04
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018002870C	6_2_000000018002870C
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018000131C	6_2_000000018000131C
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018000671C	6_2_000000018000671C
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180029B28	6_2_0000000180029B28
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180012F28	6_2_0000000180012F28
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018000BB28	6_2_000000018000BB28
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001EB30	6_2_000000018001EB30
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180020334	6_2_0000000180020334
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180010758	6_2_0000000180010758
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001435C	6_2_000000018001435C
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180009F5C	6_2_0000000180009F5C
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180029368	6_2_0000000180029368
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180020768	6_2_0000000180020768

Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll			Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll			Jump to behavior

Source: Plt3z2W7KQ.dll

Virustotal: Detection: 36%

Source: Plt3z2W7KQ.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\Plt3z2W7KQ.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Plt3z2W7KQ.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\Plt3z2W7KQ.dll
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Plt3z2W7KQ.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\Plt3z2W7KQ.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\Plt3z2W7KQ.dll,DllUnregisterServer
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\XxAsGMCLqrlaY\QoxZfNcqe.dll"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Plt3z2W7KQ.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\Plt3z2W7KQ.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\Plt3z2W7KQ.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\Plt3z2W7KQ.dll,DllUnregisterServer	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Plt3z2W7KQ.dll",#1	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\XxAsGMCLqrlaY\QoxZfNcqe.dll"	Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D105A4D4-344C-48EB-9866-EE378D90658B}\InProcServer32

Jump to behavior

Source: classification engine

Classification label: mal76.troj.evad.winDLL@18/0@0/2

Source: C:\Windows\System32\regsvr32.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: 6_2_00000001800046A8 CreateToolhelp32Snapshot,Process32NextW,Process32FirstW,FindCloseChangeNotification,

6_2_00000001800046A8

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Plt3z2W7KQ.dll",#1

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Plt3z2W7KQ.dll

Static PE information: Image base 0x180000000 > 0x60000000

Source: Plt3z2W7KQ.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: msacm32.pdb source: regsvr32.exe, 00000006.00000002.898358710.00000000003C4000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: msacm32.pdbGCTL source: regsvr32.exe, 00000006.00000002.898358710.00000000003C4000.00000004.00000010.00020000.00000000.sdmp

Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001AFFD push ebp; retf	2_2_000000018001AFFE
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800051D1 push ebp; iretd	2_2_00000001800051D2
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001BA32 push ebp; retf	2_2_000000018001BA33
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180004E83 push es; ret	2_2_0000000180004E84
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001B694 push es; ret	2_2_000000018001B6E9
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001BADD push ebp; iretd	2_2_000000018001BADE
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001B717 push ebp; iretd	2_2_000000018001B718
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001AF4E push ebp; retf	2_2_000000018001AF4F
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001AFFD push ebp; retf	3_2_000000018001AFFE
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800051D1 push ebp; iretd	3_2_00000001800051D2
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001BA32 push ebp; retf	3_2_000000018001BA33
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180004E83 push es; ret	3_2_0000000180004E84
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001B694 push es; ret	3_2_000000018001B6E9
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001BADD push ebp; iretd	3_2_000000018001BADE
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001B717 push ebp; iretd	3_2_000000018001B718
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180007B3F push esp; retf	3_2_0000000180007B40
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001AF4E push ebp; retf	3_2_000000018001AF4F
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001AFFD push ebp; retf	4_2_000000018001AFFE
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800051D1 push ebp; iretd	4_2_00000001800051D2
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001BA32 push ebp; retf	4_2_000000018001BA33
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180004E83 push es; ret	4_2_0000000180004E84
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001B694 push es; ret	4_2_000000018001B6E9
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001BADD push ebp; iretd	4_2_000000018001BADE
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001B717 push ebp; iretd	4_2_000000018001B718
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180007B3F push esp; retf	4_2_0000000180007B40
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001AF4E push ebp; retf	4_2_000000018001AF4F
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800051D1 push ebp; iretd	6_2_00000001800051D2
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180004E83 push es; ret	6_2_0000000180004E84
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180007B3F push esp; retf	6_2_0000000180007B40

Source: C:\Windows\System32\regsvr32.exe

Code function: 2_2_00007FFF2F367BE8 DecodePointer,_errno,LoadLibraryA,GetProcAddress,_errno,GetLastError,GetLastError,EncodePointer,FreeLibrary,_errno,_errno,

2_2_00007FFF2F367BE8

Source: Plt3z2W7KQ.dll

Static PE information: real checksum: 0x85ab6 should be: 0x934a0

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\Plt3z2W7KQ.dll

Source: C:\Windows\System32\regsvr32.exe

PE file moved: C:\Windows\System32\XxAsGMCLqrlaY\QoxZfNcqe.dll

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\System32\regsvr32.exe	File opened: C:\Windows\system32\XxAsGMCLqrlaY\QoxZfNcqe.dll:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Windows\system32\DOvWBdyxipqNGsor\glkXPfMMRZn.dll:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Windows\system32\ZmdQWuMIn\HJbiZhOBGXFnRKL.dll:Zone.Identifier read attributes \| delete	Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\svchost.exe TID: 6912

Thread sleep time: -120000s >= -30000s

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_2-9996

Source: C:\Windows\System32\regsvr32.exe

Code function: EnumServicesStatusExW,

2_2_0000000180008738

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\regsvr32.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: 6_2_000000018000D26C FindFirstFileW,FindNextFileW,FindClose,

6_2_000000018000D26C

Source: C:\Windows\System32\regsvr32.exe

API call chain: ExitProcess graph end node

graph_2-9997

Source: C:\Windows\System32\regsvr32.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: svchost.exe, 00000015.00000003.615079905.00000233F72A3000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.647882343.00000233F7288000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0?/
Source: regsvr32.exe, 00000006.00000003.442739682.0000000000811000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.898527153.0000000000840000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.442781370.000000000083F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.442827171.0000000000811000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.898492192.0000000000811000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.647964524.00000233F72E1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000D.00000002.898423578.0000016539602000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: svchost.exe, 0000000D.00000002.898453695.0000016539628000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\regsvr32.exe

Code function: 2_2_00007FFF2F366550 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

2_2_00007FFF2F366550

Source: C:\Windows\System32\regsvr32.exe

Code function: 2_2_00007FFF2F367BE8 DecodePointer,_errno,LoadLibraryA,GetProcAddress,_errno,GetLastError,GetLastError,EncodePointer,FreeLibrary,_errno,_errno,

2_2_00007FFF2F367BE8

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\loaddll64.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FFF2F36D318 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FFF2F36D318
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FFF2F366550 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FFF2F366550
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FFF2F3620E0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FFF2F3620E0

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\regsvr32.exe

Network Connect: 23.239.0.12 443

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Plt3z2W7KQ.dll",#1

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoA,	2_2_00007FFF2F36C39C
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,free,GetLocaleInfoA,	2_2_00007FFF2F36DF98
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,	2_2_00007FFF2F36DF20
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,	2_2_00007FFF2F36DF3C
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesA,	2_2_00007FFF2F36C7F4
Source: C:\Windows\System32\regsvr32.exe	Code function: _getptd,GetLocaleInfoA,	2_2_00007FFF2F36C6E4
Source: C:\Windows\System32\regsvr32.exe	Code function: _getptd,GetLocaleInfoA,	2_2_00007FFF2F36C2B4
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,	2_2_00007FFF2F36C16C
Source: C:\Windows\System32\regsvr32.exe	Code function: _getptd,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,_itow_s,	2_2_00007FFF2F36C934
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoA,	2_2_00007FFF2F36E1E8
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesA,	2_2_00007FFF2F36C834
Source: C:\Windows\System32\regsvr32.exe	Code function: _getptd,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,	2_2_00007FFF2F36C450
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesA,	2_2_00007FFF2F36C8C8

Source: C:\Windows\System32\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: 2_2_00007FFF2F364558 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

2_2_00007FFF2F364558

Source: C:\Windows\System32\regsvr32.exe

Code function: 2_2_00007FFF2F36E6C0 _lock,___lc_codepage_func,free,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

2_2_00007FFF2F36E6C0

Stealing of Sensitive Information

Yara detected Emotet

Source: Yara match	File source: 6.2.regsvr32.exe.770000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.f10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.1c929da0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.1c271790000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.regsvr32.exe.770000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.1c929da0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.1c271790000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.385603318.000001C929DA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.898746812.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.386117726.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.898395398.0000000000770000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.386425772.000001C271790000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.385208738.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.388596621.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Native API	1 DLL Side-Loading	111 Process Injection	2 Masquerading	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	11 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	2 Virtualization/Sandbox Evasion	LSASS Memory	1 Query Registry	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	2 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	111 Process Injection	Security Account Manager	21 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Hidden Files and Directories	NTDS	2 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Scheduled Transfer	2 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	2 Process Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Regsvr32	Cached Domain Credentials	1 System Service Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Rundll32	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	2 File and Directory Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 File Deletion	/etc/passwd and /etc/shadow	24 System Information Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Plt3z2W7KQ.dll	37%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
4.2.rundll32.exe.1c271790000.1.unpack	100%	Avira	HEUR/AGEN.1215493	Download File
6.2.regsvr32.exe.770000.1.unpack	100%	Avira	HEUR/AGEN.1215493	Download File
3.2.rundll32.exe.1c929da0000.1.unpack	100%	Avira	HEUR/AGEN.1215493	Download File
2.2.regsvr32.exe.f10000.0.unpack	100%	Avira	HEUR/AGEN.1215493	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://www.disneyplus.com/legal/your-california-privacy-rights	0%	URL Reputation	safe
https://www.disneyplus.com/legal/privacy-policy	0%	URL Reputation	safe
https://23.239.0.12/ga	100%	Avira URL Cloud	malware
https://www.tiktok.com/legal/report/feedback	0%	URL Reputation	safe
https://23.239.0.12/	0%	URL Reputation	safe
https://23.239.0.12/dll90	100%	Avira URL Cloud	malware
http://help.disneyplus.com.	0%	URL Reputation	safe
https://www.pango.co/privacy	0%	URL Reputation	safe
https://disneyplus.com/legal.	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://23.239.0.12/	true	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.disneyplus.com/legal/your-california-privacy-rights	svchost.exe, 00000015.00000003.622308379.00000233F7DAF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.622239006.00000233F7D9E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.622226579.00000233F7D8D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.disneyplus.com/legal/privacy-policy	svchost.exe, 00000015.00000003.622308379.00000233F7DAF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.622239006.00000233F7D9E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.622226579.00000233F7D8D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://23.239.0.12/ga	regsvr32.exe, 00000006.00000003.442739682.0000000000811000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.898527153.0000000000840000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.442781370.000000000083F000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://www.tiktok.com/legal/report/feedback	svchost.exe, 00000015.00000003.627263890.00000233F7D8D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.627271518.00000233F7D9E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.627277839.00000233F7DAF000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://23.239.0.12/dll90	regsvr32.exe, 00000006.00000003.442739682.0000000000811000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.442827171.0000000000811000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.898492192.0000000000811000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://help.disneyplus.com.	svchost.exe, 00000015.00000003.622308379.00000233F7DAF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.622239006.00000233F7D9E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.622226579.00000233F7D8D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.hotspotshield.com/	svchost.exe, 00000015.00000003.618290782.00000233F7D8D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.618526479.00000233F7D8D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.618299256.00000233F7D9E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.618400755.00000233F821A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.618482162.00000233F8202000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.618414892.00000233F821A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.618381839.00000233F7DAF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.hotspotshield.com/terms/	svchost.exe, 00000015.00000003.618290782.00000233F7D8D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.618526479.00000233F7D8D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.618299256.00000233F7D9E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.618400755.00000233F821A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.618482162.00000233F8202000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.618414892.00000233F821A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.618381839.00000233F7DAF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.pango.co/privacy	svchost.exe, 00000015.00000003.618290782.00000233F7D8D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.618526479.00000233F7D8D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.618299256.00000233F7D9E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.618400755.00000233F821A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.618482162.00000233F8202000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.618414892.00000233F821A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.618381839.00000233F7DAF000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://disneyplus.com/legal.	svchost.exe, 00000015.00000003.622308379.00000233F7DAF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.622239006.00000233F7D9E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.622226579.00000233F7D8D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
23.239.0.12	unknown	United States		63949	LINODE-APLinodeLLCUS	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	626494
Start date and time: 14/05/202204:49:40	2022-05-14 04:49:40 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Plt3z2W7KQ (renamed file extension from none to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.troj.evad.winDLL@18/0@0/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 52 Number of non-executed functions: 212
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 80.67.82.211, 80.67.82.235, 20.223.24.244
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:52:42	API Interceptor	8x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
23.239.0.12	RuqTBW6t32.dll	Get hash	malicious	Browse
	yj81rxDZIp.dll	Get hash	malicious	Browse
	3j6e3XaMWM.dll	Get hash	malicious	Browse
	wgJ5YjI2QO.dll	Get hash	malicious	Browse
	r0hiaXHscs.dll	Get hash	malicious	Browse
	TSvDnT6fkE.dll	Get hash	malicious	Browse
	x4ByCNJqst.dll	Get hash	malicious	Browse
	Xp7X1Yf3CM.dll	Get hash	malicious	Browse
	RuqTBW6t32.dll	Get hash	malicious	Browse
	yj81rxDZIp.dll	Get hash	malicious	Browse
	x4ByCNJqst.dll	Get hash	malicious	Browse
	lc4KFeS296.dll	Get hash	malicious	Browse
	36yjawe0S4.dll	Get hash	malicious	Browse
	Ns2al4764F.dll	Get hash	malicious	Browse
	cX9TLU9gnx.dll	Get hash	malicious	Browse
	56vvRzZVQI.dll	Get hash	malicious	Browse
	8PnsJpuSdb.dll	Get hash	malicious	Browse
	yaEOuyT3Sg.dll	Get hash	malicious	Browse
	bsST3VDo8G.dll	Get hash	malicious	Browse
	wdxJNuEzAd.dll	Get hash	malicious	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
LINODE-APLinodeLLCUS	RuqTBW6t32.dll	Get hash	malicious	Browse	23.239.0.12
	yj81rxDZIp.dll	Get hash	malicious	Browse	23.239.0.12
	3j6e3XaMWM.dll	Get hash	malicious	Browse	23.239.0.12
	wgJ5YjI2QO.dll	Get hash	malicious	Browse	23.239.0.12
	r0hiaXHscs.dll	Get hash	malicious	Browse	23.239.0.12
	TSvDnT6fkE.dll	Get hash	malicious	Browse	23.239.0.12
	x4ByCNJqst.dll	Get hash	malicious	Browse	23.239.0.12
	Xp7X1Yf3CM.dll	Get hash	malicious	Browse	23.239.0.12
	RuqTBW6t32.dll	Get hash	malicious	Browse	23.239.0.12
	yj81rxDZIp.dll	Get hash	malicious	Browse	23.239.0.12
	x4ByCNJqst.dll	Get hash	malicious	Browse	23.239.0.12
	lc4KFeS296.dll	Get hash	malicious	Browse	23.239.0.12
	36yjawe0S4.dll	Get hash	malicious	Browse	23.239.0.12
	Ns2al4764F.dll	Get hash	malicious	Browse	23.239.0.12
	cX9TLU9gnx.dll	Get hash	malicious	Browse	23.239.0.12
	56vvRzZVQI.dll	Get hash	malicious	Browse	23.239.0.12
	8PnsJpuSdb.dll	Get hash	malicious	Browse	23.239.0.12
	yaEOuyT3Sg.dll	Get hash	malicious	Browse	23.239.0.12
	bsST3VDo8G.dll	Get hash	malicious	Browse	23.239.0.12
	wdxJNuEzAd.dll	Get hash	malicious	Browse	23.239.0.12

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
51c64c77e60f3980eea90869b68c58a8	RuqTBW6t32.dll	Get hash	malicious	Browse	23.239.0.12
	yj81rxDZIp.dll	Get hash	malicious	Browse	23.239.0.12
	3j6e3XaMWM.dll	Get hash	malicious	Browse	23.239.0.12
	wgJ5YjI2QO.dll	Get hash	malicious	Browse	23.239.0.12
	r0hiaXHscs.dll	Get hash	malicious	Browse	23.239.0.12
	TSvDnT6fkE.dll	Get hash	malicious	Browse	23.239.0.12
	x4ByCNJqst.dll	Get hash	malicious	Browse	23.239.0.12
	Xp7X1Yf3CM.dll	Get hash	malicious	Browse	23.239.0.12
	RuqTBW6t32.dll	Get hash	malicious	Browse	23.239.0.12
	yj81rxDZIp.dll	Get hash	malicious	Browse	23.239.0.12
	x4ByCNJqst.dll	Get hash	malicious	Browse	23.239.0.12
	lc4KFeS296.dll	Get hash	malicious	Browse	23.239.0.12
	36yjawe0S4.dll	Get hash	malicious	Browse	23.239.0.12
	Ns2al4764F.dll	Get hash	malicious	Browse	23.239.0.12
	cX9TLU9gnx.dll	Get hash	malicious	Browse	23.239.0.12
	56vvRzZVQI.dll	Get hash	malicious	Browse	23.239.0.12
	8PnsJpuSdb.dll	Get hash	malicious	Browse	23.239.0.12
	yaEOuyT3Sg.dll	Get hash	malicious	Browse	23.239.0.12
	bsST3VDo8G.dll	Get hash	malicious	Browse	23.239.0.12
	wdxJNuEzAd.dll	Get hash	malicious	Browse	23.239.0.12

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit):	6.482097510408552
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	Plt3z2W7KQ.dll
File size:	545280
MD5:	f77e32f4e155ed11655a17edab7374a6
SHA1:	b4594eba8d32eb1a5b0b872696ab8b7c82b14fae
SHA256:	51c5108c45b758fd3fc62828375123e13d75c4ec1367a5ba403d2dd1a0d07fc4
SHA512:	dac9b594bc2c15879cca89d136ee4be3f75ef6a31c18ab4bf124f63a8bf6dc26b7765898335d64c6571a6a1605f7b62fd2cd8368a684658337a13c1a1359cfd4
SSDEEP:	12288:B4UJY9B+TenWsSEPHjMOUP9uXdt7JpfYNVr9RM54RutCTdJGqIoTCZ4eEsZ5HxHy:B4UJY9BSenZSEPHjMOUP9Udt7JpfYNVB
TLSH:	45C4CFA5435C08FCE762C3395C975BC5B1F7BDAE0664AF260BC18DA05E1BA90F53A381
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2.H.v.&.v.&.v.&.h...o.&.h...2.&.h.....&.Q6].s.&.v.'.9.&.h...w.&.h...w.&.h...w.&.h...w.&.Richv.&.........PE..d.....}b.........."

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General

Entrypoint:	0x1800423a8
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x180000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x627D8598 [Thu May 12 22:09:28 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	b268dbaa2e6eb6acd16e04d482356598

Entrypoint Preview

Instruction
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], esi
push edi
dec eax
sub esp, 20h
dec ecx
mov edi, eax
mov ebx, edx
dec eax
mov esi, ecx
cmp edx, 01h
jne 00007F808CB0C6B7h
call 00007F808CB0E844h
dec esp
mov eax, edi
mov edx, ebx
dec eax
mov ecx, esi
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
mov esi, dword ptr [esp+38h]
dec eax
add esp, 20h
pop edi
jmp 00007F808CB0C560h
int3
int3
int3
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 00000088h
dec eax
lea ecx, dword ptr [00014D05h]
call dword ptr [0000FC7Fh]
dec esp
mov ebx, dword ptr [00014DF0h]
dec esp
mov dword ptr [esp+58h], ebx
inc ebp
xor eax, eax
dec eax
lea edx, dword ptr [esp+60h]
dec eax
mov ecx, dword ptr [esp+58h]
call 00007F808CB1B23Ah
dec eax
mov dword ptr [esp+50h], eax
dec eax
cmp dword ptr [esp+50h], 00000000h
je 00007F808CB0C6F3h
dec eax
mov dword ptr [esp+38h], 00000000h
dec eax
lea eax, dword ptr [esp+48h]
dec eax
mov dword ptr [esp+30h], eax
dec eax
lea eax, dword ptr [esp+40h]
dec eax
mov dword ptr [esp+28h], eax
dec eax
lea eax, dword ptr [00014CB0h]
dec eax
mov dword ptr [esp+20h], eax
dec esp
mov ecx, dword ptr [esp+50h]
dec esp
mov eax, dword ptr [esp+58h]
dec eax
mov edx, dword ptr [esp+60h]
xor ecx, ecx
call 00007F808CB1B1E8h
jmp 00007F808CB0C6D4h
dec eax
mov eax, dword ptr [eax+eax+00000000h]

Rich Headers

Programming Language:

[ C ] VS2008 build 21022
[LNK] VS2008 build 21022
[ASM] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[EXP] VS2008 build 21022
[C++] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x55cf0	0x6f	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5544c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5a000	0x2dffc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x59000	0xe1c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x88000	0x1d8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x52000	0x288	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x504ca	0x50600	False	0.389081940124	zlib compressed data	5.26882252971	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x52000	0x3d5f	0x3e00	False	0.355342741935	data	5.39329875307	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x56000	0x20d8	0x1200	False	0.180772569444	data	2.18161586025	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata	0x59000	0xe1c	0x1000	False	0.44580078125	data	4.98556265168	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x5a000	0x2dffc	0x2e000	False	0.839408542799	data	7.73448363752	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x88000	0x6f8	0x800	False	0.1796875	data	1.81179169858	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_RCDATA	0x5a0a0	0x2de00	data	English	United States
RT_MANIFEST	0x87ea0	0x15a	ASCII text, with CRLF line terminators	English	United States

Imports

DLL

Import

KERNEL32.dll

ExitProcess, VirtualAlloc, CompareStringW, CompareStringA, GetTimeZoneInformation, GetLocaleInfoW, GetCurrentThreadId, FlsSetValue, GetCommandLineA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, EncodePointer, DecodePointer, TlsAlloc, FlsGetValue, FlsFree, SetLastError, GetLastError, GetCurrentThread, FlsAlloc, HeapFree, Sleep, GetModuleHandleW, GetProcAddress, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, HeapSetInformation, HeapCreate, HeapDestroy, RtlUnwindEx, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, LeaveCriticalSection, FatalAppExitA, EnterCriticalSection, HeapAlloc, HeapReAlloc, WriteFile, SetConsoleCtrlHandler, FreeLibrary, LoadLibraryA, InitializeCriticalSectionAndSpinCount, LCMapStringA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, GetDateFormatA, GetTimeFormatA, GetUserDefaultLCID, GetLocaleInfoA, EnumSystemLocalesA, IsValidLocale, HeapSize, SetEnvironmentVariableA

ole32.dll

CoTaskMemFree, CoLoadLibrary, CoTaskMemAlloc

Exports

Name	Ordinal	Address
DllRegisterServer	1	0x180042050
DllUnregisterServer	2	0x180042080

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 14, 2022 04:51:24.682137966 CEST	49770	443	192.168.2.6	23.239.0.12
May 14, 2022 04:51:24.682177067 CEST	443	49770	23.239.0.12	192.168.2.6
May 14, 2022 04:51:24.682284117 CEST	49770	443	192.168.2.6	23.239.0.12
May 14, 2022 04:51:24.706954002 CEST	49770	443	192.168.2.6	23.239.0.12
May 14, 2022 04:51:24.706985950 CEST	443	49770	23.239.0.12	192.168.2.6
May 14, 2022 04:51:25.241498947 CEST	443	49770	23.239.0.12	192.168.2.6
May 14, 2022 04:51:25.241668940 CEST	49770	443	192.168.2.6	23.239.0.12
May 14, 2022 04:51:25.703838110 CEST	49770	443	192.168.2.6	23.239.0.12
May 14, 2022 04:51:25.703903913 CEST	443	49770	23.239.0.12	192.168.2.6
May 14, 2022 04:51:25.704195023 CEST	443	49770	23.239.0.12	192.168.2.6
May 14, 2022 04:51:25.704286098 CEST	49770	443	192.168.2.6	23.239.0.12
May 14, 2022 04:51:25.707566023 CEST	49770	443	192.168.2.6	23.239.0.12
May 14, 2022 04:51:25.748502016 CEST	443	49770	23.239.0.12	192.168.2.6
May 14, 2022 04:51:26.545023918 CEST	443	49770	23.239.0.12	192.168.2.6
May 14, 2022 04:51:26.545105934 CEST	443	49770	23.239.0.12	192.168.2.6
May 14, 2022 04:51:26.545197964 CEST	49770	443	192.168.2.6	23.239.0.12
May 14, 2022 04:51:26.545227051 CEST	49770	443	192.168.2.6	23.239.0.12
May 14, 2022 04:51:26.545871973 CEST	49770	443	192.168.2.6	23.239.0.12
May 14, 2022 04:51:26.545893908 CEST	443	49770	23.239.0.12	192.168.2.6

HTTP Request Dependency Graph

23.239.0.12

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49770	23.239.0.12	443	C:\Windows\System32\regsvr32.exe

Timestamp	Direction	Data
2022-05-14 02:51:25 UTC	OUT	GET / HTTP/1.1 Cookie: EcB=pD8WB48DlisEyTvFhsJOu5Hls9DBzbackWygs2Hocc2mQICNx9qKl8DmPcq5i0hECLYru1JFD/l0v0u75i59mceQ8LHGa573Enm7C2UBlvEZ6xHKWvr+8x/01fa+MY0fw0xKiV2iaRTPbpS/FCfeIl+iS/m+KKQ5rchF2CVUXhRurKnWNmZHtoR3FXknODTFzxzu6Grc9xpm6+EIwg4rm/WIAJV2w8fVuVVevrSUrKTs1DgywK/XBc33clwk6CBR1LNsEC1TrhYH3e36Jm4zOE2Ns2WXvcPI Host: 23.239.0.12 Connection: Keep-Alive Cache-Control: no-cache
2022-05-14 02:51:26 UTC	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 May 2022 02:51:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2022-05-14 02:51:26 UTC	IN	Data Raw: 32 34 64 0d 0a c3 01 e3 f3 8c 23 fd 59 a9 17 a9 84 15 38 bf 2c 14 b5 45 18 6b e6 49 a1 32 74 3a 08 1f 20 df 6d 0b 68 a9 7d 7c c1 e0 72 5d df a0 e7 db be e9 1f 2c b6 a3 c3 44 f7 31 30 7c 9b 2d bf ce f8 a6 8e f1 a1 e9 4b bc 96 d4 a7 f8 87 f5 da e3 1e d4 ad 02 66 51 23 39 dd cb c5 e3 66 d5 88 7b 24 ce 34 b4 6a c3 26 cb 0e be c3 00 02 62 ea c5 5f fe c1 9b 65 4d c3 e5 60 e6 cf de e2 06 76 61 8d e5 be d3 e9 dd dc 51 9f 71 a4 81 e8 14 28 07 e1 92 ca c8 e8 2e 9f d8 b6 29 fd db 7c b7 e3 98 85 7d 52 ec b3 03 5e 77 75 4e 87 75 7e 43 af 2e 42 8a f2 4a 0a 02 a3 7c 76 30 2f 84 0e ce e2 93 df 8a b9 41 59 59 39 9e a4 7e 93 2b e2 9b 20 6e 49 80 8f 47 7f 9c e7 91 39 c2 05 b4 6e 53 70 96 63 c8 5b 09 d0 cb 2a 4a 5c f3 a9 08 a0 3c bf c9 db 84 1f 09 42 cf 69 af 24 2a fb 6b 97 Data Ascii: 24d#Y8,EkI2t: mh}\|r],D10\|-KfQ#9f{$4j&b_eM`vaQq(.)\|}R^wuNu~C.BJ\|v0/AYY9~+ nIG9nSpc[J\<Bi$k

Target ID:	0
Start time:	04:50:54
Start date:	14/05/2022
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe "C:\Users\user\Desktop\Plt3z2W7KQ.dll"
Imagebase:	0x7ff79a150000
File size:	140288 bytes
MD5 hash:	4E8A40CAD6CCC047914E3A7830A2D8AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	1
Start time:	04:50:54
Start date:	14/05/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Plt3z2W7KQ.dll",#1
Imagebase:	0x7ff6edbd0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	2
Start time:	04:50:55
Start date:	14/05/2022
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	regsvr32.exe /s C:\Users\user\Desktop\Plt3z2W7KQ.dll
Imagebase:	0x7ff6df960000
File size:	24064 bytes
MD5 hash:	D78B75FC68247E8A63ACBA846182740E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.388596621.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Target ID:	3
Start time:	04:50:55
Start date:	14/05/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\Plt3z2W7KQ.dll",#1
Imagebase:	0x7ff6b86b0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.385603318.000001C929DA0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.385208738.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Target ID:	4
Start time:	04:50:55
Start date:	14/05/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\Plt3z2W7KQ.dll,DllRegisterServer
Imagebase:	0x7ff6b86b0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.386117726.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.386425772.000001C271790000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Target ID:	5
Start time:	04:50:59
Start date:	14/05/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\Plt3z2W7KQ.dll,DllUnregisterServer
Imagebase:	0x7ff6b86b0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	6
Start time:	04:51:00
Start date:	14/05/2022
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\regsvr32.exe "C:\Windows\system32\XxAsGMCLqrlaY\QoxZfNcqe.dll"
Imagebase:	0x7ff6df960000
File size:	24064 bytes
MD5 hash:	D78B75FC68247E8A63ACBA846182740E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.898746812.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.898395398.0000000000770000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Target ID:	12
Start time:	04:51:34
Start date:	14/05/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff726010000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	13
Start time:	04:51:34
Start date:	14/05/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:	0x7ff726010000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	14
Start time:	04:51:40
Start date:	14/05/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff726010000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	17
Start time:	04:52:12
Start date:	14/05/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff726010000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	21
Start time:	04:52:37
Start date:	14/05/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff726010000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Execution Graph

Execution Coverage:	10.8%
Dynamic/Decrypted Code Coverage:	3.8%
Signature Coverage:	17.2%
Total number of Nodes:	693
Total number of Limit Nodes:	8

Executed Functions

Function 00EF0000 Relevance: 76.3, APIs: 5, Strings: 38, Instructions: 1094
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 00EF0450
GetNativeSystemInfo.KERNELBASE ref: 00EF0539
VirtualAlloc.KERNELBASE ref: 00EF0580
VirtualProtect.KERNELBASE ref: 00EF09E9
RtlAddFunctionTable.KERNEL32 ref: 00EF0A79

Strings

Reso, xrefs: 00EF02FC
Size, xrefs: 00EF0311
Slee, xrefs: 00EF00B7
Find, xrefs: 00EF02D0
Free, xrefs: 00EF034D
Reso, xrefs: 00EF02DB
Load, xrefs: 00EF00C8
tion, xrefs: 00EF0128
ncti, xrefs: 00EF016A
Flus, xrefs: 00EF0113
Cach, xrefs: 00EF012F
ofRe, xrefs: 00EF0318
ualA, xrefs: 00EF00E8
urce, xrefs: 00EF0304
Lock, xrefs: 00EF0330
ativ, xrefs: 00EF013D
Reso, xrefs: 00EF0355
ualP, xrefs: 00EF00FF
Load, xrefs: 00EF02F4
Virt, xrefs: 00EF00E0
RtlA, xrefs: 00EF015C
urce, xrefs: 00EF035D
aryA, xrefs: 00EF00D8
ddFu, xrefs: 00EF0163
truc, xrefs: 00EF0121
urce, xrefs: 00EF0340
GetN, xrefs: 00EF0136
temI, xrefs: 00EF014B
urce, xrefs: 00EF02E7
hIns, xrefs: 00EF011A
lloc, xrefs: 00EF00F0
rote, xrefs: 00EF0106
Virt, xrefs: 00EF00F8
Libr, xrefs: 00EF00D0
sour, xrefs: 00EF031F
onTa, xrefs: 00EF0171
eSys, xrefs: 00EF0144
Reso, xrefs: 00EF0338

Memory Dump Source

Source File: 00000002.00000002.388571897.0000000000EF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_ef0000_regsvr32.jbxd

Similarity

API ID: Virtual$Alloc$FunctionInfoNativeProtectSystemTable
String ID: Cach$Find$Flus$Free$GetN$Libr$Load$Load$Lock$Reso$Reso$Reso$Reso$RtlA$Size$Slee$Virt$Virt$aryA$ativ$ddFu$eSys$hIns$lloc$ncti$ofRe$onTa$rote$sour$temI$tion$truc$ualA$ualP$urce$urce$urce$urce
API String ID: 394283112-2517549848
Opcode ID: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
Instruction ID: 671040c1acfd3ef780b0ba89229d805b103664a83113c64845c178968a2e5441
Opcode Fuzzy Hash: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
Instruction Fuzzy Hash: 6F72D530618B4C8FDB29DF18C8856B9B7E1FB98305F10562DE98AD7212EB34D946CB85

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002C058 Relevance: 10.4, Strings: 8, Instructions: 370
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Ekf, xrefs: 000000018002C0CA
l, xrefs: 000000018002C347
<W, xrefs: 000000018002C1D0
Z, xrefs: 000000018002C36B
#C, xrefs: 000000018002C55D
l, xrefs: 000000018002C1F5
(I, xrefs: 000000018002C62C
-:, xrefs: 000000018002C100

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #C$(I$-:$Ekf$<W$Z$l$l
API String ID: 0-464535774
Opcode ID: d8792019bb8cd892c5e2cff0ba87425d7977148afb5a5f987cda1e45d5ff9126
Instruction ID: edc4d0e98499d5b5adff65828f8d1fd2ac7ce79502a6533da94e18623254a36a
Opcode Fuzzy Hash: d8792019bb8cd892c5e2cff0ba87425d7977148afb5a5f987cda1e45d5ff9126
Instruction Fuzzy Hash: C102E3B151038CDBCB99DF28C8CAADD3BA1FB48398F956219FD0697260D774D884CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180007958 Relevance: 9.3, Strings: 7, Instructions: 551
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

J, xrefs: 0000000180007DB2
oh, xrefs: 0000000180007F5E
IS_, xrefs: 0000000180007E52
oh, xrefs: 0000000180007F68
c)K, xrefs: 0000000180007D79
0n)G, xrefs: 00000001800080D5
9i&, xrefs: 0000000180007F21

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 0n)G$9i&$IS_$c)K$oh$oh$J
API String ID: 0-4168131144
Opcode ID: 30d22681d77451a804741155910a8214494d75842a214bfc255a7dbc84502ded
Instruction ID: 1745985c1503e7a5a98bbeacef01b65c9f03634c62e3202666f04ad1fcc3199d
Opcode Fuzzy Hash: 30d22681d77451a804741155910a8214494d75842a214bfc255a7dbc84502ded
Instruction Fuzzy Hash: 69423870A0470CABCB58DF68C58AADEBBF1FB44304F40C169EC4AAB250D7759B19CB85

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800059B8 Relevance: 7.9, Strings: 6, Instructions: 408
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ru, xrefs: 000000018000623C
t:v, xrefs: 0000000180005E76
-!zt, xrefs: 0000000180005BD7
d}9J, xrefs: 0000000180006179
Mv`b, xrefs: 0000000180005D4E
R3T, xrefs: 0000000180005C59

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: -!zt$Mv`b$R3T$d}9J$t:v$ru
API String ID: 0-2100131636
Opcode ID: e0551372703c1c57f1fc0d9d1de0f1be02ef62f192bed394747547d409ac2d0a
Instruction ID: abddbd47ac15f5a8ffacaf8e31a06efd054a3dbd2afb1a66e8bbaa14beb483a4
Opcode Fuzzy Hash: e0551372703c1c57f1fc0d9d1de0f1be02ef62f192bed394747547d409ac2d0a
Instruction Fuzzy Hash: C1221BB050478C8BDBB8CF64C9897DD7BB0FB44308F10862DDA5AAB250CBB45686CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180010FF4 Relevance: 7.9, Strings: 6, Instructions: 363
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

)|x, xrefs: 000000018001168C
\, xrefs: 0000000180011205
/Zb, xrefs: 000000018001119F
lA, xrefs: 0000000180011819
OV4T, xrefs: 0000000180011307
/v|, xrefs: 00000001800113E2

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: )|x$/Zb$/v|$OV4T$\$lA
API String ID: 0-3528011396
Opcode ID: 74ea3d61a93069fa3a56a5f8f60d4b0c7eeb5b014d6ac06c6862fd203c8e6463
Instruction ID: 5dbdb21e6b24644f90705741d0e2e2cc24c858ca1caac6c8284349b4f9dc1789
Opcode Fuzzy Hash: 74ea3d61a93069fa3a56a5f8f60d4b0c7eeb5b014d6ac06c6862fd203c8e6463
Instruction Fuzzy Hash: 8C2204705097C8CBDBBECF64C885BDA7BA8FB44B08F10521DEA4A9E258DB745744CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180021618 Relevance: 7.8, Strings: 6, Instructions: 266
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

&.+, xrefs: 000000018002180B
)O, xrefs: 000000018002164B
F>9, xrefs: 0000000180021937
.pN, xrefs: 0000000180021AE0
, xrefs: 00000001800219DA
t(/, xrefs: 0000000180021ABB

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $&.+$)O$.pN$F>9$t(/
API String ID: 0-3036092626
Opcode ID: 549a8b626face2190b4149bba4d09d4cb88f6d29378e8937dde350adb7fd5a83
Instruction ID: e4baced68933c0a0796cf32b330105f1a6d3ed4de4784e8c7f389f9334031704
Opcode Fuzzy Hash: 549a8b626face2190b4149bba4d09d4cb88f6d29378e8937dde350adb7fd5a83
Instruction Fuzzy Hash: E6E109716093C89FEBBACF24C8897DE7BA1FB59344F50421DD88A8E250DB745B49CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180028C20 Relevance: 6.6, Strings: 5, Instructions: 335
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

yy8x, xrefs: 0000000180028D19
Q27, xrefs: 0000000180028EC2, 0000000180028F2F, 0000000180028CC6, 00000001800290DD, 0000000180029040, 0000000180029047, 0000000180028FEB, 0000000180028F82, 0000000180028E8F, 0000000180028DCC, 000000018002907C, 0000000180029134, 0000000180028FD5
_5, xrefs: 00000001800290F7
Mh, xrefs: 0000000180029055
:G, xrefs: 0000000180028C4C

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: :G$Q27$_5$yy8x$Mh
API String ID: 0-3587547327
Opcode ID: 315710b1bd8495485e823c5d8e4dda2fa20a4e0309c27e75a691e805bd33ac06
Instruction ID: f758bc8895b8ed7f582f71be29fb7142b0f1d07f9cbefdc8313849e51cf7b1d3
Opcode Fuzzy Hash: 315710b1bd8495485e823c5d8e4dda2fa20a4e0309c27e75a691e805bd33ac06
Instruction Fuzzy Hash: 3DF1E07051434CEBDFA9DF68C8CAA9D3BA0FF48394FA06219FD0696250D775D988CB81

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000C608 Relevance: 5.6, Strings: 4, Instructions: 616
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

w\H, xrefs: 000000018000C959
K', xrefs: 000000018000CAC7
sf, xrefs: 000000018000CE95
+#;), xrefs: 000000018000CBDA

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: +#;)$K'$sf$w\H
API String ID: 0-1051058546
Opcode ID: 6c53062de77b202a7a918e5f4038520a98252693d28bf41343123917f80ba32c
Instruction ID: 30c6111824d62709d88844cae5ccd518ea343406d57bec7882368cdc1c6a6611
Opcode Fuzzy Hash: 6c53062de77b202a7a918e5f4038520a98252693d28bf41343123917f80ba32c
Instruction Fuzzy Hash: 8362F97050068D8FDB48DF28C89A6DD3FA1FB58388F524229FC4AA7251D778D999CBC4

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001E3AC Relevance: 4.0, Strings: 3, Instructions: 215COMMON

Download Yara Rule

Strings

<8, xrefs: 000000018001E63C
<w., xrefs: 000000018001E582
<4P, xrefs: 000000018001E690

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: <4P$<8$<w.
API String ID: 0-1030867500
Opcode ID: 6c4ff939f0d35883aefbb319d4430fd67387b4e339adb0f797cabce8c6a4bf31
Instruction ID: 97d266913d6b0fd63d839b3c54903fd41a2ccd22a8a26fffcb9587bfe3b6431f
Opcode Fuzzy Hash: 6c4ff939f0d35883aefbb319d4430fd67387b4e339adb0f797cabce8c6a4bf31
Instruction Fuzzy Hash: C8B1E17151A384ABD788CF28C1C994BBBE1FBD4754F906A1DF8C68B260D7B0D948CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180008738 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 115serviceCOMMON

Download Yara Rule

APIs

EnumServicesStatusExW.ADVAPI32 ref: 00000001800088CE

Strings

0, xrefs: 00000001800087A2

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID: EnumServicesStatus
String ID: 0
API String ID: 1175134041-4108050209
Opcode ID: db603bb2b8e98494aa5d103a55ff6880efe57e8bef9bc2761200f0953d48cc16
Instruction ID: 7ab319c63b8e5ac465867556a9bc77988854db4505af46021ca75d6279ec6770
Opcode Fuzzy Hash: db603bb2b8e98494aa5d103a55ff6880efe57e8bef9bc2761200f0953d48cc16
Instruction Fuzzy Hash: 2C41327091C7848FD7B8DF18D48579ABBE0FB88304F10496EE88DC7252DB70A985CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180013E28 Relevance: 2.6, Strings: 2, Instructions: 87COMMON

Download Yara Rule

Strings

%'#, xrefs: 0000000180013EFA
'1O", xrefs: 0000000180013F6E

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: %'#$'1O"
API String ID: 0-3508158491
Opcode ID: 7a3bc090f4985b1e57649fadf31b142a2b067212ca7952ade99d041dbd471a2f
Instruction ID: 10e181b0c1a65fbc894e9b150557277c676d109d9ee8fa061bdc989f931bd19f
Opcode Fuzzy Hash: 7a3bc090f4985b1e57649fadf31b142a2b067212ca7952ade99d041dbd471a2f
Instruction Fuzzy Hash: A541C471D1471C9FCB84CFA8D98AACDBBF0FB48354F249119E445B6250D3B85988CF69

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180009100 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9400724a362ecc304d993d2fe4c896d101fab294f6d1cf34a07a96bc2a8ce181
Instruction ID: 281782cf28aa09d34d334260f991d1b96cfbd8271b51b9b7c31761fd0664cb75
Opcode Fuzzy Hash: 9400724a362ecc304d993d2fe4c896d101fab294f6d1cf34a07a96bc2a8ce181
Instruction Fuzzy Hash: 4B51EC715087889BCBB8DF18C9856CA7BF0FF95704F50891DE9898B250DF719A44DB42

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F363EEC Relevance: 15.1, APIs: 10, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentStringsW.KERNELBASE(?,?,?,?,?,?,?,00007FFF2F36219B), ref: 00007FFF2F363F1B
GetLastError.KERNEL32(?,?,?,?,?,?,?,00007FFF2F36219B), ref: 00007FFF2F363F35
GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FFF2F36219B), ref: 00007FFF2F363F5B
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FFF2F36219B), ref: 00007FFF2F363FB0
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FFF2F36219B), ref: 00007FFF2F363FEC
free.LIBCMT ref: 00007FFF2F363FFA
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FFF2F36219B), ref: 00007FFF2F364005
GetEnvironmentStrings.KERNEL32(?,?,?,?,?,?,?,00007FFF2F36219B), ref: 00007FFF2F36401D
FreeEnvironmentStringsA.KERNEL32(?,?,?,?,?,?,?,00007FFF2F36219B), ref: 00007FFF2F36405E
FreeEnvironmentStringsA.KERNEL32(?,?,?,?,?,?,?,00007FFF2F36219B), ref: 00007FFF2F36407A

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide$ErrorLastfree
String ID:
API String ID: 994105223-0
Opcode ID: f850f7f34601db923eac004d86ac393417d210c29532925b20230ca42a5e0836
Instruction ID: f80705de25d0dce85993eb45ca7c37965f56e47ba21ee3b52f11dd8567687282
Opcode Fuzzy Hash: f850f7f34601db923eac004d86ac393417d210c29532925b20230ca42a5e0836
Instruction Fuzzy Hash: 48412C21F2929685FA649B11AD84039A7E5FB48BB0F144434DA5E2FBD9CE3CEC91C709

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F362154 Relevance: 10.6, APIs: 7, Instructions: 87
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFF2F364110: HeapCreate.KERNELBASE(?,?,?,?,00007FFF2F362169), ref: 00007FFF2F364122
Part of subcall function 00007FFF2F364110: HeapSetInformation.KERNEL32 ref: 00007FFF2F36414C

_RTC_Initialize.LIBCMT ref: 00007FFF2F362184
GetCommandLineA.KERNEL32 ref: 00007FFF2F362189

Part of subcall function 00007FFF2F363EEC: GetEnvironmentStringsW.KERNELBASE(?,?,?,?,?,?,?,00007FFF2F36219B), ref: 00007FFF2F363F1B
Part of subcall function 00007FFF2F363EEC: GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FFF2F36219B), ref: 00007FFF2F363F5B

Part of subcall function 00007FFF2F363758: GetStartupInfoA.KERNEL32 ref: 00007FFF2F36377D

__setargv.LIBCMT ref: 00007FFF2F3621B2
_cinit.LIBCMT ref: 00007FFF2F3621C6

Part of subcall function 00007FFF2F362C94: FlsFree.KERNEL32(?,?,?,?,00007FFF2F362217), ref: 00007FFF2F362CA3
Part of subcall function 00007FFF2F362C94: DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFF2F362217), ref: 00007FFF2F366A32
Part of subcall function 00007FFF2F362C94: free.LIBCMT ref: 00007FFF2F366A3B
Part of subcall function 00007FFF2F362C94: DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFF2F362217), ref: 00007FFF2F366A5B

Part of subcall function 00007FFF2F363A48: free.LIBCMT ref: 00007FFF2F363A8F

Part of subcall function 00007FFF2F363108: Sleep.KERNEL32(?,?,0000000A,00007FFF2F362DA3,?,?,?,00007FFF2F362DFF,?,?,?,00007FFF2F36254F,?,?,?,00007FFF2F36262A), ref: 00007FFF2F36314D

FlsSetValue.KERNEL32 ref: 00007FFF2F36224C
GetCurrentThreadId.KERNEL32 ref: 00007FFF2F362260
free.LIBCMT ref: 00007FFF2F36226F

Part of subcall function 00007FFF2F363024: HeapFree.KERNEL32(?,?,00000000,00007FFF2F362DDC,?,?,?,00007FFF2F362DFF,?,?,?,00007FFF2F36254F,?,?,?,00007FFF2F36262A), ref: 00007FFF2F36303A
Part of subcall function 00007FFF2F363024: _errno.LIBCMT ref: 00007FFF2F363044
Part of subcall function 00007FFF2F363024: GetLastError.KERNEL32(?,?,00000000,00007FFF2F362DDC,?,?,?,00007FFF2F362DFF,?,?,?,00007FFF2F36254F,?,?,?,00007FFF2F36262A), ref: 00007FFF2F36304C

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: Heapfree$CriticalDeleteEnvironmentFreeSectionStrings$CommandCreateCurrentErrorInfoInformationInitializeLastLineSleepStartupThreadValue__setargv_cinit_errno
String ID:
API String ID: 1549890855-0
Opcode ID: 1bfc46722c3ac8e7b1a3fe84d8ded69fde3dc3f1e7eef4d63a5cdedb7541036a
Instruction ID: b3a6d9fa617b9660b89a09a51aca6d935fbf1db3f380236cce7b810ae50a7158
Opcode Fuzzy Hash: 1bfc46722c3ac8e7b1a3fe84d8ded69fde3dc3f1e7eef4d63a5cdedb7541036a
Instruction Fuzzy Hash: 6831D420F3C20341FEA867A19DC627911D57F55774F124534DA2EBD2C6EE2CFC54822A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F364CD4 Relevance: 9.1, APIs: 6, Instructions: 122
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_getptd.LIBCMT ref: 00007FFF2F364CF3

Part of subcall function 00007FFF2F3648C0: _getptd.LIBCMT ref: 00007FFF2F3648CA

Part of subcall function 00007FFF2F36497C: GetOEMCP.KERNEL32(?,?,?,?,?,?,?,00007FFF2F364D0E,?,?,?,?,?,00007FFF2F364EE3), ref: 00007FFF2F3649A6

Part of subcall function 00007FFF2F36309C: Sleep.KERNEL32(?,?,00000000,00007FFF2F366B19,?,?,00000000,00007FFF2F366BC3,?,?,?,?,?,?,00000000,00007FFF2F362DC8), ref: 00007FFF2F3630D2

free.LIBCMT ref: 00007FFF2F364D7F

Part of subcall function 00007FFF2F363024: HeapFree.KERNEL32(?,?,00000000,00007FFF2F362DDC,?,?,?,00007FFF2F362DFF,?,?,?,00007FFF2F36254F,?,?,?,00007FFF2F36262A), ref: 00007FFF2F36303A
Part of subcall function 00007FFF2F363024: _errno.LIBCMT ref: 00007FFF2F363044
Part of subcall function 00007FFF2F363024: GetLastError.KERNEL32(?,?,00000000,00007FFF2F362DDC,?,?,?,00007FFF2F362DFF,?,?,?,00007FFF2F36254F,?,?,?,00007FFF2F36262A), ref: 00007FFF2F36304C

_lock.LIBCMT ref: 00007FFF2F364DB7
free.LIBCMT ref: 00007FFF2F364E67
free.LIBCMT ref: 00007FFF2F364E97
_errno.LIBCMT ref: 00007FFF2F364E9C

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: free$_errno_getptd$ErrorFreeHeapLastSleep_lock
String ID:
API String ID: 1264244385-0
Opcode ID: 2d1c73193aff0bd2fa234daa6436aaac9807f819087f81d2c1bddea91d33e348
Instruction ID: 05300ac3e973960f417704c21ccc87d49f850b7fe55d903f1b0a38accd0a5f6a
Opcode Fuzzy Hash: 2d1c73193aff0bd2fa234daa6436aaac9807f819087f81d2c1bddea91d33e348
Instruction Fuzzy Hash: 62519E21F2864286F7509B25ED80279B6D1FB84B74F144136EA5E5B3D9CF7CEC418718

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F366C34 Relevance: 7.5, APIs: 5, Instructions: 47
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_FF_MSGBANNER.LIBCMT ref: 00007FFF2F366C64
RtlAllocateHeap.NTDLL(?,?,00000000,00007FFF2F3630C0,?,?,00000000,00007FFF2F366B19,?,?,00000000,00007FFF2F366BC3), ref: 00007FFF2F366C89
_errno.LIBCMT ref: 00007FFF2F366CAD
_errno.LIBCMT ref: 00007FFF2F366CB8
_errno.LIBCMT ref: 00007FFF2F366CCD

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: _errno$AllocateHeap
String ID:
API String ID: 502529563-0
Opcode ID: d18ae8e3cce73ce1a52224a39a8d43e75eaf3a21478d7bf67846a2816eda3af9
Instruction ID: ecd511c66f8009f86de2a55ffcd1ee749f40b121ad4686093d29b29545b6cfc9
Opcode Fuzzy Hash: d18ae8e3cce73ce1a52224a39a8d43e75eaf3a21478d7bf67846a2816eda3af9
Instruction Fuzzy Hash: 16112E24B39A4681FA546B61AC9167D36E0EF84BF0F044234E91D6F7C2CE2CEC508B19

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F361EE7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL ref: 00007FFF2F361F24
RtlDeleteBoundaryDescriptor.NTDLL ref: 00007FFF2F361F56

Strings

vb4vcW2kAW3Twaz?30, xrefs: 00007FFF2F361F6C

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: AllocateBoundaryDeleteDescriptorHeap
String ID: vb4vcW2kAW3Twaz?30
API String ID: 254689257-4179232793
Opcode ID: 08b1cf252e4ad689d9d92df66199491e9f35c83da394e0c34af369396f0aa75a
Instruction ID: 266a3a37f4107340e8cbe554da4a5d972ebb0f4cef373a9d39829dd4d8fec42a
Opcode Fuzzy Hash: 08b1cf252e4ad689d9d92df66199491e9f35c83da394e0c34af369396f0aa75a
Instruction Fuzzy Hash: 51212732A1CE8686E330CB14E8943A677E5FB88754F004135D68D9BBA5DF7CE9018B05

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F362FA0 Relevance: 4.5, APIs: 3, Instructions: 35
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFF2F3636F0: _initp_misc_winsig.LIBCMT ref: 00007FFF2F363729
Part of subcall function 00007FFF2F3636F0: EncodePointer.KERNEL32(?,?,?,00007FFF2F362FAB,?,?,?,00007FFF2F362179), ref: 00007FFF2F363745

FlsAlloc.KERNEL32(?,?,?,00007FFF2F362179), ref: 00007FFF2F362FBB

Part of subcall function 00007FFF2F363108: Sleep.KERNEL32(?,?,0000000A,00007FFF2F362DA3,?,?,?,00007FFF2F362DFF,?,?,?,00007FFF2F36254F,?,?,?,00007FFF2F36262A), ref: 00007FFF2F36314D

FlsSetValue.KERNEL32(?,?,?,00007FFF2F362179), ref: 00007FFF2F362FEC

Part of subcall function 00007FFF2F362CBC: _lock.LIBCMT ref: 00007FFF2F362D0C
Part of subcall function 00007FFF2F362CBC: _lock.LIBCMT ref: 00007FFF2F362D2C

GetCurrentThreadId.KERNEL32 ref: 00007FFF2F363000

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: _lock$AllocCurrentEncodePointerSleepThreadValue_initp_misc_winsig
String ID:
API String ID: 54287522-0
Opcode ID: 926dbc3dc0f4bcdbbdac5bfac17ca3eb5364a16ed8e4c5d99003da15ed9a218c
Instruction ID: 0ef81ef9f178baae308bb33becfbc555f84a207c4ee623cb4dfa109203e73e83
Opcode Fuzzy Hash: 926dbc3dc0f4bcdbbdac5bfac17ca3eb5364a16ed8e4c5d99003da15ed9a218c
Instruction Fuzzy Hash: 1201FB60F2860381FB54ABB59CC527966E1BF44770F144234D53EAE3E2EE2CFC899625

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180001BDC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 115processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE ref: 0000000180001D4C

Strings

:}, xrefs: 0000000180001C92

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID: :}
API String ID: 963392458-2902022129
Opcode ID: d4da30051582f0c34577a92f260795e531c0ce67ba31d10d3ee514360786ef98
Instruction ID: 26ea99709d6fc87808755d2915912d2f892c3b8ed2aa040ac50dc8635ae9c2e3
Opcode Fuzzy Hash: d4da30051582f0c34577a92f260795e531c0ce67ba31d10d3ee514360786ef98
Instruction Fuzzy Hash: EB415A7091C7888FD7B4DF58D4857AABBE0FBC8314F108A1EE48DD7255DB7498458B82

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F362050 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32 ref: 00007FFF2F362075

Strings

JKvDDasqwOPvGXZdqW, xrefs: 00007FFF2F36205D

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: ExitProcess
String ID: JKvDDasqwOPvGXZdqW
API String ID: 621844428-4059861069
Opcode ID: deed1fdb9085c7dcd35d809f3e44395f38d7cca76780fd27941661c68abd14ec
Instruction ID: d4ed0bc924abe54b1f01b40d3e88b24343288810b5145a539c8baf23769cf50f
Opcode Fuzzy Hash: deed1fdb9085c7dcd35d809f3e44395f38d7cca76780fd27941661c68abd14ec
Instruction Fuzzy Hash: F4D0C721F28B81C1D620A710FC4535A63E0FB89364FC00130D5CC9A754DF7CD955C705

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F366CEC Relevance: 3.1, APIs: 2, Instructions: 52memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FFF2F366D0F

Part of subcall function 00007FFF2F3666D8: DecodePointer.KERNEL32 ref: 00007FFF2F3666FF

RtlAllocateHeap.NTDLL(?,?,?,?,00000000,00007FFF2F36313B,?,?,0000000A,00007FFF2F362DA3,?,?,?,00007FFF2F362DFF), ref: 00007FFF2F366D58

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: AllocateDecodeHeapPointer_errno
String ID:
API String ID: 15861996-0
Opcode ID: 39e9772f0cc65a7484b61a3e1fb2b868eaa6fa792f1398e078783a6d2fc3ba42
Instruction ID: 3abb30dd4879921879f2d74af3656ee0f42a8f240191b80468b49219a280ca09
Opcode Fuzzy Hash: 39e9772f0cc65a7484b61a3e1fb2b868eaa6fa792f1398e078783a6d2fc3ba42
Instruction Fuzzy Hash: 8711E721B2C24242FB145B24EE8437962D19F807F4F088A34CE1D6F6C4DE7CAC408A18

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F3636F0 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

_initp_misc_winsig.LIBCMT ref: 00007FFF2F363729

Part of subcall function 00007FFF2F36755C: EncodePointer.KERNEL32(?,?,?,?,00007FFF2F36373E,?,?,?,00007FFF2F362FAB,?,?,?,00007FFF2F362179), ref: 00007FFF2F367567

EncodePointer.KERNEL32(?,?,?,00007FFF2F362FAB,?,?,?,00007FFF2F362179), ref: 00007FFF2F363745

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: EncodePointer$_initp_misc_winsig
String ID:
API String ID: 190222155-0
Opcode ID: 29817383cbd5b8fc12b900dc218af1d2c44829c2a488d6b4e34f3447ba8c1d75
Instruction ID: b11a933e46ce85bf33b979525e2252d448b6dc2620aa594285366b243f499a7c
Opcode Fuzzy Hash: 29817383cbd5b8fc12b900dc218af1d2c44829c2a488d6b4e34f3447ba8c1d75
Instruction Fuzzy Hash: 32F02210FA924B44FD19BB626CE20B822C01F96BA0B982170E91E3E3D3DD2CED554759

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F364110 Relevance: 3.0, APIs: 2, Instructions: 18memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(?,?,?,?,00007FFF2F362169), ref: 00007FFF2F364122
HeapSetInformation.KERNEL32 ref: 00007FFF2F36414C

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: Heap$CreateInformation
String ID:
API String ID: 1774340351-0
Opcode ID: 489fa6aa26c4b222785c1fb3dc785f295b08bd9aa245ee8ef2e9349b67055af0
Instruction ID: 2f7a19b535453a111ac19ed407fef8072d356cd0e7531f297dc226a9d76a24eb
Opcode Fuzzy Hash: 489fa6aa26c4b222785c1fb3dc785f295b08bd9aa245ee8ef2e9349b67055af0
Instruction Fuzzy Hash: 63E04FB5F3578182F7989B21EC897696290FB88351F809039EA4D52BD4EF3CD445CA00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F3673F4 Relevance: 1.5, APIs: 1, Instructions: 15COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(?,?,?,00007FFF2F3634AF,?,?,?,00007FFF2F3621CB), ref: 00007FFF2F36740D

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 0a2c1c774571843224449336236925bab63b88d9ce0b4f967ac09496dc1b8d3d
Instruction ID: 293964e5b71ff05ed67f787cc5937e2d6fb4749e1e4287e6addbcc42002e502b
Opcode Fuzzy Hash: 0a2c1c774571843224449336236925bab63b88d9ce0b4f967ac09496dc1b8d3d
Instruction Fuzzy Hash: E5D01222F6454681EB118B21F9D016832E4EB847A4F588031D65C1A685DD2CC8668705

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F363108 Relevance: 1.3, APIs: 1, Instructions: 36sleepCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFF2F366CEC: _errno.LIBCMT ref: 00007FFF2F366D0F

Sleep.KERNEL32(?,?,0000000A,00007FFF2F362DA3,?,?,?,00007FFF2F362DFF,?,?,?,00007FFF2F36254F,?,?,?,00007FFF2F36262A), ref: 00007FFF2F36314D

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: Sleep_errno
String ID:
API String ID: 1068366078-0
Opcode ID: 99b9e4cc6464749d47a71fc1b610823d805388b9272814145126b07a25ab941d
Instruction ID: 369e478d8a6529f925a67ce80421e603d965b2af1876be1f476f7fb93d31c25b
Opcode Fuzzy Hash: 99b9e4cc6464749d47a71fc1b610823d805388b9272814145126b07a25ab941d
Instruction Fuzzy Hash: 05016722B34B4585FA549B169C8002976E5FB84FE0F191131DE6D1BB90DF38EC51C704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F36309C Relevance: 1.3, APIs: 1, Instructions: 30sleepCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFF2F366C34: _FF_MSGBANNER.LIBCMT ref: 00007FFF2F366C64
Part of subcall function 00007FFF2F366C34: RtlAllocateHeap.NTDLL(?,?,00000000,00007FFF2F3630C0,?,?,00000000,00007FFF2F366B19,?,?,00000000,00007FFF2F366BC3), ref: 00007FFF2F366C89
Part of subcall function 00007FFF2F366C34: _errno.LIBCMT ref: 00007FFF2F366CAD
Part of subcall function 00007FFF2F366C34: _errno.LIBCMT ref: 00007FFF2F366CB8

Sleep.KERNEL32(?,?,00000000,00007FFF2F366B19,?,?,00000000,00007FFF2F366BC3,?,?,?,?,?,?,00000000,00007FFF2F362DC8), ref: 00007FFF2F3630D2

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: _errno$AllocateHeapSleep
String ID:
API String ID: 4153772858-0
Opcode ID: fda341601c3db2866e613cad0830f714017b4f3b234a5a25ccfa8741b4d7d732
Instruction ID: b5b2818206578dc6e491b31842fac11c5a26d17adfe11198777c2027b400a19c
Opcode Fuzzy Hash: fda341601c3db2866e613cad0830f714017b4f3b234a5a25ccfa8741b4d7d732
Instruction Fuzzy Hash: ADF0C832B2978582EA509F15A8C002D72E0FB84BB0F440134EA6E2B7D5DF3DEC958B05

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFF2F36895C Relevance: 24.4, APIs: 16, Instructions: 377COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(?,00007FFF2F363E11,?,?,?,?,?,00007FFF2F3621B7), ref: 00007FFF2F3689CE
GetLastError.KERNEL32(?,00007FFF2F363E11,?,?,?,?,?,00007FFF2F3621B7), ref: 00007FFF2F3689E4
MultiByteToWideChar.KERNEL32 ref: 00007FFF2F368A8E
MultiByteToWideChar.KERNEL32 ref: 00007FFF2F368B36
LCMapStringW.KERNEL32 ref: 00007FFF2F368B5B
LCMapStringW.KERNEL32 ref: 00007FFF2F368BAB
LCMapStringW.KERNEL32 ref: 00007FFF2F368C38
WideCharToMultiByte.KERNEL32 ref: 00007FFF2F368C7B
free.LIBCMT ref: 00007FFF2F368C8C
free.LIBCMT ref: 00007FFF2F368C9A
LCMapStringA.KERNEL32(?,00007FFF2F363E11,?,?,?,?,?,00007FFF2F3621B7), ref: 00007FFF2F368D29
LCMapStringA.KERNEL32(?,00007FFF2F363E11,?,?,?,?,?,00007FFF2F3621B7), ref: 00007FFF2F368DE0
free.LIBCMT ref: 00007FFF2F368E28
LCMapStringA.KERNEL32(?,00007FFF2F363E11,?,?,?,?,?,00007FFF2F3621B7), ref: 00007FFF2F368E48
free.LIBCMT ref: 00007FFF2F368E5A
free.LIBCMT ref: 00007FFF2F368E6C

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: String$free$ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1446610345-0
Opcode ID: 1cb68e5ebb75471bd28e921dddda68db4bd0a605ea05e1978d1bd0bd9315b2d8
Instruction ID: e31e19078d217866341770723ee78f8fc81e32cd6ee77dc3f33c068e07eba1f0
Opcode Fuzzy Hash: 1cb68e5ebb75471bd28e921dddda68db4bd0a605ea05e1978d1bd0bd9315b2d8
Instruction Fuzzy Hash: 37F1A132B196818AF7608F25D8809A977D1FF487A8F144235EA5D6BBD4DF3CED418B08

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F367BE8 Relevance: 22.8, APIs: 11, Strings: 2, Instructions: 78libraryloaderCOMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32 ref: 00007FFF2F367C06
_errno.LIBCMT ref: 00007FFF2F367C13

Part of subcall function 00007FFF2F3666D8: DecodePointer.KERNEL32 ref: 00007FFF2F3666FF

LoadLibraryA.KERNEL32 ref: 00007FFF2F367C4F
GetProcAddress.KERNEL32 ref: 00007FFF2F367C67
_errno.LIBCMT ref: 00007FFF2F367C75
GetLastError.KERNEL32 ref: 00007FFF2F367C7D
GetLastError.KERNEL32 ref: 00007FFF2F367CA0

Strings

SystemFunction036, xrefs: 00007FFF2F367C5D
ADVAPI32.DLL, xrefs: 00007FFF2F367C48

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: DecodeErrorLastPointer_errno$AddressLibraryLoadProc
String ID: ADVAPI32.DLL$SystemFunction036
API String ID: 1558914745-1064046199
Opcode ID: a4bc4b26b88413057c65bce35d9d543f8071dd4b5a3168f49804b7622c4c0c09
Instruction ID: b50a68e0a14143bea4d126769533693da67fd064877701c804dfb71b69d74973
Opcode Fuzzy Hash: a4bc4b26b88413057c65bce35d9d543f8071dd4b5a3168f49804b7622c4c0c09
Instruction Fuzzy Hash: AE315A21F2D64686FB10AF65AC9567D22D0AF84BA0F444434EE0D6F7D6EE3CEC158B09

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F36C934 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FFF2F36C956
GetUserDefaultLCID.KERNEL32 ref: 00007FFF2F36CA56
IsValidCodePage.KERNEL32 ref: 00007FFF2F36CAA7
IsValidLocale.KERNEL32 ref: 00007FFF2F36CABD
GetLocaleInfoA.KERNEL32 ref: 00007FFF2F36CB38
GetLocaleInfoA.KERNEL32 ref: 00007FFF2F36CB55
_itow_s.LIBCMT ref: 00007FFF2F36CB73

Strings

Norwegian-Nynorsk, xrefs: 00007FFF2F36CAF8

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: Locale$InfoValid$CodeDefaultPageUser_getptd_itow_s
String ID: Norwegian-Nynorsk
API String ID: 2273835618-461349085
Opcode ID: 27b601e54d08442215230f85cfe0824a991ba4f10c2dcca786a022abe7f281d3
Instruction ID: 59728efe087646537eaadb49747e29b3297733830b37ce8640a8cb75dca0f23a
Opcode Fuzzy Hash: 27b601e54d08442215230f85cfe0824a991ba4f10c2dcca786a022abe7f281d3
Instruction Fuzzy Hash: 01615A22B2824286FB649F21D8857B923E0EB45BA5F084136CE4D6B7D5DF3CED40C319

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F36B5CC Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 407timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeFormatA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFF2F36B35C), ref: 00007FFF2F36B6BC
GetTimeFormatA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFF2F36B35C), ref: 00007FFF2F36B751
free.LIBCMT ref: 00007FFF2F36B78E
__ascii_stricmp.LIBCMT ref: 00007FFF2F36B825

Strings

a/p, xrefs: 00007FFF2F36B87D
am/pm, xrefs: 00007FFF2F36B81B

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: FormatTime$__ascii_stricmpfree
String ID: a/p$am/pm
API String ID: 2252689280-3206640213
Opcode ID: f0a1e010cfc2bba628f50de28a03b415369789bd89755694daa0cdadb7c0128b
Instruction ID: a2a568108978febac5beab90a8350058aa8b85ef94f07ced91fc01c23112ca17
Opcode Fuzzy Hash: f0a1e010cfc2bba628f50de28a03b415369789bd89755694daa0cdadb7c0128b
Instruction Fuzzy Hash: 83F1BD22B3C69285F7648F2488D41FC67E1FB057A4F449132EA8D6BAC5DE3DAC45CB09

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F366F0C Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 137fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(?,?,?,?,?,00007FFF2F367194,?,?,?,?,00007FFF2F366C69,?,?,00000000,00007FFF2F3630C0), ref: 00007FFF2F366FCF
GetStdHandle.KERNEL32(?,?,?,?,?,00007FFF2F367194,?,?,?,?,00007FFF2F366C69,?,?,00000000,00007FFF2F3630C0), ref: 00007FFF2F3670DB
WriteFile.KERNEL32 ref: 00007FFF2F367115

Strings

Microsoft Visual C++ Runtime Library, xrefs: 00007FFF2F3670BF
Runtime Error!Program: , xrefs: 00007FFF2F366F8E
..., xrefs: 00007FFF2F367032
<program name unknown>, xrefs: 00007FFF2F366FD9

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-4022980321
Opcode ID: a3f87b8c5f367064f797f5b9ceb23e0cb6ebb80f3dcd78d3f9f2145c33283283
Instruction ID: 593e05b88bc1ef59b643a1ef4c435c8047be0418d6dd0dcc99f7b6df42a51b0d
Opcode Fuzzy Hash: a3f87b8c5f367064f797f5b9ceb23e0cb6ebb80f3dcd78d3f9f2145c33283283
Instruction Fuzzy Hash: 0251E221B3864781FB24DB25ADD6BBA22D1BF443B4F800136DD0D6EAD6CF3CE8058A15

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F3620E0 Relevance: 12.1, APIs: 8, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FFF2F3623FB
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFF2F36241A
RtlVirtualUnwind.KERNEL32 ref: 00007FFF2F362466
IsDebuggerPresent.KERNEL32 ref: 00007FFF2F3624D8
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFF2F3624F0
UnhandledExceptionFilter.KERNEL32 ref: 00007FFF2F3624FD
GetCurrentProcess.KERNEL32 ref: 00007FFF2F362516
TerminateProcess.KERNEL32 ref: 00007FFF2F362524

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
String ID:
API String ID: 3778485334-0
Opcode ID: 44244c45948aa76910f1429c67e23cf948153936c8457040e3babb9890c0c3d8
Instruction ID: 0cb0f3a7cefaf4fb05294cec89dd0c4ff44010eea93458ad1132439f9bd66578
Opcode Fuzzy Hash: 44244c45948aa76910f1429c67e23cf948153936c8457040e3babb9890c0c3d8
Instruction Fuzzy Hash: 8D31D635A2CB4A85EB509B51FC9436973E0FB84764F500035DA8D6A7E5DF7CE849CB02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F36E6C0 Relevance: 10.8, APIs: 7, Instructions: 301COMMONLIBRARYCODE

Download Yara Rule

APIs

_lock.LIBCMT ref: 00007FFF2F36E6EB

Part of subcall function 00007FFF2F36E550: _errno.LIBCMT ref: 00007FFF2F36E559

free.LIBCMT ref: 00007FFF2F36E7E2

Part of subcall function 00007FFF2F363024: HeapFree.KERNEL32(?,?,00000000,00007FFF2F362DDC,?,?,?,00007FFF2F362DFF,?,?,?,00007FFF2F36254F,?,?,?,00007FFF2F36262A), ref: 00007FFF2F36303A
Part of subcall function 00007FFF2F363024: _errno.LIBCMT ref: 00007FFF2F363044
Part of subcall function 00007FFF2F363024: GetLastError.KERNEL32(?,?,00000000,00007FFF2F362DDC,?,?,?,00007FFF2F362DFF,?,?,?,00007FFF2F36254F,?,?,?,00007FFF2F36262A), ref: 00007FFF2F36304C

Part of subcall function 00007FFF2F367FBC: _errno.LIBCMT ref: 00007FFF2F367FD4

___lc_codepage_func.LIBCMT ref: 00007FFF2F36E76B

Part of subcall function 00007FFF2F366550: RtlCaptureContext.KERNEL32 ref: 00007FFF2F36658F
Part of subcall function 00007FFF2F366550: IsDebuggerPresent.KERNEL32 ref: 00007FFF2F36662D
Part of subcall function 00007FFF2F366550: SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFF2F366637
Part of subcall function 00007FFF2F366550: UnhandledExceptionFilter.KERNEL32 ref: 00007FFF2F366642
Part of subcall function 00007FFF2F366550: GetCurrentProcess.KERNEL32 ref: 00007FFF2F366658
Part of subcall function 00007FFF2F366550: TerminateProcess.KERNEL32 ref: 00007FFF2F366666

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: _errno$ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerErrorFreeHeapLastPresentTerminate___lc_codepage_func_lockfree
String ID:
API String ID: 178205154-0
Opcode ID: 74de64cbd29ae749c01db9c906a5c8058d145dff36747eda2fd1744b72fc25a1
Instruction ID: 9accea24d6b2436b3150328dc1fd1c4cfb0cf9247d250d018c5501c2016a207a
Opcode Fuzzy Hash: 74de64cbd29ae749c01db9c906a5c8058d145dff36747eda2fd1744b72fc25a1
Instruction Fuzzy Hash: 0AD1AF22B2C28285F7209F24DCD167966D2BB85760F444131DA8D7BBD6DF3CEC958B09

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F36DF98 Relevance: 10.6, APIs: 7, Instructions: 136COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFF2F36E1C2), ref: 00007FFF2F36DFF2
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFF2F36E1C2), ref: 00007FFF2F36E004
GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFF2F36E1C2), ref: 00007FFF2F36E04F
GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFF2F36E1C2), ref: 00007FFF2F36E0E1
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFF2F36E1C2), ref: 00007FFF2F36E11B
free.LIBCMT ref: 00007FFF2F36E12F

Part of subcall function 00007FFF2F366C34: _FF_MSGBANNER.LIBCMT ref: 00007FFF2F366C64
Part of subcall function 00007FFF2F366C34: RtlAllocateHeap.NTDLL(?,?,00000000,00007FFF2F3630C0,?,?,00000000,00007FFF2F366B19,?,?,00000000,00007FFF2F366BC3), ref: 00007FFF2F366C89
Part of subcall function 00007FFF2F366C34: _errno.LIBCMT ref: 00007FFF2F366CAD
Part of subcall function 00007FFF2F366C34: _errno.LIBCMT ref: 00007FFF2F366CB8

GetLocaleInfoA.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFF2F36E1C2), ref: 00007FFF2F36E145

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: InfoLocale$_errno$AllocateByteCharErrorHeapLastMultiWidefree
String ID:
API String ID: 2309262205-0
Opcode ID: 71a04b091aa06e394b105ea5eb29500c7d2471e259f2c6ae1c50144f40b044a4
Instruction ID: d22a959ee167f2565f6275d39b84e46cfe407feb534cb6e6e422b2f269d2411b
Opcode Fuzzy Hash: 71a04b091aa06e394b105ea5eb29500c7d2471e259f2c6ae1c50144f40b044a4
Instruction Fuzzy Hash: 19518E32B2864286FB609F219CC456963D2BB44BB4F540635DA1E6BBD4CE7DEC898708

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F36FCA0 Relevance: 9.1, APIs: 6, Instructions: 91COMMON

Download Yara Rule

APIs

_lock.LIBCMT ref: 00007FFF2F36FCC3
_errno.LIBCMT ref: 00007FFF2F36FCD5

Part of subcall function 00007FFF2F3666D8: DecodePointer.KERNEL32 ref: 00007FFF2F3666FF

_errno.LIBCMT ref: 00007FFF2F36FD14

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: _errno$DecodePointer_lock
String ID:
API String ID: 2175075375-0
Opcode ID: e83d4e1a308f3a4c606242a395cb5e969118d697d0d9f70e8103cd5b86654c3e
Instruction ID: 8799006549b5c3167ed894f8d52571b7ecd0a474cb98a7b7f2954798673f1f11
Opcode Fuzzy Hash: e83d4e1a308f3a4c606242a395cb5e969118d697d0d9f70e8103cd5b86654c3e
Instruction Fuzzy Hash: 1531A262B2860242FB159B71989277E62D1AF44790F048534DF0CAFBCAEF3CEC118798

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F366550 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FFF2F36658F
IsDebuggerPresent.KERNEL32 ref: 00007FFF2F36662D
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFF2F366637
UnhandledExceptionFilter.KERNEL32 ref: 00007FFF2F366642
GetCurrentProcess.KERNEL32 ref: 00007FFF2F366658
TerminateProcess.KERNEL32 ref: 00007FFF2F366666

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerPresentTerminate
String ID:
API String ID: 1269745586-0
Opcode ID: 4b9ca92828b1b5c60ed307038ce46a3bf90eb6ca82a158dafa7f71ad6e682487
Instruction ID: f7fa531ce21df2cfae4d63be4f963476f41a2a06a05b8830735c014eff13716e
Opcode Fuzzy Hash: 4b9ca92828b1b5c60ed307038ce46a3bf90eb6ca82a158dafa7f71ad6e682487
Instruction Fuzzy Hash: 16313E72A2CB8282EA248B55F8803AEB3E0FB88754F400135DB8D57A99DF7CD549CF00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180022010 Relevance: 9.0, Strings: 7, Instructions: 235COMMON

Download Yara Rule

Strings

]k, xrefs: 000000018002232E
]$d, xrefs: 00000001800220D6
M8;, xrefs: 0000000180022338
]k, xrefs: 0000000180022069
1l7., xrefs: 00000001800220AF
94, xrefs: 0000000180022371
"+H, xrefs: 000000018002236A

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: "+H$1l7.$M8;$]$d$]k$]k$94
API String ID: 0-2447245168
Opcode ID: 3fd6bef9004380659c47559ba6e3d81fe5eea7f701e849f333ef0deba45e7d13
Instruction ID: 1221e244f5383d3e6569bf50eb566ee92e7d288cf12f4405919b94e37960c7a7
Opcode Fuzzy Hash: 3fd6bef9004380659c47559ba6e3d81fe5eea7f701e849f333ef0deba45e7d13
Instruction Fuzzy Hash: 3FB10D7160130CCBDBA9DF28C18A6DA3BE1FF48748F114129FD1A97261D774E919CB46

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F36C16C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32 ref: 00007FFF2F36C1C7
GetLocaleInfoA.KERNEL32 ref: 00007FFF2F36C209
GetACP.KERNEL32 ref: 00007FFF2F36C22C

Strings

ACP, xrefs: 00007FFF2F36C195
OCP, xrefs: 00007FFF2F36C1A5

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 388ed1ec509bc17a1b1080bf0c7b12a90c89964bfa9f21f0ca41505682e31820
Instruction ID: 1bb0c4f9e97d7a536f82aa4298185b60a8241dfa2eb8f7d55b90a05369bb6873
Opcode Fuzzy Hash: 388ed1ec509bc17a1b1080bf0c7b12a90c89964bfa9f21f0ca41505682e31820
Instruction Fuzzy Hash: 1D214F21B2C68781FA609B21ED902B963E0BF487E9F444131DA4D6B6D5EF2CFD45C704

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180003598 Relevance: 8.2, Strings: 6, Instructions: 720COMMON

Download Yara Rule

Strings

QL&, xrefs: 0000000180003C57
o, xrefs: 0000000180003CAE
li7, xrefs: 0000000180003802
I-, xrefs: 0000000180004227
1h, xrefs: 0000000180004545
IY, xrefs: 0000000180003ECF

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 1h$I-$IY$QL&$li7$o
API String ID: 0-890095520
Opcode ID: d92cde7f9b8773e82faae5f21764c68a430e9ac7962d305d8d3ec3a014b69236
Instruction ID: 3309774e0679b3a301b7d0c809474a48ec240f33eb9a68417431e078f6a2137f
Opcode Fuzzy Hash: d92cde7f9b8773e82faae5f21764c68a430e9ac7962d305d8d3ec3a014b69236
Instruction Fuzzy Hash: 72921875604BC88BCBB8DF24DC85BDD7BE0FB86305F20561DD85E9AA60CBB85645CB02

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000AC48 Relevance: 8.0, Strings: 6, Instructions: 548COMMON

Download Yara Rule

Strings

i, xrefs: 000000018000B672
$-%, xrefs: 000000018000B3AF
1, xrefs: 000000018000AD5C
", xrefs: 000000018000B539
{,, xrefs: 000000018000AD2C
Rku, xrefs: 000000018000B40E

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 1$ {,$"$$-%$Rku$ i
API String ID: 0-1845893065
Opcode ID: 8a8483899f0d6f446eebdfc8e7bf7c7542960c12dc616770c4deeefd42d211ba
Instruction ID: cb6ea2ed9b9de3b3effb5fe074f3157ffd1060f729125c5012da7c2884d2f589
Opcode Fuzzy Hash: 8a8483899f0d6f446eebdfc8e7bf7c7542960c12dc616770c4deeefd42d211ba
Instruction Fuzzy Hash: EB52D470544BCA8BCBB8CF24CC85BEF7BA0FB44306F155529D89A8A291DBB85749CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180029B28 Relevance: 8.0, Strings: 6, Instructions: 535COMMON

Download Yara Rule

Strings

VUS/, xrefs: 000000018002A254
p, xrefs: 000000018002A15A
OX, xrefs: 000000018002A0D4
@, xrefs: 0000000180029B80
EX, xrefs: 000000018002A39C
YV~, xrefs: 000000018002A301

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: VUS/$YV~$p$@$EX$OX
API String ID: 0-2743166816
Opcode ID: 5155f202f137bac6474ba6043cf7c54f40f5ffdfe883d22239fc44ed7813b08b
Instruction ID: 6ceb6cba6b0314249f0ec67deadc173c496f62a90fe3cec01f017443767c42d8
Opcode Fuzzy Hash: 5155f202f137bac6474ba6043cf7c54f40f5ffdfe883d22239fc44ed7813b08b
Instruction Fuzzy Hash: BD3213711097848FD3A9CF68C58A65BBBF0FBCA744F104A1DF68687260C7B6D949CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180013780 Relevance: 7.8, Strings: 6, Instructions: 323COMMON

Download Yara Rule

Strings

lbzZ, xrefs: 0000000180013863
kO, xrefs: 000000018001387E
"`2, xrefs: 00000001800139CE
lmq, xrefs: 0000000180013A6B
tro, xrefs: 00000001800139A0
$, xrefs: 0000000180013C6D

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $$"`2$lbzZ$lmq$tro$kO
API String ID: 0-2401169580
Opcode ID: b22a75222821f6640e36d1476563fd6974371582067e8c17588d676730c46316
Instruction ID: 279b0f6eedbbacd77816cba7ac57bf6919de5fbe0bc464da326619847ce4fcd1
Opcode Fuzzy Hash: b22a75222821f6640e36d1476563fd6974371582067e8c17588d676730c46316
Instruction Fuzzy Hash: BBF1C3709047488FDBA8DFA8D9867DDBBB1FB48304F20821DD84AEB255DB749A49CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F364558 Relevance: 7.5, APIs: 5, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFF2F36458F
GetCurrentProcessId.KERNEL32 ref: 00007FFF2F36459A
GetCurrentThreadId.KERNEL32 ref: 00007FFF2F3645A6
GetTickCount.KERNEL32 ref: 00007FFF2F3645B2
QueryPerformanceCounter.KERNEL32 ref: 00007FFF2F3645C3

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 223c3edd6aa26ef4227c63ba9b3a174b47cd905fe72dc54f34602d1df15ca246
Instruction ID: c6388669b9e75551fe7957103205f5955499132ace4bdd6764e4e761c1894589
Opcode Fuzzy Hash: 223c3edd6aa26ef4227c63ba9b3a174b47cd905fe72dc54f34602d1df15ca246
Instruction Fuzzy Hash: 2F015B21B39E0582EB408F21ED9026563A0FB49BA0F446630EE5E5B7E4DE3CEC958B01

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000FC48 Relevance: 6.7, Strings: 5, Instructions: 447COMMON

Download Yara Rule

Strings

2f, xrefs: 000000018001051C
)#?, xrefs: 0000000180010418
EX., xrefs: 000000018001032D
PT, xrefs: 000000018001038A
UbA, xrefs: 00000001800103C4

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: )#?$EX.$PT$UbA$2f
API String ID: 0-1318892062
Opcode ID: f9a85fa51538b1a6c0e22373df85dddbbc427f24166f886711afb0f01761c199
Instruction ID: a9b5704be98d3dd027f678fe08c59eda011257bdda9cf4ed25ea0f7660729633
Opcode Fuzzy Hash: f9a85fa51538b1a6c0e22373df85dddbbc427f24166f886711afb0f01761c199
Instruction Fuzzy Hash: 8B320DB190078C8BDBB8CF64C8856DD7BF0FB48318F50852DEA1A9B251DBB45685CF98

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001FC0C Relevance: 6.6, Strings: 5, Instructions: 400COMMON

Download Yara Rule

Strings

tZp, xrefs: 000000018001FFAF
QP|m, xrefs: 000000018001FCBC
$T, xrefs: 000000018001FF09
?F, xrefs: 0000000180020023
qjf, xrefs: 000000018001FD57

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $T$?F$QP|m$qjf$tZp
API String ID: 0-3477398917
Opcode ID: a2afc25ca6c2e6ca488c7a804df3743aa45b21aa43371557c2da8ddda12b60f7
Instruction ID: e54beaa769b94aae3cb673a52a2b60ade73482c6e5d3d936cdc9b6ae13d51efd
Opcode Fuzzy Hash: a2afc25ca6c2e6ca488c7a804df3743aa45b21aa43371557c2da8ddda12b60f7
Instruction Fuzzy Hash: 0B122870A0470CDFCF69DFA8C08A6DDBBF2FB44344F1091A9E816AB261D7759A19CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180016D3C Relevance: 6.6, Strings: 5, Instructions: 379COMMON

Download Yara Rule

Strings

t, xrefs: 0000000180017275
k&(, xrefs: 0000000180017125
v, xrefs: 00000001800170BE
x\J, xrefs: 00000001800171C3
JQ, xrefs: 0000000180016D72

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: JQ$k&($t$v$x\J
API String ID: 0-1134872184
Opcode ID: e2b118cac14b957c819117e18deb076f69f9d4e25580e92a2151fd03385e5a66
Instruction ID: 7c1fd17b310acde7e359d6be57bcfb6c2dd011f2caef592e77d3cba241376f6b
Opcode Fuzzy Hash: e2b118cac14b957c819117e18deb076f69f9d4e25580e92a2151fd03385e5a66
Instruction Fuzzy Hash: F312E0B0504709EFCB99DF28C18AADE7BF0FB48308F40812AF80A9B254D774DA58DB45

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000703C Relevance: 6.3, Strings: 5, Instructions: 87COMMON

Download Yara Rule

Strings

?rIc, xrefs: 000000018000710E
V, xrefs: 0000000180007053
L==, xrefs: 0000000180007159
)H8, xrefs: 000000018000709E
R, xrefs: 00000001800070D3

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: R$)H8$?rIc$L==$V
API String ID: 0-2512384441
Opcode ID: 0d280c2f9ee604a9d8763362a2e2c249d7a205bc5c068130deea404b5e8e02a7
Instruction ID: 6f6f9af97a41f07aad9f9d1cbd67af5334817a93c453241fb2a5d498ae2065c2
Opcode Fuzzy Hash: 0d280c2f9ee604a9d8763362a2e2c249d7a205bc5c068130deea404b5e8e02a7
Instruction Fuzzy Hash: 3541D0B090074E8BCF48CF64D49A5DE7FB0FB68398F20421DE856A6250D3B896A5CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800119A8 Relevance: 6.3, Strings: 5, Instructions: 63COMMON

Download Yara Rule

Strings

bt, xrefs: 0000000180011A1E
+, xrefs: 00000001800119DA
Qq, xrefs: 0000000180011A84
S, xrefs: 0000000180011A92
vird, xrefs: 00000001800119C2

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Qq$bt$vird$+$S
API String ID: 0-3373980505
Opcode ID: 46bb33aa035ecbbdf74cf68df8db4d7c020810c30b71dbb4fbdebc27907f7b4b
Instruction ID: 8c34661c01ca41a1498f33dadfb9b2381b3c020394efcb6cfebc1cbd8490f91c
Opcode Fuzzy Hash: 46bb33aa035ecbbdf74cf68df8db4d7c020810c30b71dbb4fbdebc27907f7b4b
Instruction Fuzzy Hash: 8831C2B081038A8FDB45CF64C88A5DE7BF0FB58358F115A19F869A6250D3B4D668CF81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F36C450 Relevance: 6.2, APIs: 4, Instructions: 152COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FFF2F36C477
GetLocaleInfoA.KERNEL32 ref: 00007FFF2F36C4AC
GetLocaleInfoA.KERNEL32 ref: 00007FFF2F36C504
GetLocaleInfoA.KERNEL32 ref: 00007FFF2F36C5F8

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: InfoLocale$_getptd
String ID:
API String ID: 1743167714-0
Opcode ID: b0fda2b9e43f1133ad190798799e4c2ffbba67a865a56d93994de7f284044248
Instruction ID: f79f91e1d3e53bd1a93c7b9468b080946cff489c399ffe65ca939438d9fb431f
Opcode Fuzzy Hash: b0fda2b9e43f1133ad190798799e4c2ffbba67a865a56d93994de7f284044248
Instruction Fuzzy Hash: C6617272B2898697EB699A61DD843E973E1FB88356F44013AC71D9B2D0CF3CF8648705

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180011AD0 Relevance: 5.3, Strings: 4, Instructions: 335COMMON

Download Yara Rule

Strings

@, xrefs: 0000000180011F6B
P9, xrefs: 0000000180011DC0
V, xrefs: 0000000180011B81
^_", xrefs: 0000000180011D6E

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: V$@$P9$^_"
API String ID: 0-1880944046
Opcode ID: 14fe4b6354f8c882e246ec0bcf45ce0c6e4a33b057813c2d4cef38f5cb1d7b15
Instruction ID: ef3f81825b514374c5d287d432cdf068934c0dc0259921085eace1de493a05f6
Opcode Fuzzy Hash: 14fe4b6354f8c882e246ec0bcf45ce0c6e4a33b057813c2d4cef38f5cb1d7b15
Instruction Fuzzy Hash: B6F1DF70504749EFCB98CF28D18AACE7BE0FB48348F50812AF81A9B264D770DA59DB45

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800132F0 Relevance: 5.3, Strings: 4, Instructions: 312COMMON

Download Yara Rule

Strings

=_, xrefs: 00000001800136EB
b/, xrefs: 000000018001347F
syG, xrefs: 000000018001339D
F)k, xrefs: 000000018001336C

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: =_$F)k$b/$syG
API String ID: 0-3955183656
Opcode ID: a0c8fbb251499c36d1c33fbfac3bbb926034851086b3556ae4bae43476727e6a
Instruction ID: 3a63fdd7148b145f5d2717dabea2a2fa508061acbcc25a132c341bfe6e9ad30f
Opcode Fuzzy Hash: a0c8fbb251499c36d1c33fbfac3bbb926034851086b3556ae4bae43476727e6a
Instruction Fuzzy Hash: DED12771A0478D8BCF59DFA8C88A6EEBBB0FB48344F10421DE846A7650D7B4D909CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002D70 Relevance: 5.3, Strings: 4, Instructions: 266COMMON

Download Yara Rule

Strings

vG, xrefs: 000000018000316F
iJ6, xrefs: 0000000180003091
#X, xrefs: 0000000180002E74
'Xsa, xrefs: 0000000180002EA2

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #X$'Xsa$iJ6$vG
API String ID: 0-746338152
Opcode ID: 05ea12fd72043b3df7b90193803f13f9b9661e31632ee757fcd333ad07ef3f6f
Instruction ID: 8ba50615c78112980223cca8f04f1fa67c4b69ee5a809e4e0bd2b8ae6832a1bb
Opcode Fuzzy Hash: 05ea12fd72043b3df7b90193803f13f9b9661e31632ee757fcd333ad07ef3f6f
Instruction Fuzzy Hash: 93E154B590070DDFCB88DF68D19A9DD7BB9BB49308F404029FC0E9A264D3B4E919CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800097C0 Relevance: 5.3, Strings: 4, Instructions: 257COMMON

Download Yara Rule

Strings

]2, xrefs: 0000000180009CC2
*i^, xrefs: 0000000180009A7A
-Z, xrefs: 0000000180009D06
MIC, xrefs: 0000000180009BF0

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: *i^$MIC$-Z$]2
API String ID: 0-498664264
Opcode ID: db11ef6343568e39e87295be28a4fb69218d9fc865c563580501f4fd78a225ea
Instruction ID: 9792ecb135b2155067e966d5e38dbf4f409fde80c29e70d57d2078ebe1ce15c6
Opcode Fuzzy Hash: db11ef6343568e39e87295be28a4fb69218d9fc865c563580501f4fd78a225ea
Instruction Fuzzy Hash: 10E1C670109B888FDBF8DF64CC86BEB7BA5FB44346F10651DD84A8A290DBB46645CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180027F9C Relevance: 5.2, Strings: 4, Instructions: 237COMMON

Download Yara Rule

Strings

LsRW, xrefs: 000000018002820A
?, xrefs: 0000000180027FC1
~x, xrefs: 0000000180028423
>97", xrefs: 0000000180028161

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: >97"$?$LsRW$~x
API String ID: 0-2554301858
Opcode ID: b37088c51263af6e06ebf62d89f1bff1b13e76a95d3b3fa096a3ef4bda325288
Instruction ID: eb38a845d203af82144c13b3f151f5fa827cd0cb8678597ee03ac1a376820114
Opcode Fuzzy Hash: b37088c51263af6e06ebf62d89f1bff1b13e76a95d3b3fa096a3ef4bda325288
Instruction Fuzzy Hash: E1D1E7705067C8CBEBBADFA4D885BCD3BA8FB44744F106219EC4AEA250DB745749CB01

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180010758 Relevance: 5.2, Strings: 4, Instructions: 222COMMON

Download Yara Rule

Strings

_, xrefs: 0000000180010A56
EG, xrefs: 000000018001082C
B, xrefs: 0000000180010AEC
QsF, xrefs: 0000000180010894

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: B$EG$QsF$_
API String ID: 0-784369960
Opcode ID: 2411b4f18f6ae95c167793a9182b69dfaeb4b2ef39c1ac24af76ef798b153418
Instruction ID: 62dbbc71664ee0946fffbba3b71afe09b12d9ffe0d1744d6deb9db65ff0cd9cc
Opcode Fuzzy Hash: 2411b4f18f6ae95c167793a9182b69dfaeb4b2ef39c1ac24af76ef798b153418
Instruction Fuzzy Hash: 3FB1387010468D8FDF88DF28C88A6DA3FA1FB68388F614219FC4A97250C778D694CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180020334 Relevance: 5.2, Strings: 4, Instructions: 190COMMON

Download Yara Rule

Strings

-`G, xrefs: 00000001800206A2
Z`35, xrefs: 00000001800205D3
., xrefs: 00000001800206DC
5B.Y, xrefs: 000000018002045A

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: -`G$.$5B.Y$Z`35
API String ID: 0-1363032466
Opcode ID: bf60aa8e83620137796280cd5bd0e9d08ed9dd04dd302297e234b85e3718d0fd
Instruction ID: b244d414363a4385de25ad5610b22aaac7fb2f2c92cf8150697ad32e565f4bd8
Opcode Fuzzy Hash: bf60aa8e83620137796280cd5bd0e9d08ed9dd04dd302297e234b85e3718d0fd
Instruction Fuzzy Hash: 29A1FB716157888FEB7ADF24C89A7CE7BE1FB49308F40461DD98E8A250D7B49609CB42

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000EE98 Relevance: 5.2, Strings: 4, Instructions: 167COMMON

Download Yara Rule

Strings

#o, xrefs: 000000018000EFD8
WSh, xrefs: 000000018000EEF0
*+_, xrefs: 000000018000EF25
\O, xrefs: 000000018000F046

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: *+_$WSh$\O$#o
API String ID: 0-1846314129
Opcode ID: 2b55738af9202b4623c877c52658b874745984570bac3296ae94d1111b904a17
Instruction ID: 175ce4bc0e22c7a636d32034be2bbb8ad42f6b3cb6a748f64f507b7f0b29ed37
Opcode Fuzzy Hash: 2b55738af9202b4623c877c52658b874745984570bac3296ae94d1111b904a17
Instruction Fuzzy Hash: 1971167160474ECFCB98DF18C489ADA3BE1FB58318F414529FC09A7264DB74DAA8CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180024D80 Relevance: 5.2, Strings: 4, Instructions: 155COMMON

Download Yara Rule

Strings

M*K, xrefs: 0000000180024E36
\<, xrefs: 0000000180024E9B
O, xrefs: 0000000180024F9B
.B, xrefs: 0000000180025032

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: .B$O$M*K$\<
API String ID: 0-3225238681
Opcode ID: 97d1f14c936b4c6fd28126f9270f10017570076f2259e30e0790da2a5d8d89f7
Instruction ID: 95d2fbb8f7fe970b1359d27f41ccd6aad584115d4fee043204e0c0f4c3f3b287
Opcode Fuzzy Hash: 97d1f14c936b4c6fd28126f9270f10017570076f2259e30e0790da2a5d8d89f7
Instruction Fuzzy Hash: 7181E370549788CFEBBACF24C886BDE7BE4FB48744F20461DE85A8A260DB709645CF41

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002A42C Relevance: 5.1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

$, xrefs: 000000018002A454
~O, xrefs: 000000018002A626
xVO, xrefs: 000000018002A587
$, xrefs: 000000018002A477

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $$$$xVO$~O
API String ID: 0-3655128719
Opcode ID: f0a1fe130e7a88269555c94ae3afa6992adf671055acde803b367a0cf8dc4998
Instruction ID: 8f78542db34460f4381821bab2b7e4f68a699ed7f8b2fc47c959991f0b02677a
Opcode Fuzzy Hash: f0a1fe130e7a88269555c94ae3afa6992adf671055acde803b367a0cf8dc4998
Instruction Fuzzy Hash: 5B61D1B05187448FD369DF28C18965BBBF1FBC6744F008A1EF6868A260DB76D948CB47

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800024B8 Relevance: 5.1, Strings: 4, Instructions: 79COMMON

Download Yara Rule

Strings

JMg, xrefs: 000000018000252F
l, xrefs: 0000000180002548
G, xrefs: 0000000180002557
,IW, xrefs: 0000000180002565

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ,IW$G$JMg$l
API String ID: 0-1370644289
Opcode ID: aa199bcfabd2ca119bc867395ae2bb0b970833e8ef3f83c28db76f19b2a25dac
Instruction ID: 7fb8b97fd43ed4dc52a467cdcf5cca41e6e56dbc92574a5c866222c6b731b82a
Opcode Fuzzy Hash: aa199bcfabd2ca119bc867395ae2bb0b970833e8ef3f83c28db76f19b2a25dac
Instruction Fuzzy Hash: 0A41D3B190074E8FCB48CF64C88A5DE7FB0FB18358F10461EE85AA6250D7B89695CFC9

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F36AF70 Relevance: 4.9, APIs: 3, Instructions: 435COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FFF2F36B009
_errno.LIBCMT ref: 00007FFF2F36B293
__tzset.LIBCMT ref: 00007FFF2F36B489

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: _errno$__tzset
String ID:
API String ID: 3587134695-0
Opcode ID: 49cb08095e24ca39ac522c7ec604242f23efb3d68850c8b05a0144016971d7f9
Instruction ID: 20b16b9023d5a394b88b3e087b500a89703ad495c5d19b3113ac63f87fa277b9
Opcode Fuzzy Hash: 49cb08095e24ca39ac522c7ec604242f23efb3d68850c8b05a0144016971d7f9
Instruction Fuzzy Hash: 6F029432B28682C7F7648F2998D01BD2BE1BB45755F24403AD74E6A6D2CF38DD488F09

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F36FB6C Relevance: 4.6, APIs: 3, Instructions: 95COMMON

Download Yara Rule

APIs

_lock.LIBCMT ref: 00007FFF2F36FB92
_errno.LIBCMT ref: 00007FFF2F36FBA4

Part of subcall function 00007FFF2F3666D8: DecodePointer.KERNEL32 ref: 00007FFF2F3666FF

_errno.LIBCMT ref: 00007FFF2F36FBF0

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: _errno$DecodePointer_lock
String ID:
API String ID: 2175075375-0
Opcode ID: 67eb2a1810ee8ae3a6f200ab40374a5628c10f79bc737fdb0890b88123cf569c
Instruction ID: 0c83666c2bc9259a0d8a327c240ad769c775ab35961f64059fab6901c5980051
Opcode Fuzzy Hash: 67eb2a1810ee8ae3a6f200ab40374a5628c10f79bc737fdb0890b88123cf569c
Instruction Fuzzy Hash: 60318121B2C75342FB659A71ADA637A61D19F583E4F044435DE4DAFAC6EE2CEC008A08

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F36D318 Relevance: 4.5, APIs: 3, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FFF2F36D357
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFF2F36D39D
UnhandledExceptionFilter.KERNEL32 ref: 00007FFF2F36D3A8

Part of subcall function 00007FFF2F366F0C: GetModuleFileNameA.KERNEL32(?,?,?,?,?,00007FFF2F367194,?,?,?,?,00007FFF2F366C69,?,?,00000000,00007FFF2F3630C0), ref: 00007FFF2F366FCF

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextFileModuleName
String ID:
API String ID: 2731829486-0
Opcode ID: 593c6449df1015ae3e331ed563d16e9abc9156b94907c07056c7b3d83921dabb
Instruction ID: b1a967f714b00bcf6f0e5a0ea4b37ab92e5bba38dae495c4bf61b25c847329d7
Opcode Fuzzy Hash: 593c6449df1015ae3e331ed563d16e9abc9156b94907c07056c7b3d83921dabb
Instruction Fuzzy Hash: 63114225738A4642F7249B51EC943BA63D1FF85314F440135D54E2ABD5DF6DE804CB15

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001496C Relevance: 4.2, Strings: 3, Instructions: 493COMMON

Download Yara Rule

Strings

S^r, xrefs: 0000000180014FB9
5F, xrefs: 0000000180014AA5
*4, xrefs: 0000000180014A1B

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: *4$5F$S^r
API String ID: 0-3556444313
Opcode ID: b0743c1ec2acfd1e8c25e2f2eb51529e5db6bb1cba9eb6ae32e5b6bbd2ab9b57
Instruction ID: 3ee7e47d854a132278560872cba22db18b0762c6b33e49020313469b2ebed1ad
Opcode Fuzzy Hash: b0743c1ec2acfd1e8c25e2f2eb51529e5db6bb1cba9eb6ae32e5b6bbd2ab9b57
Instruction Fuzzy Hash: 5542F87154478C8BDBB8CF28C88D7DE7BE0FB54344F20461DE9AA8A261DBB49685CF41

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001BB04 Relevance: 4.0, Strings: 3, Instructions: 286COMMON

Download Yara Rule

Strings

'~W, xrefs: 000000018001BEA8
<x<, xrefs: 000000018001BED4
&lz2, xrefs: 000000018001BE19

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: &lz2$'~W$<x<
API String ID: 0-2268522332
Opcode ID: b4611eb32689572206be92ce00cd3efb5fa8211b09b44c780cf48fb277428f5a
Instruction ID: 36e71a14450f7168630c03d0025ff7d4b6ed06a40f4a953d8196177a15a51c97
Opcode Fuzzy Hash: b4611eb32689572206be92ce00cd3efb5fa8211b09b44c780cf48fb277428f5a
Instruction Fuzzy Hash: 47E10574A14B0C8BDB69DFB8D04A6CDBBF2FB54344F20411DE80AAB292D7B49519CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180020768 Relevance: 4.0, Strings: 3, Instructions: 260COMMON

Download Yara Rule

Strings

$, xrefs: 0000000180020AED
ba^2, xrefs: 0000000180020A27
T]0, xrefs: 00000001800209FC

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $$T]0$ba^2
API String ID: 0-1276948933
Opcode ID: 50dab8274baf4b038fc4b99f186c2c7516c76bbdb2714b9ce32fb6facc3b6c7a
Instruction ID: eef8b44dd2583dc88dd368a4c81b8d58a3d6fa2c6a2b719c97d70d037daa09dd
Opcode Fuzzy Hash: 50dab8274baf4b038fc4b99f186c2c7516c76bbdb2714b9ce32fb6facc3b6c7a
Instruction Fuzzy Hash: 1CD11470510748DBCB99CF24C88AADD7FB1FB483A8FA42219FD06A7260C775D984CB85

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001D49C Relevance: 4.0, Strings: 3, Instructions: 228COMMON

Download Yara Rule

Strings

V , xrefs: 000000018001D544
6w5*, xrefs: 000000018001D7AF
EDO, xrefs: 000000018001D752

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 6w5*$EDO$V
API String ID: 0-1640223502
Opcode ID: ed1df3146ad4429725400e2b1b62204332b0e2ca82f1b7aeb1a5f2c194113b0e
Instruction ID: 2aad62a72125add12bf3ce521e9508149cfd3cbf44ea5784fb3c25a9d2cdfef8
Opcode Fuzzy Hash: ed1df3146ad4429725400e2b1b62204332b0e2ca82f1b7aeb1a5f2c194113b0e
Instruction Fuzzy Hash: 07B1E67160560ECFCB88DF28C5866DE3BE0FB48318F41422AF90AA7354D774DA68CB85

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000A6EC Relevance: 4.0, Strings: 3, Instructions: 212COMMON

Download Yara Rule

Strings

|Y, xrefs: 000000018000AB17
Y(), xrefs: 000000018000A773
i_"o, xrefs: 000000018000AB62

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Y()$i_"o$|Y
API String ID: 0-942011364
Opcode ID: 99e19844c70b9c0f3275fee4d9e8598d8799ff7d5c60b779fef480da3ab0ff5c
Instruction ID: 0f698cdcb9f5af38e2ff44253ec0ac71ef144d8643f40abc7fb7ff20982184b6
Opcode Fuzzy Hash: 99e19844c70b9c0f3275fee4d9e8598d8799ff7d5c60b779fef480da3ab0ff5c
Instruction Fuzzy Hash: 5AC1F7706083889FDBBEDF28C8857CA7BA9FB46708F504519EDC98E254DB745744CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180017378 Relevance: 3.9, Strings: 3, Instructions: 183COMMON

Download Yara Rule

Strings

-, xrefs: 00000001800174FF
,G, xrefs: 000000018001749E
O), xrefs: 0000000180017436

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: O)$,G$-
API String ID: 0-23008916
Opcode ID: 382f6eb2118395d632dba3a2cf122cd3a475215dc83456f13dd86c7c3519a1e5
Instruction ID: 8302e34eee3504d26b36c965fbed976e69713b67a0f5c478fb5ffa9ec871fbb1
Opcode Fuzzy Hash: 382f6eb2118395d632dba3a2cf122cd3a475215dc83456f13dd86c7c3519a1e5
Instruction Fuzzy Hash: 6E81F7705106499BCF88DF28C8D6ADD7FB1FB483A8F956219FD0AA6250C774D885CB84

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000A270 Relevance: 3.9, Strings: 3, Instructions: 158COMMON

Download Yara Rule

Strings

;U[, xrefs: 000000018000A476
L, xrefs: 000000018000A3C5
Q#, xrefs: 000000018000A498

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ;U[$L$Q#
API String ID: 0-2933747092
Opcode ID: 48c80cf55519f04e9394a4cd7563c786fdb29e452e8ba8fdd2d4b1674bf817ce
Instruction ID: c6ef39cbec2f0f72f24e8f037401308b0178ea645a608ff4f3f67d7bb634a9bb
Opcode Fuzzy Hash: 48c80cf55519f04e9394a4cd7563c786fdb29e452e8ba8fdd2d4b1674bf817ce
Instruction Fuzzy Hash: 0B614E70A0870CAFDB48DF94C14AADDBBF2FB54344F0081A9E806AB251D7B59B59CB85

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001DFB4 Relevance: 3.9, Strings: 3, Instructions: 144COMMON

Download Yara Rule

Strings

qwX, xrefs: 000000018001E11A
<:*, xrefs: 000000018001E0BA
5(, xrefs: 000000018001E16D

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 5($<:*$qwX
API String ID: 0-3944236288
Opcode ID: 3ff6daddd3fc5570497b4afa6ac41a8054238f95a4c1d79c70cc8b829639e233
Instruction ID: 7f83292775578326f1885df61e48a3f2c5c3ff73894a37d4b388f2926162ec41
Opcode Fuzzy Hash: 3ff6daddd3fc5570497b4afa6ac41a8054238f95a4c1d79c70cc8b829639e233
Instruction Fuzzy Hash: 5B71067015878CDBEBBADF24C8897DD3BB0FB49344F90861AE84E8A250CF74574A9B41

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001C05C Relevance: 3.9, Strings: 3, Instructions: 135COMMON

Download Yara Rule

Strings

s`~, xrefs: 000000018001C1CE
v;, xrefs: 000000018001C13F
79&, xrefs: 000000018001C10D

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 79&$s`~$v;
API String ID: 0-3844292866
Opcode ID: beca5e7b89ed182e00fd219d55149b62bdd99575566975f419d1c5ca8939f9e6
Instruction ID: c39f2861ae99e8b3f2b4a79ea52bf03a0f7a6e48d35fb935a0be7420e121cddb
Opcode Fuzzy Hash: beca5e7b89ed182e00fd219d55149b62bdd99575566975f419d1c5ca8939f9e6
Instruction Fuzzy Hash: 9B61397110478CAFDBFA9E58CC85BDD37A0FB48348F508229E9098B290DF749B4D9B46

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000551C Relevance: 3.9, Strings: 3, Instructions: 127COMMON

Download Yara Rule

Strings

wQ_, xrefs: 000000018000561A
1_, xrefs: 000000018000579C
ac, xrefs: 0000000180005543

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: wQ_$1_$ac
API String ID: 0-1037425278
Opcode ID: 943c7c2c61714b72029a8fd813d6c42c5c92d180aed6d879ae2838ea4b2e708e
Instruction ID: 5ab913ef515fd25bf7fc04ce61f78e9cde1e7d2fd73709943c0f3a5cbb59c84a
Opcode Fuzzy Hash: 943c7c2c61714b72029a8fd813d6c42c5c92d180aed6d879ae2838ea4b2e708e
Instruction Fuzzy Hash: 1D612B7010978C8BDBF8CF54DC997EA3BA6FB54345F208519E84E8A270DB74968CCB42

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180023831 Relevance: 3.9, Strings: 3, Instructions: 108COMMON

Download Yara Rule

Strings

)K, xrefs: 000000018002390F
U|, xrefs: 0000000180023A9A
|1-, xrefs: 00000001800238AE

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: )K$U|$|1-
API String ID: 0-2543966960
Opcode ID: 5f28dff232c1c58b23d465856644a80aed22efa063cacd8378c131e5813de89a
Instruction ID: 8eb6a9a016547b1518e90ac2546dd564535e4ecbba9ac8d240a0a1c3e9042cf5
Opcode Fuzzy Hash: 5f28dff232c1c58b23d465856644a80aed22efa063cacd8378c131e5813de89a
Instruction Fuzzy Hash: 1151D57160438CAFDBF6CE64D8857CA37A0AB06354F608129A89D8A291DBB4578DCB02

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180029368 Relevance: 3.9, Strings: 3, Instructions: 105COMMON

Download Yara Rule

Strings

H~z, xrefs: 00000001800294EE
6|, xrefs: 0000000180029474
6`d, xrefs: 0000000180029414

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 6|$6`d$H~z
API String ID: 0-1702722476
Opcode ID: 6487df39d46446a395b722702bbc9accbfbbf10f6bdf8a05bf21e92dd4d708c3
Instruction ID: dff368548e7284a50638b46c1e9eca52edd1bdea535486c94ebb7356abcac70e
Opcode Fuzzy Hash: 6487df39d46446a395b722702bbc9accbfbbf10f6bdf8a05bf21e92dd4d708c3
Instruction Fuzzy Hash: C351F37190074DDFCF48DFA4D98A5DEBBB0FB48308F118659E89AA7260C7B89A44CF45

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180019618 Relevance: 3.8, Strings: 3, Instructions: 92COMMON

Download Yara Rule

Strings

t>, xrefs: 0000000180019652
d~, xrefs: 0000000180019780
`5, xrefs: 0000000180019696

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: d~$`5$t>
API String ID: 0-1282322184
Opcode ID: 5ab2e5105061d0cdd7dd2083328b31dc67734e2d6c9a8d2650bd0306db7847c6
Instruction ID: 2b9aad7a7c3990d0f54026c4e2bc5a00c5a3c031faa8fbf8ed0394cc09118e70
Opcode Fuzzy Hash: 5ab2e5105061d0cdd7dd2083328b31dc67734e2d6c9a8d2650bd0306db7847c6
Instruction Fuzzy Hash: 9141B2B190078ECBCF48DFA8C88A1DE7BB0FB58358F104A19E965A6250D3B49664CF84

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000BB28 Relevance: 3.8, Strings: 3, Instructions: 91COMMON

Download Yara Rule

Strings

hmn, xrefs: 000000018000BC20
#St, xrefs: 000000018000BC5D
JYr, xrefs: 000000018000BB50

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #St$JYr$hmn
API String ID: 0-1556749129
Opcode ID: 8c5881788024da3e2945e5a9e10c631b66cff36ab1256063138a18bf82cfdc40
Instruction ID: 771f7f328e054501a5ac5c786693eba7885e85f29817745d48b7f08549072e32
Opcode Fuzzy Hash: 8c5881788024da3e2945e5a9e10c631b66cff36ab1256063138a18bf82cfdc40
Instruction Fuzzy Hash: 9141A2B590038E8FCF48CF68C9865DF7BB0FB58358F104A19E866A6250D3B8D665CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002610 Relevance: 3.8, Strings: 3, Instructions: 87COMMON

Download Yara Rule

Strings

W}, xrefs: 0000000180002698
TGA, xrefs: 00000001800026C3
K, xrefs: 000000018000261C

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: TGA$K$W}
API String ID: 0-588348707
Opcode ID: 6f9a2f9587d8e5dd3523940eb2aee6104e1c9ad2b61c16d7289d24ecd03a1c44
Instruction ID: 925d7415f36b0b7642ffd9188936a5d9ffa2c4cac62ef92b2c466baf2dc1674c
Opcode Fuzzy Hash: 6f9a2f9587d8e5dd3523940eb2aee6104e1c9ad2b61c16d7289d24ecd03a1c44
Instruction Fuzzy Hash: E041C2B480038E8FCB88DF68D8865DE7BB0FB58358F10461DF82AA6254D3B49664CF95

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000738C Relevance: 3.8, Strings: 3, Instructions: 86COMMON

Download Yara Rule

Strings

:1,, xrefs: 0000000180007470
@H, xrefs: 00000001800074B7
{C=, xrefs: 0000000180007424

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: :1,$@H${C=
API String ID: 0-2737386091
Opcode ID: 644fe5c2a8aa80c3bc0818b82038798635fbfb77325ece216352586eb067b324
Instruction ID: ceb57f34bb3f34c1ea772447f295c080a735f780389ac7edd693abfe49cb3e58
Opcode Fuzzy Hash: 644fe5c2a8aa80c3bc0818b82038798635fbfb77325ece216352586eb067b324
Instruction Fuzzy Hash: B641E6B090078E8FCF48DF68C98A5DE7BB0FB58348F104A1DE856A6250D3B4D665CF95

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001481C Relevance: 3.8, Strings: 3, Instructions: 74COMMON

Download Yara Rule

Strings

uL , xrefs: 00000001800148B7
prP, xrefs: 00000001800148D3
q<C, xrefs: 000000018001491B

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: prP$q<C$uL
API String ID: 0-1414207395
Opcode ID: 2ae9b2111e30b1203ae6799d8d29bbb45b968934521661f86bb08c7d67e7e9b2
Instruction ID: cc3a3a13117e67edb5dc9e3fadb8c1066889dae633948d8cd9104a976a047d4b
Opcode Fuzzy Hash: 2ae9b2111e30b1203ae6799d8d29bbb45b968934521661f86bb08c7d67e7e9b2
Instruction Fuzzy Hash: 1031B1B180434E9FCB48DF68C88A5DE7FB0FB58358F10961DE85AA6260D3789695CFC4

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180006458 Relevance: 3.8, Strings: 3, Instructions: 61COMMON

Download Yara Rule

Strings

(R', xrefs: 00000001800064CE
Kl, xrefs: 0000000180006524
:00D, xrefs: 00000001800064D2

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: :00D$Kl$(R'
API String ID: 0-3661897330
Opcode ID: 85d3200e76e47dbb67993755bb0ce797b19f94abe7489bd39968e35e8c3a1c76
Instruction ID: 113703a4c5f13be184801d5493027e38acd6d1afb500234bb699672912ccf9eb
Opcode Fuzzy Hash: 85d3200e76e47dbb67993755bb0ce797b19f94abe7489bd39968e35e8c3a1c76
Instruction Fuzzy Hash: CA216F74618B848BD74CDF28C46551EBBE1BB8C718F440B1DF4CAAA354D778D6058B4A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F365944 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FFF2F36597E

Part of subcall function 00007FFF2F367FBC: _errno.LIBCMT ref: 00007FFF2F367FD4

Part of subcall function 00007FFF2F366550: RtlCaptureContext.KERNEL32 ref: 00007FFF2F36658F
Part of subcall function 00007FFF2F366550: IsDebuggerPresent.KERNEL32 ref: 00007FFF2F36662D
Part of subcall function 00007FFF2F366550: SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFF2F366637
Part of subcall function 00007FFF2F366550: UnhandledExceptionFilter.KERNEL32 ref: 00007FFF2F366642
Part of subcall function 00007FFF2F366550: GetCurrentProcess.KERNEL32 ref: 00007FFF2F366658
Part of subcall function 00007FFF2F366550: TerminateProcess.KERNEL32 ref: 00007FFF2F366666

Strings

C, xrefs: 00007FFF2F3659CC

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerPresentTerminate_errno_getptd
String ID: C
API String ID: 1583075380-1037565863
Opcode ID: 10b8f8e64b2f2c6b57eebdc268e2529a4342badfac4ad9c6369cf06c32040822
Instruction ID: a63274c115b843f6452bfbadb4a5139efc1a947797e245cefb251c2490390a1e
Opcode Fuzzy Hash: 10b8f8e64b2f2c6b57eebdc268e2529a4342badfac4ad9c6369cf06c32040822
Instruction Fuzzy Hash: DC516123B2868241FAA09E21D9917BA56D0FF88BA4F448031DF4D6FBC9DE3DD815C708

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F36C6E4 Relevance: 3.1, APIs: 2, Instructions: 64COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FFF2F36C706
GetLocaleInfoA.KERNEL32 ref: 00007FFF2F36C73B

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: InfoLocale_getptd
String ID:
API String ID: 3731964398-0
Opcode ID: 3ee99f9ceacccca0b475531418f3f0bad8631950249c9606f8709888dfed1ca9
Instruction ID: 925dfddd86fa16e214296c4d11751866edad455e4775919dfbfeff72d8b36e39
Opcode Fuzzy Hash: 3ee99f9ceacccca0b475531418f3f0bad8631950249c9606f8709888dfed1ca9
Instruction Fuzzy Hash: 4C215C32B186828AFB689B25DD853E973E0FB88796F404135C61D9B6C5DF3CE8648B04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F36C2B4 Relevance: 3.1, APIs: 2, Instructions: 56COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FFF2F36C2DB
GetLocaleInfoA.KERNEL32 ref: 00007FFF2F36C310

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: InfoLocale_getptd
String ID:
API String ID: 3731964398-0
Opcode ID: d1cd7d40a2314de2c6ade98052514a7069188fc7bc8d66beba22a864349849c0
Instruction ID: 8d0e908d1861e3fe167af8c480fc8e46b9ff3388af1d489ce1e06510d90203c5
Opcode Fuzzy Hash: d1cd7d40a2314de2c6ade98052514a7069188fc7bc8d66beba22a864349849c0
Instruction Fuzzy Hash: 1321A132B2868196EB28CB20E8857E973E0FB88B95F544135DA5D9B394DF3CE954CB04

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800264F0 Relevance: 2.8, Strings: 2, Instructions: 299COMMON

Download Yara Rule

Strings

Y}, xrefs: 00000001800265BF
$, xrefs: 000000018002686D

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $$Y}
API String ID: 0-941771097
Opcode ID: ccf5b1dce74faba3fe2a090267a66303c79afc7ef0f7a8852e8ee526979540e5
Instruction ID: b5fbb9b8d69d65623167db00d7c984f611664f17b2ba8ffe1295fa2c65075a94
Opcode Fuzzy Hash: ccf5b1dce74faba3fe2a090267a66303c79afc7ef0f7a8852e8ee526979540e5
Instruction Fuzzy Hash: BFD11771D0475C8BDBA9CFA4C58A6DDBBB0FF48304F14812ED406AA664DBB4A94ACF41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180018148 Relevance: 2.8, Strings: 2, Instructions: 273COMMON

Download Yara Rule

Strings

?C, xrefs: 000000018001823C
7;}~, xrefs: 000000018001830E

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 7;}~$?C
API String ID: 0-2633536567
Opcode ID: 9e9477893eee9c26855422b11b358c2b9c7e89ea64d6e27a9c9a45e4b3e49bc9
Instruction ID: 4ff8dde17651611a765cac66b1fbb421dc2d9ab68fb3aea537ff971927bbf4a2
Opcode Fuzzy Hash: 9e9477893eee9c26855422b11b358c2b9c7e89ea64d6e27a9c9a45e4b3e49bc9
Instruction Fuzzy Hash: 78D1157090074CEBCB98DF28C8CA6DD7FA0FF443A4FA06119FA5696250D7719989CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180025DAC Relevance: 2.8, Strings: 2, Instructions: 272COMMON

Download Yara Rule

Strings

Wu, xrefs: 0000000180026174
5"*, xrefs: 0000000180025E9D

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 5"*$Wu
API String ID: 0-3407213400
Opcode ID: 590a19696181e1204ae7455af11f8a1d001dcd1a3fed74675f5c17178e0ac61d
Instruction ID: 3c96fdf1381a0958c8520d7d71fe6f2c88625533ee613de06fa48a87f48c4e54
Opcode Fuzzy Hash: 590a19696181e1204ae7455af11f8a1d001dcd1a3fed74675f5c17178e0ac61d
Instruction Fuzzy Hash: C5D1347150160CDBCBA9DF38C0896D93BE1FF68314F606229FC26962A6C770D998CB45

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180026B10 Relevance: 2.8, Strings: 2, Instructions: 257COMMON

Download Yara Rule

Strings

F/|, xrefs: 0000000180026ECB
]M, xrefs: 0000000180026CA3

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: F/|$]M
API String ID: 0-4182351379
Opcode ID: 43b00b6be08a8afbf3f5eb28955fc8fd0982218358cdb9bdb13e45d672a344d5
Instruction ID: a7a3ffa63f459c2793369717af269d13be5e973408dad35b7fec4159c22d1286
Opcode Fuzzy Hash: 43b00b6be08a8afbf3f5eb28955fc8fd0982218358cdb9bdb13e45d672a344d5
Instruction Fuzzy Hash: 93C1FC7590574CCFDBAACF28C4896DA3BE4FF18348F104129FC1A96262C778E959CB46

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180021C3C Relevance: 2.7, Strings: 2, Instructions: 216COMMON

Download Yara Rule

Strings

nK, xrefs: 0000000180021D5B
;SH, xrefs: 0000000180021D77

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ;SH$nK
API String ID: 0-1681473137
Opcode ID: 60009ad1e2a9263792ce168a39eeae7aea84bb316664056338e5cad3c2547986
Instruction ID: 2d779165796623b26e7721dc1da123eca1e5f2af18f65828867eec0b4a65172d
Opcode Fuzzy Hash: 60009ad1e2a9263792ce168a39eeae7aea84bb316664056338e5cad3c2547986
Instruction Fuzzy Hash: A4A1F6B1D047188FDB69DFA9C8896DDBBF0FB58308F20821DE456AB252DB70A945CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800014F8 Relevance: 2.7, Strings: 2, Instructions: 185COMMON

Download Yara Rule

Strings

z, xrefs: 000000018000150B
,, xrefs: 0000000180001690

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ,$z
API String ID: 0-3532108746
Opcode ID: dc10c8488ddee61f5c5f049ba36fdd234a8a1d33d2b4922d6dc47400662f32e6
Instruction ID: 22c424daf7001e4089cf159549a6bd5e686fa177ee3286ce9bb9aa7af20863be
Opcode Fuzzy Hash: dc10c8488ddee61f5c5f049ba36fdd234a8a1d33d2b4922d6dc47400662f32e6
Instruction Fuzzy Hash: D8813B7050064ECFDB99CF28C8967DE3BA0FB58388F214219FC469A251D778DA99CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001A460 Relevance: 2.7, Strings: 2, Instructions: 182COMMON

Download Yara Rule

Strings

g/?, xrefs: 000000018001A61B
~l;, xrefs: 000000018001A543

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: g/?$~l;
API String ID: 0-1448562259
Opcode ID: c1035f7af6a4496562a9c3e7f8bb9bdabded1ee22b21e9d05eb711cf1176ed3d
Instruction ID: 3fbc9289fec6fa85948f8c66d04cee19a314a674a1b98c47510047b5f8856774
Opcode Fuzzy Hash: c1035f7af6a4496562a9c3e7f8bb9bdabded1ee22b21e9d05eb711cf1176ed3d
Instruction Fuzzy Hash: BD912570D0871C8BDF98CFA8D4896DEBBF0FB48314F108119E815B6261D7788A49CF69

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000F128 Relevance: 2.7, Strings: 2, Instructions: 173COMMON

Download Yara Rule

Strings

S, xrefs: 000000018000F363
JM, xrefs: 000000018000F3F0

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: JM$S
API String ID: 0-422059844
Opcode ID: 17c06aff4c9a8785a284e06d6c25610082a70a687229394e7dafcb554760f06a
Instruction ID: 18b4f90d7ab76b898621194cab333307634bf3b6742180ea4845374ffda8c285
Opcode Fuzzy Hash: 17c06aff4c9a8785a284e06d6c25610082a70a687229394e7dafcb554760f06a
Instruction Fuzzy Hash: 58813B715047888BDBB8DF34C8863D93BE1FB54348F60821DEC9ACA262DB74954ADB81

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000671C Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

\4t, xrefs: 000000018000678D
sT>, xrefs: 000000018000694E

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: \4t$sT>
API String ID: 0-514966222
Opcode ID: bb5024ce5ec3974a1f347232039341d65ca55b368bc4e02a847ae3966b55dd21
Instruction ID: befa5a9d8a747e28c49f4c6f85c9bef8e8333281f143cc702ee02b151a4c5a7a
Opcode Fuzzy Hash: bb5024ce5ec3974a1f347232039341d65ca55b368bc4e02a847ae3966b55dd21
Instruction Fuzzy Hash: 689178B550070DCFDB98CF28C18A59E3BE8FB49318F40412AFC1E9A264E7B4E519CB46

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800075D4 Relevance: 2.7, Strings: 2, Instructions: 155COMMON

Download Yara Rule

Strings

lh, xrefs: 0000000180007774
6 zT, xrefs: 000000018000776A

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 6 zT$lh
API String ID: 0-3667112246
Opcode ID: 3243651aebf4cc17f9c3ac19081b739ce8b4ee13b4845d7785784d3dcbf37647
Instruction ID: 045a3dc0dd112cd33074149f38d13d5bd37ef25ad135160f9863638738ef0602
Opcode Fuzzy Hash: 3243651aebf4cc17f9c3ac19081b739ce8b4ee13b4845d7785784d3dcbf37647
Instruction Fuzzy Hash: 27811A7050478C8FDBBADF64C8AA7CA7BB0FB59304F504219EA4D8A261DB749749CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800248A8 Relevance: 2.6, Strings: 2, Instructions: 143COMMON

Download Yara Rule

Strings

t<p, xrefs: 00000001800249FD
2Q', xrefs: 0000000180024A93

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 2Q'$t<p
API String ID: 0-2959822804
Opcode ID: 3a858c916c0ce97b4f34a75536e8983d6f889f87815844e5a642c7b43e21a109
Instruction ID: a41fe1ae69e2ef788ca0c35fa62602b5835247be5e9f8fb85ac316e89f41683a
Opcode Fuzzy Hash: 3a858c916c0ce97b4f34a75536e8983d6f889f87815844e5a642c7b43e21a109
Instruction Fuzzy Hash: 30612671D0074E8BDF99DFA9C44A6EEBBB0FB58344F208119E415B7250CB788A49CF92

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180012F28 Relevance: 2.6, Strings: 2, Instructions: 136COMMON

Download Yara Rule

Strings

95s, xrefs: 00000001800130A8
\`s, xrefs: 000000018001308C

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 95s$\`s
API String ID: 0-3495284040
Opcode ID: 588b54260dd6ab6c7a0d8fdad9ba33054619fea491f2d0c2f65b47850ec72611
Instruction ID: 5af2ad2f129eee824c5b1b43ddda8a3f0e9306f12771263eefccbe9bdf0da5be
Opcode Fuzzy Hash: 588b54260dd6ab6c7a0d8fdad9ba33054619fea491f2d0c2f65b47850ec72611
Instruction Fuzzy Hash: 1351D47011478A8BCB48DF28C896ADE3FA1FB58348F114618FC668B264C7B4E665CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001AAB8 Relevance: 2.6, Strings: 2, Instructions: 131COMMON

Download Yara Rule

Strings

3*, xrefs: 000000018001AB25
qMu, xrefs: 000000018001AB45

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 3*$qMu
API String ID: 0-4093015089
Opcode ID: 99b9b50685954fc4be39463e85dd78448f0e0771904def200121889666665086
Instruction ID: 306475205ddf6f42a3ecfe0a1797163739854d195c0d735865f936de0d0f8307
Opcode Fuzzy Hash: 99b9b50685954fc4be39463e85dd78448f0e0771904def200121889666665086
Instruction Fuzzy Hash: 445122B09147189BCB88CFA8E4CA9CDBBF1FF48354F609119F806A7255DB709984CF95

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002C904 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

#X, xrefs: 000000018002C99B
"n&E, xrefs: 000000018002C9F6

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #X$"n&E
API String ID: 0-1188898577
Opcode ID: 718f7bd1d94c81876eaad6eeab3da3c9f3f95e6ba8e740bb3013068cec68a803
Instruction ID: 5f040a851564d75eb680569e00f78a68740ad3a482e782991b4ea7036c242a73
Opcode Fuzzy Hash: 718f7bd1d94c81876eaad6eeab3da3c9f3f95e6ba8e740bb3013068cec68a803
Instruction Fuzzy Hash: 3851CEB190038E8FCB48DF68D8865DE7BB1FB48344F018A1DE866AB250D7B4D665CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800176B8 Relevance: 2.6, Strings: 2, Instructions: 102COMMON

Download Yara Rule

Strings

Bw~, xrefs: 0000000180017803
fy, xrefs: 00000001800176C4

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Bw~$fy
API String ID: 0-1663007907
Opcode ID: e7fa569085818704a3ff5c3485105d547b9a4184ddd82cedce935b50235ecc40
Instruction ID: 54d1d0e0fa6abfe6c6c31828b0edda1727153ea8c56c584fcf89706de6b20d2b
Opcode Fuzzy Hash: e7fa569085818704a3ff5c3485105d547b9a4184ddd82cedce935b50235ecc40
Instruction Fuzzy Hash: FC51D2B090038A8FCB48CF64C88A5DE7FB1FB48348F51861DFC26AA250D3B4D664CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180013150 Relevance: 2.6, Strings: 2, Instructions: 100COMMON

Download Yara Rule

Strings

XyLe, xrefs: 0000000180013245
/0, xrefs: 00000001800131B1

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: /0$XyLe
API String ID: 0-3562702181
Opcode ID: fef052e2a4848d8a0e8164d690a85092e4079079a61ad40d2a1be71e95784dc9
Instruction ID: 167cd3e3c855d70dfa0c36df1993a56b415187eb75226b1b3cef09056e291559
Opcode Fuzzy Hash: fef052e2a4848d8a0e8164d690a85092e4079079a61ad40d2a1be71e95784dc9
Instruction Fuzzy Hash: 5751C2B090034E8FDB48DF68C49A5DE7FB0FB68398F20421DE856A6250D37496A4CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800190D4 Relevance: 2.6, Strings: 2, Instructions: 93COMMON

Download Yara Rule

Strings

>I, xrefs: 000000018001910D
>I, xrefs: 00000001800191E1

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: >I$>I
API String ID: 0-3948471910
Opcode ID: d02b05b08f34d440a9e97d41a427d6483b203c28eb04f5a8f30793fc226f53c2
Instruction ID: a225938552342fdcd3306cc52f41137c6a5b776406488479516cfafb05d577e3
Opcode Fuzzy Hash: d02b05b08f34d440a9e97d41a427d6483b203c28eb04f5a8f30793fc226f53c2
Instruction Fuzzy Hash: 8D41F0B0909B849BC788DF68C18A90AFBE0FBD8704F505A1DF5858B660DBB4D806CF42

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001DA80 Relevance: 2.6, Strings: 2, Instructions: 86COMMON

Download Yara Rule

Strings

}i#c, xrefs: 000000018001DB7A
{H2}, xrefs: 000000018001DB0E

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: {H2}$}i#c
API String ID: 0-1724349491
Opcode ID: 636373f8d11797f15735a76cf3eff043eb60bc28cc3023d18146d874f48b2676
Instruction ID: 37d5b784c44c013357b808598ceb46bd6ed98c7a9730d3ab63b6bf10ba55f6e5
Opcode Fuzzy Hash: 636373f8d11797f15735a76cf3eff043eb60bc28cc3023d18146d874f48b2676
Instruction Fuzzy Hash: 3941EAB190078A8BCF48CF68C89A1DE7BB1FB58358F11461DE866A6250D3B49664CF85

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800269B0 Relevance: 2.6, Strings: 2, Instructions: 82COMMON

Download Yara Rule

Strings

4V, xrefs: 0000000180026AB2
so, xrefs: 0000000180026A7A

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 4V$so
API String ID: 0-1060102820
Opcode ID: d1e906d6139717c906ceb034d8d33f13f0a3d2bdb8d940195440e7af4bdcba37
Instruction ID: d444a7ea2620fcfa6eb466004a6e01db215641729881944e94261e2193751ac2
Opcode Fuzzy Hash: d1e906d6139717c906ceb034d8d33f13f0a3d2bdb8d940195440e7af4bdcba37
Instruction Fuzzy Hash: 8E41BEB180034A8FCB48CF64C88A5DE7FB1FB68398F104619E859A6250D3B4D6A5CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800296EC Relevance: 2.6, Strings: 2, Instructions: 78COMMON

Download Yara Rule

Strings

O$, xrefs: 000000018002973D
F+', xrefs: 000000018002985C

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: F+'$O$
API String ID: 0-4064122715
Opcode ID: 2ce923b60eb562ae85959f621386450c4d7366c85186967bb9bba02107a4a539
Instruction ID: be1e2e71df6ebfdb4da32f29d75cc371dd40c0bd5c05f395d23934970efaee37
Opcode Fuzzy Hash: 2ce923b60eb562ae85959f621386450c4d7366c85186967bb9bba02107a4a539
Instruction Fuzzy Hash: FD41D6705187848BD3A9DF68C08965EFBF0FB96394F104A1CF68686670C7B6D849CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800121CC Relevance: 2.6, Strings: 2, Instructions: 75COMMON

Download Yara Rule

Strings

bO6, xrefs: 000000018001228D
1, xrefs: 00000001800121E3

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 1$bO6
API String ID: 0-3242911120
Opcode ID: 9f75d9841d56aa2cc22d310afbf4e4cd48e2e3da52340bc691d74cf5e049a536
Instruction ID: 6601c978ba2416544a7d1ca6fb5225a3b879728eb772ccf04003f68ee897128b
Opcode Fuzzy Hash: 9f75d9841d56aa2cc22d310afbf4e4cd48e2e3da52340bc691d74cf5e049a536
Instruction Fuzzy Hash: 8A3107701187449FC7A8DF68C086A5ABBF0FB9A354F50491DF686C7265C3B2D895CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180019D60 Relevance: 2.6, Strings: 2, Instructions: 68COMMON

Download Yara Rule

Strings

\rba, xrefs: 0000000180019D7E
)j-J, xrefs: 0000000180019DA5

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: )j-J$\rba
API String ID: 0-105394296
Opcode ID: b27fa7590f58ca7dd2d737508af6f5bc0d6ebd07140c48d4a736306249910364
Instruction ID: 842adb91478ed39572f9e8a80903ac0de563c5eb9e26d75e48c1d2cd82a83531
Opcode Fuzzy Hash: b27fa7590f58ca7dd2d737508af6f5bc0d6ebd07140c48d4a736306249910364
Instruction Fuzzy Hash: 1A31D17080024E8BDF88DF64D48A6DFBFF0FB58788F205219E856A6254D7749694CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180024698 Relevance: 2.6, Strings: 2, Instructions: 67COMMON

Download Yara Rule

Strings

5T, xrefs: 00000001800246BF
7c, xrefs: 000000018002471E

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 5T$7c
API String ID: 0-2666566123
Opcode ID: 2ae419eb0ff386ee94a2b0b54af6030ef829be62021f352e0c4a6905d27011e8
Instruction ID: ee04dda3efe5c9a307f88871a109fd0823ba75d09644cdd26569aa81abafae9d
Opcode Fuzzy Hash: 2ae419eb0ff386ee94a2b0b54af6030ef829be62021f352e0c4a6905d27011e8
Instruction Fuzzy Hash: 7631E2B051C7808BC358DF68D15A51BFBF1BBCA748F50891CF686866A0D7B6D818CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180017BDC Relevance: 2.6, Strings: 2, Instructions: 60COMMON

Download Yara Rule

Strings

",)x, xrefs: 0000000180017C8A
PX, xrefs: 0000000180017C43

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ",)x$PX
API String ID: 0-926260526
Opcode ID: f165c3a10a1fa821f16c68d8465b247d8270816cceff94c6b22525474e7640ac
Instruction ID: d5a1e783bdd82888163cb93820b1a52157f2f65bb265271905f807ea8b7abae1
Opcode Fuzzy Hash: f165c3a10a1fa821f16c68d8465b247d8270816cceff94c6b22525474e7640ac
Instruction Fuzzy Hash: DA31A1B091434E8FCB48DF64C88A5DE7FF0FB58398F114619E85AA6250D3B89694CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F36C39C Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32 ref: 00007FFF2F36C3DD

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 31e1571c4c9480ce99c15a91898bfef815e3c9c5a1e04a4fd1e61da97386d0dc
Instruction ID: 9a05914206cc3cacbbbe7f18b48b5ada3c9807f9c721d9ec434eda7391277c2e
Opcode Fuzzy Hash: 31e1571c4c9480ce99c15a91898bfef815e3c9c5a1e04a4fd1e61da97386d0dc
Instruction Fuzzy Hash: 1B11C832B2C58245FA729B65ECD17B912D0AB847EDF444031DA8DAE6C1CE1CEC468709

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F36C834 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

EnumSystemLocalesA.KERNEL32 ref: 00007FFF2F36C884

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: aeac2b72f960d353e04b1ec94d2b5deee2ea0aff83e9dab1063ee3790c567d86
Instruction ID: faebb342b9a39c2d40605851f076dbcc4cbb3148e91d2bfeaece174edea5c0e1
Opcode Fuzzy Hash: aeac2b72f960d353e04b1ec94d2b5deee2ea0aff83e9dab1063ee3790c567d86
Instruction Fuzzy Hash: 61115272B2860587FB298B31C89537937E0FB94B6AF144435C60D5A2C6CFBCDD948789

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F36C8C8 Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

EnumSystemLocalesA.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FFF2F365A8C), ref: 00007FFF2F36C8FD

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 63a91a0b255d2a7e8e8559b933d18d41bbf72777b1d5725641a44dd385286e67
Instruction ID: 717f1802e788ab21de2b0827c563625dc7d1dbb90d6e02e09fe3fc7fd3e4134d
Opcode Fuzzy Hash: 63a91a0b255d2a7e8e8559b933d18d41bbf72777b1d5725641a44dd385286e67
Instruction Fuzzy Hash: 12F0C862F2850686F7588B31C8953B927D1EB94B9AF188031C64D5A2C6CF7CDD918249

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F36DF3C Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFF2F362534: _getptd.LIBCMT ref: 00007FFF2F36254A

GetLocaleInfoW.KERNEL32 ref: 00007FFF2F36DF6C

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: InfoLocale_getptd
String ID:
API String ID: 3731964398-0
Opcode ID: c55661bbe17e4b16f28eed47b7e85f9fabee07928079620ee3b979cc97ad5c67
Instruction ID: c57fa20320f4d389282aabdbd8ae649c54afa75ba6dd53d67fc8c8ac1a78109c
Opcode Fuzzy Hash: c55661bbe17e4b16f28eed47b7e85f9fabee07928079620ee3b979cc97ad5c67
Instruction Fuzzy Hash: F9F05422B186C083E7118B16F44455AE7A1F7C4BF0F584221EB9E5BB99CE2CC856CF44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F36E1E8 Relevance: 1.5, APIs: 1, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32 ref: 00007FFF2F36E210

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 502a65142465a1b9b121244362b20e71b6ae70508435106b2b95459646a177ab
Instruction ID: b501b82123b57abb2b0f8a6fbbb46faf62d2a11f38318947b7d0151735df38b8
Opcode Fuzzy Hash: 502a65142465a1b9b121244362b20e71b6ae70508435106b2b95459646a177ab
Instruction Fuzzy Hash: FBE06521B2C58181FA30A710EC913AA27D1BF98768F900231D69D6A6E5DE2CE6558B09

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F36C7F4 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

EnumSystemLocalesA.KERNEL32 ref: 00007FFF2F36C81E

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: a3acadd2f008454ed6638a5ec196b6424420b15def5e390d94227f08142a8bc9
Instruction ID: 3131cb627c5a0ce774fc7e1f0f08c3d76895744aa9460bbdda02668f3e4e891c
Opcode Fuzzy Hash: a3acadd2f008454ed6638a5ec196b6424420b15def5e390d94227f08142a8bc9
Instruction Fuzzy Hash: 1BE08667F1860582FB588B71D88437422D1EF98B5AF088031CA0C152D5CF7CCD96CB84

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800125C4 Relevance: 1.5, Strings: 1, Instructions: 239COMMON

Download Yara Rule

Strings

cYte, xrefs: 00000001800128D1

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: cYte
API String ID: 0-489798635
Opcode ID: 6004706ed1147b69530f76000c159dc057970e6c457d66b2cd8eae28b0101d69
Instruction ID: 4bcad34f3ef31740aa8133b8dde5a269bb367cd09133d205a83695970592d01c
Opcode Fuzzy Hash: 6004706ed1147b69530f76000c159dc057970e6c457d66b2cd8eae28b0101d69
Instruction Fuzzy Hash: C4B1E570904A0C9FCB99DFA8D4C96DDBFB1FB48354F908119F806AB294D774998ACF81

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002A9A8 Relevance: 1.5, Strings: 1, Instructions: 221COMMON

Download Yara Rule

Strings

Pc, xrefs: 000000018002AC68

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Pc
API String ID: 0-2609325410
Opcode ID: 1a0088ecf8094bc96bd3fe6dd6dc82c472572739438acd9534c77a0a59272c42
Instruction ID: 12b923e2fd3f69615379d54222b7898fdcc3de1fee72b8e179f5c4c977b11f8e
Opcode Fuzzy Hash: 1a0088ecf8094bc96bd3fe6dd6dc82c472572739438acd9534c77a0a59272c42
Instruction Fuzzy Hash: 4CC188B6502749CFCB88DF68C69A59E7BF1FF55308F004129FC0A9A660D374D929CB48

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001C964 Relevance: 1.5, Strings: 1, Instructions: 207COMMON

Download Yara Rule

Strings

xDC, xrefs: 000000018001CAFA

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: xDC
API String ID: 0-90241050
Opcode ID: 1794493f14346c80bf95ebec7e4fc927d8b172e8d91b7fcff559d0595d0365ee
Instruction ID: 9121b1bc5c885adbeef7a29f5b0494aad7ac2618abc594bea640adf26706a648
Opcode Fuzzy Hash: 1794493f14346c80bf95ebec7e4fc927d8b172e8d91b7fcff559d0595d0365ee
Instruction Fuzzy Hash: F391387052065CEBDB99DF68C8CAADD3BA0FB48394F906219FC4287250C775D9C98B86

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001ED50 Relevance: 1.5, Strings: 1, Instructions: 205COMMON

Download Yara Rule

Strings

g >, xrefs: 000000018001EF27

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: g >
API String ID: 0-3862707646
Opcode ID: ed648581161f49faafb3551504090fa0bdf2ce44a31b7bcfa2a0e2750c151a25
Instruction ID: 455282f08292131e945dcc730a648b96f9dba3dd8fa54dedd401ba7ae830fef0
Opcode Fuzzy Hash: ed648581161f49faafb3551504090fa0bdf2ce44a31b7bcfa2a0e2750c151a25
Instruction Fuzzy Hash: DEA1E5B1604649CFCB98DF28C4896DE7BE0FF48358F41412AFD0A9B255C774DAA8CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180018DAC Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

2, xrefs: 0000000180018DDB

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 2
API String ID: 0-2012265552
Opcode ID: 4b072a5d04a01b9100fac41699cb466bc37952194d83653627602ebfe7fd88fa
Instruction ID: 4926f2c2e7b01a1509be6dde787c5073208d3019f4660081853cabf743aa6d2d
Opcode Fuzzy Hash: 4b072a5d04a01b9100fac41699cb466bc37952194d83653627602ebfe7fd88fa
Instruction Fuzzy Hash: 23A1467490660CDFCB69DFA8C0856CDBBF2FF18344F1081AAE816A7261D774C619CB89

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800288B8 Relevance: 1.4, Strings: 1, Instructions: 190COMMON

Download Yara Rule

Strings

Wcl, xrefs: 0000000180028B98

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Wcl
API String ID: 0-2623992880
Opcode ID: f4aab810873131842688b8816ae552eda5867b61779d557f5a81b893f1e00e3f
Instruction ID: 6785441b261b06c1a3a09f49601167733b22bb672c53a20dcfeae34723d14519
Opcode Fuzzy Hash: f4aab810873131842688b8816ae552eda5867b61779d557f5a81b893f1e00e3f
Instruction Fuzzy Hash: DCB17BB990364DCFCB68CF78D58A59D7BF1AF64308F204119FC259A266D3B0D629CB48

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180029888 Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

ws8, xrefs: 00000001800299E0

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ws8
API String ID: 0-2196714860
Opcode ID: 5d33fb8a3b51542eaa6130f047a5a21fcb70befd8ff2f8c5da0624ee0b386558
Instruction ID: b480ef2199d1fafa288ff61c3bcffdce570952497d21d470c9db593eaacbee88
Opcode Fuzzy Hash: 5d33fb8a3b51542eaa6130f047a5a21fcb70befd8ff2f8c5da0624ee0b386558
Instruction Fuzzy Hash: 54711A70A0470E8FDB59DFA8C45AAEFBBF2FB54348F004119D806A7291DB749A19CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180017908 Relevance: 1.4, Strings: 1, Instructions: 158COMMON

Download Yara Rule

Strings

p/g, xrefs: 0000000180017A5F

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: p/g
API String ID: 0-1786412500
Opcode ID: ea109bfccebd437b4b01984c5c0f8ff51e1effdcf135339ee94665a9e60d530a
Instruction ID: ede728f5e2ba0833d242d52ca27ad93f20c36497480e8c5f25a004cbad49378e
Opcode Fuzzy Hash: ea109bfccebd437b4b01984c5c0f8ff51e1effdcf135339ee94665a9e60d530a
Instruction Fuzzy Hash: F58108B050434E8FCB88DF68D88A6DE7FF0FB58358F105659E85A96250D3B8D694CF84

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000131C Relevance: 1.4, Strings: 1, Instructions: 154COMMON

Download Yara Rule

Strings

%, xrefs: 0000000180001481

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: %
API String ID: 0-3714942587
Opcode ID: 4a5e4fe18fa17051425459feb0137b81b0d343578dbe0cd5a85f108800ca0619
Instruction ID: d5d5bf94d11651037a836977de8f66422f038c9f5d7a5f915f0cc542ec650b78
Opcode Fuzzy Hash: 4a5e4fe18fa17051425459feb0137b81b0d343578dbe0cd5a85f108800ca0619
Instruction Fuzzy Hash: 5A516974606608CBDB69DF38D4D57A937E1EF68305F20412DF866C72A2DB70D9258B88

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000D8C4 Relevance: 1.4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

Strings

A.}, xrefs: 000000018000DA2D

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: A.}
API String ID: 0-2880059976
Opcode ID: 9010837fa6b706847bc4c7b3c9088da85304bc8742fe6f892a790101183beb2f
Instruction ID: 2f0cd8bb00c33d355f5bc07b1ff950bf82d6730f12d3cb6082a6ef1b734ff39e
Opcode Fuzzy Hash: 9010837fa6b706847bc4c7b3c9088da85304bc8742fe6f892a790101183beb2f
Instruction Fuzzy Hash: 8E618FB190078E8FCF48DF68C88A5DE7BB1FB58318F004A1DE86696250D7B49A65CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180001D68 Relevance: 1.4, Strings: 1, Instructions: 126COMMON

Download Yara Rule

Strings

0#, xrefs: 0000000180001DF0

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 0#
API String ID: 0-456275806
Opcode ID: f4a433f559aee369bf21c69c9b7459dc344cb914e6653285f272d73a33117f3a
Instruction ID: 4563f3e02f76dde2de765371aa44af8a356bdaf4307918038d119139e73a9611
Opcode Fuzzy Hash: f4a433f559aee369bf21c69c9b7459dc344cb914e6653285f272d73a33117f3a
Instruction Fuzzy Hash: A6415E70608B488FC768DF19D4897AABBF1FB99301F404A6DE58AC7251DB70D849CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180008CA0 Relevance: 1.4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

Strings

n), xrefs: 0000000180008DD6

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: n)
API String ID: 0-1227437150
Opcode ID: f07ab33c2aa16265c73684704b65c3edc8d50a8e8d1ddfe7d0f50fe867e83bf1
Instruction ID: dd456011ca79f85f31d8ff0d6df60f6896318ebd7e2af4f5172cd91629f08304
Opcode Fuzzy Hash: f07ab33c2aa16265c73684704b65c3edc8d50a8e8d1ddfe7d0f50fe867e83bf1
Instruction Fuzzy Hash: 9761ADB090074E8FCB48DF68D58A5CE7FF0FB68398F204219E856A6260D37496A5CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001EB30 Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

H&0, xrefs: 000000018001EBA0

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: H&0
API String ID: 0-1691334370
Opcode ID: 5a191e61a79b4d2933a8800ab4c515fbfaecb0eb7acbf0dede020ee38eb43630
Instruction ID: 434fd06cb4e7b9e5ef59c8cf231445956357c0a0e2562e482aef1b34ca23bdad
Opcode Fuzzy Hash: 5a191e61a79b4d2933a8800ab4c515fbfaecb0eb7acbf0dede020ee38eb43630
Instruction Fuzzy Hash: F8511970519784ABD7D9CF28C4C5B5EBBE0FB88794F90691EF486C62A0CB74C9498B03

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002870C Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

<+o, xrefs: 000000018002884F

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: <+o
API String ID: 0-2035106886
Opcode ID: a127c5cda714885b89af0befeec2260f70d516272a3ffbf2c9e998cd35b08532
Instruction ID: 908cc80fe280ddd0bfa2415e6bae89ce11b1f5b72da4428c53a3215ac7c7145d
Opcode Fuzzy Hash: a127c5cda714885b89af0befeec2260f70d516272a3ffbf2c9e998cd35b08532
Instruction Fuzzy Hash: 7A51DFB090034E8BCB48CF68C9965DE7BB0FB58348F11861DEC26AA350D3B4D664CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180015388 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

2d, xrefs: 0000000180015418

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 2d
API String ID: 0-3866551247
Opcode ID: 21f6d5c278180fa64e04e12198f4d62966834cfebc9beba359b958e849a1d965
Instruction ID: 258b54a6104a0115c80ff1d617aa7636393a642c0cf89d14f7baa21f525a3413
Opcode Fuzzy Hash: 21f6d5c278180fa64e04e12198f4d62966834cfebc9beba359b958e849a1d965
Instruction Fuzzy Hash: 4641CFB05087858FD358DF68C58A61AFBF1BBCA344F108A1EF685CB260D7B6D945CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800250CC Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

ZF{;, xrefs: 0000000180025218

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ZF{;
API String ID: 0-2351138993
Opcode ID: 1a3b70ac63407bc6b31dbd99811dd9b011c38cdabefff78aa14352df61b26e81
Instruction ID: 7873f037b774218c73d9d67b0eeaf548a3a2a69e6d8f7c9b30684cba1c01e4e1
Opcode Fuzzy Hash: 1a3b70ac63407bc6b31dbd99811dd9b011c38cdabefff78aa14352df61b26e81
Instruction Fuzzy Hash: 525192B180034A8FCB48CF68D48A5DE7FB0FB68398F20461DF956A6250D3B596A4CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180011834 Relevance: 1.3, Strings: 1, Instructions: 91COMMON

Download Yara Rule

Strings

o^, xrefs: 00000001800118C1

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: o^
API String ID: 0-3380573087
Opcode ID: 0d6f3437d03fe5aa4f51e8e74fa4409d34d0e7854ad8eda007dad4bfdfa39413
Instruction ID: 59a9f6ae0c87b179395b4bbd7662f2404235addd18437060f8b1d9c1d0f8b2e4
Opcode Fuzzy Hash: 0d6f3437d03fe5aa4f51e8e74fa4409d34d0e7854ad8eda007dad4bfdfa39413
Instruction Fuzzy Hash: 97419FB091034A9FCB48DF68C4865CEBFB0FB68394F20561AF856A6250D3B4D6A4CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180017CE4 Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

8N, xrefs: 0000000180017DB3

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 8N
API String ID: 0-1657423088
Opcode ID: c7b73ac620a1de8d380d3e919fde74086c8d3eb6f51cee4e1f73d7d71f9b17a5
Instruction ID: 05e8e8e61cf54c40f354227930f27795623571b92907d2ce5de0c79af9b5eb72
Opcode Fuzzy Hash: c7b73ac620a1de8d380d3e919fde74086c8d3eb6f51cee4e1f73d7d71f9b17a5
Instruction Fuzzy Hash: 3041B2B180078A8FCF48DF68D88A5DE7BF0FB48344F515619F82AA6250D3B49664CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002178 Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

J3n, xrefs: 00000001800021BA

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: J3n
API String ID: 0-3694000235
Opcode ID: 5e0585a393d7b877ef62559883b768be0e35881de92711842f1faa0fdb5b3090
Instruction ID: fbc63d1771dd8068db465c214aa1fa6fe3c32017f13d31a40a539671eb8e3db3
Opcode Fuzzy Hash: 5e0585a393d7b877ef62559883b768be0e35881de92711842f1faa0fdb5b3090
Instruction Fuzzy Hash: 9241B2B090034A8FCB48CF64D48A5DEBFF0FB68398F104619E819A6250D3B496A5CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001F7C0 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

c&A, xrefs: 000000018001F817

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: c&A
API String ID: 0-649646960
Opcode ID: 222d628d9e4dbd3e938f419e6eccfde97dede3f6fc3ed5f8b1cf47718be42e18
Instruction ID: 5c1e29145451eb3f41bdf5aebc87db8614fe3fe022aa4abe865b5bb925589833
Opcode Fuzzy Hash: 222d628d9e4dbd3e938f419e6eccfde97dede3f6fc3ed5f8b1cf47718be42e18
Instruction Fuzzy Hash: A041B2B490038E8FCF48DF68D8465DE7BB0FF58348F114619E865A6250D3B8D665CF85

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800029BC Relevance: 1.3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

Strings

(3, xrefs: 0000000180002ABA

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: (3
API String ID: 0-2570504824
Opcode ID: a8e5f93200cbe41d1aa1f83add337e38aaec9fa9aeab5943e76885fb2eb57509
Instruction ID: 078cae481ecab5ebae8a44fc1aa70e5a526d9ef7cdb5a4e390aeab476efd0bb7
Opcode Fuzzy Hash: a8e5f93200cbe41d1aa1f83add337e38aaec9fa9aeab5943e76885fb2eb57509
Instruction Fuzzy Hash: 8641E1B190034E8BCB48DF65C89A4EE7FB0FB58388F10461DE856AB250D37496A9CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002C7B4 Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

[r\^, xrefs: 000000018002C8A4

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: [r\^
API String ID: 0-4041245994
Opcode ID: 7e09be878869778b676359d511607d642bff81e0c723db1b86f2cce54c765f10
Instruction ID: bef136deadb7757a9af36730b388b650d276232742e73576b67fc962b3bf4495
Opcode Fuzzy Hash: 7e09be878869778b676359d511607d642bff81e0c723db1b86f2cce54c765f10
Instruction Fuzzy Hash: A841E2B090034E8FCB48DFA4D48A5DE7FB1FB58358F10861DE85AA6210C3B896A4CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180019FDC Relevance: 1.3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

#X, xrefs: 000000018001A072

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #X
API String ID: 0-1684620495
Opcode ID: e5059ebb106ab31542f79bed70f85174c6c5fb64cd94bc4155e3ee01b83e8653
Instruction ID: c074d48008b4f0de6335b08329d09b3dcf7b4425e670a70b5eb694557c772c54
Opcode Fuzzy Hash: e5059ebb106ab31542f79bed70f85174c6c5fb64cd94bc4155e3ee01b83e8653
Instruction Fuzzy Hash: CD31C27050074A8BCF48DF68C48A5DE7FA1BB68388F204619F85A96250D3B896A9CBC4

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002790 Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

[[x, xrefs: 00000001800028BE

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: [[x
API String ID: 0-2553898450
Opcode ID: fce498f01d1264328632f2ce3828285d2b3a4cfcf13af4523760d9f610b529f8
Instruction ID: a8e0a129d75fff214b9f34755e9293911d3f443417a5185f62d90841b3dbcaf2
Opcode Fuzzy Hash: fce498f01d1264328632f2ce3828285d2b3a4cfcf13af4523760d9f610b529f8
Instruction Fuzzy Hash: 8031AF701087848BD759DF68D48A51EFFF1FBC5398F500A0CF68286260D7B6E889CB42

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001E960 Relevance: 1.3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

Strings

g\&, xrefs: 000000018001E9C1

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: g\&
API String ID: 0-1994035986
Opcode ID: f1cd2deb5ac8493e30d5546e6bad4ad0a2e3582185550e3a432f48c3f1068d26
Instruction ID: 78d7b7b30cf9cde697684abc63e3144e4f3c104511914dfd36499d518091e057
Opcode Fuzzy Hash: f1cd2deb5ac8493e30d5546e6bad4ad0a2e3582185550e3a432f48c3f1068d26
Instruction Fuzzy Hash: 49419FB090034E8FCB45CF64D48A5DEBFF0FB68788F204619E855A6220D37496A9CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000338C Relevance: 1.3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

Strings

#X, xrefs: 0000000180003431

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #X
API String ID: 0-1684620495
Opcode ID: d6f38c749d7bf2c025576eea968cfd60362aaf86b7b5e01395e428e1a7e85413
Instruction ID: 6a57ff0d0e6417dcb220414ddd6fd05f9d25965c1474ecef6a781787815c5441
Opcode Fuzzy Hash: d6f38c749d7bf2c025576eea968cfd60362aaf86b7b5e01395e428e1a7e85413
Instruction Fuzzy Hash: 0F317FB06187858B8348DF28C45A41ABBE1FB8D31DF504B1DF8CAA7390D738D656CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800095DC Relevance: 1.3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

Strings

GfMu, xrefs: 0000000180009601

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: GfMu
API String ID: 0-241548529
Opcode ID: 8a67e3bf7b4199a1d3604c9779ca93a2bad0c6c3acd17a475ebbae523034d89b
Instruction ID: 459bd1ae445ea4b99a05d17f5b7f57a0228a98ad0e4316bc4572b1ae85115cb6
Opcode Fuzzy Hash: 8a67e3bf7b4199a1d3604c9779ca93a2bad0c6c3acd17a475ebbae523034d89b
Instruction Fuzzy Hash: 3F31A4B080034E9FCB44DF65C88A5DE7FB0FB28398F118619E859A6254D3B8D6A5CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000F9E8 Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

k|, xrefs: 000000018000FABD

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: k|
API String ID: 0-998972391
Opcode ID: 6236ffa949a3ca0ec4882c0e2f53e6d4deed0830cebabbf337115adf18185b80
Instruction ID: 2ac7c004f44a328b632a383646e80911aebdd3a2d92afb1c4fde4e6b566515e4
Opcode Fuzzy Hash: 6236ffa949a3ca0ec4882c0e2f53e6d4deed0830cebabbf337115adf18185b80
Instruction Fuzzy Hash: 0E316BB55187858BC348DF28C44A41ABBE0FB8D70DF401B2EF4CAAA254D778D646CB4B

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001D950 Relevance: 1.3, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

wz_, xrefs: 000000018001D9E9

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: wz_
API String ID: 0-2163964638
Opcode ID: b40e6b262b7e1498d3f21ab3c4cda150b043a181806bf38e185a76218508c891
Instruction ID: 85abef5d63a3cc0fc3de64b3cbe2355aa0dee9f977196367498a1db9d5329f65
Opcode Fuzzy Hash: b40e6b262b7e1498d3f21ab3c4cda150b043a181806bf38e185a76218508c891
Instruction Fuzzy Hash: 1B31A3B190438E9FCB84CF64D88A5DE7BB0FB58358F104A19EC69A6210D3B4C665CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000580C Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

{?Q, xrefs: 00000001800058F9

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: {?Q
API String ID: 0-927583641
Opcode ID: 839c14ccb0eb6183acb001e089a9759e5faeed76da85f154f8e90dad145701fc
Instruction ID: 7795a7564029993a5c8c4ac1e25182a2d51a1c6f7b8e281b16b6dc8244c6ef4e
Opcode Fuzzy Hash: 839c14ccb0eb6183acb001e089a9759e5faeed76da85f154f8e90dad145701fc
Instruction Fuzzy Hash: A431A4B4529780ABC788DF28C49691EBBF1FBC9314F806A1CF9868A350D775D855CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180021510 Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

|}6\, xrefs: 00000001800215C8

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: |}6\
API String ID: 0-3074799505
Opcode ID: 23fa338bd40b2aad003d9f0634311d3454ffb754a67c2adf2f847410751a50d9
Instruction ID: deee1345628e574e08842a382b14917b2dc53efdf1581624b2725d4aab218cc2
Opcode Fuzzy Hash: 23fa338bd40b2aad003d9f0634311d3454ffb754a67c2adf2f847410751a50d9
Instruction Fuzzy Hash: 06216EB4529380AB8388DF29C48981EBBF0FBC9344F906A1EF88696364D775D445CB02

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001FA38 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

3&a, xrefs: 000000018001FB09

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 3&a
API String ID: 0-537350193
Opcode ID: beaf1e19c187a0f85b52ebc77c111716efe920449ad97bd8647c465ec4e93b8f
Instruction ID: 8a645f8d3c8cc56bac308d2d2ecdfd486002fa9c5fd877c3d873e02a569d50ca
Opcode Fuzzy Hash: beaf1e19c187a0f85b52ebc77c111716efe920449ad97bd8647c465ec4e93b8f
Instruction Fuzzy Hash: 39216E74528781AFC788DF28D49981FBBE1FB88304F806A1DF88687360D774D459CB42

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001435C Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

o0:X, xrefs: 000000018001438E

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: o0:X
API String ID: 0-645126758
Opcode ID: 16e91aede479f97639727f95d3587bc05ccff40046920f17c5bc1350390a4fa4
Instruction ID: 22f452758bb10e6d75f49cffb2921ccf5c0237a957934827f7fc810dfbc33e73
Opcode Fuzzy Hash: 16e91aede479f97639727f95d3587bc05ccff40046920f17c5bc1350390a4fa4
Instruction Fuzzy Hash: AC2168B060C7848BD348DF68C49691ABBE0FB9D358F504B1DF4CAAA261D3789645CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180020CFC Relevance: 1.3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

Strings

D4}, xrefs: 0000000180020DB4

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: D4}
API String ID: 0-491520632
Opcode ID: e694fe3bb7f23863c566d88b3f3e9b79af36947dfdaac95326105a138b36f14b
Instruction ID: bbb3bee9fa9cdc8f6282772afd18f295cdd348f2c7f059baa6db29b6d6e0bb5b
Opcode Fuzzy Hash: e694fe3bb7f23863c566d88b3f3e9b79af36947dfdaac95326105a138b36f14b
Instruction Fuzzy Hash: A9215DB550C3848BC788DF28C49651BBBE1BB8C318F444B2DF4CAAA365D7789654CF4A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F36AA0C Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerPresentTerminate_errno_getptd
String ID:
API String ID: 1583075380-0
Opcode ID: b49a52df605eb860e81aecf945551c905b422740176ff48a34f4eb53aef691de
Instruction ID: 25d09d190789e20eb7d95b3338c790553821e9fff720222ea7c58d703ba7e1bf
Opcode Fuzzy Hash: b49a52df605eb860e81aecf945551c905b422740176ff48a34f4eb53aef691de
Instruction Fuzzy Hash: 92A1B532B2858141EB649F259A957BEA392FF84BD4F448136DE4D2FBC5CE3CE8018704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F36EB60 Relevance: .2, Instructions: 202COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9410001777fc81e6582bcbf2c9e1b051a8f1f2b874c05684980e9ac5d71aab9
Instruction ID: d2c2506a2c8dbb4c604b508d22c07378d17c816cfa2d09b1090fdb5b7551c4a2
Opcode Fuzzy Hash: d9410001777fc81e6582bcbf2c9e1b051a8f1f2b874c05684980e9ac5d71aab9
Instruction Fuzzy Hash: CD71D272F282464BE31CCB18ED9167866D6E7E4314F588035D90ADFBD8EA39FD448B04

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180018598 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d0a71211182b7f87b6da8fb5c4bb16c050ce1c1bc57c3eb72ccfc764dcd8f25
Instruction ID: 8540b9e78b3a5a21de6b0995fa07f246b5a6616f24314d9c292e70c997d69f1a
Opcode Fuzzy Hash: 5d0a71211182b7f87b6da8fb5c4bb16c050ce1c1bc57c3eb72ccfc764dcd8f25
Instruction Fuzzy Hash: 03916670904B0D8BDF48DF94C48A1EEBBF1FB48358F15821DE84AA7250DB749A89CF85

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000F7E0 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efccbdecd07d61b7fd9807909e593046fc70b22fd17ef27bebbdee29ceef9f7a
Instruction ID: b4cc55b2ba55f7836136ac8b5ed3643aad821ec95d31101853fef74eb9d9cec8
Opcode Fuzzy Hash: efccbdecd07d61b7fd9807909e593046fc70b22fd17ef27bebbdee29ceef9f7a
Instruction Fuzzy Hash: FF51787090470DABDBA9CF64C4893EEBBF0FB48354F60806DE85697390DB749A85CB81

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001DBE8 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1505da822373411ddcecd725c63ebafe53e843356a51ddc09aa4b8a95d314011
Instruction ID: 8a210f576f06192acb1348665dce29b8299704b90f8c36c4c02948eefca36544
Opcode Fuzzy Hash: 1505da822373411ddcecd725c63ebafe53e843356a51ddc09aa4b8a95d314011
Instruction Fuzzy Hash: 98819EB590034E8FCB48CF68C48A5DE7FB0BB68394F614219F8569A260D774DAA5CFC4

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180019300 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 197fc001b9ca96d8c078894440fafc4def679aa452f545048d4dbe605d0ae04d
Instruction ID: a715a821166c3325a5f96f2d5301173626eb48cd37bd72c2dcb4fea3562e42b3
Opcode Fuzzy Hash: 197fc001b9ca96d8c078894440fafc4def679aa452f545048d4dbe605d0ae04d
Instruction Fuzzy Hash: 79512EB150074A8BDB49DF28C0D76AE3FE1EB64388F20411DFD468A295D774DAA9CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001CD38 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7aced778150c02bbca5db0e3f41738242a846810a111e238ccae7171f94d46c
Instruction ID: fc479b7e82b21315ffd406d8fba444b33d09de74539f70da2a8813263b1569c5
Opcode Fuzzy Hash: f7aced778150c02bbca5db0e3f41738242a846810a111e238ccae7171f94d46c
Instruction Fuzzy Hash: 65416D7020DB488FD768DF18948975ABBF0FB9A740F404A9DE5CAC7256D771D844CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800197A0 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97ae2c8ea2cdf4840b91f894fd37a694475120081486fc145809f74360d0bada
Instruction ID: dbb4fad0742d9b29c59b9a64f17438fc1cba9462e735a4e3b2d00d7b8da19945
Opcode Fuzzy Hash: 97ae2c8ea2cdf4840b91f894fd37a694475120081486fc145809f74360d0bada
Instruction Fuzzy Hash: 4C5192B490038E8FCB48CF69C84A5DE7BB1FB48358F104A19FC26A6250D7B4D665CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180008AD8 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b44f26b2e4c7e97ddfb81a3adbda3d77288edc4ecbe0bae8cc8933f1c33e44
Instruction ID: 08efbb833ea687ad733901112953304226336fcfa3581264405f9509991f6ff4
Opcode Fuzzy Hash: f1b44f26b2e4c7e97ddfb81a3adbda3d77288edc4ecbe0bae8cc8933f1c33e44
Instruction Fuzzy Hash: 6551BEB490074A8BCB48CF68D4875DE7FB0FB68398F20421DEC56AA250D3B496A5CFD4

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180009F5C Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16eb5be53274359ca32061ddf2fd9752b6767c1a5dd3248deb14ec1aa5e29bf1
Instruction ID: 52c1f8436ada09c5d91cc0f6a0e49c089501cc81ef075f7e28a52ff611ebfcf9
Opcode Fuzzy Hash: 16eb5be53274359ca32061ddf2fd9752b6767c1a5dd3248deb14ec1aa5e29bf1
Instruction Fuzzy Hash: D351B3B190438E8FCB48DF68D98A5DE7BB0FB48348F104A19FC26A6250D3B4D664CF85

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000F917 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcde6b28aa1f9cc532f581acc23668cd4c3c6920105dcd3780d199daaa58310a
Instruction ID: 871f118089c9e262c63038bd4f0fd9666d89e9c6fa6f13266ea976bdce614408
Opcode Fuzzy Hash: bcde6b28aa1f9cc532f581acc23668cd4c3c6920105dcd3780d199daaa58310a
Instruction Fuzzy Hash: CB41393190071DABDB95CFA4C8892EEBBF1FF44358F608159E852A7384DBB49685CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180019E78 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be6c09d37bb88d9ef1cd1e4f7c6fe28a3503fab801bd979a9297db1a45dede51
Instruction ID: 72cb41ac5f9990f9c197b8bd4b5430fc958a2c545255f7632808fe9bc15cd904
Opcode Fuzzy Hash: be6c09d37bb88d9ef1cd1e4f7c6fe28a3503fab801bd979a9297db1a45dede51
Instruction Fuzzy Hash: A141D27090034A8BCB48DF68D8865DE7FB0FB58388F20461DE81AA6350D3B896A5CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180001FE0 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 937cbbccdfb62f32f5a53fbe7826fb6fdb7ed657b014fade726fdd4e8827f138
Instruction ID: 5a85513126e01a98bb902dccfe4af02f6196fd3989a765a33a65cbdcda0cb452
Opcode Fuzzy Hash: 937cbbccdfb62f32f5a53fbe7826fb6fdb7ed657b014fade726fdd4e8827f138
Instruction Fuzzy Hash: 0641E5B091038A8FCF88DF64D84A5DE7BB0FB58358F104A1DFC65A6250E3B49664CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180015CB0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17a73d98c2b5216e6ebfe3da59b71ff0bc58f6e68d4a2580613c8fab7b77e503
Instruction ID: 77361ced58272e7b73a95c704b243c92926a81ca7bf4620d616fd1e275fcbc28
Opcode Fuzzy Hash: 17a73d98c2b5216e6ebfe3da59b71ff0bc58f6e68d4a2580613c8fab7b77e503
Instruction Fuzzy Hash: A841D2B190434E8FCB48DF68C4865DE7FF0FB58388F204219E859A6250D3B896A5CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F36A77C Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: _getptd
String ID:
API String ID: 3186804695-0
Opcode ID: 07c06ba19e2310f742034fc51624b2b683580184b74621a532736302abba6d70
Instruction ID: 79f046b254ce9aa97cc877e0421d16c856ab1e9a7c4d568e32f26c88f9ced1fe
Opcode Fuzzy Hash: 07c06ba19e2310f742034fc51624b2b683580184b74621a532736302abba6d70
Instruction Fuzzy Hash: 8131B022B2868181FB549F2AD8997AA67A1EB84BD0F084136EA4D1F7D5DE3CD841C708

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000C4B4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3646060d8cb761d7de136982460322f3472e8f5a21e87ad1ead63779f29ae52
Instruction ID: 4f2f4704f2b9e1c234c275d0f4f9a14eb4d491f2b4b6dbd4d57755e8fe2c6edd
Opcode Fuzzy Hash: d3646060d8cb761d7de136982460322f3472e8f5a21e87ad1ead63779f29ae52
Instruction Fuzzy Hash: 6341C4B090438ECFCF48CF68C8895CE7BB0FF58358F114A19E825A6250D3B49665CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800157D8 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d53fd4730f7ea41163b882b7fe0da69ca66e61df5fc81e281dc4420083e2c61
Instruction ID: 4854a602bbf38c78d9fab67e5db6ce586c5dff59e36b89151347ba9907d49bba
Opcode Fuzzy Hash: 1d53fd4730f7ea41163b882b7fe0da69ca66e61df5fc81e281dc4420083e2c61
Instruction Fuzzy Hash: D13189B0529781ABD78CDF28C49981EBBE1FBC8344FC46A2DF9868B350D7749405CB46

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001F944 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 213fcaffb4d8b257d73b1e87ee3d57575e303918952cee2d1b890f97e83a5388
Instruction ID: a8885bbbd8deb659e28c33910928e4ea9ad8e802d57f0785ac04cb05f9903a21
Opcode Fuzzy Hash: 213fcaffb4d8b257d73b1e87ee3d57575e303918952cee2d1b890f97e83a5388
Instruction Fuzzy Hash: 802160B0528784AFC398DF28D49981ABBF1FB89344F806A1DF98687350E374D459CB43

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800124B4 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 789a1fcad167e99ddc40482d8caf18e48711ae2075d057cfa5242344ff1b2506
Instruction ID: 3e7ffcddda8d873ed620f17f9684606eb13d1dd5f0b21141b7977a2e64531d07
Opcode Fuzzy Hash: 789a1fcad167e99ddc40482d8caf18e48711ae2075d057cfa5242344ff1b2506
Instruction Fuzzy Hash: AF217F74529780AFC788DF29C08981EBBE1FB99748F806A1DF88697354D375D445CF42

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800141C0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.389095642.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 825ba780bde58c245e7a1d3728ec0527652b1ee71a04877d42e2af350f08e315
Instruction ID: 85e8bde3e512593198615bb83ad7c533a741442781c438c8658c5734f088230b
Opcode Fuzzy Hash: 825ba780bde58c245e7a1d3728ec0527652b1ee71a04877d42e2af350f08e315
Instruction Fuzzy Hash: AA2148B4508384CBD349DF29D05951BBBE0BB8D75CF900B1DF4CAAB264D7789644CB0A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F36DF20 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7cc4962d52e3e4a2947f3a3b752558ec936755315000d7411880e05df0ff2ae
Instruction ID: c647fbff3cc5973c07ad890c3f1d83f6c27cde7ac71041407e02954cf335bb72
Opcode Fuzzy Hash: d7cc4962d52e3e4a2947f3a3b752558ec936755315000d7411880e05df0ff2ae
Instruction Fuzzy Hash: 9AB09229B1CB5886876987076844A19AAD2B7ACBE4B0440349D0DA7BA4D93CEA408B90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F3698A4 Relevance: 53.8, APIs: 43, Instructions: 94COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 00007FFF2F3698B9

Part of subcall function 00007FFF2F363024: HeapFree.KERNEL32(?,?,00000000,00007FFF2F362DDC,?,?,?,00007FFF2F362DFF,?,?,?,00007FFF2F36254F,?,?,?,00007FFF2F36262A), ref: 00007FFF2F36303A
Part of subcall function 00007FFF2F363024: _errno.LIBCMT ref: 00007FFF2F363044
Part of subcall function 00007FFF2F363024: GetLastError.KERNEL32(?,?,00000000,00007FFF2F362DDC,?,?,?,00007FFF2F362DFF,?,?,?,00007FFF2F36254F,?,?,?,00007FFF2F36262A), ref: 00007FFF2F36304C

free.LIBCMT ref: 00007FFF2F3698C2
free.LIBCMT ref: 00007FFF2F3698CB
free.LIBCMT ref: 00007FFF2F3698D4
free.LIBCMT ref: 00007FFF2F3698DD
free.LIBCMT ref: 00007FFF2F3698E6
free.LIBCMT ref: 00007FFF2F3698EE
free.LIBCMT ref: 00007FFF2F3698F7
free.LIBCMT ref: 00007FFF2F369900
free.LIBCMT ref: 00007FFF2F369909
free.LIBCMT ref: 00007FFF2F369912
free.LIBCMT ref: 00007FFF2F36991B
free.LIBCMT ref: 00007FFF2F369924
free.LIBCMT ref: 00007FFF2F36992D
free.LIBCMT ref: 00007FFF2F369936
free.LIBCMT ref: 00007FFF2F36993F
free.LIBCMT ref: 00007FFF2F36994B
free.LIBCMT ref: 00007FFF2F369957
free.LIBCMT ref: 00007FFF2F369963
free.LIBCMT ref: 00007FFF2F36996F
free.LIBCMT ref: 00007FFF2F36997B
free.LIBCMT ref: 00007FFF2F369987
free.LIBCMT ref: 00007FFF2F369993
free.LIBCMT ref: 00007FFF2F36999F
free.LIBCMT ref: 00007FFF2F3699AB
free.LIBCMT ref: 00007FFF2F3699B7
free.LIBCMT ref: 00007FFF2F3699C3
free.LIBCMT ref: 00007FFF2F3699CF
free.LIBCMT ref: 00007FFF2F3699DB
free.LIBCMT ref: 00007FFF2F3699E7
free.LIBCMT ref: 00007FFF2F3699F3
free.LIBCMT ref: 00007FFF2F3699FF
free.LIBCMT ref: 00007FFF2F369A0B
free.LIBCMT ref: 00007FFF2F369A17
free.LIBCMT ref: 00007FFF2F369A23
free.LIBCMT ref: 00007FFF2F369A2F
free.LIBCMT ref: 00007FFF2F369A3B
free.LIBCMT ref: 00007FFF2F369A47
free.LIBCMT ref: 00007FFF2F369A53
free.LIBCMT ref: 00007FFF2F369A5F
free.LIBCMT ref: 00007FFF2F369A6B
free.LIBCMT ref: 00007FFF2F369A77
free.LIBCMT ref: 00007FFF2F369A83

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID:
API String ID: 1012874770-0
Opcode ID: b5d5b29a13da0feaba005b5cdbb38ef60d3e58c86b165e4530729409fd253580
Instruction ID: 8df4ed39c9354391cc5c07954796083b21512f19687ec3980bc66bfc05fc4d44
Opcode Fuzzy Hash: b5d5b29a13da0feaba005b5cdbb38ef60d3e58c86b165e4530729409fd253580
Instruction Fuzzy Hash: 7C418432B29481D1FA64EB21DC912BC53E0AF84B54F046132DB5E6E2E6CE15DC49C358

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F36D0B8 Relevance: 36.9, APIs: 15, Strings: 6, Instructions: 130libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFF2F3670D4,?,?,?,?,?,00007FFF2F367194), ref: 00007FFF2F36D0F5
GetProcAddress.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFF2F3670D4,?,?,?,?,?,00007FFF2F367194), ref: 00007FFF2F36D111
GetProcAddress.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFF2F3670D4,?,?,?,?,?,00007FFF2F367194), ref: 00007FFF2F36D139
EncodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFF2F3670D4,?,?,?,?,?,00007FFF2F367194), ref: 00007FFF2F36D142
GetProcAddress.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFF2F3670D4,?,?,?,?,?,00007FFF2F367194), ref: 00007FFF2F36D158
EncodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFF2F3670D4,?,?,?,?,?,00007FFF2F367194), ref: 00007FFF2F36D161
GetProcAddress.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFF2F3670D4,?,?,?,?,?,00007FFF2F367194), ref: 00007FFF2F36D177
EncodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFF2F3670D4,?,?,?,?,?,00007FFF2F367194), ref: 00007FFF2F36D180
GetProcAddress.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFF2F3670D4,?,?,?,?,?,00007FFF2F367194), ref: 00007FFF2F36D19E
EncodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFF2F3670D4,?,?,?,?,?,00007FFF2F367194), ref: 00007FFF2F36D1A7
DecodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFF2F3670D4,?,?,?,?,?,00007FFF2F367194), ref: 00007FFF2F36D1D9
DecodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFF2F3670D4,?,?,?,?,?,00007FFF2F367194), ref: 00007FFF2F36D1E8
DecodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFF2F3670D4,?,?,?,?,?,00007FFF2F367194), ref: 00007FFF2F36D240
DecodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFF2F3670D4,?,?,?,?,?,00007FFF2F367194), ref: 00007FFF2F36D260
DecodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FFF2F3670D4,?,?,?,?,?,00007FFF2F367194), ref: 00007FFF2F36D279

Strings

GetProcessWindowStation, xrefs: 00007FFF2F36D194
USER32.DLL, xrefs: 00007FFF2F36D0EE
GetUserObjectInformationA, xrefs: 00007FFF2F36D166
GetLastActivePopup, xrefs: 00007FFF2F36D147
GetActiveWindow, xrefs: 00007FFF2F36D128
MessageBoxA, xrefs: 00007FFF2F36D107

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: Pointer$AddressDecodeProc$Encode$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
API String ID: 3085332118-232180764
Opcode ID: 3571919baaed57aa13675d85a49604ff28a57139c9f79241176628fa60ae3818
Instruction ID: 5f2090515252028ead5e808d4e5d837a88da7ac42544c7bbffdab0807fa9f602
Opcode Fuzzy Hash: 3571919baaed57aa13675d85a49604ff28a57139c9f79241176628fa60ae3818
Instruction Fuzzy Hash: 5051E320F2AB4680FD64AB52ACC417463E06F49BA4F450139DC4E6E7E1EE3CEC568215

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F37028C Relevance: 21.3, APIs: 14, Instructions: 348COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FFF2F3707CE), ref: 00007FFF2F3702F9
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FFF2F3707CE), ref: 00007FFF2F37030D
GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FFF2F3707CE), ref: 00007FFF2F370410

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: CompareErrorInfoLastString
String ID:
API String ID: 3723911898-0
Opcode ID: 1736e87f58a818c08770fb04f896c77e61df6c5aeab6e96dba7049e62cf85715
Instruction ID: 5d338bbb3e44714c5aec869cb91f97c18c408dffd15de0908f7cb42dce8fea60
Opcode Fuzzy Hash: 1736e87f58a818c08770fb04f896c77e61df6c5aeab6e96dba7049e62cf85715
Instruction Fuzzy Hash: 3CE16DA2B282828AEB709F1198846BD26D2FB44BB4F544535DA5D6FBC4CF3CED44C702

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F3676A0 Relevance: 19.7, APIs: 13, Instructions: 182COMMON

Download Yara Rule

APIs

_lock.LIBCMT ref: 00007FFF2F3677F1
SetConsoleCtrlHandler.KERNEL32 ref: 00007FFF2F367816
__doserrno.LIBCMT ref: 00007FFF2F367829
GetLastError.KERNEL32 ref: 00007FFF2F367831
DecodePointer.KERNEL32 ref: 00007FFF2F36786F
EncodePointer.KERNEL32 ref: 00007FFF2F367884
DecodePointer.KERNEL32 ref: 00007FFF2F367899
EncodePointer.KERNEL32 ref: 00007FFF2F3678AA
DecodePointer.KERNEL32 ref: 00007FFF2F3678BF
EncodePointer.KERNEL32 ref: 00007FFF2F3678D0
DecodePointer.KERNEL32 ref: 00007FFF2F3678E5
EncodePointer.KERNEL32 ref: 00007FFF2F3678F6
_errno.LIBCMT ref: 00007FFF2F36792C

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: Pointer$DecodeEncode$ConsoleCtrlErrorHandlerLast__doserrno_errno_lock
String ID:
API String ID: 3466867069-0
Opcode ID: 789b8b4bb0ab73352cc37038b561749136146399fcf5725f1f3e9913cb8e60dd
Instruction ID: ff32ff86d392f1a87677ddac4ef7a8e1827be273dfedf31fe3c766296a488300
Opcode Fuzzy Hash: 789b8b4bb0ab73352cc37038b561749136146399fcf5725f1f3e9913cb8e60dd
Instruction Fuzzy Hash: AA716A21F3D64B80FE699B189CD627D22D1AF417B0F98053AC95E3E6E1DE2CEC41C649

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F362E18 Relevance: 18.1, APIs: 12, Instructions: 82COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 00007FFF2F362E37

Part of subcall function 00007FFF2F363024: HeapFree.KERNEL32(?,?,00000000,00007FFF2F362DDC,?,?,?,00007FFF2F362DFF,?,?,?,00007FFF2F36254F,?,?,?,00007FFF2F36262A), ref: 00007FFF2F36303A
Part of subcall function 00007FFF2F363024: _errno.LIBCMT ref: 00007FFF2F363044
Part of subcall function 00007FFF2F363024: GetLastError.KERNEL32(?,?,00000000,00007FFF2F362DDC,?,?,?,00007FFF2F362DFF,?,?,?,00007FFF2F36254F,?,?,?,00007FFF2F36262A), ref: 00007FFF2F36304C

free.LIBCMT ref: 00007FFF2F362E45
free.LIBCMT ref: 00007FFF2F362E53
free.LIBCMT ref: 00007FFF2F362E61
free.LIBCMT ref: 00007FFF2F362E6F
free.LIBCMT ref: 00007FFF2F362E7D
free.LIBCMT ref: 00007FFF2F362E8E
free.LIBCMT ref: 00007FFF2F362EA6
_lock.LIBCMT ref: 00007FFF2F362EB0
free.LIBCMT ref: 00007FFF2F362EDE
_lock.LIBCMT ref: 00007FFF2F362EF3
free.LIBCMT ref: 00007FFF2F362F3D

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: free$_lock$ErrorFreeHeapLast_errno
String ID:
API String ID: 1575098132-0
Opcode ID: d886c0d7000bdee151ce2691e9d9b5ad3208a0c45e3f1c810682f6e78acd55a8
Instruction ID: 0cdc9909b46861587e41670d5e0a08ae8b08e6e61cc99b5b50b2b836a00fd7c9
Opcode Fuzzy Hash: d886c0d7000bdee151ce2691e9d9b5ad3208a0c45e3f1c810682f6e78acd55a8
Instruction Fuzzy Hash: 97310A21B3E54285FE68EA6198E177853D1BF80BA4F05113AEA5E2F7C6CF1CEC448359

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F36A250 Relevance: 15.3, APIs: 10, Instructions: 253COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32 ref: 00007FFF2F36A377

Part of subcall function 00007FFF2F367D10: GetLastError.KERNEL32 ref: 00007FFF2F367D79
Part of subcall function 00007FFF2F367D10: free.LIBCMT ref: 00007FFF2F367E05

free.LIBCMT ref: 00007FFF2F36A540
free.LIBCMT ref: 00007FFF2F36A550
free.LIBCMT ref: 00007FFF2F36A560
free.LIBCMT ref: 00007FFF2F36A56C
free.LIBCMT ref: 00007FFF2F36A5C1
free.LIBCMT ref: 00007FFF2F36A5C9
free.LIBCMT ref: 00007FFF2F36A5D1
free.LIBCMT ref: 00007FFF2F36A5D9
free.LIBCMT ref: 00007FFF2F36A5E3

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: free$ErrorInfoLast
String ID:
API String ID: 189849726-0
Opcode ID: 5e1deda3965494b22b6a4b1c1a8d863e304f3e95d2d689d04d0c4e6b189d07b4
Instruction ID: 633cbdbaa99ef73230ee22a37d3fbe064ac1a599656ce0e732a3dc0f3b91f347
Opcode Fuzzy Hash: 5e1deda3965494b22b6a4b1c1a8d863e304f3e95d2d689d04d0c4e6b189d07b4
Instruction Fuzzy Hash: 91B1C032B2869186EB20CF2598942AD77E0FB48764F544135EB9D9B7D1DF3DE881CB08

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F364F04 Relevance: 13.8, APIs: 11, Instructions: 90COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 00007FFF2F364F50

Part of subcall function 00007FFF2F363024: HeapFree.KERNEL32(?,?,00000000,00007FFF2F362DDC,?,?,?,00007FFF2F362DFF,?,?,?,00007FFF2F36254F,?,?,?,00007FFF2F36262A), ref: 00007FFF2F36303A
Part of subcall function 00007FFF2F363024: _errno.LIBCMT ref: 00007FFF2F363044
Part of subcall function 00007FFF2F363024: GetLastError.KERNEL32(?,?,00000000,00007FFF2F362DDC,?,?,?,00007FFF2F362DFF,?,?,?,00007FFF2F36254F,?,?,?,00007FFF2F36262A), ref: 00007FFF2F36304C

Part of subcall function 00007FFF2F369DF8: free.LIBCMT ref: 00007FFF2F369E16
Part of subcall function 00007FFF2F369DF8: free.LIBCMT ref: 00007FFF2F369E28
Part of subcall function 00007FFF2F369DF8: free.LIBCMT ref: 00007FFF2F369E3A
Part of subcall function 00007FFF2F369DF8: free.LIBCMT ref: 00007FFF2F369E4C
Part of subcall function 00007FFF2F369DF8: free.LIBCMT ref: 00007FFF2F369E5E
Part of subcall function 00007FFF2F369DF8: free.LIBCMT ref: 00007FFF2F369E70
Part of subcall function 00007FFF2F369DF8: free.LIBCMT ref: 00007FFF2F369E82

free.LIBCMT ref: 00007FFF2F364F72
free.LIBCMT ref: 00007FFF2F364F8A
free.LIBCMT ref: 00007FFF2F364F96
free.LIBCMT ref: 00007FFF2F364FBA
free.LIBCMT ref: 00007FFF2F364FCE
free.LIBCMT ref: 00007FFF2F364FDD
free.LIBCMT ref: 00007FFF2F364FE9
free.LIBCMT ref: 00007FFF2F365016
free.LIBCMT ref: 00007FFF2F36503E
free.LIBCMT ref: 00007FFF2F365058

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID:
API String ID: 1012874770-0
Opcode ID: 3c3af7d426be30cf8e9a0f4f5ff6786eb9999c553a10af8131577c7025441718
Instruction ID: 55e3197b969d73396424d94175f0d43633dcf2a706ed0e37a711449aa406b395
Opcode Fuzzy Hash: 3c3af7d426be30cf8e9a0f4f5ff6786eb9999c553a10af8131577c7025441718
Instruction Fuzzy Hash: 6A41E932F2958294FE659E21C9903B823E0AF84B64F081431DA1E6E7D5CE2DEC95C319

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F370A34 Relevance: 13.8, APIs: 9, Instructions: 256COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FFF2F370A5C

Part of subcall function 00007FFF2F3666D8: DecodePointer.KERNEL32 ref: 00007FFF2F3666FF

__wtomb_environ.LIBCMT ref: 00007FFF2F370B55
_errno.LIBCMT ref: 00007FFF2F370B5F
free.LIBCMT ref: 00007FFF2F370C51
SetEnvironmentVariableA.KERNEL32 ref: 00007FFF2F370D9C
_errno.LIBCMT ref: 00007FFF2F370DAA
free.LIBCMT ref: 00007FFF2F370DB8
free.LIBCMT ref: 00007FFF2F370DC5
free.LIBCMT ref: 00007FFF2F370DD7

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: free$_errno$DecodeEnvironmentPointerVariable__wtomb_environ
String ID:
API String ID: 3451773520-0
Opcode ID: e694225545c17882180803efd4dd10bf6022db2104e00cc5aed2eaf73a595679
Instruction ID: 7c6966dcce55d59620a774223c7fe07bc94a24aea24bfe9f6bcd53877d656946
Opcode Fuzzy Hash: e694225545c17882180803efd4dd10bf6022db2104e00cc5aed2eaf73a595679
Instruction Fuzzy Hash: 38A1C165F2D64281FA20AB20AD9027A62D1BF40FB8F148635D91E6F7C5DF3CEC958306

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F36E23C Relevance: 13.7, APIs: 9, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFF2F36E292
GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFF2F36E2B1
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFF2F36E356
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFF2F36E3B5
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFF2F36E3F0
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFF2F36E42C
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFF2F36E46C
free.LIBCMT ref: 00007FFF2F36E47A
free.LIBCMT ref: 00007FFF2F36E49C

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: ByteCharMultiWide$Infofree
String ID:
API String ID: 1638741495-0
Opcode ID: ce8117ab18d8874cf8440c92ec5f3b21420e9de26f709fb2524c2ddf018fd4d7
Instruction ID: 4563068e2733b2eee98e221a7f70dcc87b2f369fdc653b537df74b4010c5cb2c
Opcode Fuzzy Hash: ce8117ab18d8874cf8440c92ec5f3b21420e9de26f709fb2524c2ddf018fd4d7
Instruction Fuzzy Hash: FD61E532B2868286F7209B259C801B967D5FF847B8F644A35DA1D6BBD4DF3CDC858608

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F36352C Relevance: 13.6, APIs: 9, Instructions: 98COMMON

Download Yara Rule

APIs

_lock.LIBCMT ref: 00007FFF2F363555
DecodePointer.KERNEL32 ref: 00007FFF2F363588
DecodePointer.KERNEL32 ref: 00007FFF2F3635A5
DecodePointer.KERNEL32 ref: 00007FFF2F3635E4
DecodePointer.KERNEL32 ref: 00007FFF2F3635FD
DecodePointer.KERNEL32 ref: 00007FFF2F36360C
_initterm.LIBCMT ref: 00007FFF2F36364B
_initterm.LIBCMT ref: 00007FFF2F36365E
ExitProcess.KERNEL32 ref: 00007FFF2F363697

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: DecodePointer$_initterm$ExitProcess_lock
String ID:
API String ID: 2551688548-0
Opcode ID: 7b592d45c7ca6c6d8cb3fd2d09d1fb2d25a7c433dc9c00e1470d97789b8f3c14
Instruction ID: 479c2e2b2a137f62071b35354fcd63e4347066b53cbfc0ca6c4c9c7e55a66c77
Opcode Fuzzy Hash: 7b592d45c7ca6c6d8cb3fd2d09d1fb2d25a7c433dc9c00e1470d97789b8f3c14
Instruction Fuzzy Hash: 63417E21B2A64281FA509B05ECC017962E4FF88BE4F540134EA5D6F7E5DF3CEC558B0A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F368F34 Relevance: 12.2, APIs: 8, Instructions: 173COMMONLIBRARYCODE

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(?,?,?,?,00000000,0000000A,00000008,00007FFF2F369206), ref: 00007FFF2F368F94
GetLastError.KERNEL32(?,?,?,?,00000000,0000000A,00000008,00007FFF2F369206), ref: 00007FFF2F368FA6
MultiByteToWideChar.KERNEL32(?,?,?,?,00000000,0000000A,00000008,00007FFF2F369206), ref: 00007FFF2F369006
MultiByteToWideChar.KERNEL32(?,?,?,?,00000000,0000000A,00000008,00007FFF2F369206), ref: 00007FFF2F3690BC
GetStringTypeW.KERNEL32(?,?,?,?,00000000,0000000A,00000008,00007FFF2F369206), ref: 00007FFF2F3690D3
free.LIBCMT ref: 00007FFF2F3690E4
GetStringTypeA.KERNEL32(?,?,?,?,00000000,0000000A,00000008,00007FFF2F369206), ref: 00007FFF2F369161
free.LIBCMT ref: 00007FFF2F369171

Part of subcall function 00007FFF2F36E23C: GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFF2F36E292
Part of subcall function 00007FFF2F36E23C: GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFF2F36E2B1
Part of subcall function 00007FFF2F36E23C: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFF2F36E3B5
Part of subcall function 00007FFF2F36E23C: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FFF2F36E3F0

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: ByteCharMultiWide$StringType$Infofree$ErrorLast
String ID:
API String ID: 3535580693-0
Opcode ID: 851e935c27dd1964d5f09fdb64281df2a61b0302174b786e63cdd007473657bb
Instruction ID: 5dbb79934a96a870d7151ccc26630d6a3b1fe69afb9c82194d32c0f3b8607204
Opcode Fuzzy Hash: 851e935c27dd1964d5f09fdb64281df2a61b0302174b786e63cdd007473657bb
Instruction Fuzzy Hash: 53619E32B2968686FB649F21DDD446967D2FB48BF8B140235EE1D2BBD4CE38EC418744

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F363758 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 199COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32 ref: 00007FFF2F36377D

Part of subcall function 00007FFF2F363108: Sleep.KERNEL32(?,?,0000000A,00007FFF2F362DA3,?,?,?,00007FFF2F362DFF,?,?,?,00007FFF2F36254F,?,?,?,00007FFF2F36262A), ref: 00007FFF2F36314D

GetFileType.KERNEL32 ref: 00007FFF2F3638FA

Strings

@, xrefs: 00007FFF2F3639F5

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: FileInfoSleepStartupType
String ID: @
API String ID: 1527402494-2766056989
Opcode ID: be5b348199184886c2585225aa819b02cc7fe3bfefb3d916d7442fb5369bb0a2
Instruction ID: f6b8cedfe90b87f35fd11bcb23ce78d37c69850877fe771bf58d3b39cf5e3d14
Opcode Fuzzy Hash: be5b348199184886c2585225aa819b02cc7fe3bfefb3d916d7442fb5369bb0a2
Instruction Fuzzy Hash: 9B917A22B2868281E7108B24DC883682AE5FB06774F654735C67D5B3D1DF7DEC86C716

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F3625F8 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 195COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFF2F362534: _getptd.LIBCMT ref: 00007FFF2F36254A

_errno.LIBCMT ref: 00007FFF2F362638
_errno.LIBCMT ref: 00007FFF2F3627F2

Strings

0, xrefs: 00007FFF2F362731
+, xrefs: 00007FFF2F3626D5
-, xrefs: 00007FFF2F3626CA
0, xrefs: 00007FFF2F362703

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: _errno$_getptd
String ID: +$-$0$0
API String ID: 3432092939-699404926
Opcode ID: 8efefd5caa40435472e3a9c676caa775b17fe32abe7b41ee90b269364e345ab9
Instruction ID: 3b5e0ed86ddcc88728864c9573d6eaaf2fc07e8d5eed0797b45ee168c4b2c764
Opcode Fuzzy Hash: 8efefd5caa40435472e3a9c676caa775b17fe32abe7b41ee90b269364e345ab9
Instruction Fuzzy Hash: 7D71D322F2C68285FFB547158C94B7E26D0BB45774F174136CE9E2A6D2DE6CEC408709

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F366AB8 Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

_FF_MSGBANNER.LIBCMT ref: 00007FFF2F366ADF

Part of subcall function 00007FFF2F366F0C: GetModuleFileNameA.KERNEL32(?,?,?,?,?,00007FFF2F367194,?,?,?,?,00007FFF2F366C69,?,?,00000000,00007FFF2F3630C0), ref: 00007FFF2F366FCF

Part of subcall function 00007FFF2F36334C: ExitProcess.KERNEL32 ref: 00007FFF2F36335B

Part of subcall function 00007FFF2F36309C: Sleep.KERNEL32(?,?,00000000,00007FFF2F366B19,?,?,00000000,00007FFF2F366BC3,?,?,?,?,?,?,00000000,00007FFF2F362DC8), ref: 00007FFF2F3630D2

_errno.LIBCMT ref: 00007FFF2F366B21
_lock.LIBCMT ref: 00007FFF2F366B35
free.LIBCMT ref: 00007FFF2F366B57
_errno.LIBCMT ref: 00007FFF2F366B5C
LeaveCriticalSection.KERNEL32(?,?,00000000,00007FFF2F366BC3,?,?,?,?,?,?,00000000,00007FFF2F362DC8,?,?,?,00007FFF2F362DFF), ref: 00007FFF2F366B82

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: _errno$CriticalExitFileLeaveModuleNameProcessSectionSleep_lockfree
String ID:
API String ID: 1354249094-0
Opcode ID: 281a6b99e1ceef077376b7d12b8049e3985eb177f8c0a9ab58ee7c303b441a02
Instruction ID: ea10bb4bdc3728a088243c6eae75ce49366b73ab20b1c259cee7f9c32f9b17d5
Opcode Fuzzy Hash: 281a6b99e1ceef077376b7d12b8049e3985eb177f8c0a9ab58ee7c303b441a02
Instruction Fuzzy Hash: 2E210E21F3964282F664AB119C9437A62D4AF887E4F045035E94E6F7C2CF7CEC458B59

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F362D70 Relevance: 9.0, APIs: 6, Instructions: 37threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FFF2F362DFF,?,?,?,00007FFF2F36254F,?,?,?,00007FFF2F36262A), ref: 00007FFF2F362D7A
FlsGetValue.KERNEL32(?,?,?,00007FFF2F362DFF,?,?,?,00007FFF2F36254F,?,?,?,00007FFF2F36262A), ref: 00007FFF2F362D88
SetLastError.KERNEL32(?,?,?,00007FFF2F362DFF,?,?,?,00007FFF2F36254F,?,?,?,00007FFF2F36262A), ref: 00007FFF2F362DE0

Part of subcall function 00007FFF2F363108: Sleep.KERNEL32(?,?,0000000A,00007FFF2F362DA3,?,?,?,00007FFF2F362DFF,?,?,?,00007FFF2F36254F,?,?,?,00007FFF2F36262A), ref: 00007FFF2F36314D

FlsSetValue.KERNEL32(?,?,?,00007FFF2F362DFF,?,?,?,00007FFF2F36254F,?,?,?,00007FFF2F36262A), ref: 00007FFF2F362DB4
free.LIBCMT ref: 00007FFF2F362DD7

Part of subcall function 00007FFF2F362CBC: _lock.LIBCMT ref: 00007FFF2F362D0C
Part of subcall function 00007FFF2F362CBC: _lock.LIBCMT ref: 00007FFF2F362D2C

GetCurrentThreadId.KERNEL32 ref: 00007FFF2F362DC8

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: ErrorLastValue_lock$CurrentSleepThreadfree
String ID:
API String ID: 3106088686-0
Opcode ID: 1a58bbec3c0441b91cbee7445021737d92780d7df2029101222d8d22fa3fe0c2
Instruction ID: 7f213df8d3fa3eb6030d58eed8516e4d7c0a6c30ea64bdd83ef02f9814e5c2be
Opcode Fuzzy Hash: 1a58bbec3c0441b91cbee7445021737d92780d7df2029101222d8d22fa3fe0c2
Instruction Fuzzy Hash: 4C017520B29B4282FA145B659CD413862E2BF48770F144534D92E2A3D1DE3CFC44CB35

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F369DF8 Relevance: 8.8, APIs: 7, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 00007FFF2F369E16

Part of subcall function 00007FFF2F363024: HeapFree.KERNEL32(?,?,00000000,00007FFF2F362DDC,?,?,?,00007FFF2F362DFF,?,?,?,00007FFF2F36254F,?,?,?,00007FFF2F36262A), ref: 00007FFF2F36303A
Part of subcall function 00007FFF2F363024: _errno.LIBCMT ref: 00007FFF2F363044
Part of subcall function 00007FFF2F363024: GetLastError.KERNEL32(?,?,00000000,00007FFF2F362DDC,?,?,?,00007FFF2F362DFF,?,?,?,00007FFF2F36254F,?,?,?,00007FFF2F36262A), ref: 00007FFF2F36304C

free.LIBCMT ref: 00007FFF2F369E28
free.LIBCMT ref: 00007FFF2F369E3A
free.LIBCMT ref: 00007FFF2F369E4C
free.LIBCMT ref: 00007FFF2F369E5E
free.LIBCMT ref: 00007FFF2F369E70
free.LIBCMT ref: 00007FFF2F369E82

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID:
API String ID: 1012874770-0
Opcode ID: 2467c4f6b5832abe9fd2be6a03a61b6f94b407d58b9f6526efad8e926ce1459f
Instruction ID: 9c11741f8b6609e33f12df90b010acca3d74775f9f3083e8d447240b9d0c24e4
Opcode Fuzzy Hash: 2467c4f6b5832abe9fd2be6a03a61b6f94b407d58b9f6526efad8e926ce1459f
Instruction Fuzzy Hash: 5001A822B2D442A1FE64DB61DDE107453E1AF84720F442031E61E6EBD1CE6DFC808769

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F369E90 Relevance: 7.7, APIs: 6, Instructions: 246COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 00007FFF2F369F10
free.LIBCMT ref: 00007FFF2F369F37
free.LIBCMT ref: 00007FFF2F36A208
free.LIBCMT ref: 00007FFF2F36A214

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 66c2a68ae6921ce3eae9ed6cb47659e8359417b2a45b1d2ea151f135524af05a
Instruction ID: 56b41ecfd85b373f72aeb592d51f7030303d70f2f19fc0485562292f35d82a1e
Opcode Fuzzy Hash: 66c2a68ae6921ce3eae9ed6cb47659e8359417b2a45b1d2ea151f135524af05a
Instruction Fuzzy Hash: FAB19032B29B4685FB20DF22E8805AA77E0FB857A4F400531EA8E5B785DF3CD915C744

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F3660B0 Relevance: 7.6, APIs: 5, Instructions: 88COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FFF2F3660F3
free.LIBCMT ref: 00007FFF2F366133
free.LIBCMT ref: 00007FFF2F366153
free.LIBCMT ref: 00007FFF2F3661B0
free.LIBCMT ref: 00007FFF2F3661C8

Part of subcall function 00007FFF2F363108: Sleep.KERNEL32(?,?,0000000A,00007FFF2F362DA3,?,?,?,00007FFF2F362DFF,?,?,?,00007FFF2F36254F,?,?,?,00007FFF2F36262A), ref: 00007FFF2F36314D

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: free$Sleep_errno
String ID:
API String ID: 2081351063-0
Opcode ID: ec136e1b37b0cf75a1e1cbd0173697211363db55ec0de315659f58b3930cb5b5
Instruction ID: 3ebabaff94d1d55dcd79e4e63df29adcf5f44591bab1bf98d3422cda79eccc95
Opcode Fuzzy Hash: ec136e1b37b0cf75a1e1cbd0173697211363db55ec0de315659f58b3930cb5b5
Instruction Fuzzy Hash: E431FC61B2964285FB55AB16CDA127D66E1AF84FE4F448035DE0D2F3DADE2CEC018748

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F3672D4 Relevance: 7.6, APIs: 5, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,00007FFF2F3673E5,?,?,?,?,00007FFF2F3634D2,?,?,?,00007FFF2F3621CB), ref: 00007FFF2F3672FD
DecodePointer.KERNEL32(?,?,?,00007FFF2F3673E5,?,?,?,?,00007FFF2F3634D2,?,?,?,00007FFF2F3621CB), ref: 00007FFF2F36730C

Part of subcall function 00007FFF2F36D070: _errno.LIBCMT ref: 00007FFF2F36D079

EncodePointer.KERNEL32(?,?,?,00007FFF2F3673E5,?,?,?,?,00007FFF2F3634D2,?,?,?,00007FFF2F3621CB), ref: 00007FFF2F367389

Part of subcall function 00007FFF2F36318C: realloc.LIBCMT ref: 00007FFF2F3631B7
Part of subcall function 00007FFF2F36318C: Sleep.KERNEL32(?,?,00000000,00007FFF2F367379,?,?,?,00007FFF2F3673E5,?,?,?,?,00007FFF2F3634D2), ref: 00007FFF2F3631D3

EncodePointer.KERNEL32(?,?,?,00007FFF2F3673E5,?,?,?,?,00007FFF2F3634D2,?,?,?,00007FFF2F3621CB), ref: 00007FFF2F367398
EncodePointer.KERNEL32(?,?,?,00007FFF2F3673E5,?,?,?,?,00007FFF2F3634D2,?,?,?,00007FFF2F3621CB), ref: 00007FFF2F3673A4

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: Pointer$Encode$Decode$Sleep_errnorealloc
String ID:
API String ID: 1310268301-0
Opcode ID: 45f99762a2f7ec127277c333d1f44571b1c8f3f0bb701b28e9aac5b400b42b2d
Instruction ID: 26be6324551b07a6cf25b8f64391125bb4c024891fb1db3a7800ef483dedd003
Opcode Fuzzy Hash: 45f99762a2f7ec127277c333d1f44571b1c8f3f0bb701b28e9aac5b400b42b2d
Instruction Fuzzy Hash: D021B011B2964650FE10AF22ECC80B9A2E1BB45BE0FA44835D90D2F7C6DE3CE895C348

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F3671A4 Relevance: 7.6, APIs: 5, Instructions: 65COMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32 ref: 00007FFF2F3671C6
DecodePointer.KERNEL32 ref: 00007FFF2F3671D5

Part of subcall function 00007FFF2F36D070: _errno.LIBCMT ref: 00007FFF2F36D079

EncodePointer.KERNEL32 ref: 00007FFF2F367248

Part of subcall function 00007FFF2F36318C: realloc.LIBCMT ref: 00007FFF2F3631B7
Part of subcall function 00007FFF2F36318C: Sleep.KERNEL32(?,?,00000000,00007FFF2F367379,?,?,?,00007FFF2F3673E5,?,?,?,?,00007FFF2F3634D2), ref: 00007FFF2F3631D3

EncodePointer.KERNEL32 ref: 00007FFF2F367257
EncodePointer.KERNEL32 ref: 00007FFF2F367263

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: Pointer$Encode$Decode$Sleep_errnorealloc
String ID:
API String ID: 1310268301-0
Opcode ID: eece0b224e2bcc70f9921190d9f8722cba86776407b6ce9ac89865c4675fc459
Instruction ID: f4c0e31c97530fac642efbd94477315bc9cbb03463796701808db8fb41846d59
Opcode Fuzzy Hash: eece0b224e2bcc70f9921190d9f8722cba86776407b6ce9ac89865c4675fc459
Instruction Fuzzy Hash: A721B310B2968654FE00EF11ADC41B9A2E1BB457E4F880435E94D2F3D5DE3CE854C308

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F363310 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,000000FF,00007FFF2F363359,?,?,00000028,00007FFF2F366C7D,?,?,00000000,00007FFF2F3630C0,?,?,00000000,00007FFF2F366B19), ref: 00007FFF2F36331F
GetProcAddress.KERNEL32(?,?,000000FF,00007FFF2F363359,?,?,00000028,00007FFF2F366C7D,?,?,00000000,00007FFF2F3630C0,?,?,00000000,00007FFF2F366B19), ref: 00007FFF2F363334

Strings

CorExitProcess, xrefs: 00007FFF2F36332A
mscoree.dll, xrefs: 00007FFF2F363318

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 1646373207-1276376045
Opcode ID: d72bc5d50b22d09011b632762878156ef0257bf259d16f3c3461911ef1dd3856
Instruction ID: fa4cf05a269356897878b916d07e972a8edd02396c1c00cc407bc4a97800cf7b
Opcode Fuzzy Hash: d72bc5d50b22d09011b632762878156ef0257bf259d16f3c3461911ef1dd3856
Instruction Fuzzy Hash: 1AE0EC50F2960241FE195B50ACC413412D0BF58B30F585438C82F2E3E1DE6CEE98C621

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F36575C Relevance: 6.4, APIs: 5, Instructions: 134COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFF2F36309C: Sleep.KERNEL32(?,?,00000000,00007FFF2F366B19,?,?,00000000,00007FFF2F366BC3,?,?,?,?,?,?,00000000,00007FFF2F362DC8), ref: 00007FFF2F3630D2

Part of subcall function 00007FFF2F36BDF4: _errno.LIBCMT ref: 00007FFF2F36BE0F

free.LIBCMT ref: 00007FFF2F3658A5
free.LIBCMT ref: 00007FFF2F3658C1

Part of subcall function 00007FFF2F366550: RtlCaptureContext.KERNEL32 ref: 00007FFF2F36658F
Part of subcall function 00007FFF2F366550: IsDebuggerPresent.KERNEL32 ref: 00007FFF2F36662D
Part of subcall function 00007FFF2F366550: SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFF2F366637
Part of subcall function 00007FFF2F366550: UnhandledExceptionFilter.KERNEL32 ref: 00007FFF2F366642
Part of subcall function 00007FFF2F366550: GetCurrentProcess.KERNEL32 ref: 00007FFF2F366658
Part of subcall function 00007FFF2F366550: TerminateProcess.KERNEL32 ref: 00007FFF2F366666

free.LIBCMT ref: 00007FFF2F3658D6

Part of subcall function 00007FFF2F363024: HeapFree.KERNEL32(?,?,00000000,00007FFF2F362DDC,?,?,?,00007FFF2F362DFF,?,?,?,00007FFF2F36254F,?,?,?,00007FFF2F36262A), ref: 00007FFF2F36303A
Part of subcall function 00007FFF2F363024: _errno.LIBCMT ref: 00007FFF2F363044
Part of subcall function 00007FFF2F363024: GetLastError.KERNEL32(?,?,00000000,00007FFF2F362DDC,?,?,?,00007FFF2F362DFF,?,?,?,00007FFF2F36254F,?,?,?,00007FFF2F36262A), ref: 00007FFF2F36304C

free.LIBCMT ref: 00007FFF2F3658F5
free.LIBCMT ref: 00007FFF2F365911

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: free$ExceptionFilterProcessUnhandled_errno$CaptureContextCurrentDebuggerErrorFreeHeapLastPresentSleepTerminate
String ID:
API String ID: 2294642566-0
Opcode ID: dc7ff44f8b32ef672d501b76c056c74ad4bf38a7a2c0d5bc14e1adea1997e9e3
Instruction ID: fcc0d7587e404c49fce3ef1d24e0ebc33f5b77b49f41ff00c72932803ad75f87
Opcode Fuzzy Hash: dc7ff44f8b32ef672d501b76c056c74ad4bf38a7a2c0d5bc14e1adea1997e9e3
Instruction Fuzzy Hash: 9F517C36B18A8182EB609F2AEC9016A63E5FB84BB8F484035DE4D5B794DE3CDD46C744

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F365B84 Relevance: 6.2, APIs: 4, Instructions: 186COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FFF2F365BB6

Part of subcall function 00007FFF2F365944: _getptd.LIBCMT ref: 00007FFF2F36597E

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: _getptd
String ID:
API String ID: 3186804695-0
Opcode ID: fa6ae430652ad88a2b7c0fc47314cf8fd6a4311639ac00b8795087540084e4bb
Instruction ID: 2632f02f33111724575067428354fff50db89360f44d9a9c6bb9cd6e124924ef
Opcode Fuzzy Hash: fa6ae430652ad88a2b7c0fc47314cf8fd6a4311639ac00b8795087540084e4bb
Instruction Fuzzy Hash: F1819F73B2968296EB64CF25E9846AA73E0FB48794F504135DB8D4B794DF3CE850CB04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F3661F0 Relevance: 6.1, APIs: 4, Instructions: 122COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FFF2F366217

Part of subcall function 00007FFF2F3666D8: DecodePointer.KERNEL32 ref: 00007FFF2F3666FF

_getptd.LIBCMT ref: 00007FFF2F36623D
_lock.LIBCMT ref: 00007FFF2F366276
_lock.LIBCMT ref: 00007FFF2F366309

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: _lock$DecodePointer_errno_getptd
String ID:
API String ID: 4201827665-0
Opcode ID: 80346bd32cbc0638794b0fd1901a532c5b35ee42fd123eebcbfe5a7804c514a3
Instruction ID: ff797696b0848fcee2d2cabadc5b2624adf7b6a253743ed8679058057a2176b9
Opcode Fuzzy Hash: 80346bd32cbc0638794b0fd1901a532c5b35ee42fd123eebcbfe5a7804c514a3
Instruction Fuzzy Hash: 17515821B2968282FB549B25EDA07BA26D1FF447E4F104039DA4D6F7D6DE7CEC408B09

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F36F9E8 Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FFF2F36FA07

Part of subcall function 00007FFF2F3666D8: DecodePointer.KERNEL32 ref: 00007FFF2F3666FF

calloc.LIBCMT ref: 00007FFF2F36FA65
_errno.LIBCMT ref: 00007FFF2F36FA72
_errno.LIBCMT ref: 00007FFF2F36FA7D

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: _errno$DecodePointercalloc
String ID:
API String ID: 1531210114-0
Opcode ID: 135c3f51b5ce2e738d355fd0c7e716948f0291e158272fe6257324d9ebc5dc22
Instruction ID: fb97d7eae6c65e6ab8b3a4819d0641b5822528bf6d0cc6718a5c3df2448f2542
Opcode Fuzzy Hash: 135c3f51b5ce2e738d355fd0c7e716948f0291e158272fe6257324d9ebc5dc22
Instruction Fuzzy Hash: E9217162B2874245FB149B65E89177A62E0AF54BE4F488534DF4CAF7C6EF3CDC108A48

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F36539C Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

_lock.LIBCMT ref: 00007FFF2F3653B2
free.LIBCMT ref: 00007FFF2F3653D7

Part of subcall function 00007FFF2F363024: HeapFree.KERNEL32(?,?,00000000,00007FFF2F362DDC,?,?,?,00007FFF2F362DFF,?,?,?,00007FFF2F36254F,?,?,?,00007FFF2F36262A), ref: 00007FFF2F36303A
Part of subcall function 00007FFF2F363024: _errno.LIBCMT ref: 00007FFF2F363044
Part of subcall function 00007FFF2F363024: GetLastError.KERNEL32(?,?,00000000,00007FFF2F362DDC,?,?,?,00007FFF2F362DFF,?,?,?,00007FFF2F36254F,?,?,?,00007FFF2F36262A), ref: 00007FFF2F36304C

_lock.LIBCMT ref: 00007FFF2F3653F2
free.LIBCMT ref: 00007FFF2F365438

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: _lockfree$ErrorFreeHeapLast_errno
String ID:
API String ID: 3188102813-0
Opcode ID: 09c59b142491067d37077feec729aeb8b77d96716ac98985a4df9f6db3f8d771
Instruction ID: b07073a1034cc8bd70c73aaf9d591b4cc03eb8d3174f25b63280bafecc0a9741
Opcode Fuzzy Hash: 09c59b142491067d37077feec729aeb8b77d96716ac98985a4df9f6db3f8d771
Instruction Fuzzy Hash: 38118B22B2B50281FFA9ABB1CCE137822D09F80B74F145134D71E2E3C6DE6CAC418769

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F362C94 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

FlsFree.KERNEL32(?,?,?,?,00007FFF2F362217), ref: 00007FFF2F362CA3
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFF2F362217), ref: 00007FFF2F366A32
free.LIBCMT ref: 00007FFF2F366A3B
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFF2F362217), ref: 00007FFF2F366A5B

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: CriticalDeleteSection$Freefree
String ID:
API String ID: 1250194111-0
Opcode ID: 0b4381b0394cf9d2fe44ee79bc2f59f9ea8a8cfc0730820b202f43bccc0e215f
Instruction ID: 48d2535b225110599f9aa0aa5ccceb28bd0b03e676379aa5ffceee281d328253
Opcode Fuzzy Hash: 0b4381b0394cf9d2fe44ee79bc2f59f9ea8a8cfc0730820b202f43bccc0e215f
Instruction Fuzzy Hash: 5A116071F2864286FA188F15EC9013873E0FB44BA0F588530DA6D2E6D5CF3CEC918B15

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F36544C Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FFF2F365456

Part of subcall function 00007FFF2F363108: Sleep.KERNEL32(?,?,0000000A,00007FFF2F362DA3,?,?,?,00007FFF2F362DFF,?,?,?,00007FFF2F36254F,?,?,?,00007FFF2F36262A), ref: 00007FFF2F36314D

_errno.LIBCMT ref: 00007FFF2F365473
_lock.LIBCMT ref: 00007FFF2F3654A6
_lock.LIBCMT ref: 00007FFF2F3654C4

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: _lock$Sleep_errno_getptd
String ID:
API String ID: 2111406555-0
Opcode ID: 673e868a23441bf53d2040884fedd38da7dd7cebd98ae69a44e812092c6a0ba8
Instruction ID: 9419c9c9d8f5823623d90fda272aff82c66e991de00178bf2063e403941f99c0
Opcode Fuzzy Hash: 673e868a23441bf53d2040884fedd38da7dd7cebd98ae69a44e812092c6a0ba8
Instruction Fuzzy Hash: 49017122B2A64286FB446B75DC917AD62D0EF44BA4F448034DB0D2F3C6CE2CEC5487A9

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F36BB50 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 136COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFF2F362534: _getptd.LIBCMT ref: 00007FFF2F36254A

_errno.LIBCMT ref: 00007FFF2F36BCD8
_errno.LIBCMT ref: 00007FFF2F36BD12

Strings

#, xrefs: 00007FFF2F36BC70

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: _errno$_getptd
String ID: #
API String ID: 3432092939-1885708031
Opcode ID: 9b19af0c0418e3e0b258a70cd69edc5393c065aacbb8da76a6c44f52b7c881eb
Instruction ID: 4cf2ced40efca8feaff1f1fc1c7052d5d7ea1b7c54c5a37d963ec84d92467198
Opcode Fuzzy Hash: 9b19af0c0418e3e0b258a70cd69edc5393c065aacbb8da76a6c44f52b7c881eb
Instruction Fuzzy Hash: 1F519122B1CA8585E7208F14E8802BEBBA4F786BA4F584131DA8D2B795CE3DD841CB15

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFF2F369BB0 Relevance: 5.1, APIs: 4, Instructions: 148COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 00007FFF2F369C43
free.LIBCMT ref: 00007FFF2F369CDB
free.LIBCMT ref: 00007FFF2F369D76
free.LIBCMT ref: 00007FFF2F369D82

Memory Dump Source

Source File: 00000002.00000002.389163747.00007FFF2F321000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FFF2F320000, based on PE: true

Associated: 00000002.00000002.389143987.00007FFF2F320000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389248199.00007FFF2F372000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389255068.00007FFF2F376000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.389271182.00007FFF2F379000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7fff2f320000_regsvr32.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: b79b3224c3083f646637f6279f6889a3266e8c7020fbd897531d60d37c45b2be
Instruction ID: 829475bd94f6baf370a7223179a5042ea311a383bf7c0874868c87ba2290f2c7
Opcode Fuzzy Hash: b79b3224c3083f646637f6279f6889a3266e8c7020fbd897531d60d37c45b2be
Instruction Fuzzy Hash: 1C51B332B2968586FB689F12E8901B977E0BB45BA0F544531DB9E5B7C1CE3CEC41C314

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exePID: 6360, Parent PID: 4464COMMON

Execution Graph

Execution Coverage:	10.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	11
Total number of Limit Nodes:	0

Executed Functions

Function 000001C9284A0000 Relevance: 76.3, APIs: 5, Strings: 38, Instructions: 1094
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 000001C9284A0450
GetNativeSystemInfo.KERNELBASE ref: 000001C9284A0539
VirtualAlloc.KERNELBASE ref: 000001C9284A0580
VirtualProtect.KERNELBASE ref: 000001C9284A09E9
RtlAddFunctionTable.KERNEL32 ref: 000001C9284A0A79

Strings

truc, xrefs: 000001C9284A0121
ofRe, xrefs: 000001C9284A0318
urce, xrefs: 000001C9284A0340
RtlA, xrefs: 000001C9284A015C
Free, xrefs: 000001C9284A034D
Slee, xrefs: 000001C9284A00B7
Cach, xrefs: 000001C9284A012F
Load, xrefs: 000001C9284A02F4
Reso, xrefs: 000001C9284A0355
onTa, xrefs: 000001C9284A0171
Size, xrefs: 000001C9284A0311
ativ, xrefs: 000001C9284A013D
urce, xrefs: 000001C9284A035D
tion, xrefs: 000001C9284A0128
Virt, xrefs: 000001C9284A00E0
lloc, xrefs: 000001C9284A00F0
ualA, xrefs: 000001C9284A00E8
ualP, xrefs: 000001C9284A00FF
aryA, xrefs: 000001C9284A00D8
eSys, xrefs: 000001C9284A0144
urce, xrefs: 000001C9284A02E7
Reso, xrefs: 000001C9284A02FC
ncti, xrefs: 000001C9284A016A
Reso, xrefs: 000001C9284A0338
Libr, xrefs: 000001C9284A00D0
Flus, xrefs: 000001C9284A0113
Virt, xrefs: 000001C9284A00F8
temI, xrefs: 000001C9284A014B
urce, xrefs: 000001C9284A0304
ddFu, xrefs: 000001C9284A0163
rote, xrefs: 000001C9284A0106
Lock, xrefs: 000001C9284A0330
Find, xrefs: 000001C9284A02D0
Load, xrefs: 000001C9284A00C8
GetN, xrefs: 000001C9284A0136
sour, xrefs: 000001C9284A031F
Reso, xrefs: 000001C9284A02DB
hIns, xrefs: 000001C9284A011A

Memory Dump Source

Source File: 00000003.00000002.385460702.000001C9284A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C9284A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1c9284a0000_rundll32.jbxd

Similarity

API ID: Virtual$Alloc$FunctionInfoNativeProtectSystemTable
String ID: Cach$Find$Flus$Free$GetN$Libr$Load$Load$Lock$Reso$Reso$Reso$Reso$RtlA$Size$Slee$Virt$Virt$aryA$ativ$ddFu$eSys$hIns$lloc$ncti$ofRe$onTa$rote$sour$temI$tion$truc$ualA$ualP$urce$urce$urce$urce
API String ID: 394283112-2517549848
Opcode ID: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
Instruction ID: 33e3c1540505d742b8eb61a539de4434311f6bb74459e4116e5a9ade284d1038
Opcode Fuzzy Hash: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
Instruction Fuzzy Hash: AE72E431518B48DBEB69DF18C899BE9B7E0FB98304F10462DE8CADB251DB34E541CB85

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002C058 Relevance: 10.4, Strings: 8, Instructions: 370
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(I, xrefs: 000000018002C62C
Z, xrefs: 000000018002C36B
l, xrefs: 000000018002C1F5
Ekf, xrefs: 000000018002C0CA
#C, xrefs: 000000018002C55D
l, xrefs: 000000018002C347
-:, xrefs: 000000018002C100
<W, xrefs: 000000018002C1D0

Memory Dump Source

Source File: 00000003.00000002.385208738.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: #C$(I$-:$Ekf$<W$Z$l$l
API String ID: 0-464535774
Opcode ID: d8792019bb8cd892c5e2cff0ba87425d7977148afb5a5f987cda1e45d5ff9126
Instruction ID: edc4d0e98499d5b5adff65828f8d1fd2ac7ce79502a6533da94e18623254a36a
Opcode Fuzzy Hash: d8792019bb8cd892c5e2cff0ba87425d7977148afb5a5f987cda1e45d5ff9126
Instruction Fuzzy Hash: C102E3B151038CDBCB99DF28C8CAADD3BA1FB48398F956219FD0697260D774D884CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180010FF4 Relevance: 7.9, Strings: 6, Instructions: 363
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\, xrefs: 0000000180011205
lA, xrefs: 0000000180011819
/Zb, xrefs: 000000018001119F
OV4T, xrefs: 0000000180011307
/v|, xrefs: 00000001800113E2
)|x, xrefs: 000000018001168C

Memory Dump Source

Source File: 00000003.00000002.385208738.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: )|x$/Zb$/v|$OV4T$\$lA
API String ID: 0-3528011396
Opcode ID: 74ea3d61a93069fa3a56a5f8f60d4b0c7eeb5b014d6ac06c6862fd203c8e6463
Instruction ID: 5dbdb21e6b24644f90705741d0e2e2cc24c858ca1caac6c8284349b4f9dc1789
Opcode Fuzzy Hash: 74ea3d61a93069fa3a56a5f8f60d4b0c7eeb5b014d6ac06c6862fd203c8e6463
Instruction Fuzzy Hash: 8C2204705097C8CBDBBECF64C885BDA7BA8FB44B08F10521DEA4A9E258DB745744CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180021618 Relevance: 7.8, Strings: 6, Instructions: 266
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

.pN, xrefs: 0000000180021AE0
, xrefs: 00000001800219DA
)O, xrefs: 000000018002164B
&.+, xrefs: 000000018002180B
F>9, xrefs: 0000000180021937
t(/, xrefs: 0000000180021ABB

Memory Dump Source

Source File: 00000003.00000002.385208738.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $&.+$)O$.pN$F>9$t(/
API String ID: 0-3036092626
Opcode ID: 549a8b626face2190b4149bba4d09d4cb88f6d29378e8937dde350adb7fd5a83
Instruction ID: e4baced68933c0a0796cf32b330105f1a6d3ed4de4784e8c7f389f9334031704
Opcode Fuzzy Hash: 549a8b626face2190b4149bba4d09d4cb88f6d29378e8937dde350adb7fd5a83
Instruction Fuzzy Hash: E6E109716093C89FEBBACF24C8897DE7BA1FB59344F50421DD88A8E250DB745B49CB42

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000C608 Relevance: 5.6, Strings: 4, Instructions: 616
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

w\H, xrefs: 000000018000C959
K', xrefs: 000000018000CAC7
+#;), xrefs: 000000018000CBDA
sf, xrefs: 000000018000CE95

Memory Dump Source

Source File: 00000003.00000002.385208738.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: +#;)$K'$sf$w\H
API String ID: 0-1051058546
Opcode ID: 6c53062de77b202a7a918e5f4038520a98252693d28bf41343123917f80ba32c
Instruction ID: 30c6111824d62709d88844cae5ccd518ea343406d57bec7882368cdc1c6a6611
Opcode Fuzzy Hash: 6c53062de77b202a7a918e5f4038520a98252693d28bf41343123917f80ba32c
Instruction Fuzzy Hash: 8362F97050068D8FDB48DF28C89A6DD3FA1FB58388F524229FC4AA7251D778D999CBC4

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001E3AC Relevance: 4.0, Strings: 3, Instructions: 215
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

<4P, xrefs: 000000018001E690
<8, xrefs: 000000018001E63C
<w., xrefs: 000000018001E582

Memory Dump Source

Source File: 00000003.00000002.385208738.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: <4P$<8$<w.
API String ID: 0-1030867500
Opcode ID: 6c4ff939f0d35883aefbb319d4430fd67387b4e339adb0f797cabce8c6a4bf31
Instruction ID: 97d266913d6b0fd63d839b3c54903fd41a2ccd22a8a26fffcb9587bfe3b6431f
Opcode Fuzzy Hash: 6c4ff939f0d35883aefbb319d4430fd67387b4e339adb0f797cabce8c6a4bf31
Instruction Fuzzy Hash: C8B1E17151A384ABD788CF28C1C994BBBE1FBD4754F906A1DF8C68B260D7B0D948CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180009100 Relevance: .1, Instructions: 125
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.385208738.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9400724a362ecc304d993d2fe4c896d101fab294f6d1cf34a07a96bc2a8ce181
Instruction ID: 281782cf28aa09d34d334260f991d1b96cfbd8271b51b9b7c31761fd0664cb75
Opcode Fuzzy Hash: 9400724a362ecc304d993d2fe4c896d101fab294f6d1cf34a07a96bc2a8ce181
Instruction Fuzzy Hash: 4B51EC715087889BCBB8DF18C9856CA7BF0FF95704F50891DE9898B250DF719A44DB42

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0000000180022010 Relevance: 9.0, Strings: 7, Instructions: 235
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

]k, xrefs: 0000000180022069
94, xrefs: 0000000180022371
"+H, xrefs: 000000018002236A
M8;, xrefs: 0000000180022338
1l7., xrefs: 00000001800220AF
]k, xrefs: 000000018002232E
]$d, xrefs: 00000001800220D6

Memory Dump Source

Source File: 00000003.00000002.385208738.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: "+H$1l7.$M8;$]$d$]k$]k$94
API String ID: 0-2447245168
Opcode ID: 3fd6bef9004380659c47559ba6e3d81fe5eea7f701e849f333ef0deba45e7d13
Instruction ID: 1221e244f5383d3e6569bf50eb566ee92e7d288cf12f4405919b94e37960c7a7
Opcode Fuzzy Hash: 3fd6bef9004380659c47559ba6e3d81fe5eea7f701e849f333ef0deba45e7d13
Instruction Fuzzy Hash: 3FB10D7160130CCBDBA9DF28C18A6DA3BE1FF48748F114129FD1A97261D774E919CB46

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800059B8 Relevance: 7.9, Strings: 6, Instructions: 408
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

t:v, xrefs: 0000000180005E76
-!zt, xrefs: 0000000180005BD7
Mv`b, xrefs: 0000000180005D4E
R3T, xrefs: 0000000180005C59
d}9J, xrefs: 0000000180006179
ru, xrefs: 000000018000623C

Memory Dump Source

Source File: 00000003.00000002.385208738.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: -!zt$Mv`b$R3T$d}9J$t:v$ru
API String ID: 0-2100131636
Opcode ID: e0551372703c1c57f1fc0d9d1de0f1be02ef62f192bed394747547d409ac2d0a
Instruction ID: abddbd47ac15f5a8ffacaf8e31a06efd054a3dbd2afb1a66e8bbaa14beb483a4
Opcode Fuzzy Hash: e0551372703c1c57f1fc0d9d1de0f1be02ef62f192bed394747547d409ac2d0a
Instruction Fuzzy Hash: C1221BB050478C8BDBB8CF64C9897DD7BB0FB44308F10862DDA5AAB250CBB45686CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180013780 Relevance: 7.8, Strings: 6, Instructions: 323
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

kO, xrefs: 000000018001387E
lmq, xrefs: 0000000180013A6B
"`2, xrefs: 00000001800139CE
lbzZ, xrefs: 0000000180013863
tro, xrefs: 00000001800139A0
$, xrefs: 0000000180013C6D

Memory Dump Source

Source File: 00000003.00000002.385208738.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $$"`2$lbzZ$lmq$tro$kO
API String ID: 0-2401169580
Opcode ID: b22a75222821f6640e36d1476563fd6974371582067e8c17588d676730c46316
Instruction ID: 279b0f6eedbbacd77816cba7ac57bf6919de5fbe0bc464da326619847ce4fcd1
Opcode Fuzzy Hash: b22a75222821f6640e36d1476563fd6974371582067e8c17588d676730c46316
Instruction Fuzzy Hash: BBF1C3709047488FDBA8DFA8D9867DDBBB1FB48304F20821DD84AEB255DB749A49CF41

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000FC48 Relevance: 6.7, Strings: 5, Instructions: 447
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2f, xrefs: 000000018001051C
UbA, xrefs: 00000001800103C4
EX., xrefs: 000000018001032D
PT, xrefs: 000000018001038A
)#?, xrefs: 0000000180010418

Memory Dump Source

Source File: 00000003.00000002.385208738.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: )#?$EX.$PT$UbA$2f
API String ID: 0-1318892062
Opcode ID: f9a85fa51538b1a6c0e22373df85dddbbc427f24166f886711afb0f01761c199
Instruction ID: a9b5704be98d3dd027f678fe08c59eda011257bdda9cf4ed25ea0f7660729633
Opcode Fuzzy Hash: f9a85fa51538b1a6c0e22373df85dddbbc427f24166f886711afb0f01761c199
Instruction Fuzzy Hash: 8B320DB190078C8BDBB8CF64C8856DD7BF0FB48318F50852DEA1A9B251DBB45685CF98

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001FC0C Relevance: 6.6, Strings: 5, Instructions: 400
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

QP|m, xrefs: 000000018001FCBC
$T, xrefs: 000000018001FF09
qjf, xrefs: 000000018001FD57
tZp, xrefs: 000000018001FFAF
?F, xrefs: 0000000180020023

Memory Dump Source

Source File: 00000003.00000002.385208738.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $T$?F$QP|m$qjf$tZp
API String ID: 0-3477398917
Opcode ID: a2afc25ca6c2e6ca488c7a804df3743aa45b21aa43371557c2da8ddda12b60f7
Instruction ID: e54beaa769b94aae3cb673a52a2b60ade73482c6e5d3d936cdc9b6ae13d51efd
Opcode Fuzzy Hash: a2afc25ca6c2e6ca488c7a804df3743aa45b21aa43371557c2da8ddda12b60f7
Instruction Fuzzy Hash: 0B122870A0470CDFCF69DFA8C08A6DDBBF2FB44344F1091A9E816AB261D7759A19CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180016D3C Relevance: 6.6, Strings: 5, Instructions: 379COMMON

Download Yara Rule

Strings

x\J, xrefs: 00000001800171C3
JQ, xrefs: 0000000180016D72
t, xrefs: 0000000180017275
v, xrefs: 00000001800170BE
k&(, xrefs: 0000000180017125

Memory Dump Source

Source File: 00000003.00000002.385208738.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: JQ$k&($t$v$x\J
API String ID: 0-1134872184
Opcode ID: e2b118cac14b957c819117e18deb076f69f9d4e25580e92a2151fd03385e5a66
Instruction ID: 7c1fd17b310acde7e359d6be57bcfb6c2dd011f2caef592e77d3cba241376f6b
Opcode Fuzzy Hash: e2b118cac14b957c819117e18deb076f69f9d4e25580e92a2151fd03385e5a66
Instruction Fuzzy Hash: F312E0B0504709EFCB99DF28C18AADE7BF0FB48308F40812AF80A9B254D774DA58DB45

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000703C Relevance: 6.3, Strings: 5, Instructions: 87COMMON

Download Yara Rule

Strings

R, xrefs: 00000001800070D3
L==, xrefs: 0000000180007159
V, xrefs: 0000000180007053
?rIc, xrefs: 000000018000710E
)H8, xrefs: 000000018000709E

Memory Dump Source

Source File: 00000003.00000002.385208738.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: R$)H8$?rIc$L==$V
API String ID: 0-2512384441
Opcode ID: 0d280c2f9ee604a9d8763362a2e2c249d7a205bc5c068130deea404b5e8e02a7
Instruction ID: 6f6f9af97a41f07aad9f9d1cbd67af5334817a93c453241fb2a5d498ae2065c2
Opcode Fuzzy Hash: 0d280c2f9ee604a9d8763362a2e2c249d7a205bc5c068130deea404b5e8e02a7
Instruction Fuzzy Hash: 3541D0B090074E8BCF48CF64D49A5DE7FB0FB68398F20421DE856A6250D3B896A5CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800119A8 Relevance: 6.3, Strings: 5, Instructions: 63COMMON

Download Yara Rule

Strings

+, xrefs: 00000001800119DA
bt, xrefs: 0000000180011A1E
S, xrefs: 0000000180011A92
Qq, xrefs: 0000000180011A84
vird, xrefs: 00000001800119C2

Memory Dump Source

Source File: 00000003.00000002.385208738.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: Qq$bt$vird$+$S
API String ID: 0-3373980505
Opcode ID: 46bb33aa035ecbbdf74cf68df8db4d7c020810c30b71dbb4fbdebc27907f7b4b
Instruction ID: 8c34661c01ca41a1498f33dadfb9b2381b3c020394efcb6cfebc1cbd8490f91c
Opcode Fuzzy Hash: 46bb33aa035ecbbdf74cf68df8db4d7c020810c30b71dbb4fbdebc27907f7b4b
Instruction Fuzzy Hash: 8831C2B081038A8FDB45CF64C88A5DE7BF0FB58358F115A19F869A6250D3B4D668CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180011AD0 Relevance: 5.3, Strings: 4, Instructions: 335COMMON

Download Yara Rule

Strings

V, xrefs: 0000000180011B81
^_", xrefs: 0000000180011D6E
P9, xrefs: 0000000180011DC0
@, xrefs: 0000000180011F6B

Memory Dump Source

Source File: 00000003.00000002.385208738.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: V$@$P9$^_"
API String ID: 0-1880944046
Opcode ID: 14fe4b6354f8c882e246ec0bcf45ce0c6e4a33b057813c2d4cef38f5cb1d7b15
Instruction ID: ef3f81825b514374c5d287d432cdf068934c0dc0259921085eace1de493a05f6
Opcode Fuzzy Hash: 14fe4b6354f8c882e246ec0bcf45ce0c6e4a33b057813c2d4cef38f5cb1d7b15
Instruction Fuzzy Hash: B6F1DF70504749EFCB98CF28D18AACE7BE0FB48348F50812AF81A9B264D770DA59DB45

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800132F0 Relevance: 5.3, Strings: 4, Instructions: 312COMMON

Download Yara Rule

Strings

syG, xrefs: 000000018001339D
=_, xrefs: 00000001800136EB
F)k, xrefs: 000000018001336C
b/, xrefs: 000000018001347F

Memory Dump Source

Source File: 00000003.00000002.385208738.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: =_$F)k$b/$syG
API String ID: 0-3955183656
Opcode ID: a0c8fbb251499c36d1c33fbfac3bbb926034851086b3556ae4bae43476727e6a
Instruction ID: 3a63fdd7148b145f5d2717dabea2a2fa508061acbcc25a132c341bfe6e9ad30f
Opcode Fuzzy Hash: a0c8fbb251499c36d1c33fbfac3bbb926034851086b3556ae4bae43476727e6a
Instruction Fuzzy Hash: DED12771A0478D8BCF59DFA8C88A6EEBBB0FB48344F10421DE846A7650D7B4D909CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002D70 Relevance: 5.3, Strings: 4, Instructions: 266COMMON

Download Yara Rule

Strings

iJ6, xrefs: 0000000180003091
vG, xrefs: 000000018000316F
#X, xrefs: 0000000180002E74
'Xsa, xrefs: 0000000180002EA2

Memory Dump Source

Source File: 00000003.00000002.385208738.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: #X$'Xsa$iJ6$vG
API String ID: 0-746338152
Opcode ID: 05ea12fd72043b3df7b90193803f13f9b9661e31632ee757fcd333ad07ef3f6f
Instruction ID: 8ba50615c78112980223cca8f04f1fa67c4b69ee5a809e4e0bd2b8ae6832a1bb
Opcode Fuzzy Hash: 05ea12fd72043b3df7b90193803f13f9b9661e31632ee757fcd333ad07ef3f6f
Instruction Fuzzy Hash: 93E154B590070DDFCB88DF68D19A9DD7BB9BB49308F404029FC0E9A264D3B4E919CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800097C0 Relevance: 5.3, Strings: 4, Instructions: 257COMMON

Download Yara Rule

Strings

-Z, xrefs: 0000000180009D06
*i^, xrefs: 0000000180009A7A
MIC, xrefs: 0000000180009BF0
]2, xrefs: 0000000180009CC2

Memory Dump Source

Source File: 00000003.00000002.385208738.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: *i^$MIC$-Z$]2
API String ID: 0-498664264
Opcode ID: db11ef6343568e39e87295be28a4fb69218d9fc865c563580501f4fd78a225ea
Instruction ID: 9792ecb135b2155067e966d5e38dbf4f409fde80c29e70d57d2078ebe1ce15c6
Opcode Fuzzy Hash: db11ef6343568e39e87295be28a4fb69218d9fc865c563580501f4fd78a225ea
Instruction Fuzzy Hash: 10E1C670109B888FDBF8DF64CC86BEB7BA5FB44346F10651DD84A8A290DBB46645CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180010758 Relevance: 5.2, Strings: 4, Instructions: 222COMMON

Download Yara Rule

Strings

QsF, xrefs: 0000000180010894
_, xrefs: 0000000180010A56
EG, xrefs: 000000018001082C
B, xrefs: 0000000180010AEC

Memory Dump Source

Source File: 00000003.00000002.385208738.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: B$EG$QsF$_
API String ID: 0-784369960
Opcode ID: 2411b4f18f6ae95c167793a9182b69dfaeb4b2ef39c1ac24af76ef798b153418
Instruction ID: 62dbbc71664ee0946fffbba3b71afe09b12d9ffe0d1744d6deb9db65ff0cd9cc
Opcode Fuzzy Hash: 2411b4f18f6ae95c167793a9182b69dfaeb4b2ef39c1ac24af76ef798b153418
Instruction Fuzzy Hash: 3FB1387010468D8FDF88DF28C88A6DA3FA1FB68388F614219FC4A97250C778D694CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180020334 Relevance: 5.2, Strings: 4, Instructions: 190COMMON

Download Yara Rule

Strings

5B.Y, xrefs: 000000018002045A
Z`35, xrefs: 00000001800205D3
., xrefs: 00000001800206DC
-`G, xrefs: 00000001800206A2

Memory Dump Source

Source File: 00000003.00000002.385208738.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: -`G$.$5B.Y$Z`35
API String ID: 0-1363032466
Opcode ID: bf60aa8e83620137796280cd5bd0e9d08ed9dd04dd302297e234b85e3718d0fd
Instruction ID: b244d414363a4385de25ad5610b22aaac7fb2f2c92cf8150697ad32e565f4bd8
Opcode Fuzzy Hash: bf60aa8e83620137796280cd5bd0e9d08ed9dd04dd302297e234b85e3718d0fd
Instruction Fuzzy Hash: 29A1FB716157888FEB7ADF24C89A7CE7BE1FB49308F40461DD98E8A250D7B49609CB42

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000EE98 Relevance: 5.2, Strings: 4, Instructions: 167COMMON

Download Yara Rule

Strings

#o, xrefs: 000000018000EFD8
*+_, xrefs: 000000018000EF25
WSh, xrefs: 000000018000EEF0
\O, xrefs: 000000018000F046

Memory Dump Source

Source File: 00000003.00000002.385208738.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: *+_$WSh$\O$#o
API String ID: 0-1846314129
Opcode ID: 2b55738af9202b4623c877c52658b874745984570bac3296ae94d1111b904a17
Instruction ID: 175ce4bc0e22c7a636d32034be2bbb8ad42f6b3cb6a748f64f507b7f0b29ed37
Opcode Fuzzy Hash: 2b55738af9202b4623c877c52658b874745984570bac3296ae94d1111b904a17
Instruction Fuzzy Hash: 1971167160474ECFCB98DF18C489ADA3BE1FB58318F414529FC09A7264DB74DAA8CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180024D80 Relevance: 5.2, Strings: 4, Instructions: 155COMMON

Download Yara Rule

Strings

M*K, xrefs: 0000000180024E36
\<, xrefs: 0000000180024E9B
.B, xrefs: 0000000180025032
O, xrefs: 0000000180024F9B

Memory Dump Source

Source File: 00000003.00000002.385208738.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: .B$O$M*K$\<
API String ID: 0-3225238681
Opcode ID: 97d1f14c936b4c6fd28126f9270f10017570076f2259e30e0790da2a5d8d89f7
Instruction ID: 95d2fbb8f7fe970b1359d27f41ccd6aad584115d4fee043204e0c0f4c3f3b287
Opcode Fuzzy Hash: 97d1f14c936b4c6fd28126f9270f10017570076f2259e30e0790da2a5d8d89f7
Instruction Fuzzy Hash: 7181E370549788CFEBBACF24C886BDE7BE4FB48744F20461DE85A8A260DB709645CF41

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002A42C Relevance: 5.1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

$, xrefs: 000000018002A454
$, xrefs: 000000018002A477
~O, xrefs: 000000018002A626
xVO, xrefs: 000000018002A587

Memory Dump Source

Source File: 00000003.00000002.385208738.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $$$$xVO$~O
API String ID: 0-3655128719
Opcode ID: f0a1fe130e7a88269555c94ae3afa6992adf671055acde803b367a0cf8dc4998
Instruction ID: 8f78542db34460f4381821bab2b7e4f68a699ed7f8b2fc47c959991f0b02677a
Opcode Fuzzy Hash: f0a1fe130e7a88269555c94ae3afa6992adf671055acde803b367a0cf8dc4998
Instruction Fuzzy Hash: 5B61D1B05187448FD369DF28C18965BBBF1FBC6744F008A1EF6868A260DB76D948CB47

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800024B8 Relevance: 5.1, Strings: 4, Instructions: 79COMMON

Download Yara Rule

Strings

,IW, xrefs: 0000000180002565
l, xrefs: 0000000180002548
G, xrefs: 0000000180002557
JMg, xrefs: 000000018000252F

Memory Dump Source

Source File: 00000003.00000002.385208738.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ,IW$G$JMg$l
API String ID: 0-1370644289
Opcode ID: aa199bcfabd2ca119bc867395ae2bb0b970833e8ef3f83c28db76f19b2a25dac
Instruction ID: 7fb8b97fd43ed4dc52a467cdcf5cca41e6e56dbc92574a5c866222c6b731b82a
Opcode Fuzzy Hash: aa199bcfabd2ca119bc867395ae2bb0b970833e8ef3f83c28db76f19b2a25dac
Instruction Fuzzy Hash: 0A41D3B190074E8FCB48CF64C88A5DE7FB0FB18358F10461EE85AA6250D7B89695CFC9

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180018AB4 Relevance: 5.1, Strings: 4, Instructions: 119COMMON

Download Yara Rule

Strings

2S=, xrefs: 0000000180018BF3
,, xrefs: 0000000180018B66
i`}G, xrefs: 0000000180018BFA
,, xrefs: 0000000180018C14

Memory Dump Source

Source File: 00000003.00000002.385208738.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ,$,$2S=$i`}G
API String ID: 0-4285990414
Opcode ID: 1704a5678c6fc7c63ed33a4399dbb19a0648d0f8b4dca33206a3e55e43de3fb6
Instruction ID: 665cb0e6160ce90faac3fa7baf9a16caae401c848b442bb7533a8cc1fd62885f
Opcode Fuzzy Hash: 1704a5678c6fc7c63ed33a4399dbb19a0648d0f8b4dca33206a3e55e43de3fb6
Instruction Fuzzy Hash: 4D41E57051CB848FD7B4DF18D486BDABBE0FB98750F40495EE48DC3251DBB0A8858B86

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exePID: 1320, Parent PID: 6276COMMON

Execution Graph

Execution Coverage:	11.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	11
Total number of Limit Nodes:	0

Executed Functions

Function 000001C271780000 Relevance: 76.3, APIs: 5, Strings: 38, Instructions: 1094
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 000001C271780450
GetNativeSystemInfo.KERNELBASE ref: 000001C271780539
VirtualAlloc.KERNELBASE ref: 000001C271780580
VirtualProtect.KERNELBASE ref: 000001C2717809E9
RtlAddFunctionTable.KERNEL32 ref: 000001C271780A79

Strings

Size, xrefs: 000001C271780311
Reso, xrefs: 000001C271780338
aryA, xrefs: 000001C2717800D8
Flus, xrefs: 000001C271780113
Reso, xrefs: 000001C2717802FC
ativ, xrefs: 000001C27178013D
truc, xrefs: 000001C271780121
Slee, xrefs: 000001C2717800B7
tion, xrefs: 000001C271780128
onTa, xrefs: 000001C271780171
eSys, xrefs: 000001C271780144
ncti, xrefs: 000001C27178016A
ualP, xrefs: 000001C2717800FF
Reso, xrefs: 000001C271780355
ofRe, xrefs: 000001C271780318
Find, xrefs: 000001C2717802D0
rote, xrefs: 000001C271780106
urce, xrefs: 000001C2717802E7
Free, xrefs: 000001C27178034D
Libr, xrefs: 000001C2717800D0
ualA, xrefs: 000001C2717800E8
temI, xrefs: 000001C27178014B
urce, xrefs: 000001C27178035D
Virt, xrefs: 000001C2717800E0
lloc, xrefs: 000001C2717800F0
Load, xrefs: 000001C2717800C8
RtlA, xrefs: 000001C27178015C
Load, xrefs: 000001C2717802F4
ddFu, xrefs: 000001C271780163
Reso, xrefs: 000001C2717802DB
urce, xrefs: 000001C271780340
Lock, xrefs: 000001C271780330
GetN, xrefs: 000001C271780136
sour, xrefs: 000001C27178031F
hIns, xrefs: 000001C27178011A
Virt, xrefs: 000001C2717800F8
urce, xrefs: 000001C271780304
Cach, xrefs: 000001C27178012F

Memory Dump Source

Source File: 00000004.00000002.386418514.000001C271780000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001C271780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1c271780000_rundll32.jbxd

Similarity

API ID: Virtual$Alloc$FunctionInfoNativeProtectSystemTable
String ID: Cach$Find$Flus$Free$GetN$Libr$Load$Load$Lock$Reso$Reso$Reso$Reso$RtlA$Size$Slee$Virt$Virt$aryA$ativ$ddFu$eSys$hIns$lloc$ncti$ofRe$onTa$rote$sour$temI$tion$truc$ualA$ualP$urce$urce$urce$urce
API String ID: 394283112-2517549848
Opcode ID: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
Instruction ID: 94d6bbba923704969f668127bdbeebc53ade529d9cd4ea082820748da8910d38
Opcode Fuzzy Hash: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
Instruction Fuzzy Hash: E1729230658B488BEB59DF58C886AF9B7E1FFA4305F20462DE88EC7251DB38D541CB85

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002C058 Relevance: 10.4, Strings: 8, Instructions: 370
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

l, xrefs: 000000018002C347
-:, xrefs: 000000018002C100
(I, xrefs: 000000018002C62C
Ekf, xrefs: 000000018002C0CA
<W, xrefs: 000000018002C1D0
Z, xrefs: 000000018002C36B
#C, xrefs: 000000018002C55D
l, xrefs: 000000018002C1F5

Memory Dump Source

Source File: 00000004.00000002.386117726.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: #C$(I$-:$Ekf$<W$Z$l$l
API String ID: 0-464535774
Opcode ID: d8792019bb8cd892c5e2cff0ba87425d7977148afb5a5f987cda1e45d5ff9126
Instruction ID: edc4d0e98499d5b5adff65828f8d1fd2ac7ce79502a6533da94e18623254a36a
Opcode Fuzzy Hash: d8792019bb8cd892c5e2cff0ba87425d7977148afb5a5f987cda1e45d5ff9126
Instruction Fuzzy Hash: C102E3B151038CDBCB99DF28C8CAADD3BA1FB48398F956219FD0697260D774D884CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180010FF4 Relevance: 7.9, Strings: 6, Instructions: 363
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

)|x, xrefs: 000000018001168C
\, xrefs: 0000000180011205
OV4T, xrefs: 0000000180011307
lA, xrefs: 0000000180011819
/Zb, xrefs: 000000018001119F
/v|, xrefs: 00000001800113E2

Memory Dump Source

Source File: 00000004.00000002.386117726.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: )|x$/Zb$/v|$OV4T$\$lA
API String ID: 0-3528011396
Opcode ID: 74ea3d61a93069fa3a56a5f8f60d4b0c7eeb5b014d6ac06c6862fd203c8e6463
Instruction ID: 5dbdb21e6b24644f90705741d0e2e2cc24c858ca1caac6c8284349b4f9dc1789
Opcode Fuzzy Hash: 74ea3d61a93069fa3a56a5f8f60d4b0c7eeb5b014d6ac06c6862fd203c8e6463
Instruction Fuzzy Hash: 8C2204705097C8CBDBBECF64C885BDA7BA8FB44B08F10521DEA4A9E258DB745744CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180021618 Relevance: 7.8, Strings: 6, Instructions: 266
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00000001800219DA
&.+, xrefs: 000000018002180B
.pN, xrefs: 0000000180021AE0
F>9, xrefs: 0000000180021937
t(/, xrefs: 0000000180021ABB
)O, xrefs: 000000018002164B

Memory Dump Source

Source File: 00000004.00000002.386117726.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $&.+$)O$.pN$F>9$t(/
API String ID: 0-3036092626
Opcode ID: 549a8b626face2190b4149bba4d09d4cb88f6d29378e8937dde350adb7fd5a83
Instruction ID: e4baced68933c0a0796cf32b330105f1a6d3ed4de4784e8c7f389f9334031704
Opcode Fuzzy Hash: 549a8b626face2190b4149bba4d09d4cb88f6d29378e8937dde350adb7fd5a83
Instruction Fuzzy Hash: E6E109716093C89FEBBACF24C8897DE7BA1FB59344F50421DD88A8E250DB745B49CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180028C20 Relevance: 6.6, Strings: 5, Instructions: 335
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Q27, xrefs: 0000000180028EC2, 0000000180028F2F, 0000000180028DCC, 0000000180028F82, 000000018002907C, 0000000180028FD5, 0000000180028FEB, 0000000180029134, 00000001800290DD, 0000000180028E8F, 0000000180029047, 0000000180028CC6, 0000000180029040
Mh, xrefs: 0000000180029055
_5, xrefs: 00000001800290F7
yy8x, xrefs: 0000000180028D19
:G, xrefs: 0000000180028C4C

Memory Dump Source

Source File: 00000004.00000002.386117726.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: :G$Q27$_5$yy8x$Mh
API String ID: 0-3587547327
Opcode ID: 315710b1bd8495485e823c5d8e4dda2fa20a4e0309c27e75a691e805bd33ac06
Instruction ID: f758bc8895b8ed7f582f71be29fb7142b0f1d07f9cbefdc8313849e51cf7b1d3
Opcode Fuzzy Hash: 315710b1bd8495485e823c5d8e4dda2fa20a4e0309c27e75a691e805bd33ac06
Instruction Fuzzy Hash: 3DF1E07051434CEBDFA9DF68C8CAA9D3BA0FF48394FA06219FD0696250D775D988CB81

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000C608 Relevance: 5.6, Strings: 4, Instructions: 616
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

w\H, xrefs: 000000018000C959
K', xrefs: 000000018000CAC7
sf, xrefs: 000000018000CE95
+#;), xrefs: 000000018000CBDA

Memory Dump Source

Source File: 00000004.00000002.386117726.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: +#;)$K'$sf$w\H
API String ID: 0-1051058546
Opcode ID: 6c53062de77b202a7a918e5f4038520a98252693d28bf41343123917f80ba32c
Instruction ID: 30c6111824d62709d88844cae5ccd518ea343406d57bec7882368cdc1c6a6611
Opcode Fuzzy Hash: 6c53062de77b202a7a918e5f4038520a98252693d28bf41343123917f80ba32c
Instruction Fuzzy Hash: 8362F97050068D8FDB48DF28C89A6DD3FA1FB58388F524229FC4AA7251D778D999CBC4

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001E3AC Relevance: 4.0, Strings: 3, Instructions: 215
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

<4P, xrefs: 000000018001E690
<w., xrefs: 000000018001E582
<8, xrefs: 000000018001E63C

Memory Dump Source

Source File: 00000004.00000002.386117726.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: <4P$<8$<w.
API String ID: 0-1030867500
Opcode ID: 6c4ff939f0d35883aefbb319d4430fd67387b4e339adb0f797cabce8c6a4bf31
Instruction ID: 97d266913d6b0fd63d839b3c54903fd41a2ccd22a8a26fffcb9587bfe3b6431f
Opcode Fuzzy Hash: 6c4ff939f0d35883aefbb319d4430fd67387b4e339adb0f797cabce8c6a4bf31
Instruction Fuzzy Hash: C8B1E17151A384ABD788CF28C1C994BBBE1FBD4754F906A1DF8C68B260D7B0D948CB02

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001C964 Relevance: 1.5, Strings: 1, Instructions: 207
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

xDC, xrefs: 000000018001CAFA

Memory Dump Source

Source File: 00000004.00000002.386117726.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: xDC
API String ID: 0-90241050
Opcode ID: 1794493f14346c80bf95ebec7e4fc927d8b172e8d91b7fcff559d0595d0365ee
Instruction ID: 9121b1bc5c885adbeef7a29f5b0494aad7ac2618abc594bea640adf26706a648
Opcode Fuzzy Hash: 1794493f14346c80bf95ebec7e4fc927d8b172e8d91b7fcff559d0595d0365ee
Instruction Fuzzy Hash: F391387052065CEBDB99DF68C8CAADD3BA0FB48394F906219FC4287250C775D9C98B86

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180009100 Relevance: .1, Instructions: 125
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.386117726.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9400724a362ecc304d993d2fe4c896d101fab294f6d1cf34a07a96bc2a8ce181
Instruction ID: 281782cf28aa09d34d334260f991d1b96cfbd8271b51b9b7c31761fd0664cb75
Opcode Fuzzy Hash: 9400724a362ecc304d993d2fe4c896d101fab294f6d1cf34a07a96bc2a8ce181
Instruction Fuzzy Hash: 4B51EC715087889BCBB8DF18C9856CA7BF0FF95704F50891DE9898B250DF719A44DB42

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0000000180022010 Relevance: 9.0, Strings: 7, Instructions: 235
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

1l7., xrefs: 00000001800220AF
M8;, xrefs: 0000000180022338
]k, xrefs: 0000000180022069
]$d, xrefs: 00000001800220D6
94, xrefs: 0000000180022371
]k, xrefs: 000000018002232E
"+H, xrefs: 000000018002236A

Memory Dump Source

Source File: 00000004.00000002.386117726.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: "+H$1l7.$M8;$]$d$]k$]k$94
API String ID: 0-2447245168
Opcode ID: 3fd6bef9004380659c47559ba6e3d81fe5eea7f701e849f333ef0deba45e7d13
Instruction ID: 1221e244f5383d3e6569bf50eb566ee92e7d288cf12f4405919b94e37960c7a7
Opcode Fuzzy Hash: 3fd6bef9004380659c47559ba6e3d81fe5eea7f701e849f333ef0deba45e7d13
Instruction Fuzzy Hash: 3FB10D7160130CCBDBA9DF28C18A6DA3BE1FF48748F114129FD1A97261D774E919CB46

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800059B8 Relevance: 7.9, Strings: 6, Instructions: 408
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Mv`b, xrefs: 0000000180005D4E
t:v, xrefs: 0000000180005E76
-!zt, xrefs: 0000000180005BD7
ru, xrefs: 000000018000623C
d}9J, xrefs: 0000000180006179
R3T, xrefs: 0000000180005C59

Memory Dump Source

Source File: 00000004.00000002.386117726.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: -!zt$Mv`b$R3T$d}9J$t:v$ru
API String ID: 0-2100131636
Opcode ID: e0551372703c1c57f1fc0d9d1de0f1be02ef62f192bed394747547d409ac2d0a
Instruction ID: abddbd47ac15f5a8ffacaf8e31a06efd054a3dbd2afb1a66e8bbaa14beb483a4
Opcode Fuzzy Hash: e0551372703c1c57f1fc0d9d1de0f1be02ef62f192bed394747547d409ac2d0a
Instruction Fuzzy Hash: C1221BB050478C8BDBB8CF64C9897DD7BB0FB44308F10862DDA5AAB250CBB45686CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180013780 Relevance: 7.8, Strings: 6, Instructions: 323
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

kO, xrefs: 000000018001387E
lmq, xrefs: 0000000180013A6B
tro, xrefs: 00000001800139A0
$, xrefs: 0000000180013C6D
lbzZ, xrefs: 0000000180013863
"`2, xrefs: 00000001800139CE

Memory Dump Source

Source File: 00000004.00000002.386117726.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $$"`2$lbzZ$lmq$tro$kO
API String ID: 0-2401169580
Opcode ID: b22a75222821f6640e36d1476563fd6974371582067e8c17588d676730c46316
Instruction ID: 279b0f6eedbbacd77816cba7ac57bf6919de5fbe0bc464da326619847ce4fcd1
Opcode Fuzzy Hash: b22a75222821f6640e36d1476563fd6974371582067e8c17588d676730c46316
Instruction Fuzzy Hash: BBF1C3709047488FDBA8DFA8D9867DDBBB1FB48304F20821DD84AEB255DB749A49CF41

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000FC48 Relevance: 6.7, Strings: 5, Instructions: 447COMMON

Download Yara Rule

Strings

EX., xrefs: 000000018001032D
)#?, xrefs: 0000000180010418
UbA, xrefs: 00000001800103C4
2f, xrefs: 000000018001051C
PT, xrefs: 000000018001038A

Memory Dump Source

Source File: 00000004.00000002.386117726.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: )#?$EX.$PT$UbA$2f
API String ID: 0-1318892062
Opcode ID: f9a85fa51538b1a6c0e22373df85dddbbc427f24166f886711afb0f01761c199
Instruction ID: a9b5704be98d3dd027f678fe08c59eda011257bdda9cf4ed25ea0f7660729633
Opcode Fuzzy Hash: f9a85fa51538b1a6c0e22373df85dddbbc427f24166f886711afb0f01761c199
Instruction Fuzzy Hash: 8B320DB190078C8BDBB8CF64C8856DD7BF0FB48318F50852DEA1A9B251DBB45685CF98

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001FC0C Relevance: 6.6, Strings: 5, Instructions: 400COMMON

Download Yara Rule

Strings

$T, xrefs: 000000018001FF09
QP|m, xrefs: 000000018001FCBC
?F, xrefs: 0000000180020023
tZp, xrefs: 000000018001FFAF
qjf, xrefs: 000000018001FD57

Memory Dump Source

Source File: 00000004.00000002.386117726.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $T$?F$QP|m$qjf$tZp
API String ID: 0-3477398917
Opcode ID: a2afc25ca6c2e6ca488c7a804df3743aa45b21aa43371557c2da8ddda12b60f7
Instruction ID: e54beaa769b94aae3cb673a52a2b60ade73482c6e5d3d936cdc9b6ae13d51efd
Opcode Fuzzy Hash: a2afc25ca6c2e6ca488c7a804df3743aa45b21aa43371557c2da8ddda12b60f7
Instruction Fuzzy Hash: 0B122870A0470CDFCF69DFA8C08A6DDBBF2FB44344F1091A9E816AB261D7759A19CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180016D3C Relevance: 6.6, Strings: 5, Instructions: 379COMMON

Download Yara Rule

Strings

JQ, xrefs: 0000000180016D72
x\J, xrefs: 00000001800171C3
t, xrefs: 0000000180017275
v, xrefs: 00000001800170BE
k&(, xrefs: 0000000180017125

Memory Dump Source

Source File: 00000004.00000002.386117726.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: JQ$k&($t$v$x\J
API String ID: 0-1134872184
Opcode ID: e2b118cac14b957c819117e18deb076f69f9d4e25580e92a2151fd03385e5a66
Instruction ID: 7c1fd17b310acde7e359d6be57bcfb6c2dd011f2caef592e77d3cba241376f6b
Opcode Fuzzy Hash: e2b118cac14b957c819117e18deb076f69f9d4e25580e92a2151fd03385e5a66
Instruction Fuzzy Hash: F312E0B0504709EFCB99DF28C18AADE7BF0FB48308F40812AF80A9B254D774DA58DB45

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000703C Relevance: 6.3, Strings: 5, Instructions: 87COMMON

Download Yara Rule

Strings

V, xrefs: 0000000180007053
)H8, xrefs: 000000018000709E
R, xrefs: 00000001800070D3
L==, xrefs: 0000000180007159
?rIc, xrefs: 000000018000710E

Memory Dump Source

Source File: 00000004.00000002.386117726.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: R$)H8$?rIc$L==$V
API String ID: 0-2512384441
Opcode ID: 0d280c2f9ee604a9d8763362a2e2c249d7a205bc5c068130deea404b5e8e02a7
Instruction ID: 6f6f9af97a41f07aad9f9d1cbd67af5334817a93c453241fb2a5d498ae2065c2
Opcode Fuzzy Hash: 0d280c2f9ee604a9d8763362a2e2c249d7a205bc5c068130deea404b5e8e02a7
Instruction Fuzzy Hash: 3541D0B090074E8BCF48CF64D49A5DE7FB0FB68398F20421DE856A6250D3B896A5CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800119A8 Relevance: 6.3, Strings: 5, Instructions: 63COMMON

Download Yara Rule

Strings

vird, xrefs: 00000001800119C2
S, xrefs: 0000000180011A92
+, xrefs: 00000001800119DA
Qq, xrefs: 0000000180011A84
bt, xrefs: 0000000180011A1E

Memory Dump Source

Source File: 00000004.00000002.386117726.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: Qq$bt$vird$+$S
API String ID: 0-3373980505
Opcode ID: 46bb33aa035ecbbdf74cf68df8db4d7c020810c30b71dbb4fbdebc27907f7b4b
Instruction ID: 8c34661c01ca41a1498f33dadfb9b2381b3c020394efcb6cfebc1cbd8490f91c
Opcode Fuzzy Hash: 46bb33aa035ecbbdf74cf68df8db4d7c020810c30b71dbb4fbdebc27907f7b4b
Instruction Fuzzy Hash: 8831C2B081038A8FDB45CF64C88A5DE7BF0FB58358F115A19F869A6250D3B4D668CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180011AD0 Relevance: 5.3, Strings: 4, Instructions: 335COMMON

Download Yara Rule

Strings

P9, xrefs: 0000000180011DC0
@, xrefs: 0000000180011F6B
V, xrefs: 0000000180011B81
^_", xrefs: 0000000180011D6E

Memory Dump Source

Source File: 00000004.00000002.386117726.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: V$@$P9$^_"
API String ID: 0-1880944046
Opcode ID: 14fe4b6354f8c882e246ec0bcf45ce0c6e4a33b057813c2d4cef38f5cb1d7b15
Instruction ID: ef3f81825b514374c5d287d432cdf068934c0dc0259921085eace1de493a05f6
Opcode Fuzzy Hash: 14fe4b6354f8c882e246ec0bcf45ce0c6e4a33b057813c2d4cef38f5cb1d7b15
Instruction Fuzzy Hash: B6F1DF70504749EFCB98CF28D18AACE7BE0FB48348F50812AF81A9B264D770DA59DB45

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800132F0 Relevance: 5.3, Strings: 4, Instructions: 312COMMON

Download Yara Rule

Strings

F)k, xrefs: 000000018001336C
b/, xrefs: 000000018001347F
syG, xrefs: 000000018001339D
=_, xrefs: 00000001800136EB

Memory Dump Source

Source File: 00000004.00000002.386117726.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: =_$F)k$b/$syG
API String ID: 0-3955183656
Opcode ID: a0c8fbb251499c36d1c33fbfac3bbb926034851086b3556ae4bae43476727e6a
Instruction ID: 3a63fdd7148b145f5d2717dabea2a2fa508061acbcc25a132c341bfe6e9ad30f
Opcode Fuzzy Hash: a0c8fbb251499c36d1c33fbfac3bbb926034851086b3556ae4bae43476727e6a
Instruction Fuzzy Hash: DED12771A0478D8BCF59DFA8C88A6EEBBB0FB48344F10421DE846A7650D7B4D909CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002D70 Relevance: 5.3, Strings: 4, Instructions: 266COMMON

Download Yara Rule

Strings

iJ6, xrefs: 0000000180003091
vG, xrefs: 000000018000316F
#X, xrefs: 0000000180002E74
'Xsa, xrefs: 0000000180002EA2

Memory Dump Source

Source File: 00000004.00000002.386117726.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: #X$'Xsa$iJ6$vG
API String ID: 0-746338152
Opcode ID: 05ea12fd72043b3df7b90193803f13f9b9661e31632ee757fcd333ad07ef3f6f
Instruction ID: 8ba50615c78112980223cca8f04f1fa67c4b69ee5a809e4e0bd2b8ae6832a1bb
Opcode Fuzzy Hash: 05ea12fd72043b3df7b90193803f13f9b9661e31632ee757fcd333ad07ef3f6f
Instruction Fuzzy Hash: 93E154B590070DDFCB88DF68D19A9DD7BB9BB49308F404029FC0E9A264D3B4E919CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800097C0 Relevance: 5.3, Strings: 4, Instructions: 257COMMON

Download Yara Rule

Strings

-Z, xrefs: 0000000180009D06
]2, xrefs: 0000000180009CC2
MIC, xrefs: 0000000180009BF0
*i^, xrefs: 0000000180009A7A

Memory Dump Source

Source File: 00000004.00000002.386117726.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: *i^$MIC$-Z$]2
API String ID: 0-498664264
Opcode ID: db11ef6343568e39e87295be28a4fb69218d9fc865c563580501f4fd78a225ea
Instruction ID: 9792ecb135b2155067e966d5e38dbf4f409fde80c29e70d57d2078ebe1ce15c6
Opcode Fuzzy Hash: db11ef6343568e39e87295be28a4fb69218d9fc865c563580501f4fd78a225ea
Instruction Fuzzy Hash: 10E1C670109B888FDBF8DF64CC86BEB7BA5FB44346F10651DD84A8A290DBB46645CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180027F9C Relevance: 5.2, Strings: 4, Instructions: 237COMMON

Download Yara Rule

Strings

?, xrefs: 0000000180027FC1
~x, xrefs: 0000000180028423
>97", xrefs: 0000000180028161
LsRW, xrefs: 000000018002820A

Memory Dump Source

Source File: 00000004.00000002.386117726.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: >97"$?$LsRW$~x
API String ID: 0-2554301858
Opcode ID: b37088c51263af6e06ebf62d89f1bff1b13e76a95d3b3fa096a3ef4bda325288
Instruction ID: eb38a845d203af82144c13b3f151f5fa827cd0cb8678597ee03ac1a376820114
Opcode Fuzzy Hash: b37088c51263af6e06ebf62d89f1bff1b13e76a95d3b3fa096a3ef4bda325288
Instruction Fuzzy Hash: E1D1E7705067C8CBEBBADFA4D885BCD3BA8FB44744F106219EC4AEA250DB745749CB01

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180010758 Relevance: 5.2, Strings: 4, Instructions: 222COMMON

Download Yara Rule

Strings

_, xrefs: 0000000180010A56
QsF, xrefs: 0000000180010894
B, xrefs: 0000000180010AEC
EG, xrefs: 000000018001082C

Memory Dump Source

Source File: 00000004.00000002.386117726.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: B$EG$QsF$_
API String ID: 0-784369960
Opcode ID: 2411b4f18f6ae95c167793a9182b69dfaeb4b2ef39c1ac24af76ef798b153418
Instruction ID: 62dbbc71664ee0946fffbba3b71afe09b12d9ffe0d1744d6deb9db65ff0cd9cc
Opcode Fuzzy Hash: 2411b4f18f6ae95c167793a9182b69dfaeb4b2ef39c1ac24af76ef798b153418
Instruction Fuzzy Hash: 3FB1387010468D8FDF88DF28C88A6DA3FA1FB68388F614219FC4A97250C778D694CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180020334 Relevance: 5.2, Strings: 4, Instructions: 190COMMON

Download Yara Rule

Strings

Z`35, xrefs: 00000001800205D3
5B.Y, xrefs: 000000018002045A
., xrefs: 00000001800206DC
-`G, xrefs: 00000001800206A2

Memory Dump Source

Source File: 00000004.00000002.386117726.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: -`G$.$5B.Y$Z`35
API String ID: 0-1363032466
Opcode ID: bf60aa8e83620137796280cd5bd0e9d08ed9dd04dd302297e234b85e3718d0fd
Instruction ID: b244d414363a4385de25ad5610b22aaac7fb2f2c92cf8150697ad32e565f4bd8
Opcode Fuzzy Hash: bf60aa8e83620137796280cd5bd0e9d08ed9dd04dd302297e234b85e3718d0fd
Instruction Fuzzy Hash: 29A1FB716157888FEB7ADF24C89A7CE7BE1FB49308F40461DD98E8A250D7B49609CB42

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000EE98 Relevance: 5.2, Strings: 4, Instructions: 167COMMON

Download Yara Rule

Strings

\O, xrefs: 000000018000F046
*+_, xrefs: 000000018000EF25
WSh, xrefs: 000000018000EEF0
#o, xrefs: 000000018000EFD8

Memory Dump Source

Source File: 00000004.00000002.386117726.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: *+_$WSh$\O$#o
API String ID: 0-1846314129
Opcode ID: 2b55738af9202b4623c877c52658b874745984570bac3296ae94d1111b904a17
Instruction ID: 175ce4bc0e22c7a636d32034be2bbb8ad42f6b3cb6a748f64f507b7f0b29ed37
Opcode Fuzzy Hash: 2b55738af9202b4623c877c52658b874745984570bac3296ae94d1111b904a17
Instruction Fuzzy Hash: 1971167160474ECFCB98DF18C489ADA3BE1FB58318F414529FC09A7264DB74DAA8CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180024D80 Relevance: 5.2, Strings: 4, Instructions: 155COMMON

Download Yara Rule

Strings

\<, xrefs: 0000000180024E9B
O, xrefs: 0000000180024F9B
.B, xrefs: 0000000180025032
M*K, xrefs: 0000000180024E36

Memory Dump Source

Source File: 00000004.00000002.386117726.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: .B$O$M*K$\<
API String ID: 0-3225238681
Opcode ID: 97d1f14c936b4c6fd28126f9270f10017570076f2259e30e0790da2a5d8d89f7
Instruction ID: 95d2fbb8f7fe970b1359d27f41ccd6aad584115d4fee043204e0c0f4c3f3b287
Opcode Fuzzy Hash: 97d1f14c936b4c6fd28126f9270f10017570076f2259e30e0790da2a5d8d89f7
Instruction Fuzzy Hash: 7181E370549788CFEBBACF24C886BDE7BE4FB48744F20461DE85A8A260DB709645CF41

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002A42C Relevance: 5.1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

$, xrefs: 000000018002A454
~O, xrefs: 000000018002A626
$, xrefs: 000000018002A477
xVO, xrefs: 000000018002A587

Memory Dump Source

Source File: 00000004.00000002.386117726.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $$$$xVO$~O
API String ID: 0-3655128719
Opcode ID: f0a1fe130e7a88269555c94ae3afa6992adf671055acde803b367a0cf8dc4998
Instruction ID: 8f78542db34460f4381821bab2b7e4f68a699ed7f8b2fc47c959991f0b02677a
Opcode Fuzzy Hash: f0a1fe130e7a88269555c94ae3afa6992adf671055acde803b367a0cf8dc4998
Instruction Fuzzy Hash: 5B61D1B05187448FD369DF28C18965BBBF1FBC6744F008A1EF6868A260DB76D948CB47

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800024B8 Relevance: 5.1, Strings: 4, Instructions: 79COMMON

Download Yara Rule

Strings

JMg, xrefs: 000000018000252F
l, xrefs: 0000000180002548
G, xrefs: 0000000180002557
,IW, xrefs: 0000000180002565

Memory Dump Source

Source File: 00000004.00000002.386117726.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ,IW$G$JMg$l
API String ID: 0-1370644289
Opcode ID: aa199bcfabd2ca119bc867395ae2bb0b970833e8ef3f83c28db76f19b2a25dac
Instruction ID: 7fb8b97fd43ed4dc52a467cdcf5cca41e6e56dbc92574a5c866222c6b731b82a
Opcode Fuzzy Hash: aa199bcfabd2ca119bc867395ae2bb0b970833e8ef3f83c28db76f19b2a25dac
Instruction Fuzzy Hash: 0A41D3B190074E8FCB48CF64C88A5DE7FB0FB18358F10461EE85AA6250D7B89695CFC9

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180018AB4 Relevance: 5.1, Strings: 4, Instructions: 119COMMON

Download Yara Rule

Strings

2S=, xrefs: 0000000180018BF3
,, xrefs: 0000000180018C14
i`}G, xrefs: 0000000180018BFA
,, xrefs: 0000000180018B66

Memory Dump Source

Source File: 00000004.00000002.386117726.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ,$,$2S=$i`}G
API String ID: 0-4285990414
Opcode ID: 1704a5678c6fc7c63ed33a4399dbb19a0648d0f8b4dca33206a3e55e43de3fb6
Instruction ID: 665cb0e6160ce90faac3fa7baf9a16caae401c848b442bb7533a8cc1fd62885f
Opcode Fuzzy Hash: 1704a5678c6fc7c63ed33a4399dbb19a0648d0f8b4dca33206a3e55e43de3fb6
Instruction Fuzzy Hash: 4D41E57051CB848FD7B4DF18D486BDABBE0FB98750F40495EE48DC3251DBB0A8858B86

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: regsvr32.exePID: 4700, Parent PID: 5860COMMON

Execution Graph

Execution Coverage:	18.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	4.8%
Total number of Nodes:	83
Total number of Limit Nodes:	8

Executed Functions

Function 00760000 Relevance: 76.3, APIs: 5, Strings: 38, Instructions: 1094
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 00760450
GetNativeSystemInfo.KERNELBASE ref: 00760539
VirtualAlloc.KERNELBASE ref: 00760580
VirtualProtect.KERNELBASE ref: 007609E9
RtlAddFunctionTable.KERNEL32 ref: 00760A79

Strings

ddFu, xrefs: 00760163
urce, xrefs: 007602E7
Reso, xrefs: 00760338
Size, xrefs: 00760311
Reso, xrefs: 007602FC
temI, xrefs: 0076014B
urce, xrefs: 0076035D
Virt, xrefs: 007600E0
urce, xrefs: 00760340
truc, xrefs: 00760121
Cach, xrefs: 0076012F
GetN, xrefs: 00760136
eSys, xrefs: 00760144
onTa, xrefs: 00760171
Find, xrefs: 007602D0
RtlA, xrefs: 0076015C
Slee, xrefs: 007600B7
Reso, xrefs: 007602DB
Load, xrefs: 007600C8
Load, xrefs: 007602F4
tion, xrefs: 00760128
ativ, xrefs: 0076013D
Virt, xrefs: 007600F8
ncti, xrefs: 0076016A
Reso, xrefs: 00760355
aryA, xrefs: 007600D8
lloc, xrefs: 007600F0
ualA, xrefs: 007600E8
ofRe, xrefs: 00760318
hIns, xrefs: 0076011A
Lock, xrefs: 00760330
urce, xrefs: 00760304
ualP, xrefs: 007600FF
Flus, xrefs: 00760113
Libr, xrefs: 007600D0
sour, xrefs: 0076031F
Free, xrefs: 0076034D
rote, xrefs: 00760106

Memory Dump Source

Source File: 00000006.00000002.898390444.0000000000760000.00000040.00001000.00020000.00000000.sdmp, Offset: 00760000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_760000_regsvr32.jbxd

Similarity

API ID: Virtual$Alloc$FunctionInfoNativeProtectSystemTable
String ID: Cach$Find$Flus$Free$GetN$Libr$Load$Load$Lock$Reso$Reso$Reso$Reso$RtlA$Size$Slee$Virt$Virt$aryA$ativ$ddFu$eSys$hIns$lloc$ncti$ofRe$onTa$rote$sour$temI$tion$truc$ualA$ualP$urce$urce$urce$urce
API String ID: 394283112-2517549848
Opcode ID: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
Instruction ID: b425358ad29a8c1413ad9ea0640e80c441408673206696c21754b83af8887acb
Opcode Fuzzy Hash: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
Instruction Fuzzy Hash: 5172B530618B488BDB19DF18C8856BAB7E1FB98305F14462DE88BD7251DB38E946CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000D26C Relevance: 7.9, Strings: 6, Instructions: 361
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Ec;, xrefs: 000000018000D485
J, xrefs: 000000018000D653
^c, xrefs: 000000018000D7F1
#X, xrefs: 000000018000D803
^c, xrefs: 000000018000D2F5
n, xrefs: 000000018000D64B

Memory Dump Source

Source File: 00000006.00000002.898746812.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #X$Ec;$J$^c$^c$n
API String ID: 0-2929744921
Opcode ID: 4bf1a5684c4273f47db2f7bfe37ec9194a020a583a1b353a94edbff9173a6149
Instruction ID: 2841c3f5e183e4376706155e5f630a85a86355917b0bfec54de2fd5c82beda78
Opcode Fuzzy Hash: 4bf1a5684c4273f47db2f7bfe37ec9194a020a583a1b353a94edbff9173a6149
Instruction Fuzzy Hash: DB0214705187C88BC798DFA8C48965EFBE1FB98744F108A1DF48687660DBF4D948CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800132F0 Relevance: 5.3, Strings: 4, Instructions: 312
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

b/, xrefs: 000000018001347F
syG, xrefs: 000000018001339D
=_, xrefs: 00000001800136EB
F)k, xrefs: 000000018001336C

Memory Dump Source

Source File: 00000006.00000002.898746812.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: =_$F)k$b/$syG
API String ID: 0-3955183656
Opcode ID: 78e362ff9fa706a76cdd339057cb87764c88e196f3f9d59d0d5946dc172ac972
Instruction ID: 3a63fdd7148b145f5d2717dabea2a2fa508061acbcc25a132c341bfe6e9ad30f
Opcode Fuzzy Hash: 78e362ff9fa706a76cdd339057cb87764c88e196f3f9d59d0d5946dc172ac972
Instruction Fuzzy Hash: DED12771A0478D8BCF59DFA8C88A6EEBBB0FB48344F10421DE846A7650D7B4D909CF85

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800046A8 Relevance: 2.7, Strings: 2, Instructions: 191COMMON

Download Yara Rule

Strings

5IF, xrefs: 0000000180004890
P)#, xrefs: 0000000180004995

Memory Dump Source

Source File: 00000006.00000002.898746812.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 5IF$P)#
API String ID: 0-1025399686
Opcode ID: f542572e4f2ff63548a52b2cdf5e12f4f3f89a6a74df4dd4d6ea84f2146f04ed
Instruction ID: ff53fea05c8e9f3baddf865253a509f05c382ca6cc85a3c859ee45a04624b947
Opcode Fuzzy Hash: f542572e4f2ff63548a52b2cdf5e12f4f3f89a6a74df4dd4d6ea84f2146f04ed
Instruction Fuzzy Hash: 0B9182711197889FCBA9DF18C8857DEB7E0FB88744F90561DF84A8B260C7B4DA49CB42

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001CEC4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 89
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetConnectW.WININET ref: 000000018001D008

Strings

C, xrefs: 000000018001CFA7
:G?, xrefs: 000000018001CF7D

Memory Dump Source

Source File: 00000006.00000002.898746812.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID: ConnectInternet
String ID: :G?$C
API String ID: 3050416762-1225920220
Opcode ID: 76a7b635ccb7068e30ecf2b503a3beb8f1d88f81d4224a3a6f9b87d06452e60c
Instruction ID: f2a8b8884ccc4c3404819a5ba5e10ed0cdd0f68caef2c301b3e7290f999a0a2a
Opcode Fuzzy Hash: 76a7b635ccb7068e30ecf2b503a3beb8f1d88f81d4224a3a6f9b87d06452e60c
Instruction Fuzzy Hash: 5941F67450CB888FD7A8DF18D0857AAB7E0FB98314F508A5EE8CDC7296DB749844CB46

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000FB00 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE ref: 000000018000FC2F

Strings

gF\, xrefs: 000000018000FBA2

Memory Dump Source

Source File: 00000006.00000002.898746812.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: gF\
API String ID: 823142352-1982329323
Opcode ID: 7df644aaf73cc9bcde4b6fb7fa72ed7f80eca5e2f74ec0139d961ef78fad827b
Instruction ID: 218d4d5182cb26b0f36475523bc21bdebfc34a2f4da3002633262ff40041eb9b
Opcode Fuzzy Hash: 7df644aaf73cc9bcde4b6fb7fa72ed7f80eca5e2f74ec0139d961ef78fad827b
Instruction Fuzzy Hash: 1931697051C7848BD778DF28D48679ABBE0FB89304F10891EE88DC3352DB709885CB86

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000A4FC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

HttpOpenRequestW.WININET ref: 000000018000A612

Strings

:G?, xrefs: 000000018000A59A

Memory Dump Source

Source File: 00000006.00000002.898746812.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID: HttpOpenRequest
String ID: :G?
API String ID: 1984915467-1508054202
Opcode ID: 21630c4fbef06d8aacd4c702dff3e94d0932750c237c7792a79e645746d5d1eb
Instruction ID: 60d2efcdc3634c8de813e735c521a1a1b2f1d3197bf379f764bafd55f5181dd8
Opcode Fuzzy Hash: 21630c4fbef06d8aacd4c702dff3e94d0932750c237c7792a79e645746d5d1eb
Instruction Fuzzy Hash: 83314E7060CB848FDBA8DF18D08679BB7E0FB98315F50455DE88CC7296DB789944CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180012B50 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET ref: 0000000180012C0A

Strings

:G?, xrefs: 0000000180012BAF

Memory Dump Source

Source File: 00000006.00000002.898746812.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID: InternetOpen
String ID: :G?
API String ID: 2038078732-1508054202
Opcode ID: 73d4d0fe1beb5fabfcdff42c943db3c290933a411410652e7bad060f5d798a44
Instruction ID: c9298170b99e71c9961e7bb575de84f4b40d7dd1197e6373e1c7e5d4160ea6d3
Opcode Fuzzy Hash: 73d4d0fe1beb5fabfcdff42c943db3c290933a411410652e7bad060f5d798a44
Instruction Fuzzy Hash: 6F110A71518B888BD3A4DF64D48979BB7E1FB88319F50CA1DF4D9C6250DB788589CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180015E2C Relevance: 1.6, APIs: 1, Instructions: 88threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 0000000180015F50

Memory Dump Source

Source File: 00000006.00000002.898746812.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: e7c4e665c3955ccb08a2ed1da7b867fe01ee184c9f438c553d3e32e703deb0b1
Instruction ID: c545beb4aab352fd45c13a3c06d211153dc7cc573a2023b45670cfe369ebb01f
Opcode Fuzzy Hash: e7c4e665c3955ccb08a2ed1da7b867fe01ee184c9f438c553d3e32e703deb0b1
Instruction Fuzzy Hash: 0731F67061CB448FD7A8DF68D48579ABBE0FB88304F508A5EE88CD7356DB349944CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180019A30 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

GetVolumeInformationW.KERNELBASE ref: 0000000180019B4B

Memory Dump Source

Source File: 00000006.00000002.898746812.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: 88af29f83271a8505691566097a2d6f523e627b34a42d7322f8369dcba0ae3fb
Instruction ID: 89e8e56e51c5a60af2ecd67268569f3ffacd31b875f751963744359e30ad4776
Opcode Fuzzy Hash: 88af29f83271a8505691566097a2d6f523e627b34a42d7322f8369dcba0ae3fb
Instruction Fuzzy Hash: 2B31407051CB448FD7A8DF18D4C579AB7E0FB88315F60855EE88CC7255CB749948CB86

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using Tasklist , and "net start" using Net , but adversaries may also use other tools as well. Adversaries may use the information from System Service Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Plt3z2W7KQ

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

HTTP Request Dependency Graph

Windows Analysis Report
Plt3z2W7KQ

Function 00EF0000 Relevance: 76.3, APIs: 5, Strings: 38, Instructions: 1094
memoryCOMMON

Function 000000018002C058 Relevance: 10.4, Strings: 8, Instructions: 370
COMMON

Function 0000000180007958 Relevance: 9.3, Strings: 7, Instructions: 551
COMMON

Function 00000001800059B8 Relevance: 7.9, Strings: 6, Instructions: 408
COMMON

Function 0000000180010FF4 Relevance: 7.9, Strings: 6, Instructions: 363
COMMON

Function 0000000180021618 Relevance: 7.8, Strings: 6, Instructions: 266
COMMON

Function 0000000180028C20 Relevance: 6.6, Strings: 5, Instructions: 335
COMMON

Function 000000018000C608 Relevance: 5.6, Strings: 4, Instructions: 616
COMMON

Function 00007FFF2F363EEC Relevance: 15.1, APIs: 10, Instructions: 121
COMMON

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre