Edit tour

Windows Analysis Report
qJhkILqiEA

Overview

General Information

Sample Name:	qJhkILqiEA (renamed file extension from none to dll)
Analysis ID:	631909
MD5:	8516983eedc8690c1495b828b4262a63
SHA1:	bdd250044234e53e9f08db444a1de00987735930
SHA256:	90498f1ee590da28566434c15efcfd98e829846f233387553ea655fc7559168d
Tags:	exetrojan
Infos:

Detection

Emotet

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Emotet

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Changes security center settings (notifications, updates, antivirus, firewall)

Machine Learning detection for sample

Hides that the sample has been downloaded from the Internet (zone.identifier)

Queries the volume information (name, serial number etc) of a device

One or more processes crash

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Found evasive API chain (may stop execution after checking a module file name)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

IP address seen in connection with other malware

AV process strings found (often used to terminate AV products)

PE file contains an invalid checksum

Tries to load missing DLLs

Drops PE files to the windows directory (C:\Windows)

Detected TCP or UDP traffic on non-standard ports

Checks if the current process is being debugged

Registers a DLL

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries disk information (often used to detect virtual machines)

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

loaddll64.exe (PID: 6012 cmdline: loaddll64.exe "C:\Users\user\Desktop\qJhkILqiEA.dll" MD5: 4E8A40CAD6CCC047914E3A7830A2D8AA)

cmd.exe (PID: 5772 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\qJhkILqiEA.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

rundll32.exe (PID: 2960 cmdline: rundll32.exe "C:\Users\user\Desktop\qJhkILqiEA.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)

WerFault.exe (PID: 6528 cmdline: C:\Windows\system32\WerFault.exe -u -p 2960 -s 352 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)

regsvr32.exe (PID: 2320 cmdline: regsvr32.exe /s C:\Users\user\Desktop\qJhkILqiEA.dll MD5: D78B75FC68247E8A63ACBA846182740E)

regsvr32.exe (PID: 6448 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\JTkGafd\eTKTE.dll" MD5: D78B75FC68247E8A63ACBA846182740E)

rundll32.exe (PID: 6236 cmdline: rundll32.exe C:\Users\user\Desktop\qJhkILqiEA.dll,AddIn_FileTime MD5: 73C519F050C20580F8A62C849D49215A)

WerFault.exe (PID: 6544 cmdline: C:\Windows\system32\WerFault.exe -u -p 6236 -s 328 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)

rundll32.exe (PID: 6412 cmdline: rundll32.exe C:\Users\user\Desktop\qJhkILqiEA.dll,AddIn_SystemTime MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 6552 cmdline: rundll32.exe C:\Users\user\Desktop\qJhkILqiEA.dll,DllRegisterServer MD5: 73C519F050C20580F8A62C849D49215A)

svchost.exe (PID: 6616 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6772 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6848 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6912 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

SgrmBroker.exe (PID: 6952 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)

svchost.exe (PID: 6972 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

MpCmdRun.exe (PID: 3024 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)

conhost.exe (PID: 5772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

svchost.exe (PID: 7004 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5164 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 2944 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6476 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5884 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6364 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.276299390.00000000010B0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000000.275085692.0000000180001000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000000.273091773.0000000180001000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.301040705.0000000180001000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000000.275341515.0000000180001000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000000.275169745.0000014B00000000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.300731557.000001BB54E00000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000000.274124592.000001BB54E00000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.300443242.0000000180001000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000000.275509127.000001BB54E00000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000000.273232804.0000014B00000000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000009.00000002.780104900.0000000002430000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000009.00000002.780540136.0000000180001000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000000.273887036.0000000180001000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.301094896.0000014B00000000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author
9.2.regsvr32.exe.2430000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.0.rundll32.exe.14b00000000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.0.rundll32.exe.1bb54e00000.2.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.regsvr32.exe.10b0000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.14b00000000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.0.rundll32.exe.1bb54e00000.2.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
9.2.regsvr32.exe.2430000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.0.rundll32.exe.1bb54e00000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.0.rundll32.exe.1bb54e00000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.1bb54e00000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.0.rundll32.exe.14b00000000.2.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.0.rundll32.exe.14b00000000.2.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.14b00000000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.1bb54e00000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.0.rundll32.exe.14b00000000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.regsvr32.exe.10b0000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 11 entries

Code function: 3_2_00007FFFE27312E3 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,

3_2_00007FFFE27312E3

Source: qJhkILqiEA.dll

Static PE information: real checksum: 0x654f5 should be: 0x66558

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\qJhkILqiEA.dll

Source: C:\Windows\System32\regsvr32.exe

PE file moved: C:\Windows\System32\JTkGafd\eTKTE.dll

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\System32\regsvr32.exe

File opened: C:\Windows\system32\JTkGafd\eTKTE.dll:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\svchost.exe TID: 1404	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5304	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 4180	Thread sleep time: -90000s >= -30000s

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\rundll32.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess			graph_4-12589
Source: C:\Windows\System32\regsvr32.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess			graph_3-16410

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	API coverage: 8.2 %
Source: C:\Windows\System32\rundll32.exe	API coverage: 8.6 %

Source: C:\Windows\System32\regsvr32.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: 9_2_00000001800248B0 FindFirstFileW,FindNextFileW,FindClose,

9_2_00000001800248B0

Source: C:\Windows\System32\regsvr32.exe	API call chain: ExitProcess graph end node	graph_3-16412
Source: C:\Windows\System32\regsvr32.exe	API call chain: ExitProcess graph end node	graph_3-16378
Source: C:\Windows\System32\rundll32.exe	API call chain: ExitProcess graph end node	graph_4-12591
Source: C:\Windows\System32\rundll32.exe	API call chain: ExitProcess graph end node	graph_4-12564

Source: C:\Windows\System32\regsvr32.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: svchost.exe, 00000015.00000002.666840804.00000233A0C24000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`RF
Source: svchost.exe, 00000015.00000002.667132701.00000233A6462000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @Hyper-V RAW(@
Source: regsvr32.exe, 00000009.00000002.779704007.0000000000BCC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.779591916.0000000000BB5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.574209878.0000000000BCB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.573842211.0000000000BA2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.667115148.00000233A6449000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.645176753.0000024506ED6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.645202538.0000024506EED000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.645130309.0000024506EAB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000D.00000002.779374181.000001E85C802000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: svchost.exe, 0000000D.00000002.779489914.000001E85C841000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.779831348.000001E2D8843000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.779540220.0000024354A29000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\regsvr32.exe

Code function: 3_2_00007FFFE272BE50 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_00007FFFE272BE50

Source: C:\Windows\System32\regsvr32.exe

Code function: 3_2_00007FFFE2730215 _itow_s,_invoke_watson_if_error,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,_wcsftime_l,_invoke_watson_if_oneof,_invoke_watson_if_error,_invoke_watson_if_error,_invoke_watson_if_error,_invoke_watson_if_error,_invoke_watson_if_error,_snwprintf_s,_invoke_watson_if_oneof,_invoke_watson_if_error,_invoke_watson_if_oneof,_invoke_watson_if_error,_unlock,GetFileType,WriteConsoleW,GetLastError,_invoke_watson_if_oneof,WriteFile,WriteFile,OutputDebugStringW,_itow_s,_invoke_watson_if_error,

3_2_00007FFFE2730215

Source: C:\Windows\System32\regsvr32.exe

3_2_00007FFFE27312E3

Source: C:\Windows\System32\loaddll64.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFFE272BE50 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00007FFFE272BE50
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFFE2723280 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00007FFFE2723280
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FFFE272BE50 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00007FFFE272BE50
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00007FFFE2723280 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_00007FFFE2723280

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\regsvr32.exe

Network Connect: 173.82.82.196 8080

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\qJhkILqiEA.dll",#1

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: 3_2_00007FFFE2728900 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

3_2_00007FFFE2728900

Source: C:\Windows\System32\regsvr32.exe

Code function: 3_2_00007FFFE2728860 HeapCreate,GetVersion,HeapSetInformation,

3_2_00007FFFE2728860

Lowering of HIPS / PFW / Operating System Security Settings

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Jump to behavior

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Source: svchost.exe, 00000012.00000002.779551502.000002064CE40000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &@\REGISTRY\USER\S-1-5-19ws Defender\MsMpeng.exe
Source: svchost.exe, 00000012.00000002.779505236.000002064CE29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.779593376.000002064CF02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information

Yara detected Emotet

Source: Yara match	File source: 9.2.regsvr32.exe.2430000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rundll32.exe.14b00000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.rundll32.exe.1bb54e00000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.10b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.14b00000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.rundll32.exe.1bb54e00000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.regsvr32.exe.2430000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.rundll32.exe.1bb54e00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.rundll32.exe.1bb54e00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.1bb54e00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rundll32.exe.14b00000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rundll32.exe.14b00000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.14b00000000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.1bb54e00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.rundll32.exe.14b00000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.10b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.276299390.00000000010B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.275085692.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.273091773.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.301040705.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.275341515.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.275169745.0000014B00000000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.300731557.000001BB54E00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.274124592.000001BB54E00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.300443242.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.275509127.000001BB54E00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.273232804.0000014B00000000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.780104900.0000000002430000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.780540136.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.273887036.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.301094896.0000014B00000000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	21 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	2 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Query Registry	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	3 Virtualization/Sandbox Evasion	Security Account Manager	61 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Ingress Tool Transfer	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	111 Process Injection	NTDS	3 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	2 Process Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Hidden Files and Directories	Cached Domain Credentials	1 Remote System Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	2 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Regsvr32	Proc Filesystem	25 System Information Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 Rundll32	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	1 DLL Side-Loading	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	1 File Deletion	Input Capture	Permission Groups Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
qJhkILqiEA.dll	39%	Virustotal		Browse
qJhkILqiEA.dll	59%	ReversingLabs	Win64.Trojan.Emotet
qJhkILqiEA.dll	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://173.82.82.196:8080/tem	100%	Avira URL Cloud	malware
https://www.pango.co/privacy	0%	URL Reputation	safe
https://www.tiktok.com/legal/report	0%	URL Reputation	safe
https://www.disneyplus.com/legal/your-california-privacy-rights	0%	URL Reputation	safe
https://173.82.82.196:8080/4	100%	Avira URL Cloud	malware
https://173.82.82.196/	100%	URL Reputation	malware
http://crl.ver)	0%	Avira URL Cloud	safe
https://www.tiktok.com/legal/report/feedback	0%	URL Reputation	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
https://173.82.82.196:8080/	100%	URL Reputation	malware
https://www.disneyplus.com/legal/privacy-policy	0%	URL Reputation	safe
https://173.82.82.196:8080/X	100%	Avira URL Cloud	malware
https://dynamic.t	0%	URL Reputation	safe
https://disneyplus.com/legal.	0%	URL Reputation	safe
http://help.disneyplus.com.	0%	URL Reputation	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://dev.ditu.live.com/REST/v1/Routes/	svchost.exe, 00000010.00000002.326446385.000001EEBD43D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 00000010.00000003.325811178.000001EEBD461000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx	svchost.exe, 00000010.00000002.326446385.000001EEBD43D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.tiles.ditu.live.com/tiles/gen	svchost.exe, 00000010.00000002.326477827.000001EEBD456000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.325925433.000001EEBD450000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.325821699.000001EEBD44D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Walking	svchost.exe, 00000010.00000003.325811178.000001EEBD461000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=	svchost.exe, 00000010.00000002.326457641.000001EEBD442000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.325856156.000001EEBD440000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.325882596.000001EEBD441000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/mapcontrol/logging.ashx	svchost.exe, 00000010.00000003.325811178.000001EEBD461000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/	svchost.exe, 00000010.00000003.325834208.000001EEBD449000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	svchost.exe, 00000010.00000003.303858019.000001EEBD430000.00000004.00000020.00020000.00000000.sdmp	false		high
https://173.82.82.196:8080/tem	regsvr32.exe, 00000009.00000002.779518435.0000000000BA2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.573842211.0000000000BA2000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://dev.virtualearth.net/REST/v1/Transit/Schedules/	svchost.exe, 00000010.00000002.326457641.000001EEBD442000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.325856156.000001EEBD440000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.325882596.000001EEBD441000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.hotspotshield.com/terms/	svchost.exe, 00000026.00000003.616553473.00000245077AA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.616691918.0000024507787000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.616612672.00000245077B4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.616639931.0000024507C02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.616586218.0000024507798000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.616569796.0000024507787000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.pango.co/privacy	svchost.exe, 00000026.00000003.616553473.00000245077AA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.616691918.0000024507787000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.616612672.00000245077B4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.616639931.0000024507C02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.616586218.0000024507798000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.616569796.0000024507787000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.tiktok.com/legal/report	svchost.exe, 00000026.00000003.624893055.0000024507789000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.bingmapsportal.com	svchost.exe, 00000010.00000002.326155574.000001EEBD413000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 00000010.00000003.303858019.000001EEBD430000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.326446385.000001EEBD43D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx	svchost.exe, 00000010.00000003.325811178.000001EEBD461000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.disneyplus.com/legal/your-california-privacy-rights	svchost.exe, 00000026.00000003.620962483.00000245077AB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://173.82.82.196:8080/4	regsvr32.exe, 00000009.00000002.779518435.0000000000BA2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.573842211.0000000000BA2000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=	svchost.exe, 00000010.00000003.325856156.000001EEBD440000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.325877149.000001EEBD445000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Transit/Stops/	svchost.exe, 00000010.00000002.326502045.000001EEBD469000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.325786484.000001EEBD467000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/	svchost.exe, 00000010.00000002.326446385.000001EEBD43D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/	svchost.exe, 00000010.00000003.303858019.000001EEBD430000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=	svchost.exe, 00000010.00000003.325856156.000001EEBD440000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.325877149.000001EEBD445000.00000004.00000020.00020000.00000000.sdmp	false		high
https://173.82.82.196/	regsvr32.exe, 00000009.00000002.779518435.0000000000BA2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.573842211.0000000000BA2000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
http://crl.ver)	svchost.exe, 00000015.00000002.667067807.00000233A6413000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?	svchost.exe, 00000010.00000003.325856156.000001EEBD440000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.326463887.000001EEBD44B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.325834208.000001EEBD449000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.tiktok.com/legal/report/feedback	svchost.exe, 00000026.00000003.624813083.00000245077B0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.624938666.0000024507C02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.624922280.000002450779A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.624893055.0000024507789000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.624832618.00000245077B0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=	svchost.exe, 00000010.00000002.326155574.000001EEBD413000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.326446385.000001EEBD43D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://%s.xboxlive.com	svchost.exe, 0000000E.00000002.779831348.000001E2D8843000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	low
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 00000010.00000002.326477827.000001EEBD456000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.325925433.000001EEBD450000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.325821699.000001EEBD44D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Locations	svchost.exe, 00000010.00000003.325811178.000001EEBD461000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 00000010.00000003.303858019.000001EEBD430000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/logging.ashx	svchost.exe, 00000010.00000003.325811178.000001EEBD461000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.hotspotshield.com/	svchost.exe, 00000026.00000003.616553473.00000245077AA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.616691918.0000024507787000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.616612672.00000245077B4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.616639931.0000024507C02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.616586218.0000024507798000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.616569796.0000024507787000.00000004.00000020.00020000.00000000.sdmp	false		high
https://173.82.82.196:8080/	regsvr32.exe, 00000009.00000002.779518435.0000000000BA2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.573842211.0000000000BA2000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=	svchost.exe, 00000010.00000002.326463887.000001EEBD44B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.325834208.000001EEBD449000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.disneyplus.com/legal/privacy-policy	svchost.exe, 00000026.00000003.620962483.00000245077AB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 00000010.00000003.303858019.000001EEBD430000.00000004.00000020.00020000.00000000.sdmp	false		high
https://173.82.82.196:8080/X	regsvr32.exe, 00000009.00000002.779344665.0000000000B68000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://dynamic.t	svchost.exe, 00000010.00000003.325821699.000001EEBD44D000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 00000010.00000003.325811178.000001EEBD461000.00000004.00000020.00020000.00000000.sdmp	false		high
https://disneyplus.com/legal.	svchost.exe, 00000026.00000003.620962483.00000245077AB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen	svchost.exe, 00000010.00000003.303858019.000001EEBD430000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.326347509.000001EEBD439000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=	svchost.exe, 00000010.00000002.326463887.000001EEBD44B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.325834208.000001EEBD449000.00000004.00000020.00020000.00000000.sdmp	false		high
https://activity.windows.com	svchost.exe, 0000000E.00000002.779831348.000001E2D8843000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Locations	svchost.exe, 00000010.00000003.325811178.000001EEBD461000.00000004.00000020.00020000.00000000.sdmp	false		high
http://help.disneyplus.com.	svchost.exe, 00000026.00000003.620962483.00000245077AB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://%s.dnet.xboxlive.com	svchost.exe, 0000000E.00000002.779831348.000001E2D8843000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	low
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 00000010.00000003.325834208.000001EEBD449000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
173.82.82.196	unknown	United States		35916	MULTA-ASN1US	true

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	631909
Start date and time: 22/05/202222:35:11	2022-05-22 22:35:11 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	qJhkILqiEA (renamed file extension from none to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal84.troj.evad.winDLL@32/16@0/3
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 67.5% (good quality ratio 36%) Quality average: 32.7% Quality standard deviation: 37.6%
HCA Information:	Successful, ratio: 94% Number of executed functions: 53 Number of non-executed functions: 243
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.20, 20.42.73.29, 23.54.113.104, 173.222.108.210, 173.222.108.226, 20.223.24.244
Excluded domains from analysis (whitelisted): a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, login.live.com, onedsblobprdeus15.eastus.cloudapp.azure.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, onedsblobprdwus15.westus.cloudapp.azure.com, settings-win.data.microsoft.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
22:36:45	API Interceptor	2x Sleep call for process: WerFault.exe modified
22:36:54	API Interceptor	11x Sleep call for process: svchost.exe modified
22:37:50	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
173.82.82.196	kUXfb4ZQK4.dll	Get hash	malicious	Browse
	ySv9jlPYxN.dll	Get hash	malicious	Browse
	uDAHAlLDYG.dll	Get hash	malicious	Browse
	KzqzJLGI6e.dll	Get hash	malicious	Browse
	EVS7gcLnud.dll	Get hash	malicious	Browse
	kUXfb4ZQK4.dll	Get hash	malicious	Browse
	o2PJRbV77k.dll	Get hash	malicious	Browse
	EVS7gcLnud.dll	Get hash	malicious	Browse
	KzqzJLGI6e.dll	Get hash	malicious	Browse
	o2PJRbV77k.dll	Get hash	malicious	Browse
	M7GdKu4Giv.dll	Get hash	malicious	Browse
	Hr5V6ZHTKv.dll	Get hash	malicious	Browse
	M7GdKu4Giv.dll	Get hash	malicious	Browse
	Hr5V6ZHTKv.dll	Get hash	malicious	Browse
	M8WPxI5dUq.dll	Get hash	malicious	Browse
	IakisE3UQP.dll	Get hash	malicious	Browse
	F2cSKnVRtQ.dll	Get hash	malicious	Browse
	ytOneM9rNb.dll	Get hash	malicious	Browse
	3vM1vIMlME.dll	Get hash	malicious	Browse
	IakisE3UQP.dll	Get hash	malicious	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
MULTA-ASN1US	kUXfb4ZQK4.dll	Get hash	malicious	Browse	173.82.82.196
	ySv9jlPYxN.dll	Get hash	malicious	Browse	173.82.82.196
	uDAHAlLDYG.dll	Get hash	malicious	Browse	173.82.82.196
	KzqzJLGI6e.dll	Get hash	malicious	Browse	173.82.82.196
	EVS7gcLnud.dll	Get hash	malicious	Browse	173.82.82.196
	kUXfb4ZQK4.dll	Get hash	malicious	Browse	173.82.82.196
	o2PJRbV77k.dll	Get hash	malicious	Browse	173.82.82.196
	EVS7gcLnud.dll	Get hash	malicious	Browse	173.82.82.196
	KzqzJLGI6e.dll	Get hash	malicious	Browse	173.82.82.196
	o2PJRbV77k.dll	Get hash	malicious	Browse	173.82.82.196
	miori.arm7-20220522-1600	Get hash	malicious	Browse	216.127.183.179
	M7GdKu4Giv.dll	Get hash	malicious	Browse	173.82.82.196
	Hr5V6ZHTKv.dll	Get hash	malicious	Browse	173.82.82.196
	M7GdKu4Giv.dll	Get hash	malicious	Browse	173.82.82.196
	Hr5V6ZHTKv.dll	Get hash	malicious	Browse	173.82.82.196
	M8WPxI5dUq.dll	Get hash	malicious	Browse	173.82.82.196
	IakisE3UQP.dll	Get hash	malicious	Browse	173.82.82.196
	F2cSKnVRtQ.dll	Get hash	malicious	Browse	173.82.82.196
	ytOneM9rNb.dll	Get hash	malicious	Browse	173.82.82.196
	3vM1vIMlME.dll	Get hash	malicious	Browse	173.82.82.196

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.chk

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.3593198815979092
Encrypted:	false
SSDEEP:	12:SnaaD0JcaaD0JwQQU2naaD0JcaaD0JwQQU:4tgJctgJw/tgJctgJw
MD5:	BF1DC7D5D8DAD7478F426DF8B3F8BAA6
SHA1:	C6B0BDE788F553F865D65F773D8F6A3546887E42
SHA-256:	BE47C764C38CA7A90A345BE183F5261E89B98743B5E35989E9A8BE0DA498C0F2
SHA-512:	00F2412AA04E09EA19A8315D80BE66D2727C713FC0F5AE6A9334BABA539817F568A98CA3A45B2673282BDD325B8B0E2840A393A4DCFADCB16473F5EAF2AF3180
Malicious:	false
Preview:	.......................3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@...................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	MPEG-4 LOAS
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.24947612639605962
Encrypted:	false
SSDEEP:	1536:BJiRdfVzkZm3lyf49uyc0ga04PdHS9LrM/oVMUdSRU4a:BJiRdwfu2SRU4a
MD5:	20D65F737AC7651971A0AA755D1E7E12
SHA1:	6675199D990A5433EB11EB36FD0AA3559C220DC5
SHA-256:	411B0A8BD735F0620F5DDE39895EFD131D17DCCF5EB25F2296694B910D51E885
SHA-512:	5D12720DD83B469C15800DEC713DA2F2C1CB37F52CA1D6F2C79DFC08C66D7DCC345C49A0F0B267A01F451B9D4A593615D8DA4862174EE00D7E19452441589351
Malicious:	false
Preview:	V.d.........@..@.3...w...........................3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.........................................d#.................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0xadbf7199, page size 16384, Windows version 10.0
Category:	dropped
Size (bytes):	786432
Entropy (8bit):	0.2505206879766742
Encrypted:	false
SSDEEP:	384:FLu+W0StseCJ48EApW0StseCJ48E2rTSjlK/ebmLerYSRSY1J2:FLBSB2nSB2RSjlK/+mLesOj1J2
MD5:	73394369205269EDEE99F5D26DA68F54
SHA1:	BBC4E6BC8EFCEC7C16D0B4AD815B7861C16EB17C
SHA-256:	58AC059ECE0C37F1E3E4B9DD37EF0E9DB135D4E05C97E89F53FD3BFE07AFBE87
SHA-512:	2CD314095DFE0B026536896D1925BE7E2E33EB5D141606B9AA76A457CEC5F492C40A2303C1CBE9574715C5CA50E1D2F6868570CE1D1B05CF63E6CF2AB467F840
Malicious:	false
Preview:	..q.... ................e.f.3...w........................)......(...z..6$...z..h.(......(...z....)..............3...w...........................................................................................................B...........@...................................................................................................... ...................................................................................................................................................................................................................................................'..A.(...z....................4..(...z..........................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.07358110724839773
Encrypted:	false
SSDEEP:	3:mlT7vTQaslt41gkgNqk9ihNpVWyasltAll3Vkttlmlnl:mrO41gpNqT6yNA3
MD5:	D5B239BD9A6FDC26898A229E38204473
SHA1:	9A52385262A2D6272E26291C39D934944E1E0281
SHA-256:	447943F993982FC35D978C0406301AC5263FF255511A6BBF879F90BBE126E9FC
SHA-512:	908413F299141CEC92336CF0BFAD2173C874BB9AA3526980F1F112732960A60BC93C300DBCCFBCB94B04A4563EEF57533BD4EC2698047756E9AEC1670C382DA1
Malicious:	false
Preview:	8.!......................................3...w..6$...z...(...z...........(...z...(...z..X....(...z....................4..(...z..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_qJh_4c633c907b4a85acdb7918fc966c22f420621b1_e567d4a7_19e8067e\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7859304120709223
Encrypted:	false
SSDEEP:	96:THsiFO01xui4JPnyRjZ55ol7RH6tpXIQcQSc6rcEbcw3dXXaXz+HbHgSQgJPbsIA:T/n1ki4JKPHMvhBjC9/u7sVS274ltY3
MD5:	3CC5050A660AF149D59DD20835EF7835
SHA1:	AC1B7FA95ED16816A2B769E23921A44CF43B5707
SHA-256:	F68FA028840101375487807AE4FAB5A5DBEF84F74A2F120DBC81E67FA65215F4
SHA-512:	D9F3ED055B9753491453CE814E1DEA9066A13F7652CCC302224E57E2886C11108EC921AAD0B0AA6D9856F15E061E92A450A581844A23CA9E4B9FE9F1455F65C1
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.7.7.2.5.3.9.6.2.2.4.0.3.9.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.9.7.7.2.5.4.0.3.8.1.7.7.5.8.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.9.0.4.4.5.c.9.-.e.a.3.6.-.4.6.b.1.-.a.0.f.b.-.8.1.9.6.6.f.e.f.c.6.5.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.9.0.8.e.c.4.9.-.0.b.7.2.-.4.5.0.5.-.b.f.c.d.-.7.6.7.2.5.8.b.b.6.b.4.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.q.J.h.k.I.L.q.i.E.A...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.b.9.0.-.0.0.0.1.-.0.0.1.c.-.4.7.3.3.-.9.c.9.b.1.b.6.e.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.2.f.3.4.c.c.f.d.d.8.1.4.1.a.e.e.e.2.e.8.9.f.f.b.0.7.0.c.e.2.3.9.c.7.d.0.0.7.0.6.!.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_qJh_4c633c907b4a85acdb7918fc966c22f420621b1_e567d4a7_19f80630\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7865047293153473
Encrypted:	false
SSDEEP:	96:TyTFlRjuiTmJPnyqjZ55ol7RH6tpXIQcQSc6rcEbcw3dXXaXz+HbHgSQgJPbsIDE:TUxyiKJK8HMvhBjC9/u7sVS274ltY3
MD5:	BE8E7AFD6D4D8E250CE1A726779FE8E6
SHA1:	272EE5BBA30B54931D1B9D8A45F5EF07237B37F9
SHA-256:	6EC80542284C3AD85D8F7CD2C0F120E436D3F42F3F5A5FB22261EB906D0556FF
SHA-512:	C83EF3BB0C3CB0F1D4BC056283D8A043D7BCD9B87D8FB8BA4A7720B2C331477053FE131C0D5FB068A98E95A223FA6E472465E37832C02E727B55ED53C3E02ABA
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.7.7.2.5.3.9.7.2.4.2.4.5.5.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.9.7.7.2.5.4.0.4.0.3.9.6.4.9.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.7.a.6.b.d.8.7.-.b.a.b.e.-.4.2.b.b.-.9.b.0.7.-.5.5.f.f.f.6.2.1.9.8.0.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.a.c.8.c.9.e.2.-.e.1.1.3.-.4.5.1.5.-.8.e.a.0.-.0.7.2.5.c.8.f.e.3.7.8.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.q.J.h.k.I.L.q.i.E.A...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.5.c.-.0.0.0.1.-.0.0.1.c.-.0.7.8.a.-.1.9.9.c.1.b.6.e.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.2.f.3.4.c.c.f.d.d.8.1.4.1.a.e.e.e.2.e.8.9.f.f.b.0.7.0.c.e.2.3.9.c.7.d.0.0.7.0.6.!.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE25C.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Sun May 22 20:36:37 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	64530
Entropy (8bit):	2.315537384600245
Encrypted:	false
SSDEEP:	384:9kMXiPwsv7fawuClNswEniFpDaCszpNFcp4S:KPPNvz7uClNj6S1gpop4S
MD5:	6E3A6E38BDE0EBAF672E0B152B2E9CF8
SHA1:	15D7C2EAB0A78B5594AE198671074CD3705BC384
SHA-256:	F3EBE8933537C8579E3DDA32ED19A4C49E631206C2C29543A80D4BE47902750F
SHA-512:	4AF1E2B65CA5EA3E91E2FD283C73E6CED6964AADB50C794D8B51E2782EFBDA1E4CB811821313A681F1E493BB13A8EF9A1A3D3F67CD5ADAA15A4DC3A7E55B7818
Malicious:	false
Preview:	MDMP....... .........b........................................8...........p;..........`.......8...........T...............j............"...........$...................................................................U...........B......\%......Lw................[.z...T.............b.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE625.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Sun May 22 20:36:38 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	64134
Entropy (8bit):	2.3132814896368528
Encrypted:	false
SSDEEP:	384:4kMiiPwsv7faw0CsOdswiniF0i0IJlPwwLGn:L0PNvz70CsOdj0S0iV4fn
MD5:	5762DF0D5C2D10CFC58DEC5EDC63512D
SHA1:	102E5BD0BAF25BBF95E64D58355E0542FD2377D4
SHA-256:	C0593FDBF884DFA66D9FE0F5754A5DF0E8FA1B96FA410EFCC0553DB512F14A1F
SHA-512:	53D4EC26D60D6A0201CB240D08D7F75A0DD191F4CE131EEF5E2DB439DE06DA90372F91DBCF43CA2C6154F1B79B92FDDCAA4E9D99D4AF112C9AB930609A3C8CD1
Malicious:	false
Preview:	MDMP....... .........b........................................8...........p;..........`.......8...........T...........X................"...........$...................................................................U...........B......\%......Lw................-.....T.......\.....b.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE9CF.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8654
Entropy (8bit):	3.7023316502859234
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNi4TlURnIWi6YsrggmfWIS6+pr289bplgf0FqDm:RrlsNi8lURnPi6YwggmfWISZpyfeX
MD5:	B8E3028C112C3C71A3CB60C7B7FCDDD0
SHA1:	D38E9FB48CDC23A92AD506C135763E18DF93AB72
SHA-256:	45DC1365195E5C811A19BECCA1668BB85CAAB2B911B04602390C73088BA0ED95
SHA-512:	FD60D614313495F8B70ED5F9A780EC113190C3CC99CF9C8C74C4783CCEAF0DAB24AA72C885DDE1C95C1DB040052D52A80F1B434D7664816E08354BACB6FB742B
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.9.6.0.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREEF0.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8648
Entropy (8bit):	3.7038225115094234
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiMLLknn7q6YcrEgmfWIS6+pru89bgCjfgAm:RrlsNiQwnn7q6YwEgmfWISBg+fO
MD5:	965DAF269BD9EFCFE40F782FD4698C80
SHA1:	4656D35C5D7E9567670A03FD740745A4FBFD9052
SHA-256:	DB0014AFD19EB60F62AD7842007E2372E17E7E86D26F7EDC87C1C86667BDD6BB
SHA-512:	AEE10F34B4ACA2DC76C8DB1486E51ACFC8197874D5B37946A7338CC583C15AA6450D7907FD1B1C26D648866E21A39B9F03D5C8A43C6C87E4D93A33CEAB249DFF
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.2.3.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFD1A.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4892
Entropy (8bit):	4.512466543323588
Encrypted:	false
SSDEEP:	48:cvIwSD8zssJgtBI9SkWgc8sqYjD8fm8M4JCGCZgnFCyq8vhZgIZESC5Snd:uITfqQ9grsqYMJ0WHVvnd
MD5:	8F1689406911B2F7E49C47368E43E230
SHA1:	66C4B97D02C8484C78A2E9B59588697D331319C7
SHA-256:	8C292370BB9AA8DAE8FE42A1081425FBB0C06C24AE26CE66875319CFD1557C7C
SHA-512:	E861BE0A7AED138F28FAE5EA383DCA347AC34CA7D2A24923073914613E73F5F49BA69F364115F232B7CECEF952BA81232739F1309C879BF42477801A34B798BA
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1526747" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFEFE.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4892
Entropy (8bit):	4.509638164405873
Encrypted:	false
SSDEEP:	48:cvIwSD8zssJgtBI9SkWgc8sqYjes8fm8M4JCGCZgnFOIyq8vhZgMZESC5S6d:uITfqQ9grsqYiRJgIWDVv6d
MD5:	E9691250CF31B709DDD09DCAB4C634E6
SHA1:	57168296F89C4D8250AE7E143AD264F9AB43432A
SHA-256:	C5298984E457F5D65F87122FCFA189BA9ACADE8CE9162EA40076EF293CC968D5
SHA-512:	F6936C882F01C2D25E3A0D6F11E9BD02A562B7C877173990400C698F7FF5430F724A40D96197DF9C12175DC589B8DAD3E1CE01CC82DCA504C9E79C92060F3171
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1526747" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\System32\regsvr32.exe
File Type:	Microsoft Cabinet archive data, 61480 bytes, 1 file
Category:	dropped
Size (bytes):	61480
Entropy (8bit):	7.9951219482618905
Encrypted:	true
SSDEEP:	1536:kmu7iDG/SCACih0/8uIGantJdjFpTE8lTeNjiXKGgUN:CeGf5gKsG4vdjFpjlYeX9gUN
MD5:	B9F21D8DB36E88831E5352BB82C438B3
SHA1:	4A3C330954F9F65A2F5FD7E55800E46CE228A3E2
SHA-256:	998E0209690A48ED33B79AF30FC13851E3E3416BED97E3679B6030C10CAB361E
SHA-512:	D4A2AC7C14227FBAF8B532398FB69053F0A0D913273F6917027C8CADBBA80113FDBEC20C2A7EB31B7BB57C99F9FDECCF8576BE5F39346D8B564FC72FB1699476
Malicious:	false
Preview:	MSCF....(.......,...................I........y.........Tbr .authroot.stl..$..4..CK..<Tk...c_.d....A.K.....Y.f....!.))$7I.....e..eKT..k....n.3.......S..9.s.....3H.Mh......qV.=M6.=.4.F.....V:F..]......B`....Q...c"U.0.n....J.....4.....i7s..:.27....._...+).lE..he.4\|.?,...h....7..PA..b.,. .....#1+..o...g.....2n1m...=.......Dp.;..f..ljX.Dx..r<'.1RI3B0<w.D.z..)D\|..8<..c+..'XH..K,.Y..d.j.<.A.......l_lVb[w..rDp...'.....nL....!G.F....f.fX..r.. ?.....v(...L..<.\.Z..g;.>.0v...P ......\|...A..(..x...T0.`g...c..7.U?...9.p..a..&..9......sV..l0..D..fhi..h.F....q...y.....Mq].4..Z.....={L....AS..9.....:.:.........+..P.N....EAQ.V. sr.....y.B.`.Efe..8../....$...y-.q.J.......nP...2.Q8...O........M.@\.>=X....V..z.4.=.@...ws.N.M3.S.c?.....C4]?..\.K.9......^...CU......O....X.`........._.gU.....V.{V6..m..D.-\|.Q.t.7.....9.~....[...I.<e...~$..>......s.I.S....~1..IV.2Ri:..]R!8...q...l.X.%.)@......2.gb,t...}..;...@.Z..<q..y..:...e3..cY.we.$....z..\| .#.......I...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\System32\regsvr32.exe
File Type:	data
Category:	modified
Size (bytes):	330
Entropy (8bit):	3.126909434994818
Encrypted:	false
SSDEEP:	6:kKKHqoJN+SkQlPlEGYRMY9z+4KlDA3RUesJ21:SkkPlE99SNxAhUesE1
MD5:	5E35003528F15CD05DB54A3585BB9393
SHA1:	12083A67A69375170A9BD0E64728765AC7536A81
SHA-256:	D7D802C99828C068267463359043F4B4ADDAD7B647084563C88E3B6B07FD3B88
SHA-512:	E252615B1E602E9DE45EB7B2CBEA3BE41181721ADB4EFFCFDE89A5A6C75E3078EC0669A0A5C3A3E47B6D3F3AAD37B261EEB38CFFB09D867AB8F0EFD0E305212B
Malicious:	false
Preview:	p...... .........E...n..(....................................................... ........3k/"[......(...........(...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".8.0.3.3.6.b.2.f.2.2.5.b.d.8.1.:.0."...

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log

Download File

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	10844
Entropy (8bit):	3.1613309566460055
Encrypted:	false
SSDEEP:	192:cY+38+DJM+i2Jt+iDQ+yw+f0+rU+0Jtk+EOtF+E7tC+Ewy+9:j+s+i+Z+z+B+c+Y+0g+J+j+u+9
MD5:	1BA198FFF3092A95D17C9CBD2DA7E593
SHA1:	E12CF2DE690D37FF2F70A7ED8C9FB2D270B406AA
SHA-256:	4E911FCFE261EDCEAC5FDC1162387B53C1F96A02216643FB68F8B143612D2C7F
SHA-512:	0AC7019EF4CFB43D56A190A9620445D3A260E29EA77BA3AC63FC40208CE9F215BAFDF45A2FB39E29AE2C70D5B2FCC4B6A65348ED5E96424D43F51ECDF2021338
Malicious:	false
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.............-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.

Static File Info

General

File type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit):	7.158106332990621
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	qJhkILqiEA.dll
File size:	365056
MD5:	8516983eedc8690c1495b828b4262a63
SHA1:	bdd250044234e53e9f08db444a1de00987735930
SHA256:	90498f1ee590da28566434c15efcfd98e829846f233387553ea655fc7559168d
SHA512:	c5b6a37a787a70e70be8614f957c183547b85dfa0913b746f6bc701cec09bd54e04fb53443dfeffedcf83176f581e6a5f4de06219a1fa6d9d015691e9432cd93
SSDEEP:	3072:JI0AM0yQkR9M6lglELtJUNjiWGyWcTb0JUiA2tqZ4IvUlDAj7UOjVifSwHEDQVLK:i5MR9M6y3TWRIvgMSS3AyUrhYu3j
TLSH:	7A747D56F6F110F5E8B7C138C9A23267F8317D559B38A7CB8A08865A4F70BA4E93D740
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........8..ik..ik..ik...k..ik...k..ik...k..ik..hk..ik...k..ik...k..ik...k..ik...k..ikRich..ik................PE..d...v{.b.........."

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General

Entrypoint:	0x180003580
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x180000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x62877B76 [Fri May 20 11:28:54 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	ad5c5b0f3e2e211c551f3b5059e614d7

Entrypoint Preview

Instruction
dec esp
mov dword ptr [esp+18h], eax
mov dword ptr [esp+10h], edx
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 28h
cmp dword ptr [esp+38h], 01h
jne 00007FD4ECB0DDC7h
call 00007FD4ECB13127h
dec esp
mov eax, dword ptr [esp+40h]
mov edx, dword ptr [esp+38h]
dec eax
mov ecx, dword ptr [esp+30h]
call 00007FD4ECB0DDD4h
dec eax
add esp, 28h
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec esp
mov dword ptr [esp+18h], eax
mov dword ptr [esp+10h], edx
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 48h
mov dword ptr [esp+20h], 00000001h
cmp dword ptr [esp+58h], 00000000h
jne 00007FD4ECB0DDD2h
cmp dword ptr [00028DE8h], 00000000h
jne 00007FD4ECB0DDC9h
xor eax, eax
jmp 00007FD4ECB0DEE4h
cmp dword ptr [esp+58h], 01h
je 00007FD4ECB0DDC9h
cmp dword ptr [esp+58h], 02h
jne 00007FD4ECB0DE10h
dec eax
cmp dword ptr [0001EDB9h], 00000000h
je 00007FD4ECB0DDDAh
dec esp
mov eax, dword ptr [esp+60h]
mov edx, dword ptr [esp+58h]
dec eax
mov ecx, dword ptr [esp+50h]
call dword ptr [0001EDA3h]
mov dword ptr [esp+20h], eax
cmp dword ptr [esp+20h], 00000000h
je 00007FD4ECB0DDD9h
dec esp
mov eax, dword ptr [esp+60h]
mov edx, dword ptr [esp+58h]
dec eax
mov ecx, dword ptr [esp+50h]
call 00007FD4ECB0DB2Ah
mov dword ptr [esp+20h], eax
cmp dword ptr [esp+20h], 00000000h
jne 00007FD4ECB0DDC9h
xor eax, eax

Rich Headers

Programming Language:

[LNK] VS2010 build 30319
[ASM] VS2010 build 30319
[ C ] VS2010 build 30319
[C++] VS2010 build 30319
[EXP] VS2010 build 30319
[RES] VS2010 build 30319
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2aad0	0x84	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2a204	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x30000	0x2d1fc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x2f000	0xfcc	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5e000	0x294	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x22000	0x298	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x203fa	0x20400	False	0.405969900678	zlib compressed data	5.75556665875	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x22000	0x8b54	0x8c00	False	0.276395089286	data	4.42213983851	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x2b000	0x3798	0x1400	False	0.1609375	data	2.22442517754	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata	0x2f000	0xfcc	0x1000	False	0.50537109375	data	5.09571430422	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x30000	0x2d1fc	0x2d200	False	0.922572931094	data	7.88663988983	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x5e000	0x6f2	0x800	False	0.21337890625	data	2.33584866509	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_FONTDIR	0x300a0	0x2d000	data	English	United States
RT_MANIFEST	0x5d0a0	0x15a	ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	GetTimeFormatA, GetDateFormatA, GetThreadLocale, FileTimeToSystemTime, VirtualAlloc, ExitProcess, CloseHandle, CreateFileW, SetStdHandle, GetCurrentThreadId, FlsSetValue, GetCommandLineA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, RtlUnwindEx, EncodePointer, FlsGetValue, FlsAlloc, FlsFree, SetLastError, GetLastError, HeapSize, HeapValidate, IsBadReadPtr, DecodePointer, GetProcAddress, GetModuleHandleW, SetHandleCount, GetStdHandle, InitializeCriticalSectionAndSpinCount, GetFileType, GetStartupInfoW, DeleteCriticalSection, GetModuleFileNameA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, HeapSetInformation, GetVersion, HeapCreate, HeapDestroy, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, EnterCriticalSection, LeaveCriticalSection, GetACP, GetOEMCP, GetCPInfo, IsValidCodePage, HeapAlloc, GetModuleFileNameW, HeapReAlloc, HeapQueryInformation, HeapFree, WriteFile, LoadLibraryW, LCMapStringW, MultiByteToWideChar, GetStringTypeW, OutputDebugStringA, WriteConsoleW, OutputDebugStringW, RaiseException, RtlPcToFileHeader, SetFilePointer, GetConsoleCP, GetConsoleMode, FlushFileBuffers
USER32.dll	MessageBoxA
ole32.dll	CoTaskMemFree, CoTaskMemAlloc, CoLoadLibrary

Exports

Name	Ordinal	Address
AddIn_FileTime	1	0x180001140
AddIn_SystemTime	2	0x1800010b0
DllRegisterServer	3	0x180003110

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 22, 2022 22:37:03.828249931 CEST	49753	8080	192.168.2.4	173.82.82.196
May 22, 2022 22:37:04.001533031 CEST	8080	49753	173.82.82.196	192.168.2.4
May 22, 2022 22:37:04.001677036 CEST	49753	8080	192.168.2.4	173.82.82.196
May 22, 2022 22:37:04.024921894 CEST	49753	8080	192.168.2.4	173.82.82.196
May 22, 2022 22:37:04.198132038 CEST	8080	49753	173.82.82.196	192.168.2.4
May 22, 2022 22:37:04.216738939 CEST	8080	49753	173.82.82.196	192.168.2.4
May 22, 2022 22:37:04.216763973 CEST	8080	49753	173.82.82.196	192.168.2.4
May 22, 2022 22:37:04.216927052 CEST	49753	8080	192.168.2.4	173.82.82.196
May 22, 2022 22:37:08.523586988 CEST	49753	8080	192.168.2.4	173.82.82.196
May 22, 2022 22:37:08.696876049 CEST	8080	49753	173.82.82.196	192.168.2.4
May 22, 2022 22:37:08.697592974 CEST	8080	49753	173.82.82.196	192.168.2.4
May 22, 2022 22:37:08.698016882 CEST	49753	8080	192.168.2.4	173.82.82.196
May 22, 2022 22:37:08.702534914 CEST	49753	8080	192.168.2.4	173.82.82.196
May 22, 2022 22:37:08.891077042 CEST	8080	49753	173.82.82.196	192.168.2.4
May 22, 2022 22:37:09.558660030 CEST	8080	49753	173.82.82.196	192.168.2.4
May 22, 2022 22:37:09.558732986 CEST	49753	8080	192.168.2.4	173.82.82.196
May 22, 2022 22:37:12.560230017 CEST	8080	49753	173.82.82.196	192.168.2.4
May 22, 2022 22:37:12.560255051 CEST	8080	49753	173.82.82.196	192.168.2.4
May 22, 2022 22:37:12.560350895 CEST	49753	8080	192.168.2.4	173.82.82.196
May 22, 2022 22:38:54.432938099 CEST	49753	8080	192.168.2.4	173.82.82.196
May 22, 2022 22:38:54.432982922 CEST	49753	8080	192.168.2.4	173.82.82.196

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll64.exePID: 6012, Parent PID: 3700

General

Target ID:	1
Start time:	22:36:24
Start date:	22/05/2022
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe "C:\Users\user\Desktop\qJhkILqiEA.dll"
Imagebase:	0x7ff794690000
File size:	140288 bytes
MD5 hash:	4E8A40CAD6CCC047914E3A7830A2D8AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 5772, Parent PID: 6012

General

Target ID:	2
Start time:	22:36:25
Start date:	22/05/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\qJhkILqiEA.dll",#1
Imagebase:	0x7ff7bb450000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: regsvr32.exePID: 2320, Parent PID: 6012

General

Target ID:	3
Start time:	22:36:26
Start date:	22/05/2022
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	regsvr32.exe /s C:\Users\user\Desktop\qJhkILqiEA.dll
Imagebase:	0x7ff706060000
File size:	24064 bytes
MD5 hash:	D78B75FC68247E8A63ACBA846182740E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.276299390.00000000010B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 2960, Parent PID: 5772

General

Target ID:	4
Start time:	22:36:26
Start date:	22/05/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\qJhkILqiEA.dll",#1
Imagebase:	0x7ff755bc0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000000.275085692.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000000.273091773.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.301040705.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000000.275169745.0000014B00000000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000000.273232804.0000014B00000000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.301094896.0000014B00000000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 6236, Parent PID: 6012

General

Target ID:	5
Start time:	22:36:27
Start date:	22/05/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\qJhkILqiEA.dll,AddIn_FileTime
Imagebase:	0x7ff755bc0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000000.275341515.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.300731557.000001BB54E00000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000000.274124592.000001BB54E00000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.300443242.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000000.275509127.000001BB54E00000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000000.273887036.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 6412, Parent PID: 6012

General

Target ID:	6
Start time:	22:36:31
Start date:	22/05/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\qJhkILqiEA.dll,AddIn_SystemTime
Imagebase:	0x7ff755bc0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: regsvr32.exePID: 6448, Parent PID: 2320

General

Target ID:	9
Start time:	22:36:33
Start date:	22/05/2022
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\regsvr32.exe "C:\Windows\system32\JTkGafd\eTKTE.dll"
Imagebase:	0x7ff706060000
File size:	24064 bytes
MD5 hash:	D78B75FC68247E8A63ACBA846182740E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000009.00000002.780104900.0000000002430000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000009.00000002.780540136.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 6528, Parent PID: 2960

General

Target ID:	10
Start time:	22:36:35
Start date:	22/05/2022
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 2960 -s 352
Imagebase:	0x7ff770e00000
File size:	494488 bytes
MD5 hash:	2AFFE478D86272288BBEF5A00BBEF6A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 6544, Parent PID: 6236

General

Target ID:	11
Start time:	22:36:35
Start date:	22/05/2022
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 6236 -s 328
Imagebase:	0x7ff770e00000
File size:	494488 bytes
MD5 hash:	2AFFE478D86272288BBEF5A00BBEF6A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 6552, Parent PID: 6012

General

Target ID:	12
Start time:	22:36:35
Start date:	22/05/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\qJhkILqiEA.dll,DllRegisterServer
Imagebase:	0x7ff755bc0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 6616, Parent PID: 564

General

Target ID:	13
Start time:	22:36:39
Start date:	22/05/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:	0x7ff7338d0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 6772, Parent PID: 564

General

Target ID:	14
Start time:	22:36:44
Start date:	22/05/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Imagebase:	0x7ff7338d0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 6848, Parent PID: 564

General

Target ID:	15
Start time:	22:36:46
Start date:	22/05/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Imagebase:	0x7ff7338d0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 6912, Parent PID: 564

General

Target ID:	16
Start time:	22:36:47
Start date:	22/05/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:	0x7ff7338d0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: SgrmBroker.exePID: 6952, Parent PID: 564

General

Target ID:	17
Start time:	22:36:48
Start date:	22/05/2022
Path:	C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\SgrmBroker.exe
Imagebase:	0x7ff7e6360000
File size:	163336 bytes
MD5 hash:	D3170A3F3A9626597EEE1888686E3EA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 6972, Parent PID: 564

General

Target ID:	18
Start time:	22:36:48
Start date:	22/05/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Imagebase:	0x7ff7338d0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 7004, Parent PID: 564

General

Target ID:	19
Start time:	22:36:49
Start date:	22/05/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k unistacksvcgroup
Imagebase:	0x7ff7338d0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 5164, Parent PID: 564

General

Target ID:	21
Start time:	22:36:53
Start date:	22/05/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff7338d0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: MpCmdRun.exePID: 3024, Parent PID: 6972

General

Target ID:	25
Start time:	22:37:49
Start date:	22/05/2022
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Imagebase:	0x7ff678970000
File size:	455656 bytes
MD5 hash:	A267555174BFA53844371226F482B86B
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5772, Parent PID: 3024

General

Target ID:	26
Start time:	22:37:50
Start date:	22/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff647620000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 2944, Parent PID: 564

General

Target ID:	28
Start time:	22:37:59
Start date:	22/05/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff7338d0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 6476, Parent PID: 564

General

Target ID:	33
Start time:	22:38:29
Start date:	22/05/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff7338d0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 5884, Parent PID: 564

General

Target ID:	35
Start time:	22:38:45
Start date:	22/05/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff7338d0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 6364, Parent PID: 564

General

Target ID:	38
Start time:	22:38:57
Start date:	22/05/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff7338d0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: regsvr32.exePID: 2320, Parent PID: 6012COMMON

Execution Graph

Execution Coverage:	7.9%
Dynamic/Decrypted Code Coverage:	2.6%
Signature Coverage:	9.9%
Total number of Nodes:	1891
Total number of Limit Nodes:	35

Executed Functions

Function 00007FFFE27212B0 Relevance: 210.9, APIs: 6, Strings: 114, Instructions: 872
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoLoadLibrary.OLE32 ref: 00007FFFE2722F02
MessageBoxA.USER32 ref: 00007FFFE2722F1C
ExitProcess.KERNEL32 ref: 00007FFFE2722F27
VirtualAlloc.KERNELBASE ref: 00007FFFE2722F57
RtlAllocateHeap.NTDLL ref: 00007FFFE2722F65
RtlDeleteBoundaryDescriptor.NTDLL ref: 00007FFFE2722F86

Strings

(pd, xrefs: 00007FFFE27221CA
ePO, xrefs: 00007FFFE2721A04
D)'U, xrefs: 00007FFFE27222A6
^*C, xrefs: 00007FFFE272209E
$}%z, xrefs: 00007FFFE2722C7E
{$U|, xrefs: 00007FFFE27223A0
N3, xrefs: 00007FFFE272245E
h78<, xrefs: 00007FFFE2721AA4
} z$, xrefs: 00007FFFE27229F4
%</, xrefs: 00007FFFE27224A4
3ob, xrefs: 00007FFFE27215EA
P+oo, xrefs: 00007FFFE272233C
-'C, xrefs: 00007FFFE2721AAE
MDj, xrefs: 00007FFFE272281E
U+on, xrefs: 00007FFFE2721E28
j+h, xrefs: 00007FFFE27228BE
Pl5, xrefs: 00007FFFE2721E3C
#z$U, xrefs: 00007FFFE27221B6
aUJ', xrefs: 00007FFFE27217F2
$931, xrefs: 00007FFFE2721D56
5vCx, xrefs: 00007FFFE2722B98
:'U@, xrefs: 00007FFFE2722490
?CE`, xrefs: 00007FFFE2721BF8
S[L, xrefs: 00007FFFE272218E
L ]1, xrefs: 00007FFFE2721842
M13U, xrefs: 00007FFFE27217B6
l|f, xrefs: 00007FFFE2722080
QlyO, xrefs: 00007FFFE2721D9C
0kj., xrefs: 00007FFFE272144D
Cb47, xrefs: 00007FFFE2722D00
EBg, xrefs: 00007FFFE2721F9A
+iT, xrefs: 00007FFFE2722012
+ong, xrefs: 00007FFFE2722A3A
*hH, xrefs: 00007FFFE2721386
jfX, xrefs: 00007FFFE2721EF0
<)@P, xrefs: 00007FFFE27215E0
<v:, xrefs: 00007FFFE2721A4A
?x?, xrefs: 00007FFFE2721D2E
t(O, xrefs: 00007FFFE27218C4
Ko*h, xrefs: 00007FFFE2722CC4
=kf^, xrefs: 00007FFFE2721662
%Uc, xrefs: 00007FFFE2722E18
w&ed, xrefs: 00007FFFE2722288
HPZ, xrefs: 00007FFFE2722896
wC54, xrefs: 00007FFFE2722AF8
}'6, xrefs: 00007FFFE2721B76
Eekg, xrefs: 00007FFFE27224D6
BxJr, xrefs: 00007FFFE2721B26
wk/, xrefs: 00007FFFE2721784
xA\#, xrefs: 00007FFFE272163A
tc`, xrefs: 00007FFFE27221C0
%U9, xrefs: 00007FFFE2722A9E
;qdf, xrefs: 00007FFFE2721A7C
}WL, xrefs: 00007FFFE2721A22
hx", xrefs: 00007FFFE2721B30
-{*, xrefs: 00007FFFE272285A
%8#, xrefs: 00007FFFE2721D06
R;pB, xrefs: 00007FFFE2721BBC
|X, xrefs: 00007FFFE2721AC2
%<, xrefs: 00007FFFE2722CE2
0.3, xrefs: 00007FFFE27213AC
$huN, xrefs: 00007FFFE2722DE6
8<-, xrefs: 00007FFFE2721BEE
rkE@, xrefs: 00007FFFE2721415
.#(, xrefs: 00007FFFE2721346
e7tc, xrefs: 00007FFFE2722C6A
FLIn, xrefs: 00007FFFE27228FA
N1kj^H<M1vf@$_yiXP+o*hH*fZQl5vC5qjfXErgxjcCb4v_e75<edkge!z$U9k+h, xrefs: 00007FFFE2722FBB
It, xrefs: 00007FFFE2721CC0
mbPv, xrefs: 00007FFFE2721423
M z, xrefs: 00007FFFE2721438
VO4, xrefs: 00007FFFE2721BD0
werfault.exe, xrefs: 00007FFFE2722E68
Ya], xrefs: 00007FFFE2721590
kxfc, xrefs: 00007FFFE27218A6
4bB, xrefs: 00007FFFE2722210
|e:, xrefs: 00007FFFE2722EDD
M1vi, xrefs: 00007FFFE27226F2
mCl4, xrefs: 00007FFFE27216C6
i~e, xrefs: 00007FFFE2721FCC
pAT#, xrefs: 00007FFFE2721B4E
`AnM, xrefs: 00007FFFE2722E6F
PX5, xrefs: 00007FFFE272265C
&\hR, xrefs: 00007FFFE2721EBE
oE, xrefs: 00007FFFE2722418
"V2, xrefs: 00007FFFE272280A
c-_j, xrefs: 00007FFFE27221F2
`I, xrefs: 00007FFFE2722634
Puvm, xrefs: 00007FFFE2722D0A
>~, xrefs: 00007FFFE2721DA6
9[+, xrefs: 00007FFFE2721FD6
:!@, xrefs: 00007FFFE272145B
V9s, xrefs: 00007FFFE272260C
,1., xrefs: 00007FFFE272258A
cDj, xrefs: 00007FFFE27218E2
{fM$, xrefs: 00007FFFE2721B8A
C/, xrefs: 00007FFFE2721E82
V#s, xrefs: 00007FFFE2721676
1\u, xrefs: 00007FFFE2722CBA
gVWH, xrefs: 00007FFFE2721D88
<M}O, xrefs: 00007FFFE2721D6A
@ , xrefs: 00007FFFE27229EA
2s<S, xrefs: 00007FFFE272236E
$:*:, xrefs: 00007FFFE2722C74
5qj', xrefs: 00007FFFE2721F90
"!k, xrefs: 00007FFFE27221FC
,$n, xrefs: 00007FFFE2721658
g@$, xrefs: 00007FFFE2722328
S}pn, xrefs: 00007FFFE27222BA
U9#(, xrefs: 00007FFFE27224EA
$D1v, xrefs: 00007FFFE27215CC
:9m?, xrefs: 00007FFFE2722792
!@C+, xrefs: 00007FFFE2721824
*hH%, xrefs: 00007FFFE272215C

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: AllocAllocateBoundaryDeleteDescriptorExitHeapLibraryLoadMessageProcessVirtual
String ID: %<$Ya]$g@$$|X$ 4bB$!@C+$"V2$#z$U$$931$$:*:$$D1v$$huN$$}%z$%8#$%</$%U9$&\hR$*hH%$+ong$+iT$-{*$-'C$.#($0kj.$0.3$1\u$2s<S$3ob$5qj'$5vCx$8<-$:!@$:'U@$:9m?$;qdf$<)@P$<M}O$<v:$=kf^$>~$?CE`$@ $BxJr$C/$Cb47$D)'U$Eekg$FLIn$HPZ$Ko*h$L ]1$M13U$M1vi$MDj$N1kj^H<M1vf@$_yiXP+o*hH*fZQl5vC5qjfXErgxjcCb4v_e75<edkge!z$U9k+h$P+oo$PX5$Puvm$QlyO$R;pB$S[L$S}pn$U+on$U9#($V#s$V9s$VO4$^*C$`AnM$aUJ'$c-_j$cDj$e7tc$ePO$gVWH$h78<$hx"$j+h$kxfc$l|f$mCl4$mbPv$pAT#$rkE@$t(O$tc`$w&ed$wC54$werfault.exe$wk/$xA\#${$U|${fM$$|e:$} z$$}'6$}WL$It$"!k$%Uc$(pd$*hH$,$n$,1.$9[+$?x?$EBg$M z$N3$Pl5$i~e$jfX$oE$`I
API String ID: 3056597726-2032897877
Opcode ID: be2b6721a01229fe6d62131d54c2e067f3d2e24da2d5df3bb551e88fe72b0fff
Instruction ID: 67f92827ad41a2542b30726a5c914b66c0de43806d78508feeb5baaad886ed12
Opcode Fuzzy Hash: be2b6721a01229fe6d62131d54c2e067f3d2e24da2d5df3bb551e88fe72b0fff
Instruction Fuzzy Hash: 39E2C9B690A7C18FE3748F229A817DD3AB0F346748F509208D3991FA1DDB795252CF86

Uniqueness

Uniqueness Score: -1.00%

Function 010A0000 Relevance: 76.3, APIs: 5, Strings: 38, Instructions: 1094
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 010A0450
GetNativeSystemInfo.KERNELBASE ref: 010A0539
VirtualAlloc.KERNELBASE ref: 010A0580
VirtualProtect.KERNELBASE ref: 010A09E9
RtlAddFunctionTable.KERNEL32 ref: 010A0A79

Strings

Reso, xrefs: 010A02FC
Free, xrefs: 010A034D
ofRe, xrefs: 010A0318
ualA, xrefs: 010A00E8
truc, xrefs: 010A0121
Reso, xrefs: 010A0355
Size, xrefs: 010A0311
urce, xrefs: 010A0340
RtlA, xrefs: 010A015C
onTa, xrefs: 010A0171
urce, xrefs: 010A02E7
Lock, xrefs: 010A0330
ativ, xrefs: 010A013D
ddFu, xrefs: 010A0163
hIns, xrefs: 010A011A
Cach, xrefs: 010A012F
urce, xrefs: 010A0304
Reso, xrefs: 010A0338
ncti, xrefs: 010A016A
Slee, xrefs: 010A00B7
Virt, xrefs: 010A00F8
Load, xrefs: 010A02F4
rote, xrefs: 010A0106
Libr, xrefs: 010A00D0
aryA, xrefs: 010A00D8
Reso, xrefs: 010A02DB
lloc, xrefs: 010A00F0
ualP, xrefs: 010A00FF
GetN, xrefs: 010A0136
temI, xrefs: 010A014B
Load, xrefs: 010A00C8
Flus, xrefs: 010A0113
urce, xrefs: 010A035D
sour, xrefs: 010A031F
Find, xrefs: 010A02D0
Virt, xrefs: 010A00E0
eSys, xrefs: 010A0144
tion, xrefs: 010A0128

Memory Dump Source

Source File: 00000003.00000002.276294579.00000000010A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10a0000_regsvr32.jbxd

Similarity

API ID: Virtual$Alloc$FunctionInfoNativeProtectSystemTable
String ID: Cach$Find$Flus$Free$GetN$Libr$Load$Load$Lock$Reso$Reso$Reso$Reso$RtlA$Size$Slee$Virt$Virt$aryA$ativ$ddFu$eSys$hIns$lloc$ncti$ofRe$onTa$rote$sour$temI$tion$truc$ualA$ualP$urce$urce$urce$urce
API String ID: 394283112-2517549848
Opcode ID: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
Instruction ID: 3e3059254975dde5098bffead435d44693f9f1c501969c0c56e64dd291b0ef52
Opcode Fuzzy Hash: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
Instruction Fuzzy Hash: D372F430618B4C8FDB69DF68C8856BABBE1FB98305F50462DE8CAC7215DB34D542CB85

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002B7B2 Relevance: 7.9, Strings: 6, Instructions: 449
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

BaG, xrefs: 000000018002BE19
i1V, xrefs: 000000018002BC55
m?, xrefs: 000000018002BBF9
j, xrefs: 000000018002BD56
E^7, xrefs: 000000018002BD0B
{=/, xrefs: 000000018002B8E8

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: j$BaG$E^7$i1V$m?${=/
API String ID: 0-1718370006
Opcode ID: 7215d537d5299d177d4048e19a4dae45df63305aab7e83eff15929c82d00da66
Instruction ID: c2786c6f7bce021451845d5168b6505f680b7f0c5368ce25f063ff62f9696b2b
Opcode Fuzzy Hash: 7215d537d5299d177d4048e19a4dae45df63305aab7e83eff15929c82d00da66
Instruction Fuzzy Hash: 64223B70E4870DDBCB59DFA8C4AA6DEBBF6FB44344F0081A9D805A7290DB74560ACB85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180005C74 Relevance: 6.6, Strings: 5, Instructions: 307
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

z_o^, xrefs: 0000000180005E6A
&C, xrefs: 0000000180005D95
b , xrefs: 0000000180005CFC
]o-, xrefs: 0000000180006087
$E, xrefs: 0000000180005F53

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $E$&C$b $z_o^$]o-
API String ID: 0-182765021
Opcode ID: fd2830ddd061059d70b3ed5c5ef2773e5c4c00071749e16c1f80641060217d81
Instruction ID: b82cae2a5c5b3167ef3d8ad315f999371e1e8449cd72bf967428ee4211bfb190
Opcode Fuzzy Hash: fd2830ddd061059d70b3ed5c5ef2773e5c4c00071749e16c1f80641060217d81
Instruction Fuzzy Hash: 5CE1277151468CDFDF88DF28C889ADD3BA1FB483A8F956219FD0A97250D774D888CB84

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000359C Relevance: 6.5, Strings: 5, Instructions: 235
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

{>K, xrefs: 0000000180003892
k?@`, xrefs: 0000000180003705
8, xrefs: 000000018000367F
?I , xrefs: 00000001800039AB
s, xrefs: 0000000180003832

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 8$?I $k?@`${>K$s
API String ID: 0-923624899
Opcode ID: 59fac920170ce31af9fc739010187020a0354a51edcd4550f4f509655bae4bf8
Instruction ID: ebffd08f5432af4d9268e2276ec0df8890e8c351c8fd12e1d0a52c84a5ba0a07
Opcode Fuzzy Hash: 59fac920170ce31af9fc739010187020a0354a51edcd4550f4f509655bae4bf8
Instruction Fuzzy Hash: F4C1F070519784ABC388DF24C4CA95BBBF1FBD4758F906A1CF9C68A260D774D948CB42

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000E99C Relevance: 5.4, Strings: 4, Instructions: 373
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`/U, xrefs: 000000018000EF79
\, xrefs: 000000018000F001
,8, xrefs: 000000018000EF6F
&k8, xrefs: 000000018000EB8F

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: &k8$,8$\$`/U
API String ID: 0-956392518
Opcode ID: 342d408fbb0085f8b5c961c7b7314e28d99ae80dc1fdc32ae007dfb548a83613
Instruction ID: eb6f1617cd975c6e10cf27e40abea16f203efbb492656816d2660eb5cb9ff966
Opcode Fuzzy Hash: 342d408fbb0085f8b5c961c7b7314e28d99ae80dc1fdc32ae007dfb548a83613
Instruction Fuzzy Hash: 7D2215715093C88BDBBECF64C889BDA7BB9FB44708F10561CEA4A9E258DB745748CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2728860 Relevance: 4.5, APIs: 3, Instructions: 25
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00007FFFE27233C2), ref: 00007FFFE2728876
GetVersion.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FFFE27233C2), ref: 00007FFFE2728891
HeapSetInformation.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FFFE27233C2), ref: 00007FFFE27288BB

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: Heap$CreateInformationVersion
String ID:
API String ID: 3563531100-0
Opcode ID: 48cf33cfee9be34a63005782b3e03b00dcbae59413766f72d2946869900c76f4
Instruction ID: a4b7a6bdda38610a550ad5372ec37e07a09351380a1bab0d157ecdf67a4dbb95
Opcode Fuzzy Hash: 48cf33cfee9be34a63005782b3e03b00dcbae59413766f72d2946869900c76f4
Instruction Fuzzy Hash: BBF08275E18A4282F7109751E80A77923D0FF8A344F814434D58DC27A4FFBDD5A9C602

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180025A4C Relevance: 4.0, Strings: 3, Instructions: 271
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

6"*n, xrefs: 0000000180025E81
z:7, xrefs: 0000000180025F7D
US8, xrefs: 0000000180025C24

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 6"*n$US8$z:7
API String ID: 0-1851205513
Opcode ID: 58433aa2b9792d0adc8ab8c110bebc0308ab9451cbeb18f254fd2c2554077b90
Instruction ID: 607295142d9547307d046de48b3748fa472aee76cf77032a28cf9f5936a2d7e5
Opcode Fuzzy Hash: 58433aa2b9792d0adc8ab8c110bebc0308ab9451cbeb18f254fd2c2554077b90
Instruction Fuzzy Hash: 57E1F9706057889FEBBADF24C88A7DE7BA1FB49744F50422DDC8A8E250DB745648CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180020118 Relevance: 4.0, Strings: 3, Instructions: 219
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

-;, xrefs: 0000000180020168
00, xrefs: 0000000180020267
-;, xrefs: 0000000180020142

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: -;$-;$00
API String ID: 0-2539125404
Opcode ID: e5d2d7a5effa9139195d6567bf27e5ccee4a567d383a55797e692f753d0c9eb9
Instruction ID: 193f60ccd2842279d11af0df6a42cb9b90b2b7ab7c379db6368ea7840d008f1f
Opcode Fuzzy Hash: e5d2d7a5effa9139195d6567bf27e5ccee4a567d383a55797e692f753d0c9eb9
Instruction Fuzzy Hash: 28A1377051478CDBDBAADF28C8C9AD93BA1FF48394FA05219FD0287251CB75D985CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180019628 Relevance: 3.1, Strings: 2, Instructions: 565COMMON

Download Yara Rule

Strings

f+hb, xrefs: 0000000180019A9E
zm, xrefs: 0000000180019EC6

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: f+hb$zm
API String ID: 0-4294548274
Opcode ID: 6963b25ea24f854b6089165216e044e7a65ef6823e0c7b2cadf5353a03fffeac
Instruction ID: b2f4f577a3df5b024e80de80ecfd692f42b94ed80d4232126a84951cd6e5a716
Opcode Fuzzy Hash: 6963b25ea24f854b6089165216e044e7a65ef6823e0c7b2cadf5353a03fffeac
Instruction Fuzzy Hash: 4852C97050068D8FDF98DF68C8866DA3BA1FB58388F124319FC8AA7291D778D655CBC4

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180006414 Relevance: 2.8, Strings: 2, Instructions: 314COMMON

Download Yara Rule

Strings

u., xrefs: 000000018000655E
L, xrefs: 000000018000677D

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: L$u.
API String ID: 0-1908859981
Opcode ID: 963c97d349dba17e05ff2ad4f8c091e323bd32606f741df39a0923b695cd3283
Instruction ID: fe013bb6a98280fd3664de29af0d6deafe853b8c6d857857911529a75c261ac8
Opcode Fuzzy Hash: 963c97d349dba17e05ff2ad4f8c091e323bd32606f741df39a0923b695cd3283
Instruction Fuzzy Hash: FDE1167152478DABDF98CF28C8C6ADD3BA1FB48394F906229FD0287260D775D985CB81

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002ACE8 Relevance: 1.4, Strings: 1, Instructions: 118COMMON

Download Yara Rule

Strings

#U6, xrefs: 000000018002AE5D

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #U6
API String ID: 0-3443268899
Opcode ID: e6a0a67d4c68fd780a130b425ea3d31e719d89ab7dc9c3de49232e364b014bec
Instruction ID: 59d24509ec93e958c93c94dd97d6e32fc772fd919bc53da4f0cdd3954875abf9
Opcode Fuzzy Hash: e6a0a67d4c68fd780a130b425ea3d31e719d89ab7dc9c3de49232e364b014bec
Instruction Fuzzy Hash: 57510E715087888BC7B8DF28C49A6CBBBF1FF86344F10091DE68987260CB76D949CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180024104 Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

{dN, xrefs: 00000001800241F3

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: {dN
API String ID: 0-923835543
Opcode ID: 9e75a9b6c969771d2fbed292b07595da2e1a6dc424cdc2e689696f47c6000392
Instruction ID: f9e1d774cd1a5aafce577d99eb21246fb33c51757267e19de4f8e3655d4c3e4d
Opcode Fuzzy Hash: 9e75a9b6c969771d2fbed292b07595da2e1a6dc424cdc2e689696f47c6000392
Instruction Fuzzy Hash: A24118B091470D8BCF48DFA8C58A1DEBFB1FB483A8F25521DE90AB6250C7749585CF88

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2727DE0 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__initmbctable.LIBCMT ref: 00007FFFE2727DED
_calloc_dbg.LIBCMTD ref: 00007FFFE2727E7B
_calloc_dbg.LIBCMTD ref: 00007FFFE2727F1B

Part of subcall function 00007FFFE272D490: _invalid_parameter.LIBCMTD ref: 00007FFFE272D541

_invoke_watson_if_error.LIBCMTD ref: 00007FFFE2727F9B

Strings

~, xrefs: 00007FFFE2727EFE
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\stdenvp.c, xrefs: 00007FFFE2727E66, 00007FFFE2727F06
strcpy_s(*env, cchars, p), xrefs: 00007FFFE2727F92
_setenvp, xrefs: 00007FFFE2727F8B
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\stdenvp.c, xrefs: 00007FFFE2727F84

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: _calloc_dbg$__initmbctable_invalid_parameter_invoke_watson_if_error
String ID: _setenvp$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\stdenvp.c$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\stdenvp.c$strcpy_s(*env, cchars, p)$~
API String ID: 1648969265-681193798
Opcode ID: f93d43cf3bb1813beee52146895ee3ce0099543f481cf7d004c716eae911393f
Instruction ID: dcacedbb14248261a71aad5f40c7e516b17f287a46e835536c7136326d2e1fa8
Opcode Fuzzy Hash: f93d43cf3bb1813beee52146895ee3ce0099543f481cf7d004c716eae911393f
Instruction Fuzzy Hash: EF514B62E1DA8282E750CB14E48073A77E0FBC6754F501135EA8EC77A9EFBDE4518B42

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2723D30 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFFE2727540: _initp_misc_winsig.LIBCMTD ref: 00007FFFE272757B
Part of subcall function 00007FFFE2727540: _initp_eh_hooks.LIBCMTD ref: 00007FFFE2727585

Part of subcall function 00007FFFE2728FE0: InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFFE272906F

FlsAlloc.KERNEL32 ref: 00007FFFE2723D55

Part of subcall function 00007FFFE2723E00: FlsFree.KERNEL32 ref: 00007FFFE2723E13
Part of subcall function 00007FFFE2723E00: _mtdeletelocks.LIBCMTD ref: 00007FFFE2723E23

Strings

f:\dd\vctools\crt_bld\self_64_amd64\crt\src\tidtable.c, xrefs: 00007FFFE2723D7B

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: AllocCountCriticalFreeInitializeSectionSpin_initp_eh_hooks_initp_misc_winsig_mtdeletelocks
String ID: f:\dd\vctools\crt_bld\self_64_amd64\crt\src\tidtable.c
API String ID: 3828364660-3898981997
Opcode ID: 57cc27a1817b354a41c90cd4e830bede4952610ad4d5e9ce9ee4939fd8329ad8
Instruction ID: 9b921ddf588745f1dff84b07792f31616c70ff992d00bca1a10dd692cdbdbcd2
Opcode Fuzzy Hash: 57cc27a1817b354a41c90cd4e830bede4952610ad4d5e9ce9ee4939fd8329ad8
Instruction Fuzzy Hash: F9115EB2E2C64286F350AB25E84577926E1FFC6750F005631E96EC22E5FFBCE4248612

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE272F570 Relevance: 7.6, APIs: 5, Instructions: 83
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 16%

			E00007FFF7FFFE272F570(intOrPtr __edx, long long __rcx, void* __rdx, long long __r8, void* _a8, intOrPtr _a16, long long _a24, intOrPtr _a32, void* _a40, intOrPtr _a48, intOrPtr _a64) {
				long long _v24;
				intOrPtr _v32;
				long long _v40;
				signed int _v48;
				int _v52;
				int _v56;
				signed int _v64;
				long long _v72;
				void* _t53;
				long long _t82;

				_a32 = r9d;
				_a24 = __r8;
				_a16 = __edx;
				_a8 = __rcx;
				_v56 = 0;
				if (_a48 != 0) goto 0xe272f5ab;
				_a48 =  *((intOrPtr*)( *_a8 + 4));
				if (_a64 == 0) goto 0xe272f5bf;
				_v32 = 9;
				goto 0xe272f5c7;
				_v32 = 1;
				_v64 = 0;
				_v72 = 0;
				r9d = _a32;
				_v48 = MultiByteToWideChar(??, ??, ??, ??, ??, ??);
				if (_v48 != 0) goto 0xe272f60b;
				goto 0xe272f6f8;
				if (0 != 0) goto 0xe272f652;
				if (_v48 <= 0) goto 0xe272f652;
				if (_v48 - 0xfffffff0 > 0) goto 0xe272f652;
				_t82 = _v48 + _v48 + 0x10;
				_t53 = malloc(??); // executed
				E00007FFF7FFFE272F3B0(_t53, 0xdddd, _t82);
				_v24 = _t82;
				goto 0xe272f65b;
				_v24 = 0;
				_v40 = _v24;
				if (_v40 != 0) goto 0xe272f674;
				goto 0xe272f6f8;
				E00007FFF7FFFE27232B0(0, _a48, 0, _v40, __rdx, _v48 << 1);
				_v64 = _v48;
				_v72 = _v40;
				r9d = _a32;
				_v52 = MultiByteToWideChar(??, ??, ??, ??, ??, ??);
				if (_v52 == 0) goto 0xe272f6ea;
				r8d = _v52;
				_v56 = GetStringTypeW(??, ??, ??, ??);
				E00007FFF7FFFE272F3E0(_v40);
				return _v56;
			}

0x7fffe272f570
0x7fffe272f575
0x7fffe272f57a
0x7fffe272f57e
0x7fffe272f587
0x7fffe272f597
0x7fffe272f5a4
0x7fffe272f5b3
0x7fffe272f5b5
0x7fffe272f5bd
0x7fffe272f5bf
0x7fffe272f5c7
0x7fffe272f5cf
0x7fffe272f5d8
0x7fffe272f5f9
0x7fffe272f602
0x7fffe272f606
0x7fffe272f60f
0x7fffe272f616
0x7fffe272f62a
0x7fffe272f631
0x7fffe272f639
0x7fffe272f646
0x7fffe272f64b
0x7fffe272f650
0x7fffe272f652
0x7fffe272f660
0x7fffe272f66b
0x7fffe272f66f
0x7fffe272f686
0x7fffe272f68f
0x7fffe272f698
0x7fffe272f69d
0x7fffe272f6bf
0x7fffe272f6c8
0x7fffe272f6d2
0x7fffe272f6e6
0x7fffe272f6ef
0x7fffe272f6fc

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FFFE272F5F3
malloc.LIBCMTD ref: 00007FFFE272F639
_MarkAllocaS.LIBCMTD ref: 00007FFFE272F646
MultiByteToWideChar.KERNEL32 ref: 00007FFFE272F6B9
GetStringTypeW.KERNEL32 ref: 00007FFFE272F6E0

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: ByteCharMultiWide$AllocaMarkStringTypemalloc
String ID:
API String ID: 2618398691-0
Opcode ID: 05827e3f81ca9d4f9e036e9cc38fe06689f9ef4e573a4afec1c92632646a1a95
Instruction ID: 4a7f984997382a94e8b666fde504fac4200be57e4b2825777eac7ff93877540b
Opcode Fuzzy Hash: 05827e3f81ca9d4f9e036e9cc38fe06689f9ef4e573a4afec1c92632646a1a95
Instruction Fuzzy Hash: 2D41C972A18781CAD7609B15E08476AB7E0F7C6794F104135EA9E83BA9EFBCD494CF01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2728040 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__initmbctable.LIBCMT ref: 00007FFFE2728056
GetModuleFileNameA.KERNEL32 ref: 00007FFFE2728071

Strings

f:\dd\vctools\crt_bld\self_64_amd64\crt\src\stdargv.c, xrefs: 00007FFFE272813C
C:\Windows\SYSTEM32\regsvr32.exe, xrefs: 00007FFFE2728068, 00007FFFE2728077, 00007FFFE27280A9

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: FileModuleName__initmbctable
String ID: C:\Windows\SYSTEM32\regsvr32.exe$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\stdargv.c
API String ID: 3548084100-2649671803
Opcode ID: d38f4fd9cb9ecdd73cd32345429acc70b773e7a180fa8c1b1693dc69edd9f2e5
Instruction ID: d7a432a20c16e5a675df41514b393c4b8a9c7c084268069e4116af50100cbff1
Opcode Fuzzy Hash: d38f4fd9cb9ecdd73cd32345429acc70b773e7a180fa8c1b1693dc69edd9f2e5
Instruction Fuzzy Hash: 13414262E18A4681EA10CB54E48036A73E0FBC67A4F500236E6AE867E4EFBDD050C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE272A5E0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 198
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 23%

			E00007FFF7FFFE272A5E0(long long __rcx, void* _a8) {
				signed int _v24;
				char _v42;
				void* _v48;
				signed int _v56;
				char _v312;
				signed char* _v328;
				char _v584;
				char _v840;
				char _v1352;
				char _v1384;
				char _v1392;
				intOrPtr _v1400;
				long long _v1408;
				long long _v1416;
				signed long long _t206;
				signed char* _t214;
				signed long long _t223;
				intOrPtr _t225;
				intOrPtr _t226;
				signed long long _t233;

				_t224 = __rcx;
				_a8 = __rcx;
				_t206 =  *0xe274b018; // 0x6e18f8e0ed60
				_v24 = _t206 ^ _t233;
				if (GetCPInfo(??, ??) == 0) goto 0xe272a906;
				_v56 = 0;
				goto 0xe272a63c;
				_v56 = _v56 + 1;
				if (_v56 - 0x100 >= 0) goto 0xe272a661;
				 *((char*)(_t233 + _a8 + 0x470)) = _v56 & 0x000000ff;
				goto 0xe272a62c;
				_v312 = 0x20;
				_v328 =  &_v42;
				goto 0xe272a68f;
				_v328 =  &(_v328[2]);
				if (( *_v328 & 0x000000ff) == 0) goto 0xe272a6ea;
				_v56 =  *_v328 & 0x000000ff;
				goto 0xe272a6c2;
				_v56 = _v56 + 1;
				_t214 = _v328;
				if (_v56 - ( *(_t214 + 1) & 0x000000ff) > 0) goto 0xe272a6e8;
				 *((char*)(_t233 + _t214 + 0x470)) = 0x20;
				goto 0xe272a6b2;
				goto 0xe272a67b;
				_v1392 = 0;
				_v1400 =  *((intOrPtr*)(_a8 + 0xc));
				_v1408 =  *((intOrPtr*)(_a8 + 4));
				_v1416 =  &_v1352;
				r9d = 0x100;
				E00007FFF7FFFE272F4D0(1,  &_v1352, __rcx,  &_v312); // executed
				_v1384 = 0;
				_v1392 =  *((intOrPtr*)(_a8 + 4));
				_v1400 = 0x100;
				_v1408 =  &_v840;
				_v1416 = 0x100;
				r8d = 0x100;
				E00007FFF7FFFE272EF00( *((intOrPtr*)(_a8 + 0xc)), _a8, _t224,  &_v312);
				_v1384 = 0;
				_v1392 =  *((intOrPtr*)(_a8 + 4));
				_v1400 = 0x100;
				_v1408 =  &_v584;
				_v1416 = 0x100;
				r8d = 0x200;
				_t223 = _a8;
				E00007FFF7FFFE272EF00( *((intOrPtr*)(_t223 + 0xc)), _t223, _t224,  &_v312);
				_v56 = 0;
				_v56 = _v56 + 1;
				if (_v56 - 0x100 >= 0) goto 0xe272a901;
				if (( *(_t233 + 0x60 + _t223 * 2) & 1) == 0) goto 0xe272a879;
				_t225 = _a8;
				 *((char*)(_a8 + _t225 + 0x1c)) =  *(_t225 + _t223 + 0x1c) & 0x000000ff | 0x00000010;
				 *((char*)(_a8 + _t225 + 0x11d)) =  *(_t233 + _t223 + 0x260) & 0x000000ff;
				goto 0xe272a8fc;
				if (( *(_t233 + 0x60 + _t223 * 2) & 2) == 0) goto 0xe272a8e5;
				_t226 = _a8;
				 *((char*)(_a8 + _t226 + 0x1c)) =  *(_t226 + _t223 + 0x1c) & 0x000000ff | 0x00000020;
				 *((char*)(_a8 + _t226 + 0x11d)) =  *(_t233 + _t223 + 0x360) & 0x000000ff;
				goto 0xe272a8fc;
				 *((char*)(_a8 + _t223 + 0x11d)) = 0;
				goto L1;
				goto 0xe272aa20;
				_v56 = 0;
				_v56 = _v56 + 1;
				_v56 = _v56 + 1;
				if (_v56 - 0x100 >= 0) goto 0xe272aa20;
				if (_v56 - 0x41 < 0) goto 0xe272a99c;
				if (_v56 - 0x5a > 0) goto 0xe272a99c;
				_v56 = _v56 + 1;
				__rcx = _a8;
				 *(__rcx + __rax + 0x1c) & 0x000000ff =  *(__rcx + __rax + 0x1c) & 0x000000ff | 0x00000010;
				_v56 = _v56 + 1;
				__rdx = _a8;
				 *((char*)(_a8 + __rcx + 0x1c)) = __al;
				_v56 = _v56 + 0x20;
				__ecx = _v56;
				__rdx = _a8;
				 *((char*)(_a8 + __rcx + 0x11d)) = __al;
				goto 0xe272aa1b;
				if (_v56 - 0x61 < 0) goto 0xe272aa04;
				if (_v56 - 0x7a > 0) goto 0xe272aa04;
				_v56 = _v56 + 1;
				__rcx = _a8;
				 *(__rcx + __rax + 0x1c) & 0x000000ff =  *(__rcx + __rax + 0x1c) & 0x000000ff | 0x00000020;
				_v56 = _v56 + 1;
				__rdx = _a8;
				 *((char*)(_a8 + __rcx + 0x1c)) = __al;
				_v56 = _v56 - 0x20;
				__ecx = _v56;
				__rdx = _a8;
				 *((char*)(__rdx + __rcx + 0x11d)) = __al;
				goto 0xe272aa1b;
				__eax = _v56;
				__rcx = _a8;
				 *((char*)(_a8 + __rax + 0x11d)) = 0;
				goto L2;
				__rcx = _v24;
				__rcx = _v24 ^ __rsp;
				return E00007FFF7FFFE2723280(_v56, _v56, __edx, _v24 ^ __rsp, __rdx, __r8);
			}

0x7fffe272a5e0
0x7fffe272a5e0
0x7fffe272a5ec
0x7fffe272a5f6
0x7fffe272a619
0x7fffe272a61f
0x7fffe272a62a
0x7fffe272a635
0x7fffe272a647
0x7fffe272a658
0x7fffe272a65f
0x7fffe272a661
0x7fffe272a671
0x7fffe272a679
0x7fffe272a687
0x7fffe272a69c
0x7fffe272a6a9
0x7fffe272a6b0
0x7fffe272a6bb
0x7fffe272a6c2
0x7fffe272a6d5
0x7fffe272a6de
0x7fffe272a6e6
0x7fffe272a6e8
0x7fffe272a6ea
0x7fffe272a6fd
0x7fffe272a70c
0x7fffe272a715
0x7fffe272a71a
0x7fffe272a72f
0x7fffe272a734
0x7fffe272a747
0x7fffe272a74b
0x7fffe272a75b
0x7fffe272a760
0x7fffe272a770
0x7fffe272a783
0x7fffe272a788
0x7fffe272a79b
0x7fffe272a79f
0x7fffe272a7af
0x7fffe272a7b4
0x7fffe272a7c4
0x7fffe272a7ca
0x7fffe272a7d7
0x7fffe272a7dc
0x7fffe272a7f2
0x7fffe272a804
0x7fffe272a81b
0x7fffe272a828
0x7fffe272a84b
0x7fffe272a86d
0x7fffe272a874
0x7fffe272a88a
0x7fffe272a897
0x7fffe272a8ba
0x7fffe272a8dc
0x7fffe272a8e3
0x7fffe272a8f4
0x7fffe272a8fc
0x7fffe272a901
0x7fffe272a906
0x7fffe272a91a
0x7fffe272a91c
0x7fffe272a92e
0x7fffe272a93c
0x7fffe272a946
0x7fffe272a94f
0x7fffe272a953
0x7fffe272a960
0x7fffe272a96a
0x7fffe272a96e
0x7fffe272a976
0x7fffe272a981
0x7fffe272a984
0x7fffe272a98b
0x7fffe272a993
0x7fffe272a99a
0x7fffe272a9a4
0x7fffe272a9ae
0x7fffe272a9b7
0x7fffe272a9bb
0x7fffe272a9c8
0x7fffe272a9d2
0x7fffe272a9d6
0x7fffe272a9de
0x7fffe272a9e9
0x7fffe272a9ec
0x7fffe272a9f3
0x7fffe272a9fb
0x7fffe272aa02
0x7fffe272aa04
0x7fffe272aa0b
0x7fffe272aa13
0x7fffe272aa1b
0x7fffe272aa20
0x7fffe272aa28
0x7fffe272aa37

APIs

GetCPInfo.KERNEL32 ref: 00007FFFE272A611

Strings

, xrefs: 00007FFFE272A6DE
z, xrefs: 00007FFFE272A9A6

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: Info
String ID: $z
API String ID: 1807457897-2251613814
Opcode ID: 939841bcdfd8ad812f8c29de7d09562b703ae5a82c5ff0fab969d8d2fb6d5a5e
Instruction ID: 1fbd8f3d8b5c10613b8ef723a11aa059206e8282af59f0f222de6bd149daab00
Opcode Fuzzy Hash: 939841bcdfd8ad812f8c29de7d09562b703ae5a82c5ff0fab969d8d2fb6d5a5e
Instruction Fuzzy Hash: 36B1D772A1CAC0CAD7758B29E4807ABB7E0F789785F045125DACDC3B88EB6CD4529F01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2729C10 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 168
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__updatetmbcinfo.LIBCMTD ref: 00007FFFE2729C2F

Part of subcall function 00007FFFE2729B10: _unlock.LIBCMTD ref: 00007FFFE2729BD9

Part of subcall function 00007FFFE2729F20: GetOEMCP.KERNEL32 ref: 00007FFFE2729F65
Part of subcall function 00007FFFE2729F20: _LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE2729F74

_unlock.LIBCMTD ref: 00007FFFE2729EC8

Strings

f:\dd\vctools\crt_bld\self_64_amd64\crt\src\mbctype.c, xrefs: 00007FFFE2729C73

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: Locale_unlock$UpdateUpdate::~___updatetmbcinfo
String ID: f:\dd\vctools\crt_bld\self_64_amd64\crt\src\mbctype.c
API String ID: 4112623284-4095683531
Opcode ID: 8356b35877ad84119bda948381768e140a73398435746945450b774d02776550
Instruction ID: 59020e312baa57f6ca63761d647ac0075c74efbff70c18a6818c61b0eeea136e
Opcode Fuzzy Hash: 8356b35877ad84119bda948381768e140a73398435746945450b774d02776550
Instruction Fuzzy Hash: 0D914E73E08A85C6E7608B15E48036A7BE0FBC9794F544535EA8E837A8EF7CD950CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE272461B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E00007FFF7FFFE272461B(void* __rdx, void* __r8, long long _a32, long long _a40, intOrPtr _a64, long long _a72, void* _a80, intOrPtr _a88, long long _a96, long long _a128, signed int _a136, long long _a144, intOrPtr _a152, void* _a160) {
				signed int _t64;
				intOrPtr _t66;
				void* _t73;
				void* _t92;
				long long _t98;
				long long _t113;
				long long _t114;
				long long _t115;
				long long _t130;
				intOrPtr _t132;
				long long _t135;

				if (_a136 == 1) goto 0xe2724672;
				_t64 = _a136 & 0x0000ffff;
				if (_t64 == 2) goto 0xe2724672;
				if (_a136 == 3) goto 0xe2724672;
				_a40 = "Error: memory allocation: bad memory block type.\n";
				_a32 = "%s";
				r9d = 0;
				r8d = 0;
				0xe272ad00();
				if (_t64 != 1) goto 0xe2724672;
				asm("int3");
				_t98 = _a128 + 0x34;
				_a96 = _t98;
				0xe272ac90(); // executed
				_a80 = _t98;
				if (_a80 != 0) goto 0xe27246b8;
				if (_a160 == 0) goto 0xe27246b3;
				 *_a160 = 0xc;
				goto 0xe27248b4;
				_t66 =  *0xe274b03c; // 0x37
				 *0xe274b03c = _t66 + 1;
				if (_a64 == 0) goto 0xe272472d;
				 *_a80 = 0;
				 *((long long*)(_a80 + 8)) = 0;
				 *((long long*)(_a80 + 0x10)) = 0;
				 *((intOrPtr*)(_a80 + 0x18)) = 0xfedcbabc;
				 *((long long*)(_a80 + 0x20)) = _a128;
				 *(_a80 + 0x1c) = 3;
				 *((intOrPtr*)(_a80 + 0x28)) = 0;
				goto 0xe2724844;
				if (0xffffffff -  *0xe274c960 - _a128 <= 0) goto 0xe2724763;
				_t130 =  *0xe274c960; // 0x43d3
				 *0xe274c960 = _t130 + _a128;
				goto 0xe272476e;
				 *0xe274c960 = 0xffffffff;
				_t132 =  *0xe274c990; // 0xa9c
				 *0xe274c990 = _t132 + _a128;
				_t113 =  *0xe274c978; // 0x3384
				_t92 =  *0xe274c990 - _t113; // 0xa9c
				if (_t92 <= 0) goto 0xe27247a8;
				_t114 =  *0xe274c990; // 0xa9c
				 *0xe274c978 = _t114;
				if ( *0xe274c980 == 0) goto 0xe27247c4;
				_t115 =  *0xe274c980; // 0x2970b50
				 *((long long*)(_t115 + 8)) = _a80;
				goto 0xe27247d0;
				 *0xe274c968 = _a80;
				_t135 =  *0xe274c980; // 0x2970b50
				 *_a80 = _t135;
				 *((long long*)(_a80 + 8)) = 0;
				 *((long long*)(_a80 + 0x10)) = _a144;
				 *((intOrPtr*)(_a80 + 0x18)) = _a152;
				 *((long long*)(_a80 + 0x20)) = _a128;
				 *(_a80 + 0x1c) = _a136;
				_t78 = _a88;
				 *((intOrPtr*)(_a80 + 0x28)) = _a88;
				 *0xe274c980 = _a80;
				r8d = 4;
				E00007FFF7FFFE27232B0( *0xe274b04c & 0x000000ff, _a88,  *0xe274b04c & 0x000000ff, _a80 + 0x2c, __rdx, __r8);
				_t145 = _a128;
				r8d = 4;
				E00007FFF7FFFE27232B0( *0xe274b04c & 0x000000ff, _a88,  *0xe274b04c & 0x000000ff, _a80 + _a128 + 0x30, _a128, __r8);
				_t73 = E00007FFF7FFFE27232B0( *0xe274b04f & 0x000000ff, _t78,  *0xe274b04f & 0x000000ff, _a80 + 0x30, _t145, _a128);
				_a72 = _a80 + 0x30;
				return E00007FFF7FFFE2729360(_t73, 4);
			}

0x7fffe2724623
0x7fffe272462c
0x7fffe2724634
0x7fffe272463e
0x7fffe2724647
0x7fffe2724653
0x7fffe2724658
0x7fffe272465b
0x7fffe2724665
0x7fffe272466d
0x7fffe272466f
0x7fffe272467a
0x7fffe272467e
0x7fffe2724688
0x7fffe272468d
0x7fffe2724698
0x7fffe27246a3
0x7fffe27246ad
0x7fffe27246b3
0x7fffe27246b8
0x7fffe27246c0
0x7fffe27246cb
0x7fffe27246d2
0x7fffe27246de
0x7fffe27246eb
0x7fffe27246f8
0x7fffe272470c
0x7fffe2724715
0x7fffe2724721
0x7fffe2724728
0x7fffe2724743
0x7fffe272474d
0x7fffe272475a
0x7fffe2724761
0x7fffe2724763
0x7fffe2724776
0x7fffe2724783
0x7fffe272478a
0x7fffe2724791
0x7fffe2724798
0x7fffe272479a
0x7fffe27247a1
0x7fffe27247b0
0x7fffe27247b2
0x7fffe27247be
0x7fffe27247c2
0x7fffe27247c9
0x7fffe27247d5
0x7fffe27247dc
0x7fffe27247e4
0x7fffe27247f9
0x7fffe2724809
0x7fffe2724819
0x7fffe2724829
0x7fffe2724831
0x7fffe2724835
0x7fffe272483d
0x7fffe2724854
0x7fffe272485c
0x7fffe272486d
0x7fffe272487a
0x7fffe2724882
0x7fffe27248a1
0x7fffe27248af
0x7fffe27248c7

APIs

_unlock.LIBCMTD ref: 00007FFFE27248B9

Strings

Error: memory allocation: bad memory block type., xrefs: 00007FFFE2724640

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: _unlock
String ID: Error: memory allocation: bad memory block type.
API String ID: 2480363372-1537269110
Opcode ID: 0e27953d906dd6213389af50a7459ab3260dce137a7056963e47b3559a26f049
Instruction ID: 4e3fc19a311f9ae9cbf456d18570ae5ee5886bde306668ad62606ba350f85556
Opcode Fuzzy Hash: 0e27953d906dd6213389af50a7459ab3260dce137a7056963e47b3559a26f049
Instruction Fuzzy Hash: F371E876E09B85C6EB208B55E49032AB7E0FBCAB50F004535DA9D837A4EFBCD464CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180024EE6 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 119processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE ref: 0000000180025094

Strings

z, xrefs: 000000018002502F

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID: z
API String ID: 963392458-1375040831
Opcode ID: 044b6e1ce48cfd18270e48a4d1ffa5fa37b68dcc1aa27e33fe08f1a26b59e50a
Instruction ID: 5490f85ef4092ec497088e60b932e525f0ce693db587fe3a551d92928695aba5
Opcode Fuzzy Hash: 044b6e1ce48cfd18270e48a4d1ffa5fa37b68dcc1aa27e33fe08f1a26b59e50a
Instruction Fuzzy Hash: 5141C27191C7848FD7A5DF18D08A7DAB7E0FB98318F01495DE88CC7292DB749885CB46

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180024F28 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 111processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE ref: 0000000180025094

Strings

z, xrefs: 000000018002502F

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID: z
API String ID: 963392458-1375040831
Opcode ID: 274a6825be770f02a4f82c9f6cbe831b28a77f7637ef6bb2e3a1323e28db6850
Instruction ID: 90d0215384d3738c1bd812602d16852eefab8a4974bd8bae5625081230a7a3ff
Opcode Fuzzy Hash: 274a6825be770f02a4f82c9f6cbe831b28a77f7637ef6bb2e3a1323e28db6850
Instruction Fuzzy Hash: 4741377091CB848BD7B4DF18D08A7AAB7E0FB98315F10495EE88CC3252DB7498848B86

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2726FF2 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFFE272CA00: EncodePointer.KERNEL32 ref: 00007FFFE272CA33

_initterm_e.LIBCMTD ref: 00007FFFE272701F

Strings

Y, xrefs: 00007FFFE272700C

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: EncodePointer_initterm_e
String ID: Y
API String ID: 1618838664-1754117475
Opcode ID: 24d3616295d43623420cef2980f0f4d1896d7dbbaf9113ec39dfe7d3f9684184
Instruction ID: 09d4764d2440139dab7535088fed78ae9481a30272dabaae75cf35c0d90944c2
Opcode Fuzzy Hash: 24d3616295d43623420cef2980f0f4d1896d7dbbaf9113ec39dfe7d3f9684184
Instruction Fuzzy Hash: 72E0A5A2D0804297F621AB20E9417BA63E0FFD2354F400231E64DC24A5FFACE928CA12

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE272A000 Relevance: 3.3, APIs: 2, Instructions: 256
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 47%

			E00007FFF7FFFE272A000(signed short __ecx, void* __rcx, long long __rdx, signed int _a8, void* _a16) {
				signed int _v24;
				signed char* _v32;
				char _v50;
				char _v56;
				signed int _v72;
				signed char* _v80;
				signed int _v84;
				signed int _v88;
				signed long long _t204;
				signed long long _t205;
				signed long long _t206;
				signed char* _t215;
				signed long long _t218;
				signed long long _t233;
				signed long long _t234;

				_a16 = __rdx;
				_a8 = __ecx;
				_t204 =  *0xe274b018; // 0x6e18f8e0ed60
				_t205 = _t204 ^ _t234;
				_v24 = _t205;
				_a8 = E00007FFF7FFFE2729F20(_a8, _t205);
				if (_a8 != 0) goto 0xe272a04d;
				E00007FFF7FFFE272A4E0(_a16);
				goto 0xe272a463;
				_v84 = 0;
				_v84 = _v84 + 1;
				if (_t205 - 5 >= 0) goto 0xe272a239;
				_t206 = _t205 * 0x30;
				if ( *((intOrPtr*)(0xe274bb70 + _t206)) != _a8) goto 0xe272a234;
				_v72 = 0;
				goto 0xe272a0a2;
				_v72 = _v72 + 1;
				if (_v72 - 0x101 >= 0) goto 0xe272a0bf;
				 *((char*)(_a16 + _t206 + 0x1c)) = 0;
				goto 0xe272a098;
				_v88 = 0;
				goto 0xe272a0d3;
				_v88 = _v88 + 1;
				if (_v88 - 4 >= 0) goto 0xe272a197;
				_v80 = 0x47ffef61a9700;
				goto 0xe272a111;
				_v80 =  &(_v80[2]);
				if (( *_v80 & 0x000000ff) == 0) goto 0xe272a192;
				if ((_v80[1] & 0x000000ff) == 0) goto 0xe272a192;
				_v72 =  *_v80 & 0x000000ff;
				goto 0xe272a142;
				_v72 = _v72 + 1;
				_t215 = _v80;
				if (_v72 - ( *(_t215 + 1) & 0x000000ff) > 0) goto 0xe272a18d;
				_t233 = _a16;
				 *((char*)(_t233 + 0xe274bb70 + _t206 * 0x30 + 0x1c)) =  *(_a16 + _t215 + 0x1c) & 0x000000ff |  *0xFFFFC4E976D8;
				goto 0xe272a138;
				goto 0xe272a103;
				goto 0xe272a0c9;
				 *(_a16 + 4) = _a8;
				 *((intOrPtr*)(_a16 + 8)) = 1;
				_t218 = _a16;
				 *(_a16 + 0xc) = E00007FFF7FFFE272A480( *((intOrPtr*)(_t218 + 4)));
				_v88 = 0;
				goto 0xe272a1e7;
				_v88 = _v88 + 1;
				if (_v88 - 6 >= 0) goto 0xe272a220;
				_t205 = 0xe274bb70;
				 *((short*)(_a16 + 0x10 + _t233 * 2)) =  *(0xe274bb70 + 4 + (0xe274bb70 + _t218 * 0x30) * 2) & 0x0000ffff;
				goto 0xe272a1dd;
				E00007FFF7FFFE272A5E0(_a16);
				goto 0xe272a463;
				goto L1;
				if (_a8 == 0) goto 0xe272a271;
				if (_a8 == 0xfde8) goto 0xe272a271;
				if (_a8 == 0xfde9) goto 0xe272a271;
				__eax = _a8 & 0x0000ffff;
				__ecx = _a8 & 0x0000ffff;
				if (IsValidCodePage(??) != 0) goto 0xe272a27b;
				__eax = 0xffffffff;
				goto 0xe272a463;
				__rdx =  &_v56;
				__ecx = _a8;
				if (GetCPInfo(??, ??) == 0) goto 0xe272a444;
				_v72 = 0;
				goto 0xe272a2a9;
				_v72 = _v72 + 1;
				_v72 = _v72 + 1;
				if (_v72 - 0x101 >= 0) goto 0xe272a2c6;
				__eax = _v72;
				__rcx = _a16;
				 *((char*)(_a16 + __rax + 0x1c)) = 0;
				goto 0xe272a29f;
				__rax = _a16;
				__ecx = _a8;
				 *(_a16 + 4) = _a8;
				__rax = _a16;
				 *(_a16 + 0xc) = 0;
				if (_v56 - 1 <= 0) goto 0xe272a3f4;
				__rax =  &_v50;
				_v32 =  &_v50;
				goto 0xe272a30c;
				_v32 =  &(_v32[2]);
				_v32 =  &(_v32[2]);
				__rax = _v32;
				__eax =  *_v32 & 0x000000ff;
				if (( *_v32 & 0x000000ff) == 0) goto 0xe272a37c;
				__rax = _v32;
				__eax =  *(__rax + 1) & 0x000000ff;
				if (( *(__rax + 1) & 0x000000ff) == 0) goto 0xe272a37c;
				__rax = _v32;
				__eax =  *_v32 & 0x000000ff;
				_v72 =  *_v32 & 0x000000ff;
				goto 0xe272a33d;
				_v72 = _v72 + 1;
				_v72 = _v72 + 1;
				__rax = _v32;
				__eax =  *(__rax + 1) & 0x000000ff;
				if (_v72 - ( *(__rax + 1) & 0x000000ff) > 0) goto 0xe272a37a;
				_v72 = _v72 + 1;
				__rcx = _a16;
				 *(__rcx + __rax + 0x1c) & 0x000000ff =  *(__rcx + __rax + 0x1c) & 0x000000ff | 0x00000004;
				_v72 = _v72 + 1;
				__rdx = _a16;
				 *((char*)(_a16 + __rcx + 0x1c)) = __al;
				goto 0xe272a333;
				goto 0xe272a2fe;
				_v72 = 1;
				goto 0xe272a390;
				_v72 = _v72 + 1;
				_v72 = _v72 + 1;
				if (_v72 - 0xff >= 0) goto 0xe272a3c8;
				_v72 = _v72 + 1;
				__rcx = _a16;
				 *(__rcx + __rax + 0x1c) & 0x000000ff =  *(__rcx + __rax + 0x1c) & 0x000000ff | 0x00000008;
				_v72 = _v72 + 1;
				__rdx = _a16;
				 *((char*)(_a16 + __rcx + 0x1c)) = __al;
				goto 0xe272a386;
				__rax = _a16;
				__ecx =  *(_a16 + 4);
				__eax = E00007FFF7FFFE272A480( *(_a16 + 4));
				__rcx = _a16;
				 *(_a16 + 0xc) = __eax;
				__rax = _a16;
				 *((intOrPtr*)(_a16 + 8)) = 1;
				goto 0xe272a403;
				__rax = _a16;
				 *(__rax + 8) = 0;
				_v88 = 0;
				goto 0xe272a417;
				_v88 = _v88 + 1;
				_v88 = _v88 + 1;
				if (_v88 - 6 >= 0) goto 0xe272a433;
				__eax = _v88;
				__ecx = 0;
				__rdx = _a16;
				 *((short*)(_a16 + 0x10 + __rax * 2)) = __cx;
				goto 0xe272a40d;
				__rcx = _a16;
				__eax = E00007FFF7FFFE272A5E0(_a16); // executed
				__eax = 0;
				goto 0xe272a463;
				if ( *0xe274cd68 == 0) goto 0xe272a45e;
				__rcx = _a16;
				E00007FFF7FFFE272A4E0(_a16) = 0;
				goto 0xe272a463;
				__eax = 0xffffffff;
				__rcx = _v24;
				__rcx = _v24 ^ __rsp;
				return E00007FFF7FFFE2723280(0xffffffff, __ecx, __edx, _v24 ^ __rsp, __rdx, __r8);
			}

0x7fffe272a000
0x7fffe272a005
0x7fffe272a00d
0x7fffe272a014
0x7fffe272a017
0x7fffe272a028
0x7fffe272a037
0x7fffe272a041
0x7fffe272a048
0x7fffe272a04d
0x7fffe272a05d
0x7fffe272a069
0x7fffe272a073
0x7fffe272a088
0x7fffe272a08e
0x7fffe272a096
0x7fffe272a09e
0x7fffe272a0aa
0x7fffe272a0b8
0x7fffe272a0bd
0x7fffe272a0bf
0x7fffe272a0c7
0x7fffe272a0cf
0x7fffe272a0d8
0x7fffe272a0fc
0x7fffe272a101
0x7fffe272a10c
0x7fffe272a11b
0x7fffe272a128
0x7fffe272a132
0x7fffe272a136
0x7fffe272a13e
0x7fffe272a142
0x7fffe272a14f
0x7fffe272a17f
0x7fffe272a187
0x7fffe272a18b
0x7fffe272a18d
0x7fffe272a192
0x7fffe272a1a6
0x7fffe272a1b1
0x7fffe272a1b8
0x7fffe272a1d0
0x7fffe272a1d3
0x7fffe272a1db
0x7fffe272a1e3
0x7fffe272a1ec
0x7fffe272a200
0x7fffe272a218
0x7fffe272a21e
0x7fffe272a228
0x7fffe272a22f
0x7fffe272a234
0x7fffe272a241
0x7fffe272a24e
0x7fffe272a25b
0x7fffe272a25d
0x7fffe272a265
0x7fffe272a26f
0x7fffe272a271
0x7fffe272a276
0x7fffe272a27b
0x7fffe272a280
0x7fffe272a28f
0x7fffe272a295
0x7fffe272a29d
0x7fffe272a2a3
0x7fffe272a2a5
0x7fffe272a2b1
0x7fffe272a2b3
0x7fffe272a2b7
0x7fffe272a2bf
0x7fffe272a2c4
0x7fffe272a2c6
0x7fffe272a2ce
0x7fffe272a2d5
0x7fffe272a2d8
0x7fffe272a2e0
0x7fffe272a2ec
0x7fffe272a2f2
0x7fffe272a2f7
0x7fffe272a2fc
0x7fffe272a303
0x7fffe272a307
0x7fffe272a30c
0x7fffe272a311
0x7fffe272a316
0x7fffe272a318
0x7fffe272a31d
0x7fffe272a323
0x7fffe272a325
0x7fffe272a32a
0x7fffe272a32d
0x7fffe272a331
0x7fffe272a337
0x7fffe272a339
0x7fffe272a33d
0x7fffe272a342
0x7fffe272a34a
0x7fffe272a350
0x7fffe272a354
0x7fffe272a361
0x7fffe272a368
0x7fffe272a36c
0x7fffe272a374
0x7fffe272a378
0x7fffe272a37a
0x7fffe272a37c
0x7fffe272a384
0x7fffe272a38a
0x7fffe272a38c
0x7fffe272a398
0x7fffe272a39e
0x7fffe272a3a2
0x7fffe272a3af
0x7fffe272a3b6
0x7fffe272a3ba
0x7fffe272a3c2
0x7fffe272a3c6
0x7fffe272a3c8
0x7fffe272a3d0
0x7fffe272a3d3
0x7fffe272a3d8
0x7fffe272a3e0
0x7fffe272a3e3
0x7fffe272a3eb
0x7fffe272a3f2
0x7fffe272a3f4
0x7fffe272a3fc
0x7fffe272a403
0x7fffe272a40b
0x7fffe272a411
0x7fffe272a413
0x7fffe272a41c
0x7fffe272a41e
0x7fffe272a422
0x7fffe272a424
0x7fffe272a42c
0x7fffe272a431
0x7fffe272a433
0x7fffe272a43b
0x7fffe272a440
0x7fffe272a442
0x7fffe272a44b
0x7fffe272a44d
0x7fffe272a45a
0x7fffe272a45c
0x7fffe272a45e
0x7fffe272a463
0x7fffe272a468
0x7fffe272a474

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: Locale$UpdateUpdate::~_
String ID:
API String ID: 1901436342-0
Opcode ID: bd1aa9bb27f65b33b611181b282d42369fc0b805d559ad423015dd3100174c74
Instruction ID: 96b686e8ed65f2cf32d166d806b8576c290be12e6ee1a8d969cc91955e330c3d
Opcode Fuzzy Hash: bd1aa9bb27f65b33b611181b282d42369fc0b805d559ad423015dd3100174c74
Instruction Fuzzy Hash: A2D1F672A1C6818AD7A48B19E48472AB7E0F7C9754F108136EACEC3798EF7CE5558F01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2727540 Relevance: 3.0, APIs: 2, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00007FFF7FFFE2727540(long long __rax) {
				long long _v24;
				void* _t8;
				void* _t9;

				_t16 = __rax;
				_t9 = E00007FFF7FFFE2723D00(_t8); // executed
				_v24 = __rax;
				return E00007FFF7FFFE272CF20(E00007FFF7FFFE272CFB0(E00007FFF7FFFE272D450(E00007FFF7FFFE272D470(E00007FFF7FFFE272BD50(E00007FFF7FFFE272AB90(_t9, _v24), _v24), _v24), _v24), _v24), _t16, _v24);
			}

0x7fffe2727540
0x7fffe2727544
0x7fffe2727549
0x7fffe272758e

APIs

Part of subcall function 00007FFFE2723D00: RtlEncodePointer.NTDLL ref: 00007FFFE2723D06

_initp_misc_winsig.LIBCMTD ref: 00007FFFE272757B
_initp_eh_hooks.LIBCMTD ref: 00007FFFE2727585

Part of subcall function 00007FFFE272CF20: EncodePointer.KERNEL32(?,?,?,?,00007FFFE272758A,?,?,?,?,?,?,00007FFFE2723D39), ref: 00007FFFE272CF30

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: EncodePointer$_initp_eh_hooks_initp_misc_winsig
String ID:
API String ID: 2678799220-0
Opcode ID: abe4bcf42024140c0e82e0fb2c3eff25659a698c9099ae3cd415aa6bcc21eafa
Instruction ID: 1b8e37825d707b5a65da6cf856aedc1f5953466c2328f97bba91035b22e155ca
Opcode Fuzzy Hash: abe4bcf42024140c0e82e0fb2c3eff25659a698c9099ae3cd415aa6bcc21eafa
Instruction Fuzzy Hash: A1E0E9A7D1848182D520FB11E85226B57B0FBDA748F500135FACD86A7BEF5CE6208B82

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE272ACA8 Relevance: 3.0, APIs: 2, Instructions: 15memoryCOMMON

Download Yara Rule

APIs

__crtExitProcess.LIBCMTD ref: 00007FFFE272ACB7

Part of subcall function 00007FFFE27274E0: ExitProcess.KERNEL32 ref: 00007FFFE27274F5

RtlAllocateHeap.NTDLL ref: 00007FFFE272ACE7

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: ExitProcess$AllocateHeap__crt
String ID:
API String ID: 4215626177-0
Opcode ID: 77cc9cc60f8eca6ccffa51c036cc335ce9466cc401fd995fa093edd43c12ab32
Instruction ID: 87e0c3e73545775cf33cb1e620ed437e57b76fd1e2b0dcf9bb2360588bc6ef95
Opcode Fuzzy Hash: 77cc9cc60f8eca6ccffa51c036cc335ce9466cc401fd995fa093edd43c12ab32
Instruction Fuzzy Hash: 39E08662D0C98683F7249716E40037962E0FFC6348F400035D78E826A5EFBDD4A0D602

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2724399 Relevance: 1.5, APIs: 1, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00007FFF7FFFE2724399(long long __rax, long long _a48, intOrPtr _a80, intOrPtr _a88, void* _a120) {

				_a48 = __rax;
				if (_a48 == 0) goto 0xe27243ad;
				goto 0xe27243f5;
				if (_a88 != 0) goto 0xe27243ce;
				if (_a120 == 0) goto 0xe27243c7;
				 *_a120 = 0xc;
				goto 0xe27243f5;
				if (E00007FFF7FFFE272ABB0(_a48, _a80) != 0) goto 0xe27243f3;
				if (_a120 == 0) goto 0xe27243ef;
				 *_a120 = 0xc;
				goto 0xe27243f5;
				goto 0xe2724377;
				return 0;
			}

0x7fffe2724399
0x7fffe27243a4
0x7fffe27243ab
0x7fffe27243b2
0x7fffe27243ba
0x7fffe27243c1
0x7fffe27243cc
0x7fffe27243da
0x7fffe27243e2
0x7fffe27243e9
0x7fffe27243f1
0x7fffe27243f3
0x7fffe27243f9

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ac0a5da81333129a8f229358abc3f3628bfe7ae3225332448e9bf5308d83ad5
Instruction ID: f9500e763cc488584e92fce48ddd41780e2f09c25a59bc9845547f93983ae433
Opcode Fuzzy Hash: 1ac0a5da81333129a8f229358abc3f3628bfe7ae3225332448e9bf5308d83ad5
Instruction Fuzzy Hash: 6801B76391CB41C6FB608A15F55472AA7E0F7C6794F101131EA8D92BA9EFBCE490CA01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE272F4D0 Relevance: 1.5, APIs: 1, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFFE272F570: MultiByteToWideChar.KERNEL32 ref: 00007FFFE272F5F3

_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE272F559

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: Locale$ByteCharMultiUpdateUpdate::~_Wide
String ID:
API String ID: 2569699860-0
Opcode ID: 0c57b3b436687e78039d68963cfd06a068c3edb785e51800680b91c9a9ce0a07
Instruction ID: 004c41a3f691551796ce53ee6b6f74ad1d37b64c650b821bc08f8634895cf6d0
Opcode Fuzzy Hash: 0c57b3b436687e78039d68963cfd06a068c3edb785e51800680b91c9a9ce0a07
Instruction Fuzzy Hash: D901BCB2A1C6C08AC760DF11F08169ABBA1F7CA384F60412AEACD83B59DB38D514CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2723471 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

_ioterm.LIBCMTD ref: 00007FFFE2723496

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: _ioterm
String ID:
API String ID: 4163092671-0
Opcode ID: c4661e6c861f00f368b387c53bfc5a2878f93a0c021545087ea26df979c33d88
Instruction ID: 3c1ccf6929d225d3c6b3c40e201dbfa64a62672d202f23c29b65c1e83c8a0f40
Opcode Fuzzy Hash: c4661e6c861f00f368b387c53bfc5a2878f93a0c021545087ea26df979c33d88
Instruction Fuzzy Hash: DFF0F8A2C0C1078AF261A7A5A40537821D5AF93356F001278E81DC11D6FFECB9798A13

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2723433 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

_ioterm.LIBCMTD ref: 00007FFFE2723437

Part of subcall function 00007FFFE2727D00: DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FFFE272343C), ref: 00007FFFE2727D93

Part of subcall function 00007FFFE2723E00: FlsFree.KERNEL32 ref: 00007FFFE2723E13
Part of subcall function 00007FFFE2723E00: _mtdeletelocks.LIBCMTD ref: 00007FFFE2723E23

Part of subcall function 00007FFFE27288D0: HeapDestroy.KERNELBASE ref: 00007FFFE27288DB

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: CriticalDeleteDestroyFreeHeapSection_ioterm_mtdeletelocks
String ID:
API String ID: 1508997487-0
Opcode ID: 8c7cd16c52d3f74447f8a2e4d1e0973512220e22c4a7d0e47614c04d6d0045ae
Instruction ID: d395bc0d8413e9f429c85debab940b19ae38d57a6e554c1269b4d17c8a82e960
Opcode Fuzzy Hash: 8c7cd16c52d3f74447f8a2e4d1e0973512220e22c4a7d0e47614c04d6d0045ae
Instruction Fuzzy Hash: 82E042E2E0C0039AF651677559423B911D4AF87786F400435E91EC52D6FFDDA9314663

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE27288D0 Relevance: 1.5, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

HeapDestroy.KERNELBASE ref: 00007FFFE27288DB

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: DestroyHeap
String ID:
API String ID: 2435110975-0
Opcode ID: f7b981f9b1b51933cf7e1d9a1baddea90378982ce7575ce50583c327d4fc7a8e
Instruction ID: 9f2a592fa3145e32d2a1b0c9491a5bc943304d09c4a0d24410b01b9d385f8958
Opcode Fuzzy Hash: f7b981f9b1b51933cf7e1d9a1baddea90378982ce7575ce50583c327d4fc7a8e
Instruction Fuzzy Hash: 46C09B64D15A01C1F7046713FC8572422A07BD6705FD00034C54D81320EFBD59B6C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2723D00 Relevance: 1.5, APIs: 1, Instructions: 5COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEncodePointer.NTDLL ref: 00007FFFE2723D06

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 486166b47cec33101184f167bfa082c8d21519f5c79393c344b51e77eb7d9bd4
Instruction ID: fde711d44ec06023455536852507d21a0d07da86bae1cafde684db35130635f6
Opcode Fuzzy Hash: 486166b47cec33101184f167bfa082c8d21519f5c79393c344b51e77eb7d9bd4
Instruction Fuzzy Hash: 3FA02220F02080C2CAAC33320C8303C00A02F28308FE00838C30F80220CC2CA2FE8B00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FFFE2730215 Relevance: 89.7, APIs: 29, Strings: 22, Instructions: 441COMMON

Download Yara Rule

APIs

_itow_s.LIBCMTD ref: 00007FFFE273024C
_invoke_watson_if_error.LIBCMTD ref: 00007FFFE2730279
OutputDebugStringW.KERNEL32 ref: 00007FFFE2730285
OutputDebugStringW.KERNEL32 ref: 00007FFFE27302BF
OutputDebugStringW.KERNEL32 ref: 00007FFFE27302CC
OutputDebugStringW.KERNEL32 ref: 00007FFFE27302DA
OutputDebugStringW.KERNEL32 ref: 00007FFFE27302E7
_wcsftime_l.LIBCMTD ref: 00007FFFE2730352
_invoke_watson_if_oneof.LIBCMTD ref: 00007FFFE27303AA
_invoke_watson_if_error.LIBCMTD ref: 00007FFFE2730408
_invoke_watson_if_error.LIBCMTD ref: 00007FFFE2730484
_invoke_watson_if_error.LIBCMTD ref: 00007FFFE27304CB
_invoke_watson_if_error.LIBCMTD ref: 00007FFFE2730538
_invoke_watson_if_error.LIBCMTD ref: 00007FFFE273057E
_snwprintf_s.LIBCMTD ref: 00007FFFE27305F5
_invoke_watson_if_oneof.LIBCMTD ref: 00007FFFE273064D
_invoke_watson_if_error.LIBCMTD ref: 00007FFFE27306AB
_invoke_watson_if_oneof.LIBCMTD ref: 00007FFFE2730764
_invoke_watson_if_error.LIBCMTD ref: 00007FFFE27307B8
_unlock.LIBCMTD ref: 00007FFFE2730900

Strings

<file unknown>, xrefs: 00007FFFE27302A8
Assertion failed!, xrefs: 00007FFFE2730433
Second Chance Assertion Failed: File , xrefs: 00007FFFE273027E
Assertion failed: , xrefs: 00007FFFE2730422
(*_errno()), xrefs: 00007FFFE2730396, 00007FFFE2730639
wcscat_s(szLineMessage, 4096, szUserMessage), xrefs: 00007FFFE27304C2
wcscat_s(szLineMessage, 4096, L"\n"), xrefs: 00007FFFE2730575
P, xrefs: 00007FFFE2730AC6
_CrtDbgReport: String too long or IO Error, xrefs: 00007FFFE27303C7, 00007FFFE273066A
_CrtDbgReport: String too long or Invalid characters in String, xrefs: 00007FFFE273077A
_VCrtDbgReportW, xrefs: 00007FFFE2730269, 00007FFFE273038A, 00007FFFE27303F8, 00007FFFE2730474, 00007FFFE27304BB, 00007FFFE2730528, 00007FFFE273056E, 00007FFFE273062D, 00007FFFE273069B, 00007FFFE2730744, 00007FFFE27307A8, 00007FFFE2730A90, 00007FFFE2730C0E
wcscpy_s(szUserMessage, 4096, L"_CrtDbgReport: String too long or IO Error"), xrefs: 00007FFFE27303FF
wcstombs_s(&ret, szaOutMessage, 4096, szOutMessage, ((size_t)-1)), xrefs: 00007FFFE2730A9C
wcscat_s(szLineMessage, 4096, L"\r"), xrefs: 00007FFFE273052F
, Line , xrefs: 00007FFFE27302C5
wcstombs_s(((void *)0), szOutMessage2, 4096, szOutMessage, ((size_t)-1)), xrefs: 00007FFFE2730750
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\dbgrptt.c, xrefs: 00007FFFE2730262, 00007FFFE273037E, 00007FFFE27303F1, 00007FFFE273046D, 00007FFFE27304B4, 00007FFFE2730521, 00007FFFE2730567, 00007FFFE2730621, 00007FFFE2730694, 00007FFFE2730738, 00007FFFE27307A1, 00007FFFE2730A84, 00007FFFE2730C07
strcpy_s(szOutMessage2, 4096, "_CrtDbgReport: String too long or Invalid characters in String"), xrefs: 00007FFFE27307AF
_itow_s(nLine, szLineMessage, 4096, 10), xrefs: 00007FFFE2730270, 00007FFFE2730C15
wcscpy_s(szOutMessage, 4096, L"_CrtDbgReport: String too long or IO Error"), xrefs: 00007FFFE27306A2
%s(%d) : %s, xrefs: 00007FFFE27305DB
wcscpy_s(szLineMessage, 4096, szFormat ? L"Assertion failed: " : L"Assertion failed!"), xrefs: 00007FFFE273047B

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: _invoke_watson_if_error$DebugOutputString$_invoke_watson_if_oneof$_itow_s_snwprintf_s_unlock_wcsftime_l
String ID: %s(%d) : %s$(*_errno())$, Line $<file unknown>$Assertion failed!$Assertion failed: $P$Second Chance Assertion Failed: File $_CrtDbgReport: String too long or IO Error$_CrtDbgReport: String too long or Invalid characters in String$_VCrtDbgReportW$_itow_s(nLine, szLineMessage, 4096, 10)$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\dbgrptt.c$strcpy_s(szOutMessage2, 4096, "_CrtDbgReport: String too long or Invalid characters in String")$wcscat_s(szLineMessage, 4096, L"\n")$wcscat_s(szLineMessage, 4096, L"\r")$wcscat_s(szLineMessage, 4096, szUserMessage)$wcscpy_s(szLineMessage, 4096, szFormat ? L"Assertion failed: " : L"Assertion failed!")$wcscpy_s(szOutMessage, 4096, L"_CrtDbgReport: String too long or IO Error")$wcscpy_s(szUserMessage, 4096, L"_CrtDbgReport: String too long or IO Error")$wcstombs_s(&ret, szaOutMessage, 4096, szOutMessage, ((size_t)-1))$wcstombs_s(((void *)0), szOutMessage2, 4096, szOutMessage, ((size_t)-1))
API String ID: 4197005980-4190456261
Opcode ID: 4879bfb960a2721f9666c96030d6b34d6758162388cb50bc2d04b6b5102aed05
Instruction ID: 1c31ddf60b0a903113d9ba9ccf6def0c400ae6744f5a9f7399572fa84992b107
Opcode Fuzzy Hash: 4879bfb960a2721f9666c96030d6b34d6758162388cb50bc2d04b6b5102aed05
Instruction Fuzzy Hash: AF42FE72D1CA86C5EB30CB14E4943EA73A5FB85344F404236D68D83A99EFBCE559CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE27312E3 Relevance: 35.1, APIs: 14, Strings: 6, Instructions: 102libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 00007FFFE27312EA
GetProcAddress.KERNEL32 ref: 00007FFFE2731310

Strings

GetUserObjectInformationW, xrefs: 00007FFFE2731380
USER32.DLL, xrefs: 00007FFFE27312E3
MessageBoxW, xrefs: 00007FFFE2731304
GetProcessWindowStation, xrefs: 00007FFFE27313B3
GetActiveWindow, xrefs: 00007FFFE273133C
GetLastActivePopup, xrefs: 00007FFFE273135E

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationW$MessageBoxW$USER32.DLL
API String ID: 2574300362-564504941
Opcode ID: fee43fc66515416ac0980d72625433c0e8db806945977869f613c1f5f8def98f
Instruction ID: cff38b380fe39fb6ef4368f34dd365b69ba206a9911eae9123ed787b78258770
Opcode Fuzzy Hash: fee43fc66515416ac0980d72625433c0e8db806945977869f613c1f5f8def98f
Instruction Fuzzy Hash: 5651AC35E0CA82C6E7609B15F89436A73E0FB86750F551135DA8EC2668EFBCE464CB02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2724A70 Relevance: 30.3, APIs: 2, Strings: 15, Instructions: 504COMMONLIBRARYCODE

Download Yara Rule

Strings

Client hook re-allocation failure at file %hs line %d., xrefs: 00007FFFE2724C00
Invalid allocation size: %Iu bytes., xrefs: 00007FFFE2724CC6
fRealloc || (!fRealloc && pNewBlock == pOldBlock), xrefs: 00007FFFE27251AB
_CrtCheckMemory(), xrefs: 00007FFFE2724B23
pOldBlock->nLine == IGNORE_LINE && pOldBlock->lRequest == IGNORE_REQ, xrefs: 00007FFFE2724EA2
Error: memory allocation: bad memory block type.Memory allocated at %hs(%d)., xrefs: 00007FFFE2724D55
Error: possible heap corruption at or near 0x%p, xrefs: 00007FFFE2724F22
Error: memory allocation: bad memory block type., xrefs: 00007FFFE2724D7D
_pFirstBlock == pOldBlock, xrefs: 00007FFFE2725294
Invalid allocation size: %Iu bytes.Memory allocated at %hs(%d)., xrefs: 00007FFFE2724C94
Client hook re-allocation failure., xrefs: 00007FFFE2724C25
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\dbgheap.c, xrefs: 00007FFFE2724B38, 00007FFFE2724E45, 00007FFFE2724EB7, 00007FFFE27251C0, 00007FFFE272523B, 00007FFFE27252A9
The Block at 0x%p was allocated by aligned routines, use _aligned_realloc(), xrefs: 00007FFFE2724DE7
_pLastBlock == pOldBlock, xrefs: 00007FFFE2725226
_CrtIsValidHeapPointer(pUserData), xrefs: 00007FFFE2724E30

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID:
String ID: Client hook re-allocation failure at file %hs line %d.$Client hook re-allocation failure.$Error: memory allocation: bad memory block type.$Error: memory allocation: bad memory block type.Memory allocated at %hs(%d).$Error: possible heap corruption at or near 0x%p$Invalid allocation size: %Iu bytes.$Invalid allocation size: %Iu bytes.Memory allocated at %hs(%d).$The Block at 0x%p was allocated by aligned routines, use _aligned_realloc()$_CrtCheckMemory()$_CrtIsValidHeapPointer(pUserData)$_pFirstBlock == pOldBlock$_pLastBlock == pOldBlock$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\dbgheap.c$fRealloc || (!fRealloc && pNewBlock == pOldBlock)$pOldBlock->nLine == IGNORE_LINE && pOldBlock->lRequest == IGNORE_REQ
API String ID: 0-1181733849
Opcode ID: 0b4b4e85d1eb3ae1a0b395440fade81dc617beeaf4b680a727513a857c3a72e7
Instruction ID: 1b7118a543962d58d71c6231b00ff751ec4f7d25d0bf835af54eb67e45bec2ec
Opcode Fuzzy Hash: 0b4b4e85d1eb3ae1a0b395440fade81dc617beeaf4b680a727513a857c3a72e7
Instruction Fuzzy Hash: CE423E72E19B8586E7608B55E45036AB7E4FBC6790F101135DA9DC3BA4EFBCD4A0CB02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE27253FB Relevance: 21.3, APIs: 2, Strings: 10, Instructions: 267memoryCOMMON

Download Yara Rule

APIs

_CrtIsValidHeapPointer.LIBCMTD ref: 00007FFFE27254D9
_free_base.LIBCMTD ref: 00007FFFE272583F

Strings

HEAP CORRUPTION DETECTED: after %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory after end of heap buffer., xrefs: 00007FFFE272579F
HEAP CORRUPTION DETECTED: before %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory before start of heap buffer.Memory allocated at %hs(%d)., xrefs: 00007FFFE2725620
The Block at 0x%p was allocated by aligned routines, use _aligned_free(), xrefs: 00007FFFE272542B
Client hook free failure., xrefs: 00007FFFE27254A0
_BLOCK_TYPE_IS_VALID(pHead->nBlockUse), xrefs: 00007FFFE2725558
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\dbgheap.c, xrefs: 00007FFFE27254F7, 00007FFFE272556D, 00007FFFE27257FE
HEAP CORRUPTION DETECTED: after %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory after end of heap buffer.Memory allocated at %hs(%d)., xrefs: 00007FFFE272573C
pHead->nLine == IGNORE_LINE && pHead->lRequest == IGNORE_REQ, xrefs: 00007FFFE27257E9
HEAP CORRUPTION DETECTED: before %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory before start of heap buffer., xrefs: 00007FFFE2725683
_CrtIsValidHeapPointer(pUserData), xrefs: 00007FFFE27254E2

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: HeapPointerValid_free_base
String ID: Client hook free failure.$HEAP CORRUPTION DETECTED: after %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory after end of heap buffer.$HEAP CORRUPTION DETECTED: after %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory after end of heap buffer.Memory allocated at %hs(%d).$HEAP CORRUPTION DETECTED: before %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory before start of heap buffer.$HEAP CORRUPTION DETECTED: before %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory before start of heap buffer.Memory allocated at %hs(%d).$The Block at 0x%p was allocated by aligned routines, use _aligned_free()$_BLOCK_TYPE_IS_VALID(pHead->nBlockUse)$_CrtIsValidHeapPointer(pUserData)$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\dbgheap.c$pHead->nLine == IGNORE_LINE && pHead->lRequest == IGNORE_REQ
API String ID: 1656799702-182684663
Opcode ID: 708cd418722caba3a196df14d36aa04cdda5776576cdf5b3aec82fe9c7f2493c
Instruction ID: 55000ad6caa0ee4132c74cccd6df6d8c561ed9693e4e0803b0d5751161a3ebd1
Opcode Fuzzy Hash: 708cd418722caba3a196df14d36aa04cdda5776576cdf5b3aec82fe9c7f2493c
Instruction Fuzzy Hash: AEC16076E28B5186EB248B55E45076AB7E1FBC6750F500536EA8D83BA4FFBCD420CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2725CAD Relevance: 17.8, Strings: 14, Instructions: 322COMMON

Download Yara Rule

Strings

HEAP CORRUPTION DETECTED: after %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory after end of heap buffer., xrefs: 00007FFFE2726030
%hs located at 0x%p is %Iu bytes long.Memory allocated at %hs(%d)., xrefs: 00007FFFE272617C
HEAP CORRUPTION DETECTED: on top of Free block at 0x%p.CRT detected that the application wrote to a heap buffer that was freed.Memory allocated at %hs(%d)., xrefs: 00007FFFE27260C7
_heapchk fails with _HEAPBADPTR., xrefs: 00007FFFE2725D7E
DAMAGED, xrefs: 00007FFFE2725E7D
_heapchk fails with _HEAPBADNODE., xrefs: 00007FFFE2725D19
_heapchk fails with unknown return value!, xrefs: 00007FFFE2725DAF
HEAP CORRUPTION DETECTED: before %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory before start of heap buffer.Memory allocated at %hs(%d)., xrefs: 00007FFFE2725EF9
HEAP CORRUPTION DETECTED: on top of Free block at 0x%p.CRT detected that the application wrote to a heap buffer that was freed., xrefs: 00007FFFE27260FA
_1, xrefs: 00007FFFE27261FC
HEAP CORRUPTION DETECTED: after %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory after end of heap buffer.Memory allocated at %hs(%d)., xrefs: 00007FFFE2725FE7
_heapchk fails with _HEAPBADEND., xrefs: 00007FFFE2725D4D
_heapchk fails with _HEAPBADBEGIN., xrefs: 00007FFFE2725CE5
HEAP CORRUPTION DETECTED: before %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory before start of heap buffer., xrefs: 00007FFFE2725F42

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID:
String ID: %hs located at 0x%p is %Iu bytes long.Memory allocated at %hs(%d).$DAMAGED$HEAP CORRUPTION DETECTED: after %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory after end of heap buffer.$HEAP CORRUPTION DETECTED: after %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory after end of heap buffer.Memory allocated at %hs(%d).$HEAP CORRUPTION DETECTED: before %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory before start of heap buffer.$HEAP CORRUPTION DETECTED: before %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory before start of heap buffer.Memory allocated at %hs(%d).$HEAP CORRUPTION DETECTED: on top of Free block at 0x%p.CRT detected that the application wrote to a heap buffer that was freed.$HEAP CORRUPTION DETECTED: on top of Free block at 0x%p.CRT detected that the application wrote to a heap buffer that was freed.Memory allocated at %hs(%d).$_heapchk fails with _HEAPBADBEGIN.$_heapchk fails with _HEAPBADEND.$_heapchk fails with _HEAPBADNODE.$_heapchk fails with _HEAPBADPTR.$_heapchk fails with unknown return value!$_1
API String ID: 0-510578482
Opcode ID: 15b327a6fa8e12693a207a0a7b33494fdffa5f56c7c2417c86fde08a07b35573
Instruction ID: e5de29cdb7e6540f3a93f62dc344d904e4fa073c69f474baa0be22b51767428d
Opcode Fuzzy Hash: 15b327a6fa8e12693a207a0a7b33494fdffa5f56c7c2417c86fde08a07b35573
Instruction Fuzzy Hash: 82E12C76E1CB5186EB248B65E48072AB7E0FBC6754F500536EA8D83B64EFBCD461CB01

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000FFC0 Relevance: 15.0, Strings: 11, Instructions: 1219COMMON

Download Yara Rule

Strings

:F&, xrefs: 0000000180010676
kJ, xrefs: 0000000180011662
Y], xrefs: 0000000180010F2D
sg, xrefs: 0000000180010713
Jq-., xrefs: 00000001800107C4
:B), xrefs: 0000000180011CBB
kJ, xrefs: 00000001800100F8
K, xrefs: 0000000180010D55
E, xrefs: 0000000180010000
K, xrefs: 00000001800117C0
#r5|, xrefs: 0000000180011B12

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: E$#r5|$:B)$:F&$Jq-.$K$K$Y]$kJ$kJ$sg
API String ID: 0-2241473280
Opcode ID: cddb9e216d5522f206da78d8fc0cd1a272e9a6010eb05564972df6001c09f508
Instruction ID: 9c682bca3309bc02ed949a6de7aa3bb6d22b0761abc13177b84899e0b503d48e
Opcode Fuzzy Hash: cddb9e216d5522f206da78d8fc0cd1a272e9a6010eb05564972df6001c09f508
Instruction Fuzzy Hash: 73E2E4715047CC8BDBB9DFA4C8897DD3BA1FB44344F10861AEC4EAE250DBB45A89CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2723280 Relevance: 12.1, APIs: 8, Instructions: 67
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 57%

			E00007FFF7FFFE2723280(void* __eax, signed int __ecx, signed int __edx, signed int __rcx, signed int __rdx, void* __r8) {
				void* _t7;
				void* _t10;
				signed long long _t15;
				signed long long* _t16;
				signed long long _t20;
				signed long long _t24;

				_t7 = __rcx -  *0xe274b018; // 0x6e18f8e0ed60
				if (_t7 != 0) goto 0xe272329a;
				asm("dec eax");
				if ((__ecx & 0x0000ffff) != 0) goto 0xe2723296;
				asm("repe ret");
				asm("dec eax");
				goto 0xe2723720;
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("o16 nop [eax+eax]");
				if (__r8 - 8 < 0) goto 0xe272330c;
				_t20 = __rdx * 0x1010101;
				_t10 = __r8 - 0x40;
				if (_t10 < 0) goto 0xe27232ee;
				_t15 =  ~__rcx;
				if (_t10 == 0) goto 0xe27232de;
				 *__rcx = _t20;
				_t16 = _t15 + __rcx;
				if (_t10 != 0) goto 0xe2723327;
				_t24 = __r8 - _t15 & 7;
				if (_t10 == 0) goto 0xe272330c;
				 *_t16 = _t20;
				if (_t10 != 0) goto 0xe2723300;
				if (_t24 == 0) goto 0xe272331b;
				_t16[1] = __edx & 0x000000ff;
				if (_t24 - 1 != 0) goto 0xe2723311;
				return __eax;
			}

0x7fffe2723280
0x7fffe2723287
0x7fffe2723289
0x7fffe2723292
0x7fffe2723294
0x7fffe2723296
0x7fffe272329a
0x7fffe272329f
0x7fffe27232a0
0x7fffe27232a1
0x7fffe27232a2
0x7fffe27232a3
0x7fffe27232a4
0x7fffe27232a5
0x7fffe27232a6
0x7fffe27232b7
0x7fffe27232c6
0x7fffe27232ca
0x7fffe27232ce
0x7fffe27232d0
0x7fffe27232d6
0x7fffe27232db
0x7fffe27232de
0x7fffe27232ec
0x7fffe27232f1
0x7fffe27232f9
0x7fffe2723300
0x7fffe272330a
0x7fffe272330f
0x7fffe2723311
0x7fffe2723319
0x7fffe272331b

APIs

RtlCaptureContext.KERNEL32 ref: 00007FFFE2723733
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFFE2723752
RtlVirtualUnwind.KERNEL32 ref: 00007FFFE272379E
IsDebuggerPresent.KERNEL32 ref: 00007FFFE2723810
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFFE2723828
UnhandledExceptionFilter.KERNEL32 ref: 00007FFFE2723835
GetCurrentProcess.KERNEL32 ref: 00007FFFE272384E
TerminateProcess.KERNEL32 ref: 00007FFFE272385C

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
String ID:
API String ID: 3778485334-0
Opcode ID: c7ac20398f1e0bfcda68d30e042a710a2d00de73d3b00f2192fd5d70b0bf2831
Instruction ID: 4bddbda532d833dc1fe704cf7bd3c9da97d6da41003a651c2144eec94f9b35b7
Opcode Fuzzy Hash: c7ac20398f1e0bfcda68d30e042a710a2d00de73d3b00f2192fd5d70b0bf2831
Instruction Fuzzy Hash: E5310776D08B4685EB109B64F84436AB7E0FB8A754F900039DA8D82765FFBCE478C712

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE272443C Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 112COMMON

Download Yara Rule

APIs

_unlock.LIBCMTD ref: 00007FFFE27248B9

Strings

Invalid allocation size: %Iu bytes., xrefs: 00007FFFE27245C6
_CrtCheckMemory(), xrefs: 00007FFFE2724455
Client hook allocation failure., xrefs: 00007FFFE2724554
Client hook allocation failure at file %hs line %d., xrefs: 00007FFFE272452F
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\dbgheap.c, xrefs: 00007FFFE272446A

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: _unlock
String ID: Client hook allocation failure at file %hs line %d.$Client hook allocation failure.$Invalid allocation size: %Iu bytes.$_CrtCheckMemory()$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\dbgheap.c
API String ID: 2480363372-3680694803
Opcode ID: 5582fb477a99f139482b647e65eadd7bcea0024aa5ad3136cc4be02f6e7bf908
Instruction ID: 1b66f64ac480274e9c85e223aa8f1e73e259593a3efb4f6dde6ed46cfade4e48
Opcode Fuzzy Hash: 5582fb477a99f139482b647e65eadd7bcea0024aa5ad3136cc4be02f6e7bf908
Instruction Fuzzy Hash: FD515E72E08692CAE7708B65E45176A73E4FB86354F104135D69DC2BA4FFBCE4A48B02

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000A758 Relevance: 9.3, Strings: 7, Instructions: 594COMMON

Download Yara Rule

Strings

Fa, xrefs: 000000018000A9DA
#X, xrefs: 000000018000AD41
Mum, xrefs: 000000018000AFAE
, xrefs: 000000018000A787
vQ, xrefs: 000000018000AE4D
A2>, xrefs: 000000018000B065
=D, xrefs: 000000018000AA8F

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #X$ $A2>$Mum$vQ$=D$Fa
API String ID: 0-1298193321
Opcode ID: 982ab4627d106152f76a325de243923c319ce5c47f351cfe718817436c28ee1d
Instruction ID: 1349cc56659c19f01a369150ff0067e3f34eaebe01bc07430d2f97da03610ed5
Opcode Fuzzy Hash: 982ab4627d106152f76a325de243923c319ce5c47f351cfe718817436c28ee1d
Instruction Fuzzy Hash: 24522775A0620CDFCB68DFA8D08A6DDBBF2EF58344F104119F816A7261D7B0D919CB89

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001E4AC Relevance: 9.1, Strings: 7, Instructions: 371COMMON

Download Yara Rule

Strings

@4<, xrefs: 000000018001E879
t, xrefs: 000000018001E945
8%Y, xrefs: 000000018001E6CA
R1, xrefs: 000000018001E7F4
F+}, xrefs: 000000018001E7B6
._, xrefs: 000000018001E654
xy, xrefs: 000000018001EA69

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ._$8%Y$@4<$F+}$R1$t$xy
API String ID: 0-3078009748
Opcode ID: 7cd976f9c86f50bd1c1ca064b29a615496490d447d7d5288ee1f6aa5414266f6
Instruction ID: 0e1afbee3b71ea3b5863fe80692b11929ebce18e29255cef2241f67d7a77c22f
Opcode Fuzzy Hash: 7cd976f9c86f50bd1c1ca064b29a615496490d447d7d5288ee1f6aa5414266f6
Instruction Fuzzy Hash: 0402E1B1504649DFCB98DF28C489ADE3BE1FB48318F41812AFC4A9B764D770DA98CB45

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE272BE50 Relevance: 9.1, APIs: 6, Instructions: 79
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 33%

			E00007FFF7FFFE272BE50(intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esp, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a24) {
				intOrPtr _v4;
				void* _v12;
				signed long long _v24;
				signed int _v36;
				long long _v180;
				long long _v184;
				intOrPtr _v192;
				char _v196;
				intOrPtr _v204;
				long _v212;
				long long _v220;
				long long _v228;
				long long _v1212;
				long long _v1308;
				char _v1460;
				char _v1476;
				char _v1484;
				int _v1492;
				long long _v1500;
				long long _v1508;
				long long _v1516;
				long long _v1524;
				long long _v1532;
				long long _v1540;
				void* _t51;
				signed long long _t80;
				long long _t85;
				void* _t100;

				_a24 = r8d;
				_a16 = __edx;
				_a8 = __ecx;
				_t80 =  *0xe274b018; // 0x6e18f8e0ed60
				_v24 = _t80 ^ _t100 - 0x00000610;
				if (_a8 == 0xffffffff) goto 0xe272be8d;
				E00007FFF7FFFE2728D90(_t51, _a8);
				_v184 = 0;
				memset(__edi, 0, 0x94 << 0);
				_v1508 =  &_v196;
				_v1500 =  &_v1460;
				_v1492 = 0;
				_v212 = 0;
				__imp__RtlCaptureContext();
				_t85 = _v1212;
				_v220 = _t85;
				r8d = 0;
				0xe2740e28();
				_v228 = _t85;
				if (_v228 == 0) goto 0xe272bf64;
				_v1516 = 0;
				_v1524 =  &_v1476;
				_v1532 =  &_v1484;
				_v1540 =  &_v1460;
				0xe2740e22();
				goto 0xe272bf84;
				_v1212 = _v12;
				_v1308 =  &_v12;
				_v196 = _a4;
				_v192 = _a12;
				_v180 = _v12;
				_v1492 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(??);
				_v212 = UnhandledExceptionFilter(??);
				if (_v212 != 0) goto 0xe272bffb;
				if (_v1492 != 0) goto 0xe272bffb;
				if (_v4 == 0xffffffff) goto 0xe272bffb;
				return E00007FFF7FFFE2723280(E00007FFF7FFFE2728D90(_t59, _v4), _v4, __edx, _v36 ^ _t100 - 0x00000610, _v204, _v220);
			}

0x7fffe272be50
0x7fffe272be55
0x7fffe272be59
0x7fffe272be65
0x7fffe272be6f
0x7fffe272be7f
0x7fffe272be88
0x7fffe272be8d
0x7fffe272beaa
0x7fffe272beb4
0x7fffe272bebe
0x7fffe272bec3
0x7fffe272becb
0x7fffe272bedb
0x7fffe272bee1
0x7fffe272bee9
0x7fffe272bef1
0x7fffe272bf04
0x7fffe272bf09
0x7fffe272bf1a
0x7fffe272bf1c
0x7fffe272bf2a
0x7fffe272bf34
0x7fffe272bf3e
0x7fffe272bf5d
0x7fffe272bf62
0x7fffe272bf6c
0x7fffe272bf7c
0x7fffe272bf8b
0x7fffe272bf99
0x7fffe272bfa8
0x7fffe272bfb6
0x7fffe272bfbc
0x7fffe272bfcd
0x7fffe272bfdc
0x7fffe272bfe3
0x7fffe272bfed
0x7fffe272c013

APIs

RtlCaptureContext.KERNEL32 ref: 00007FFFE272BEDB
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFFE272BF04
RtlVirtualUnwind.KERNEL32 ref: 00007FFFE272BF5D
IsDebuggerPresent.KERNEL32 ref: 00007FFFE272BFB0
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFFE272BFBC
UnhandledExceptionFilter.KERNEL32 ref: 00007FFFE272BFC7

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 3c99f19865488fa949415da8e2229a8dc4eaaacedc1a65a8015e4c0ea1d70d8e
Instruction ID: 2116391bb2588c92bd9098ca2c3eb0b4f7670838758881049cb12cdc551a0e78
Opcode Fuzzy Hash: 3c99f19865488fa949415da8e2229a8dc4eaaacedc1a65a8015e4c0ea1d70d8e
Instruction Fuzzy Hash: 0B41CE72918BC48AE670DB14E8443ABB7A5F7C9355F401229D68D82BA8EF7DD0A5CF40

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001B3A4 Relevance: 8.2, Strings: 6, Instructions: 685COMMON

Download Yara Rule

Strings

#X, xrefs: 000000018001BE03
of?, xrefs: 000000018001BCC0
=`, xrefs: 000000018001B4ED
M@, xrefs: 000000018001BD49
!Iv;, xrefs: 000000018001BDA7
uzxY, xrefs: 000000018001B986

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #X$!Iv;$=`$M@$of?$uzxY
API String ID: 0-1910763920
Opcode ID: 9693a8ffcd6589fd3dbfdbad085aa322119c3f1a6317bc180f44839f00dc24fe
Instruction ID: 7899ed511868268ad7aea3719dccceda62fd29fa6bb16e154aa46d1db7c43d79
Opcode Fuzzy Hash: 9693a8ffcd6589fd3dbfdbad085aa322119c3f1a6317bc180f44839f00dc24fe
Instruction Fuzzy Hash: F172047190478C8BDB58DF68C88A69E7FE1FB84384F20461DF95A9B260D770D989CF81

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000BC98 Relevance: 8.0, Strings: 6, Instructions: 487COMMON

Download Yara Rule

Strings

;*v(, xrefs: 000000018000C23C
F9p, xrefs: 000000018000C348
;3, xrefs: 000000018000C590
*I, xrefs: 000000018000C3C7
ef~j, xrefs: 000000018000C484
#X, xrefs: 000000018000BD53

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #X$*I$;*v($;3$F9p$ef~j
API String ID: 0-950528966
Opcode ID: 9500c32e6f155eacac3cfe5a03c267215382f5440a46099a8d521f2441a56deb
Instruction ID: 5057aee1002f2822c724537f3f36740fe0594223e2d956511feddf479ded4ebe
Opcode Fuzzy Hash: 9500c32e6f155eacac3cfe5a03c267215382f5440a46099a8d521f2441a56deb
Instruction Fuzzy Hash: 6A42E771144BCA8BCBB9CF24CC85BEF7BA0FB44306F145529D89A8A291DBB89745CF41

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000F554 Relevance: 7.9, Strings: 6, Instructions: 447COMMON

Download Yara Rule

Strings

9w, xrefs: 000000018000F9B1
M?@, xrefs: 000000018000FA5E
jS<, xrefs: 000000018000FD7B
%, xrefs: 000000018000FCB8
IX, xrefs: 000000018000FDD5
M, xrefs: 000000018000FBC1

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: %$9w$IX$M?@$jS<$M
API String ID: 0-1157581923
Opcode ID: 4886396801a5b693aefa3fa65be42d7051c7ccebe6a69933f9c891aa2fa5d29c
Instruction ID: e375d1c8451a89c96fc0dfbd01d6dda6b37f4c7765b0f9ce143112ad2eac9b8a
Opcode Fuzzy Hash: 4886396801a5b693aefa3fa65be42d7051c7ccebe6a69933f9c891aa2fa5d29c
Instruction Fuzzy Hash: 8A32E4B0A147888BCBB8CF68C8897DD7BF0FB48318F90521DEA0A9B251DB745645CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800053B0 Relevance: 7.8, Strings: 6, Instructions: 305COMMON

Download Yara Rule

Strings

&n, xrefs: 0000000180005658
Oh, xrefs: 00000001800058F7
j/, xrefs: 0000000180005758
%, xrefs: 00000001800054DC
1U, xrefs: 0000000180005931
X, xrefs: 00000001800058D8

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: %$&n$1U$Oh$j/$X
API String ID: 0-3716166881
Opcode ID: 3ec52770ba243505623e348b6c36d4d02d94aade20e82fe7112f5902b3326bac
Instruction ID: b98437ffb223a44b0e92d10549c73aaa59fdecde54cd589da16d290276777c9c
Opcode Fuzzy Hash: 3ec52770ba243505623e348b6c36d4d02d94aade20e82fe7112f5902b3326bac
Instruction Fuzzy Hash: D9F13C70508B88CFD7B9CF24D48969EBBF4FB84744F204A1EE5A59B260DBB09645CF42

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180028D10 Relevance: 7.7, Strings: 6, Instructions: 249COMMON

Download Yara Rule

Strings

G8L, xrefs: 0000000180028E0A
P;, xrefs: 0000000180028F1F
ozq~, xrefs: 0000000180028EC6
J9, xrefs: 0000000180028D50
tiG, xrefs: 0000000180028D62
ss6, xrefs: 0000000180028DBD

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: G8L$J9$ozq~$ss6$tiG$P;
API String ID: 0-1765782432
Opcode ID: c77c4daeda8c59326f72f8188263c488bfcd846ed7a7bd487d849044a826f1d5
Instruction ID: 77e5b6b93cc6977e5a95292e040e55b4553736c218ba0195107264470a30d31c
Opcode Fuzzy Hash: c77c4daeda8c59326f72f8188263c488bfcd846ed7a7bd487d849044a826f1d5
Instruction Fuzzy Hash: FCC1097050064D8FDF89DF28C89A6DE3BA1FB68398F51421DFC4A962A1C778D994CBC4

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2728900 Relevance: 7.6, APIs: 5, Instructions: 55timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFFE272359E), ref: 00007FFFE272893B
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFFE272359E), ref: 00007FFFE272894B
GetCurrentThreadId.KERNEL32 ref: 00007FFFE2728963
GetTickCount.KERNEL32 ref: 00007FFFE272897B
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFFE272359E), ref: 00007FFFE2728998

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 3c45f80db2f34b613ab4c9fa771cbb066be9ba5f1b7e4cdc55cd1e9c18cefb40
Instruction ID: b7266408f5ab2becb4d15edeec19087910e22c1cf397369f1e9e6624635f9498
Opcode Fuzzy Hash: 3c45f80db2f34b613ab4c9fa771cbb066be9ba5f1b7e4cdc55cd1e9c18cefb40
Instruction Fuzzy Hash: A221F721A09F0585DA70CB15F85432A77E0FB8EBA4F041235EA9EC3764EF7CD6A48701

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001CF9C Relevance: 7.0, Strings: 5, Instructions: 751COMMON

Download Yara Rule

Strings

-Ie:, xrefs: 000000018001DEBB
jc, xrefs: 000000018001DDA5
_, xrefs: 000000018001D9C0
Y, xrefs: 000000018001DB50
,bF, xrefs: 000000018001DB1D

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ,bF$-Ie:$Y$jc$_
API String ID: 0-2562869522
Opcode ID: 13dcfdf2b547f47b8e652e45a129a81bd12d479633329dbfd5d4c9c90b2a7465
Instruction ID: be835d82a8a11271eaf2d0d4144821f845ce411821323c63ff6fa91e08a90877
Opcode Fuzzy Hash: 13dcfdf2b547f47b8e652e45a129a81bd12d479633329dbfd5d4c9c90b2a7465
Instruction Fuzzy Hash: 2F82FC7190478C8BDBBDCF24C8466DE7BE1FB88744F104A1DEA5A8A350D7B49785CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800270C0 Relevance: 6.9, Strings: 5, Instructions: 672COMMON

Download Yara Rule

Strings

3'p, xrefs: 0000000180027483
R@\, xrefs: 0000000180027748
AVx., xrefs: 0000000180027CF1
|7}, xrefs: 0000000180027EB6
%, xrefs: 0000000180027A74

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: %$3'p$AVx.$R@\$|7}
API String ID: 0-1377184578
Opcode ID: 42416e948d3c9d06b93ab1f3a8ba6bb7b4031ce7609dd7b48ddc645cdcf3989a
Instruction ID: 11bdd15b6fdebef4e4e33012fe2102d5287f0ed75640ad066b8b9400528ec4a7
Opcode Fuzzy Hash: 42416e948d3c9d06b93ab1f3a8ba6bb7b4031ce7609dd7b48ddc645cdcf3989a
Instruction Fuzzy Hash: F0820774604BC88BDBB8DF24DC857CD7BE0FB86305F20561DD95E9AA60CBB89645CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002D28 Relevance: 6.8, Strings: 5, Instructions: 514COMMON

Download Yara Rule

Strings

W0, xrefs: 00000001800031D3
.s, xrefs: 00000001800030F4
89, xrefs: 0000000180002E9E
/$*, xrefs: 0000000180002F2C
j~L, xrefs: 0000000180002EC4

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: .s$/$*$89$W0$j~L
API String ID: 0-3680180293
Opcode ID: b1eb1fe3fa88397c885ab509abe1c858ffcdb74bf15ef161dec0971567ed18e8
Instruction ID: f5b8073de7550f00aae71ce47ac4d0d330c984d331b26572373d31fffc6277f7
Opcode Fuzzy Hash: b1eb1fe3fa88397c885ab509abe1c858ffcdb74bf15ef161dec0971567ed18e8
Instruction Fuzzy Hash: 9332237050C7848FC369DF68C58A65EBBF0FB8A744F004A1EF68687260D7B6D949CB42

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002A5D8 Relevance: 6.6, Strings: 5, Instructions: 339COMMON

Download Yara Rule

Strings

J? , xrefs: 000000018002A763
IE, xrefs: 000000018002A956
:_, xrefs: 000000018002A6AC
DHM, xrefs: 000000018002A941
ioF, xrefs: 000000018002A783

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: :_$DHM$J? $ioF$IE
API String ID: 0-1950181368
Opcode ID: 259697ebe02e240ff157c8cb6796f3c563015099138ecee0effd1804923e127d
Instruction ID: dfce06ae3f2776b2053eb0988bfb390665c026a97965fcc171ceda4eb787facd
Opcode Fuzzy Hash: 259697ebe02e240ff157c8cb6796f3c563015099138ecee0effd1804923e127d
Instruction Fuzzy Hash: 4E02F470A0470DEFDB99DF68C089A8EBBF1FB48344F40856AE809EB250D7749A59CB45

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000E130 Relevance: 6.6, Strings: 5, Instructions: 305COMMON

Download Yara Rule

Strings

wPT, xrefs: 000000018000E274
5Z3, xrefs: 000000018000E36F
h9&, xrefs: 000000018000E1D6
\=V, xrefs: 000000018000E457
n", xrefs: 000000018000E164

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: \=V$h9&$n"$wPT$5Z3
API String ID: 0-226182706
Opcode ID: ce1cfba10c1d8d8dcb7fefef68f5dbb71196a1667c8063e3a43dba33cd0a9cce
Instruction ID: 86bcb4527d36acdb60297ed143c12856cad003a08b6179b63c097fe4f6929213
Opcode Fuzzy Hash: ce1cfba10c1d8d8dcb7fefef68f5dbb71196a1667c8063e3a43dba33cd0a9cce
Instruction Fuzzy Hash: F7E11871A0468C8BDF59CFE8C48ABDDBBF2FB54348F004129D906BB298D774951ACB85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180013994 Relevance: 6.5, Strings: 5, Instructions: 278COMMON

Download Yara Rule

Strings

|, xrefs: 0000000180013DF6
5.A, xrefs: 0000000180013AB3
Tv, xrefs: 0000000180013B60
2k, xrefs: 0000000180013C87
h, xrefs: 0000000180013BB0

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 2k$5.A$h$Tv$|
API String ID: 0-899094025
Opcode ID: db2f60ac8ea9c811a7e8a42be398396c7662d8ce257af2786f0ca87739e0812c
Instruction ID: fdc8e1fcc57a9d708ca924da4610569f3fbcb91b13fa75a00635c4e08a114872
Opcode Fuzzy Hash: db2f60ac8ea9c811a7e8a42be398396c7662d8ce257af2786f0ca87739e0812c
Instruction Fuzzy Hash: 2CE1B2B190474C8FDB69CFA8C48969DBFF1FB48348F20421DE869AB262D7749945CF41

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001A10C Relevance: 6.5, Strings: 5, Instructions: 210COMMON

Download Yara Rule

Strings

TaK, xrefs: 000000018001A1B7
T, xrefs: 000000018001A166
h, xrefs: 000000018001A205
`H, xrefs: 000000018001A2CF
_, xrefs: 000000018001A296

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID: `H$h$T$TaK$_
API String ID: 963392458-2145750592
Opcode ID: ffc2d6b317b26a71c8140759e67952dd965db1d69b0c3f8b48f7c1dc501504e9
Instruction ID: 3659a6701c3bc18b063cae63192a65d6a0dab5b7a081606fb1710f1fc1c5873b
Opcode Fuzzy Hash: ffc2d6b317b26a71c8140759e67952dd965db1d69b0c3f8b48f7c1dc501504e9
Instruction Fuzzy Hash: 8FA10771D087188FDB68DFA9D8856CDBBF1FB48308F20421DE45AA7252DB70A945CF41

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002975C Relevance: 5.5, Strings: 4, Instructions: 484COMMON

Download Yara Rule

Strings

{NC, xrefs: 0000000180029C32
Bwu, xrefs: 0000000180029EFD
^K, xrefs: 0000000180029AD7
L>yL, xrefs: 0000000180029A5A

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Bwu$L>yL${NC$^K
API String ID: 0-3175627499
Opcode ID: 50b0aea139128d6f7c402ec74795df524ca4165021b819f0d064fd60e31d3d12
Instruction ID: fbf4dbbb098cc7df43bbc7889590cb4d1f5602d02220e4776b40022e4a41187c
Opcode Fuzzy Hash: 50b0aea139128d6f7c402ec74795df524ca4165021b819f0d064fd60e31d3d12
Instruction Fuzzy Hash: 13322B70908B488FE769CF78C48665EBBF0FB84748F204A1DE6A697270DB749945CF42

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180021738 Relevance: 5.5, Strings: 4, Instructions: 483COMMON

Download Yara Rule

Strings

N'}, xrefs: 0000000180021C2C
dS, xrefs: 0000000180021E7D
%, xrefs: 00000001800220F1
Od^v, xrefs: 0000000180021933

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: %$N'}$Od^v$dS
API String ID: 0-4183360357
Opcode ID: 3e0f3c17ca57f4ad1f3f1084ac04447848ab7be5cba89c2bccd8803fee9248a0
Instruction ID: 281f3f4e81126c35bb2be7146c604e5ee0be10d432db17f45780181539d507de
Opcode Fuzzy Hash: 3e0f3c17ca57f4ad1f3f1084ac04447848ab7be5cba89c2bccd8803fee9248a0
Instruction Fuzzy Hash: 3342D9B190438C8BDBB8CF64C8896DD7BF1FB48318F50852DDA199B251DBB05685CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800252C0 Relevance: 5.3, Strings: 4, Instructions: 285COMMON

Download Yara Rule

Strings

sH, xrefs: 00000001800254B9
__Z%, xrefs: 000000018002535D
+Gq, xrefs: 0000000180025679
|deb, xrefs: 000000018002537F

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: +Gq$__Z%$|deb$sH
API String ID: 0-2072550713
Opcode ID: 094eb7f958d011cdb8ce81038bafb84045d4698861e966cd2ff6582630ea1e3f
Instruction ID: 26b4cb1fb47336c1432c1659c452027cf20818b998f95a2bcb6bb32f36742f2f
Opcode Fuzzy Hash: 094eb7f958d011cdb8ce81038bafb84045d4698861e966cd2ff6582630ea1e3f
Instruction Fuzzy Hash: 0FD1137160270DCBDB68DF28C68A6DE3BE1FF48308F504129FC5A96262D774D929CB49

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000403C Relevance: 5.3, Strings: 4, Instructions: 279COMMON

Download Yara Rule

Strings

5P, xrefs: 00000001800044DE
xX, xrefs: 0000000180004380
:=, xrefs: 000000018000423F
8r, xrefs: 000000018000410D

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 5P$8r$:=$xX
API String ID: 0-2901174047
Opcode ID: 6865726b2104b4eb7ff299f8486c8d696ddfefbd7c25c2068e726a6c762a58db
Instruction ID: 9c4e4b6ab2cee8fe4f9bfbf45665c48137a45671121b1b9ae43ff9fbf3dba1fc
Opcode Fuzzy Hash: 6865726b2104b4eb7ff299f8486c8d696ddfefbd7c25c2068e726a6c762a58db
Instruction Fuzzy Hash: 35E1357191034D9BCB88DF64C8899DD7BF1FB48398F516219FC4AAB260C7789585CF88

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180019178 Relevance: 5.3, Strings: 4, Instructions: 258COMMON

Download Yara Rule

Strings

&, xrefs: 0000000180019348
Ro, xrefs: 0000000180019427
X|, xrefs: 000000018001950F
WW, xrefs: 0000000180019528

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: &$Ro$X|$WW
API String ID: 0-419055892
Opcode ID: ca40c88e9c0bb890938dc8e49850b9c6f80446ec0944c9f0783c0d192955d258
Instruction ID: 8aa2c3e6b8818245adabd520600babaa531b4d52059a868131a34f3b668756e0
Opcode Fuzzy Hash: ca40c88e9c0bb890938dc8e49850b9c6f80446ec0944c9f0783c0d192955d258
Instruction Fuzzy Hash: 1EC1FDB150570DCBDB68CF28C58A6DE3BE5FB48308F108129FC5A9B2A0D774EA59CB45

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001F0A8 Relevance: 5.2, Strings: 4, Instructions: 246COMMON

Download Yara Rule

Strings

uxX4, xrefs: 000000018001F1AC
6), xrefs: 000000018001F229
tR, xrefs: 000000018001F405
tR, xrefs: 000000018001F0FE

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: tR$tR$uxX4$6)
API String ID: 0-566208085
Opcode ID: c081e77f49af2eaf56923f63e50e632cb9bf55942161f3f8d2179c3bd288189e
Instruction ID: 21dbc208fb27f88b672f000d339ef1a4b78a4386f06e48fd8b1f03ba1e8317ad
Opcode Fuzzy Hash: c081e77f49af2eaf56923f63e50e632cb9bf55942161f3f8d2179c3bd288189e
Instruction Fuzzy Hash: 84D1E5705087CC8BDBFEDF68C8857DA7BA8FB44748F104219EA0A9E269CB745749CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180018BDC Relevance: 5.2, Strings: 4, Instructions: 245COMMON

Download Yara Rule

Strings

57, xrefs: 0000000180018BFC
K-~, xrefs: 0000000180018C6B
`by, xrefs: 0000000180018DC2
7|, xrefs: 0000000180018F55

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 57$7|$K-~$`by
API String ID: 0-1764728439
Opcode ID: 3d75101ad2ff9bc1d340fad9c74c74685bf15c99ef7bfcf0826df8ee18983ab7
Instruction ID: 0ef0f182f1da72c174031fc5be9a225670cb57be642fb1d84f9edf9d7426cf45
Opcode Fuzzy Hash: 3d75101ad2ff9bc1d340fad9c74c74685bf15c99ef7bfcf0826df8ee18983ab7
Instruction Fuzzy Hash: 5EC1227510160CCBDBA8DF38C48A6DD3BE1FF58308F605129FC2A9A266C7B4D959CB44

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000B350 Relevance: 5.2, Strings: 4, Instructions: 243COMMON

Download Yara Rule

Strings

"*, xrefs: 000000018000B6F1
6i, xrefs: 000000018000B5D1
#X, xrefs: 000000018000B6A4
DgQ, xrefs: 000000018000B714

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #X$"*$DgQ$6i
API String ID: 0-2770996495
Opcode ID: 820f3a7f2831d7bc6be119a51f5435b60720529f940ec106d6c272ece28fcda8
Instruction ID: 504b32a01a029d54a9cc7c4b79b1c57dce6396aa3b2efbc72770fc67d95dc726
Opcode Fuzzy Hash: 820f3a7f2831d7bc6be119a51f5435b60720529f940ec106d6c272ece28fcda8
Instruction Fuzzy Hash: CCB10871A0870CABDFA9DFA8E4896DDBBF1FB44344F00451DE446A7290DB749A0ECB85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180028998 Relevance: 5.2, Strings: 4, Instructions: 216COMMON

Download Yara Rule

Strings

p, xrefs: 00000001800289F5
p, xrefs: 0000000180028A07
O:M, xrefs: 0000000180028A0E
iJ"], xrefs: 0000000180028B69

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: O:M$iJ"]$p$p
API String ID: 0-2745201584
Opcode ID: c580725723075c93842e669fadfa9b9fa9ca71e2e3fa7497301af4adcf51def7
Instruction ID: 8b688321e04c0e646b0fc78ee6d67cd940f90a9f6723fb1f8222d7259e9641f4
Opcode Fuzzy Hash: c580725723075c93842e669fadfa9b9fa9ca71e2e3fa7497301af4adcf51def7
Instruction Fuzzy Hash: 8AB10070D143098BCB89DFA8D486AEEBBF0FB48304F14851EE856B7250D7749A44CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2725E01 Relevance: 5.2, Strings: 4, Instructions: 178COMMON

Download Yara Rule

Strings

%hs located at 0x%p is %Iu bytes long.Memory allocated at %hs(%d)., xrefs: 00007FFFE272617C
HEAP CORRUPTION DETECTED: before %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory before start of heap buffer.Memory allocated at %hs(%d)., xrefs: 00007FFFE2725EF9
HEAP CORRUPTION DETECTED: on top of Free block at 0x%p.CRT detected that the application wrote to a heap buffer that was freed.Memory allocated at %hs(%d)., xrefs: 00007FFFE27260C7
HEAP CORRUPTION DETECTED: after %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory after end of heap buffer.Memory allocated at %hs(%d)., xrefs: 00007FFFE2725FE7

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID:
String ID: %hs located at 0x%p is %Iu bytes long.Memory allocated at %hs(%d).$HEAP CORRUPTION DETECTED: after %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory after end of heap buffer.Memory allocated at %hs(%d).$HEAP CORRUPTION DETECTED: before %hs block (#%d) at 0x%p.CRT detected that the application wrote to memory before start of heap buffer.Memory allocated at %hs(%d).$HEAP CORRUPTION DETECTED: on top of Free block at 0x%p.CRT detected that the application wrote to a heap buffer that was freed.Memory allocated at %hs(%d).
API String ID: 0-1867057952
Opcode ID: 2a9d8457aa34911385b660402f71547a5181f90184c5f28ce50b42f7ee7f8c58
Instruction ID: 0c2fc75a623e1ae8fd08db6c955e4e523df47d737c97278337af8455493a2493
Opcode Fuzzy Hash: 2a9d8457aa34911385b660402f71547a5181f90184c5f28ce50b42f7ee7f8c58
Instruction Fuzzy Hash: 23811C77A1CB9582DB24CB55E09032AB7A0F7C9794F100536EA8D87B68EFBDD461CB01

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180016AF4 Relevance: 5.1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

9\D, xrefs: 0000000180016BDC
OG3, xrefs: 0000000180016D08
8(', xrefs: 0000000180016CE5
6fA, xrefs: 0000000180016CBF

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 8('$6fA$9\D$OG3
API String ID: 0-2292045659
Opcode ID: 075f2f4683c67ac2050461b4b976e23f7824189084b04fb6fcbf6660b49be205
Instruction ID: ef0df636cc5d4b1adb12f513697d006f7e6ff77cbfd46ce7bca5e6c4611c7a17
Opcode Fuzzy Hash: 075f2f4683c67ac2050461b4b976e23f7824189084b04fb6fcbf6660b49be205
Instruction Fuzzy Hash: 6E8166B591130DCFDB98CF28C18A5CA3BA8FF55318F00412AFC1E9A264D3B4E959CB46

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180020AA0 Relevance: 5.1, Strings: 4, Instructions: 79COMMON

Download Yara Rule

Strings

w4, xrefs: 0000000180020B7E
!j, xrefs: 0000000180020B50
IzY, xrefs: 0000000180020AE3
0Oa, xrefs: 0000000180020BBD

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: !j$IzY$w4$0Oa
API String ID: 0-1210086663
Opcode ID: d22984424f9e842513d0b81fbf00519d97f66b1438588327bee25b78db1a615b
Instruction ID: d6ae16ce1753066c3a100fad89cd7b933425bd3752a83aacc50f13ca8011d066
Opcode Fuzzy Hash: d22984424f9e842513d0b81fbf00519d97f66b1438588327bee25b78db1a615b
Instruction Fuzzy Hash: 4E41CFB090034E8BCF88CF65C48A5DE7FB0FB68358F104619E916A6250D7B896A9CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002AF38 Relevance: 4.1, Strings: 3, Instructions: 363COMMON

Download Yara Rule

Strings

>q, xrefs: 000000018002B162
>q, xrefs: 000000018002B2D9
!fl, xrefs: 000000018002B3C2

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: !fl$>q$>q
API String ID: 0-3196423155
Opcode ID: dccb224850b43dda665c2028c8e90cf7ac528c4769e1ed18f59b4bae66e0f67a
Instruction ID: 6e0169028e0bb78a63dbed9d1dbc36ce20ef11fe4735bb4ca27ada0b4c61fd75
Opcode Fuzzy Hash: dccb224850b43dda665c2028c8e90cf7ac528c4769e1ed18f59b4bae66e0f67a
Instruction Fuzzy Hash: 18022574A0670CDBCBA9CFA8E48A69DBBF1FF14388F104119F816A7261C7B49919CB45

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180006B24 Relevance: 4.0, Strings: 3, Instructions: 284COMMON

Download Yara Rule

Strings

"Gd, xrefs: 0000000180006E8F
C2, xrefs: 0000000180006EBC
HG, xrefs: 0000000180006E14

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: "Gd$C2$HG
API String ID: 0-142661339
Opcode ID: 9dab0733114c64659f8f05551e608b0018560ea730d37400ebf1bc7fe80e5bb8
Instruction ID: f3040b85d87bafdcd4b0814e46a5c4b4479db0c4bbfe4c952327208bca537128
Opcode Fuzzy Hash: 9dab0733114c64659f8f05551e608b0018560ea730d37400ebf1bc7fe80e5bb8
Instruction Fuzzy Hash: 20C112719047CD8FDB89CFA8C88A6ED7BB1FB48354F104229F80697660DBB4D949CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180023624 Relevance: 4.0, Strings: 3, Instructions: 282COMMON

Download Yara Rule

Strings

QZB, xrefs: 0000000180023706
W1Z, xrefs: 0000000180023A69
Vu9(, xrefs: 0000000180023B25

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: QZB$Vu9($W1Z
API String ID: 0-4157987319
Opcode ID: 1f5c37778751f5a7f2813f46734b265b9b5d3f173c04e1f04c47467fdefc8410
Instruction ID: f699ba934c7511d53ebf66ced97cbd47477d8f387fb8544ab73dfc8f8e8f4cc9
Opcode Fuzzy Hash: 1f5c37778751f5a7f2813f46734b265b9b5d3f173c04e1f04c47467fdefc8410
Instruction Fuzzy Hash: 7DE1E870505B888FDBB9DF24CC897EBBBE1FB84705F10551EE84A9A290DBB49648CF41

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000A26C Relevance: 4.0, Strings: 3, Instructions: 277COMMON

Download Yara Rule

Strings

#X, xrefs: 000000018000A546
1c+, xrefs: 000000018000A683
,p, xrefs: 000000018000A3A5

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #X$1c+$,p
API String ID: 0-4193689514
Opcode ID: 870c2a5dff4c858b49c61e00ad2e43c057056019502a976b576cc033676d3952
Instruction ID: a14642629d5f8cbd2a1e8fb09d7711f81952208659678b8c12dc59c418106fb0
Opcode Fuzzy Hash: 870c2a5dff4c858b49c61e00ad2e43c057056019502a976b576cc033676d3952
Instruction Fuzzy Hash: A0F166B5906749CFCB88DF68C28A58D7BF1BF59304F404129FC1A9A260D3B4E529CB49

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180018628 Relevance: 4.0, Strings: 3, Instructions: 203COMMON

Download Yara Rule

Strings

:a, xrefs: 000000018001871C
F, xrefs: 00000001800186FC
o1, xrefs: 0000000180018668

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: :a$o1$F
API String ID: 0-2167756397
Opcode ID: 1dc69b1f9148db4d8f727193868d76463b7f9b687988be903e8d180db9dc4b1f
Instruction ID: c7b3f013bdef5c33efa64e5817367d2177fa9b070e37e7fa0e85b95e6b1d5a97
Opcode Fuzzy Hash: 1dc69b1f9148db4d8f727193868d76463b7f9b687988be903e8d180db9dc4b1f
Instruction Fuzzy Hash: 24A10170514609DFCB98DF28C58A6DE3BE1FF58318F40822AFC0A9B264C774DA58DB85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180008C9C Relevance: 3.9, Strings: 3, Instructions: 186COMMON

Download Yara Rule

Strings

hso, xrefs: 0000000180009054
"7F, xrefs: 0000000180008FC6
|, xrefs: 0000000180008E82

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: "7F$hso$|
API String ID: 0-2223032787
Opcode ID: a1c5852e2975669cd72ae99173752b080c1a60bb39e1eda62f5b8b24312d50f2
Instruction ID: 597be8bf6f8274430a7b1b716aee764a508e33f64a18c5174bbc12e988f7dea5
Opcode Fuzzy Hash: a1c5852e2975669cd72ae99173752b080c1a60bb39e1eda62f5b8b24312d50f2
Instruction Fuzzy Hash: CDA1E7716057888FEB7ADF64C8AA7DE7BA1FF59308F40461DD98E8E250C7B45608CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800090B4 Relevance: 3.9, Strings: 3, Instructions: 158COMMON

Download Yara Rule

Strings

ktw, xrefs: 00000001800091B2
eG, xrefs: 00000001800090E5
l$6, xrefs: 0000000180009270

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: eG$ktw$l$6
API String ID: 0-3696190584
Opcode ID: cfb728ef8011932e57c4461def4d81df8b30877acb09ef5991ab02cb5d25377a
Instruction ID: ec7ece3e5b0c03f4df558a0a1733d02cea5b85f33e09dae2f6683fda9d55fcb2
Opcode Fuzzy Hash: cfb728ef8011932e57c4461def4d81df8b30877acb09ef5991ab02cb5d25377a
Instruction Fuzzy Hash: E47114B0509708EFCB98DF68C089A9E7BB1FB88344F40C52EE849DB264C775DA19CB45

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180004B18 Relevance: 3.9, Strings: 3, Instructions: 148COMMON

Download Yara Rule

Strings

%Di|, xrefs: 0000000180004BAF
Z9s, xrefs: 0000000180004C94
6qp, xrefs: 0000000180004CB3

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: %Di|$6qp$Z9s
API String ID: 0-2690900941
Opcode ID: 036a56b574e0cc9d8bbe6e2c16f1c72bf3a7a337ff5cb561951f94e63896fd73
Instruction ID: 2c0d7369d6c4e2fe59306caeaa3cf354025216a739d91ba443ab140e2def37b4
Opcode Fuzzy Hash: 036a56b574e0cc9d8bbe6e2c16f1c72bf3a7a337ff5cb561951f94e63896fd73
Instruction Fuzzy Hash: 9C61257191070C9BCB88CF24C8C96DE7BB1FB483A8F556219FC0AAA294C7749985CF84

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180007678 Relevance: 3.9, Strings: 3, Instructions: 140COMMON

Download Yara Rule

Strings

Fl, xrefs: 000000018000787C
Fl, xrefs: 0000000180007874
vv5, xrefs: 000000018000780B

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Fl$Fl$vv5
API String ID: 0-3053741108
Opcode ID: 56c6ca64a2739fcec8bf5f3302d493d90fa60cbb6fd5cd63e6a43fd0d8d3c1f6
Instruction ID: 55f6967587c9a541224425d329b03615816d53db549f94b6db3b05c8e91cbb03
Opcode Fuzzy Hash: 56c6ca64a2739fcec8bf5f3302d493d90fa60cbb6fd5cd63e6a43fd0d8d3c1f6
Instruction Fuzzy Hash: FC511A70E4870CAFDB69DFA8E0866DDBBF1FB58344F004519E40AE7291DB74990ACB85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180016DA8 Relevance: 3.9, Strings: 3, Instructions: 133COMMON

Download Yara Rule

Strings

H8, xrefs: 0000000180016F99
nn, xrefs: 0000000180016DF3
nn, xrefs: 0000000180017044

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: H8$nn$nn
API String ID: 0-4263809824
Opcode ID: 01947e023cac002b8a0a3e4f78c79794eac0dde5bb4d18b8413bbe4288169ddb
Instruction ID: 3c01ac5d5c2d3476a5cfb8eba6abf236e6c64549312703f260b6bb5002efdfbd
Opcode Fuzzy Hash: 01947e023cac002b8a0a3e4f78c79794eac0dde5bb4d18b8413bbe4288169ddb
Instruction Fuzzy Hash: 5361D67555878CCBEBBADF38CC897D97BB1FB48344F908219D80E8A260DB7457498B41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180028348 Relevance: 3.9, Strings: 3, Instructions: 130COMMON

Download Yara Rule

Strings

,7%, xrefs: 0000000180028597
}]{, xrefs: 0000000180028494
%Nz, xrefs: 0000000180028375

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: %Nz$,7%$}]{
API String ID: 0-2809531587
Opcode ID: 676dc21c0f372b2db907baa94ef17c562d056d3d3dc12d9c581eeda360082d12
Instruction ID: b36c8970f11ad41429e233920f6dac2517fe43d92b96f19f813f385ea8bb4fb2
Opcode Fuzzy Hash: 676dc21c0f372b2db907baa94ef17c562d056d3d3dc12d9c581eeda360082d12
Instruction Fuzzy Hash: B771E470448788CBEBB5DF24C8856DEBBE4FB88744F60451DE9598B260DB749688CF01

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001ACB4 Relevance: 3.9, Strings: 3, Instructions: 124COMMON

Download Yara Rule

Strings

c, xrefs: 000000018001ACDC
,mQ, xrefs: 000000018001AE53
f41, xrefs: 000000018001ACEA

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ,mQ$f41$c
API String ID: 0-1594525360
Opcode ID: 7f89cf11389eafb96d04b6400e87a1f2a1e5a7f99f0c72ab3958d5ee7197d732
Instruction ID: ca916729033610084f534c396dc33c1afc583cc00ddec4c12c7a73cc6334aceb
Opcode Fuzzy Hash: 7f89cf11389eafb96d04b6400e87a1f2a1e5a7f99f0c72ab3958d5ee7197d732
Instruction Fuzzy Hash: AD51C071D0424C8BCB48DFA9E98A9DDBBF0FB48348F11820DE85AB7261C7749905CF69

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001370C Relevance: 3.8, Strings: 3, Instructions: 99COMMON

Download Yara Rule

Strings

$q~, xrefs: 0000000180013787
%s, xrefs: 0000000180013864
R3, xrefs: 0000000180013876

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: $q~$%s$R3
API String ID: 0-2520873970
Opcode ID: 3d3ced99ac42584346b8bad3007d62ef26daa4ae2805a0976e45a495c47b2b96
Instruction ID: 49708784934b6f27b099c9a4c0d62a5c340693359db0e98dd39e1096da177659
Opcode Fuzzy Hash: 3d3ced99ac42584346b8bad3007d62ef26daa4ae2805a0976e45a495c47b2b96
Instruction Fuzzy Hash: 2D414870508784DBD398CF18C0DA65EBBF1FB853A4FA0691DF583862A4DB75D9898B03

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800061A0 Relevance: 3.8, Strings: 3, Instructions: 89COMMON

Download Yara Rule

Strings

|', xrefs: 00000001800061CE
s, xrefs: 0000000180006277
[/, xrefs: 000000018000623E

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: [/$s$|'
API String ID: 0-508247755
Opcode ID: 7345308087df3ea52099129a82f0c3ea94bf5dab89828cea5ac59a44806af735
Instruction ID: 494a7eb40676bfcc00c7fdba1f25141f52c7cc4812b1f7e8e8b884a852a0e06c
Opcode Fuzzy Hash: 7345308087df3ea52099129a82f0c3ea94bf5dab89828cea5ac59a44806af735
Instruction Fuzzy Hash: 1841D4B090038E8FCB48DFA9D88A5DEBBB1FB48348F10461DEC25A6250D7B49554CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180012378 Relevance: 3.8, Strings: 3, Instructions: 85COMMON

Download Yara Rule

Strings

fq, xrefs: 0000000180012423
_#>, xrefs: 000000018001241C
`cb{, xrefs: 000000018001248C

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: _#>$`cb{$fq
API String ID: 0-41881557
Opcode ID: 6dffa8c73f5f57da7de5f12e066b229d1e4dd53f1b7788c47ce25402a50e5fa7
Instruction ID: 8d8b26aa43ab9a83d147a377112b64bfb8255cca975d25c3e902dea97d059722
Opcode Fuzzy Hash: 6dffa8c73f5f57da7de5f12e066b229d1e4dd53f1b7788c47ce25402a50e5fa7
Instruction Fuzzy Hash: 2941C0B180078E8FCF48CF64C88A5DE7FB0FB58358F104619E86AA6250D3B89665CFC4

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180012680 Relevance: 3.8, Strings: 3, Instructions: 73COMMON

Download Yara Rule

Strings

[U, xrefs: 00000001800126F5
=Z8, xrefs: 00000001800126B2
{To, xrefs: 000000018001273E

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: =Z8$[U${To
API String ID: 0-582923006
Opcode ID: 510822f7632221338f4787e6ba9fbd6d482cd1ebd2bab9e95bda9979d09408e7
Instruction ID: dd1ba70993956fe5376c9027ab0fa5dab7ea2e8642491db667c41f00a9894f6d
Opcode Fuzzy Hash: 510822f7632221338f4787e6ba9fbd6d482cd1ebd2bab9e95bda9979d09408e7
Instruction Fuzzy Hash: DA31AFB090074ECBCB88DF64C88A4DF7FB4FB68398F104219E855A6250D3B896A5CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000968C Relevance: 2.8, Strings: 2, Instructions: 290COMMON

Download Yara Rule

Strings

|8W, xrefs: 000000018000999A
v^, xrefs: 00000001800096A3

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: v^$|8W
API String ID: 0-4274756280
Opcode ID: e8f720407405c8f842976055ebfe5a961945bc41caeca3a3e9e3a1284d36038d
Instruction ID: eb46043f5dfd862e599a3e1f0545fc92660674d3eece30cf186a2abccef00301
Opcode Fuzzy Hash: e8f720407405c8f842976055ebfe5a961945bc41caeca3a3e9e3a1284d36038d
Instruction Fuzzy Hash: 23D11171A0630CCBDB68DF68C58AA9D7BE1FF59348F104129FC1A9B261C770E919CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180001E88 Relevance: 2.8, Strings: 2, Instructions: 261COMMON

Download Yara Rule

Strings

`:, xrefs: 000000018000222C
u5\, xrefs: 0000000180001FE0

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: `:$u5\
API String ID: 0-1141760586
Opcode ID: de639cec483ce4a43014a1f68f5d3fafad908dcfa8fcc167b954aac45c8ab292
Instruction ID: 309421123f437f89acc2771e6a55141bc20ba277e2d56715f434ec53ca724750
Opcode Fuzzy Hash: de639cec483ce4a43014a1f68f5d3fafad908dcfa8fcc167b954aac45c8ab292
Instruction Fuzzy Hash: 69C1207150574DCBDB99CF28C58A6D93BE5FF98348F104129FC0E862A1CBB4EA18CB46

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180022AAC Relevance: 2.8, Strings: 2, Instructions: 250COMMON

Download Yara Rule

Strings

0Au, xrefs: 0000000180022F34
]6, xrefs: 0000000180022FF9

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 0Au$]6
API String ID: 0-775207805
Opcode ID: 41d6d67fb4784ff97a0c8e7ec9a302166e0b0c9de4538925550087b6d031b924
Instruction ID: 6edab2825e6f92fa7d6d5649e6783b0aef41eda7633721283519dacdcc01bd9d
Opcode Fuzzy Hash: 41d6d67fb4784ff97a0c8e7ec9a302166e0b0c9de4538925550087b6d031b924
Instruction Fuzzy Hash: 2DE1D7706047889FCBBEDF24CC897DA7BA8FB46704F904619E9C98E250DB745748CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180026B98 Relevance: 2.7, Strings: 2, Instructions: 225COMMON

Download Yara Rule

Strings

S9, xrefs: 0000000180026D05
qrd, xrefs: 0000000180026C88

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: S9$qrd
API String ID: 0-2332744662
Opcode ID: dccb7ee8ec7dfb8e0809544b932b2caf2d93c57dd19aa3a9b169f23ded853006
Instruction ID: d3a666ff84b181fad27f9c2352a1e83f1b6bb5c561d3220c9e7978bd2dadc88f
Opcode Fuzzy Hash: dccb7ee8ec7dfb8e0809544b932b2caf2d93c57dd19aa3a9b169f23ded853006
Instruction Fuzzy Hash: 6EB1357590660CCFCB69DFA4C08A6DDBBF1EF68344F104519E812AB262CBB0D919CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180023C14 Relevance: 2.7, Strings: 2, Instructions: 204COMMON

Download Yara Rule

Strings

hw}2, xrefs: 0000000180023DCB
4&t, xrefs: 0000000180023F04

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: hw}2$4&t
API String ID: 0-1169878757
Opcode ID: 858c4deae444743a57c26792a91effe053d1d8b489a12bfa541918911fc2fcd6
Instruction ID: fd20564dcf1a671b287a6600624e9fb92dead2187b8d5629211a6de17e7e6b55
Opcode Fuzzy Hash: 858c4deae444743a57c26792a91effe053d1d8b489a12bfa541918911fc2fcd6
Instruction Fuzzy Hash: AEB168B590420CCFDB68CF78C45A5DD7BF1FB08308F60612AE826AA262D774D919CF54

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001EBA0 Relevance: 2.7, Strings: 2, Instructions: 192COMMON

Download Yara Rule

Strings

JMWd, xrefs: 000000018001EF78
a[, xrefs: 000000018001EECA

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: JMWd$a[
API String ID: 0-3276560754
Opcode ID: 94f2740beabb4555a63fe109c076897c128458c56f4cbcfe5625600f94c775f6
Instruction ID: 3b54873520b9a846c0abc3e4022efff23af49e59c185cad729b6d512d224c3a2
Opcode Fuzzy Hash: 94f2740beabb4555a63fe109c076897c128458c56f4cbcfe5625600f94c775f6
Instruction Fuzzy Hash: D5A106706047889FDBBACF18CC857DE3BA8FB46748F504229E8CA8E254CB745749CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180015494 Relevance: 2.7, Strings: 2, Instructions: 172COMMON

Download Yara Rule

Strings

%[, xrefs: 00000001800156E0
-, xrefs: 000000018001574A

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: %[$-
API String ID: 0-2535708364
Opcode ID: 65f60e6b5a076c6be367ab0f8efb072c07a091d19f07b8aff3e0ecb4ccd985c8
Instruction ID: a7604732bdc10a899b7b050bfde45695c0722dd065d5eed74db0117fa162c574
Opcode Fuzzy Hash: 65f60e6b5a076c6be367ab0f8efb072c07a091d19f07b8aff3e0ecb4ccd985c8
Instruction Fuzzy Hash: 1F81627050074ECBDB99DF14C88A7DE3BA0FB28389F114219FC85962A0D778C699CBC4

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000DB4C Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

i:O:, xrefs: 000000018000DE23
/Mr, xrefs: 000000018000DD1E

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: /Mr$i:O:
API String ID: 0-3426536595
Opcode ID: 8fba9de9c6c3b1e5047e1d7641fef574ac2ea6f46defdcfa8fbb4029ea408963
Instruction ID: 3eba081f804be6fa3a9d4fb4db8c82f5607d3411af965209965460f3089a80c7
Opcode Fuzzy Hash: 8fba9de9c6c3b1e5047e1d7641fef574ac2ea6f46defdcfa8fbb4029ea408963
Instruction Fuzzy Hash: 7C91087050438C8FDBBADF24C8AA7DE7BA1FB5A304F50461EEA4E8E250DB749644CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180017E2C Relevance: 2.7, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

;|-, xrefs: 0000000180017FAB
6|4, xrefs: 0000000180017EA9

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 6|4$;|-
API String ID: 0-2897245347
Opcode ID: 35605434c5429477d06d2e5b9b1bfa34856c77736f87f3e727847c01dfef7208
Instruction ID: 839a7c11e172a9a14e1c367a044feafa9aab422ef7ede3a919e78660e0b6ca0a
Opcode Fuzzy Hash: 35605434c5429477d06d2e5b9b1bfa34856c77736f87f3e727847c01dfef7208
Instruction Fuzzy Hash: C0714B7090474D8FCF88DFA4C8866EEBBF0FB48308F114619E88AA7251D7789645CF95

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000F328 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

U, xrefs: 000000018000F44E
U#, xrefs: 000000018000F446

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: U$U#
API String ID: 0-861755185
Opcode ID: 2086c1731bcfc2cec1958e1d1a3f8cb927817e2dd584414818c7a6dfab91bab1
Instruction ID: 3d07f47d2f6b9c27b0e4fe7d5859b29f381f1ada24735b7dc646a2f801c86eef
Opcode Fuzzy Hash: 2086c1731bcfc2cec1958e1d1a3f8cb927817e2dd584414818c7a6dfab91bab1
Instruction Fuzzy Hash: 0C515C7150C7449FC7A8DF18D4C67AAB7E0FB88310F90991DF8CAC7251EB70A9598B82

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180007EB4 Relevance: 2.7, Strings: 2, Instructions: 152COMMON

Download Yara Rule

Strings

fK, xrefs: 0000000180007F95
Pr, xrefs: 0000000180007FC1

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: fK$Pr
API String ID: 0-2696692655
Opcode ID: 9489b844c734f0d344b598ec7bcb8736a735df1c6bae6eaa62d1b735c6b442f4
Instruction ID: dfe3628fe45c31a405763d5fff7ed8f4d77ec04c4bb6b45016b3f1679df2575b
Opcode Fuzzy Hash: 9489b844c734f0d344b598ec7bcb8736a735df1c6bae6eaa62d1b735c6b442f4
Instruction Fuzzy Hash: 907116B090474E8FDB88CF28C88A6DE7BF0FB18358F515219FC4AA6260D774D598CB85

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000DEF4 Relevance: 2.6, Strings: 2, Instructions: 150COMMON

Download Yara Rule

Strings

n\, xrefs: 000000018000E000
z+&, xrefs: 000000018000E024

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: n\$z+&
API String ID: 0-1414119057
Opcode ID: f24be46eeb560fbb290949dbfd7d05873455e782ddfe7ec7ed40b48d6508653b
Instruction ID: eeb2c5940d29436bcd670e7d8a2b521530b450e3042878bcb8e4954d48490cde
Opcode Fuzzy Hash: f24be46eeb560fbb290949dbfd7d05873455e782ddfe7ec7ed40b48d6508653b
Instruction Fuzzy Hash: 22612070A04B0C8BCBA9DF98D48AADDB7F1FB58344F00411DE846A7390DBB8950ACB85

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800015C0 Relevance: 2.6, Strings: 2, Instructions: 149COMMON

Download Yara Rule

Strings

., xrefs: 00000001800017B7
50, xrefs: 00000001800016DE

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: .$50
API String ID: 0-2436285167
Opcode ID: 84d2de074a5e6e1a5d921b58512406c284d81fdc35452f42d6b6a069db9f8ad4
Instruction ID: 63debb9af518b5fca5d59737c01840b12b974a655eea7ff458552c4fa6b671e5
Opcode Fuzzy Hash: 84d2de074a5e6e1a5d921b58512406c284d81fdc35452f42d6b6a069db9f8ad4
Instruction Fuzzy Hash: 3671DF705087848FD769CF28C58965ABBF0FBC6344F008A1DF68686260CBB6D949CF03

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002ADC Relevance: 2.6, Strings: 2, Instructions: 149COMMON

Download Yara Rule

Strings

uC, xrefs: 0000000180002C87
,{, xrefs: 0000000180002C7D

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ,{$uC
API String ID: 0-1099860252
Opcode ID: 2af00e218d12abdb99ef7e76f2ba815a0f7da0c0d962cc97f106519d062cd6fe
Instruction ID: df29777c25f03bc51b29c5e68a382a2b48421fa47568a9dd7f4acde699563025
Opcode Fuzzy Hash: 2af00e218d12abdb99ef7e76f2ba815a0f7da0c0d962cc97f106519d062cd6fe
Instruction Fuzzy Hash: 28612D71A04B0C8FDBA9DF98D08A7DEB7F1FB48344F004119E406E7291DBB8990ADB85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180004E3C Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

*6TO, xrefs: 0000000180004F9B
"C, xrefs: 0000000180005084

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: "C$*6TO
API String ID: 0-2251823003
Opcode ID: 11a52743e991166c772ae58171141d3b918ce8d4020b5bd660e65aa41626bcf5
Instruction ID: 1108d3b1afe4df31317b10417d35e55e698c36e02fd161062712c06e930ceb12
Opcode Fuzzy Hash: 11a52743e991166c772ae58171141d3b918ce8d4020b5bd660e65aa41626bcf5
Instruction Fuzzy Hash: 598166B550130DCFCB98DF28C58A59D3BA8FB49308F40812AFC1E9A264D3B4E659DB46

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180015264 Relevance: 2.6, Strings: 2, Instructions: 137COMMON

Download Yara Rule

Strings

_ N, xrefs: 00000001800153D5
nkz, xrefs: 000000018001533E

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: _ N$nkz
API String ID: 0-4083044659
Opcode ID: a2e505ed0ed44acca9d37efa5475ae9917bfda84fefcb3a28f95bfb4043916ce
Instruction ID: b07831c94fe2cbd7ac58294498593f0ee6961182af88fd212fccb4805bec53d6
Opcode Fuzzy Hash: a2e505ed0ed44acca9d37efa5475ae9917bfda84fefcb3a28f95bfb4043916ce
Instruction Fuzzy Hash: 39513971D04A1D8BDF99CFA8C5457EEBBB1FB48344F108119E415BB250CBB89A09CF95

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000B834 Relevance: 2.6, Strings: 2, Instructions: 102COMMON

Download Yara Rule

Strings

?, xrefs: 000000018000B945
LiD+, xrefs: 000000018000B96C

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: LiD+$?
API String ID: 0-3739020763
Opcode ID: bc963e11fa834f262c09c021a462739b615030ee8f9d2598156052fa386473db
Instruction ID: 2f7d624153028320349e4a0adb7356b45dc1f3746b227896fac10cb383cb0630
Opcode Fuzzy Hash: bc963e11fa834f262c09c021a462739b615030ee8f9d2598156052fa386473db
Instruction Fuzzy Hash: F35191B590034E8FCB48DF64D48A8DE7FB0FB68398F214619E815A7210D7B496A4CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800085BC Relevance: 2.6, Strings: 2, Instructions: 101COMMON

Download Yara Rule

Strings

\o, xrefs: 0000000180008613
%&Iv, xrefs: 00000001800086E6

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: %&Iv$\o
API String ID: 0-2950252169
Opcode ID: e3b847a27b1fdf8219116b43965b4243214bd6bbc489cbb0191219741f6e6deb
Instruction ID: 7d8516b09fccf329ce1ee45da69bc8f76dfc96f1b67d05b04ebb17f55f6537e3
Opcode Fuzzy Hash: e3b847a27b1fdf8219116b43965b4243214bd6bbc489cbb0191219741f6e6deb
Instruction Fuzzy Hash: 7041C2B090074E8FCB48DF28C88A4DE7FB1FB68398F514619EC56A7250D7B496A4CBC4

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180009408 Relevance: 2.6, Strings: 2, Instructions: 95COMMON

Download Yara Rule

Strings

|<, xrefs: 0000000180009540
P;, xrefs: 00000001800094F1

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: |<$P;
API String ID: 0-71676942
Opcode ID: d8b30cb9b0bbde5f967eaf6e88493efae150f481542faaeeec2b89fd53c9bf9b
Instruction ID: b926ab4478da67f81816527f76e4a4189747c2b1a61b322854fb240660ec53f5
Opcode Fuzzy Hash: d8b30cb9b0bbde5f967eaf6e88493efae150f481542faaeeec2b89fd53c9bf9b
Instruction Fuzzy Hash: 0F41F4B190078ECFCF48DF68C88A5DE7BB0FB58318F10461DE82AA6250D3B49665CF84

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001A524 Relevance: 2.6, Strings: 2, Instructions: 94COMMON

Download Yara Rule

Strings

< @, xrefs: 000000018001A5D7
#X, xrefs: 000000018001A554

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #X$< @
API String ID: 0-1734357072
Opcode ID: efe0763d8a7a245e8cb996b606fb90cb3ba626e454cc1a7dd4141ea463f73824
Instruction ID: 53d5526a666e2e4b0aa3df313d94281727ef5dde582db7952040e92a2ea044da
Opcode Fuzzy Hash: efe0763d8a7a245e8cb996b606fb90cb3ba626e454cc1a7dd4141ea463f73824
Instruction Fuzzy Hash: E241C3B090078E8FCF48DF68C95A5DE7BB0FB58348F104A1DEC6AA6250D3B49665CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800234D8 Relevance: 2.6, Strings: 2, Instructions: 83COMMON

Download Yara Rule

Strings

X&x, xrefs: 00000001800235CE
.B, xrefs: 00000001800235C0

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: .B$X&x
API String ID: 0-2125001607
Opcode ID: b56e4be042cf3e20bfd4171d949980e8bdde88a4c8b77932d249eea416ff403a
Instruction ID: 406be0e8b3d674fc45ad7aec45ce8f3a41fae9dcbe4fb503a73b8d88e4a7390b
Opcode Fuzzy Hash: b56e4be042cf3e20bfd4171d949980e8bdde88a4c8b77932d249eea416ff403a
Instruction Fuzzy Hash: F541C3B190034E8BDF48DF68C98A4DE7BB1FB58358F00461DE866AB350D3B89665CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180014F50 Relevance: 2.6, Strings: 2, Instructions: 80COMMON

Download Yara Rule

Strings

S1, xrefs: 000000018001504E
D-o, xrefs: 0000000180015024

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: D-o$S1
API String ID: 0-2248371139
Opcode ID: b2af9136cfd81d84eb1aedf16953768fff15e9d6dc77d4de408be5ef0b131a39
Instruction ID: c824313cc5550ea8d08e24e936909b38c1116e4b52b8e35a6cfdfb4e8fb0d5b5
Opcode Fuzzy Hash: b2af9136cfd81d84eb1aedf16953768fff15e9d6dc77d4de408be5ef0b131a39
Instruction Fuzzy Hash: 7F418F7090074E8FCF88CF68C48A5DEBFB0FB28398F144619E856A6250D3B496A5CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180021588 Relevance: 2.6, Strings: 2, Instructions: 72COMMON

Download Yara Rule

Strings

kNTY, xrefs: 000000018002166D
")v, xrefs: 0000000180021679

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ")v$kNTY
API String ID: 0-925696221
Opcode ID: 2d468f080be7dc4ac37fbc5ab55ab08a385f91380d02a95960c4866fb202e0cd
Instruction ID: 3d1cde25fc61112586e0ccbc864a2b9889115514f3b9559dcc74a8c2fbc402f5
Opcode Fuzzy Hash: 2d468f080be7dc4ac37fbc5ab55ab08a385f91380d02a95960c4866fb202e0cd
Instruction Fuzzy Hash: 49317CB16187858B8348DF28C45641ABBE1FBCD70CF544B2DF4CAAB251D738D6128B4B

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800025B8 Relevance: 2.6, Strings: 2, Instructions: 69COMMON

Download Yara Rule

Strings

O, xrefs: 00000001800025BC
\u, xrefs: 00000001800026CE

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: O$\u
API String ID: 0-3775190597
Opcode ID: 81226de3c00d9588fcdb855554b2562b3d5d50c3db8a2dd8ff0fab91db437570
Instruction ID: b3d17dff366e7d439aca65bd494037a1e9e1cb33d0f26cc5f3c7e2fad645fe6e
Opcode Fuzzy Hash: 81226de3c00d9588fcdb855554b2562b3d5d50c3db8a2dd8ff0fab91db437570
Instruction Fuzzy Hash: 5B31C4B0528781AFC798DF28D09991ABBF1FBC9304F806A1DF98A8B350D774D845CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180012044 Relevance: 2.6, Strings: 2, Instructions: 67COMMON

Download Yara Rule

Strings

:s[, xrefs: 000000018001209B
+N, xrefs: 0000000180012133

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: +N$:s[
API String ID: 0-2992701377
Opcode ID: 59945e4bfd5c1812b410bc992af75b99beb9f24da50121ece688e224e72b4b08
Instruction ID: 2af45dfac4c7ae0da7497fa8c295952f08e7f96bebb69c710dc1a077a3b8364b
Opcode Fuzzy Hash: 59945e4bfd5c1812b410bc992af75b99beb9f24da50121ece688e224e72b4b08
Instruction Fuzzy Hash: 443192B5528381ABC388DF28C48A81FBBE1FBC9359F806A1DF8C696261D734D5458B43

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180024370 Relevance: 2.6, Strings: 2, Instructions: 64COMMON

Download Yara Rule

Strings

k, xrefs: 0000000180024379
'yN, xrefs: 000000018002441B

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 'yN$k
API String ID: 0-35230329
Opcode ID: 664b9cbffe37651652d085acf9af43cce7b6a19192dfc0ee1d7ff8525738b321
Instruction ID: 07b651401a32326000ca6cd35722393aebb0696fbf8e2d5e5a89f081ef8d3ba1
Opcode Fuzzy Hash: 664b9cbffe37651652d085acf9af43cce7b6a19192dfc0ee1d7ff8525738b321
Instruction Fuzzy Hash: DE318FB191478E8BDB48DF68D8494DF3BF0FB58308F004A29EC6A9A250D7B49664CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800024C0 Relevance: 2.6, Strings: 2, Instructions: 51COMMON

Download Yara Rule

Strings

lt, xrefs: 000000018000254B
]2F, xrefs: 0000000180002531

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ]2F$lt
API String ID: 0-3307743551
Opcode ID: e35954fd64214c4dc75024e05a92e9afc61a62ba820b5d5e41e037a5dcd882da
Instruction ID: b2e8e3d622355c2c7a8d87ad16832996e77f732c72c2020fcd3ed114b96953d1
Opcode Fuzzy Hash: e35954fd64214c4dc75024e05a92e9afc61a62ba820b5d5e41e037a5dcd882da
Instruction Fuzzy Hash: BC218C70528385ABC798CF24C1CA94BBBE1FBD4758F906A0DF8828B264D774D909CB43

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001667C Relevance: 1.5, Strings: 1, Instructions: 274COMMON

Download Yara Rule

Strings

t2i., xrefs: 000000018001687D

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: t2i.
API String ID: 0-2317288456
Opcode ID: ddf1efb97a931d6c5f3ee8c67c3fa2b44aa9af6db9e4e5e1b98fbf81237c32be
Instruction ID: 45fd1b4f7d9ae1bb3a1595fd0447dfa3858b4c22850e921c91e36994c5fa5290
Opcode Fuzzy Hash: ddf1efb97a931d6c5f3ee8c67c3fa2b44aa9af6db9e4e5e1b98fbf81237c32be
Instruction Fuzzy Hash: F4C17C709197489BD7D6DF18C48579EBBE0FB88344F906A1EF486C72A0CB34DA49CB02

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001AEC8 Relevance: 1.5, Strings: 1, Instructions: 261COMMON

Download Yara Rule

Strings

!, xrefs: 000000018001B19C

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: !
API String ID: 0-133318149
Opcode ID: 9a28524a62feba04ad602aea3c6b43a9e37f0bb3cb72c69032c5b680e6eaa856
Instruction ID: 4d490125f0736c0523a0bc8c54046deb818a488a36854fcf26dc18eb231edbc7
Opcode Fuzzy Hash: 9a28524a62feba04ad602aea3c6b43a9e37f0bb3cb72c69032c5b680e6eaa856
Instruction Fuzzy Hash: 94C1277090474D8BDF48DF68C88A6EE7BF1FB48358F15821DE84AA7250C7789949CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180001980 Relevance: 1.5, Strings: 1, Instructions: 235COMMON

Download Yara Rule

Strings

GP, xrefs: 00000001800019A8

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: GP
API String ID: 0-809347306
Opcode ID: c18687982be6c1a2fdabfac97a268a3404b4fe9754ccd0dba6adaab26aa3d97e
Instruction ID: b8cc07b6ee5f07dffcf88ae53723e0b0b514af2364763fc1c4f878c703b2f424
Opcode Fuzzy Hash: c18687982be6c1a2fdabfac97a268a3404b4fe9754ccd0dba6adaab26aa3d97e
Instruction Fuzzy Hash: 35C18BB190060DCFCF68CF78D55A59D7BF1BB48308F606229F826AA2A2D3B49915CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180014484 Relevance: 1.5, Strings: 1, Instructions: 224COMMON

Download Yara Rule

Strings

G, xrefs: 00000001800145F6

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: G
API String ID: 0-4067352199
Opcode ID: 571051391216adea76df2afa30ecc8bad161d89b390d9c97388838629c1a5ca4
Instruction ID: 225e36911d9d240547ab15c987b60d96220a9315f181ed6db9e7231e26a901aa
Opcode Fuzzy Hash: 571051391216adea76df2afa30ecc8bad161d89b390d9c97388838629c1a5ca4
Instruction Fuzzy Hash: 54A11871A0460CCFDF59DFA8C44A6DDB7F2FB48344F104529E816BB261CB749909CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180018190 Relevance: 1.5, Strings: 1, Instructions: 220COMMON

Download Yara Rule

Strings

:d, xrefs: 0000000180018267

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: :d
API String ID: 0-1981401805
Opcode ID: 7e01d6742b691afee721fc3f193522d49c245a6ce31efde50cdf5c406c664d98
Instruction ID: 210e0c3814bb066ec4f0600647a6f8918949d15d236ac433349e910c02a539df
Opcode Fuzzy Hash: 7e01d6742b691afee721fc3f193522d49c245a6ce31efde50cdf5c406c664d98
Instruction Fuzzy Hash: 55B1067150560DDFCB88DF28C089ADE7BE0FF58308F825229F80AA7255D774DA98DB49

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800207BC Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

'NL, xrefs: 00000001800208CD

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: 'NL
API String ID: 0-130891299
Opcode ID: 8a3ed407222c8cc95b4195594c73c0a0709bd4276b41a18d313f15a757072ddc
Instruction ID: bb2c5b98f4e45d76fdff147334347c6d164a6d6c8cf2b5048c0250209dce3a22
Opcode Fuzzy Hash: 8a3ed407222c8cc95b4195594c73c0a0709bd4276b41a18d313f15a757072ddc
Instruction Fuzzy Hash: 08816770900748CFDB99CF68C4896DE7BF0FB48394F609129F94697261C774D989CB81

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001705C Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

ETz, xrefs: 0000000180017234

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ETz
API String ID: 0-3877082699
Opcode ID: a70674ad09814c9e1798ed159b67f00a2b9c82905ce41e3639f5d760caf2f047
Instruction ID: db1a2cf02a49f3c5a1febdf95057c2803ba9c7043f43a3a74a84a847f8708688
Opcode Fuzzy Hash: a70674ad09814c9e1798ed159b67f00a2b9c82905ce41e3639f5d760caf2f047
Instruction Fuzzy Hash: 6281BC34A0674CCBDB65CFA8C0897CDBBF1FF68348F104119E915AA2A6CB70D559CB89

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800261E0 Relevance: 1.4, Strings: 1, Instructions: 164COMMON

Download Yara Rule

Strings

#;*z, xrefs: 00000001800264EE

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: #;*z
API String ID: 0-1682342327
Opcode ID: b680f4a085bd44a123493e5971e743dba8c621f53e8aa86b84bd23ce7ca92522
Instruction ID: dbf9c55ae058a2f54c24d1eac6a5ff2fe61b468a3017e99be0a6ffbf3af3057b
Opcode Fuzzy Hash: b680f4a085bd44a123493e5971e743dba8c621f53e8aa86b84bd23ce7ca92522
Instruction Fuzzy Hash: EF91E0715042888FCBB9DF24D88A7DA7BA1FB45348F50C229D88ECE261DFB0564DDB01

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180024570 Relevance: 1.4, Strings: 1, Instructions: 160COMMON

Download Yara Rule

Strings

dQ, xrefs: 00000001800246B3

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: dQ
API String ID: 0-4190919517
Opcode ID: 97a4412cc2303f28c05fec1f0b2e1d428cb8767c43294622f9f6b74118afce77
Instruction ID: 9d729ecabb7b74207a0fd84f221a36cedb2a9a3a0e5d95724699f54aa2ea8075
Opcode Fuzzy Hash: 97a4412cc2303f28c05fec1f0b2e1d428cb8767c43294622f9f6b74118afce77
Instruction Fuzzy Hash: 3E71E7711187988BDBFDCF28CC857D97BA6FB44744F20811CE84E8E261DB749A89CB02

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000D7AC Relevance: 1.4, Strings: 1, Instructions: 156COMMON

Download Yara Rule

Strings

)0, xrefs: 000000018000D866

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: )0
API String ID: 0-1029681778
Opcode ID: 40e7eb8740bf53d50ac0b689975ccfd72f61ab29a6f5010a355cdccaad617979
Instruction ID: 121df312e681884aeaf9abe1505228ce9ff72d97cb51e4d07d955d8bff2ee376
Opcode Fuzzy Hash: 40e7eb8740bf53d50ac0b689975ccfd72f61ab29a6f5010a355cdccaad617979
Instruction Fuzzy Hash: 6851673861660CCBDB69DF78D4852E93BE0FF69344F20402DFC6687266DB34D52A8B58

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180012168 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

Uerm, xrefs: 0000000180012269

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Uerm
API String ID: 0-3179360214
Opcode ID: 9ac54ab8c90a486f4441a78f79c66deafdf79af98abc137c17ed1b11debabc8b
Instruction ID: 041d59295089493447bb19a8378e04636211af5195b78f50b28b80e802418f55
Opcode Fuzzy Hash: 9ac54ab8c90a486f4441a78f79c66deafdf79af98abc137c17ed1b11debabc8b
Instruction Fuzzy Hash: AD6103B190061A8FCF48DFA8C48A5EEBBB1FB58344F10822DE815AB365C7749A55CFD4

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180015774 Relevance: 1.4, Strings: 1, Instructions: 143COMMON

Download Yara Rule

Strings

n?,#, xrefs: 0000000180015826

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: n?,#
API String ID: 0-1323099997
Opcode ID: 26b976f19a01f89e53d4e797cc3bc9c5337180b5ac8f28c70c7e0350769e597c
Instruction ID: 565b854ac311e8ede55e0f860d8d3b50ebc6ea35409b62ec986654d35b43713b
Opcode Fuzzy Hash: 26b976f19a01f89e53d4e797cc3bc9c5337180b5ac8f28c70c7e0350769e597c
Instruction Fuzzy Hash: 4461F97054878DCBEBBADE38C8897D937B0FB48344F908529E94E8E290DB749A458B45

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800059AC Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

NRx, xrefs: 0000000180005B20

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: NRx
API String ID: 0-1393999616
Opcode ID: b4a4ba5d31bb0dbda5b37bf156645da5abce175ef766aa9e7dc128ab78272a52
Instruction ID: 7c3eed2061eb3ea8b6bf0d1c70d9a16e0a2e2a77544f255897bb26607a47427d
Opcode Fuzzy Hash: b4a4ba5d31bb0dbda5b37bf156645da5abce175ef766aa9e7dc128ab78272a52
Instruction Fuzzy Hash: 46416C706197489BD3E5DF28C08679FBAE0FB88745F90A92DF585C32A1CB74C9488B43

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180029134 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

hT, xrefs: 0000000180029140

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: hT
API String ID: 0-434349927
Opcode ID: 6dc475388242e87dfd02804309664708b9ba0169bf98e34e56dbb37a95c1b731
Instruction ID: 79a86a43dda6c0bf54cad5f70c675ce2074b99fb8c760d3b3e2f6daa19ea02a9
Opcode Fuzzy Hash: 6dc475388242e87dfd02804309664708b9ba0169bf98e34e56dbb37a95c1b731
Instruction Fuzzy Hash: 2A5190B190038E8BCB48DF68C88A5DE7BB0FB58308F104A19FC65A6250D7B4D669CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800135A6 Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

w., xrefs: 0000000180013634

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: w.
API String ID: 0-4252102657
Opcode ID: 775cc355a8dd2b6f1bc8d8548c4489e17c5a54c9aeae587b6d573d3d7a9b0f7e
Instruction ID: ff83c9861e3aef96e788ade2e95c5d31a765335f039db5447ff320373d52f62b
Opcode Fuzzy Hash: 775cc355a8dd2b6f1bc8d8548c4489e17c5a54c9aeae587b6d573d3d7a9b0f7e
Instruction Fuzzy Hash: 524127B190434A8BCF48DF64C88A4DE7FB1FB58348F10861DEC5AA7250D7749659CBC4

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800079EC Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

\>, xrefs: 0000000180007A45

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: \>
API String ID: 0-4115654482
Opcode ID: ec85be460c7c8dfb7cf3a46c57a1e14dcdd929cba8cf803056f6d038e5aaf727
Instruction ID: c8bfe62f06df19f0db5cc8e5fd5c20be0a97c60a2c34a345c5b0509f61aa275d
Opcode Fuzzy Hash: ec85be460c7c8dfb7cf3a46c57a1e14dcdd929cba8cf803056f6d038e5aaf727
Instruction Fuzzy Hash: 5041B0B490038E8FDB48DF65D8895DE7BB0FB48358F104A1AEC25A6250D7B4D664CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001F6DC Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

UfMm, xrefs: 000000018001F81D

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: UfMm
API String ID: 0-3877223347
Opcode ID: dec106b4a764423c6080cde6e3c380fc2c4206b9dd3c84e9483206ca750e3b76
Instruction ID: c77ef5b6f515275834e01b5fcfcfc22ffe1a93dbca634ff8363d49e0f941db2a
Opcode Fuzzy Hash: dec106b4a764423c6080cde6e3c380fc2c4206b9dd3c84e9483206ca750e3b76
Instruction Fuzzy Hash: A1519EB190474E8BCF49CF64C48A5DE7FB0FB68398F214219E85A96250D3B8D6A4CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800173DC Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

^I%, xrefs: 0000000180017487

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ^I%
API String ID: 0-4091345571
Opcode ID: 3f12ff418f07ff0dffb22bdd7eb3939b0fd24fdb2c19c7287af7d17ae91e7243
Instruction ID: 24279a7f0b8a810ed47d94a020ccddcda864278dcc3d62ea9a1aafd37f1cc870
Opcode Fuzzy Hash: 3f12ff418f07ff0dffb22bdd7eb3939b0fd24fdb2c19c7287af7d17ae91e7243
Instruction Fuzzy Hash: D641C2B090074E8BCB48DF68C58A4DE7FF0FB68398F204219EC16A6250D3B496A4CFD4

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180008370 Relevance: 1.3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

Strings

E, xrefs: 0000000180008443

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: E
API String ID: 0-4189953480
Opcode ID: 6b2582ab6db5c886dc2d719d00820c997d2b994a7b2935478f04cfa12a5363ce
Instruction ID: 97bb68eb89739962e45bd832e2874dcd633b22f5609a7b84b761109d701c7c23
Opcode Fuzzy Hash: 6b2582ab6db5c886dc2d719d00820c997d2b994a7b2935478f04cfa12a5363ce
Instruction Fuzzy Hash: B341D5B491038E8FCF88DF69D8495DE7BB0FB18358F104A19EC2AA6250D3B49664CF85

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002582C Relevance: 1.3, Strings: 1, Instructions: 91COMMON

Download Yara Rule

Strings

JLq, xrefs: 0000000180025857

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: JLq
API String ID: 0-4186083495
Opcode ID: 8d9a50e123908ca919991315c6f3e14c53aa3b8bc44063858183d3498e4e8681
Instruction ID: 27128c2ca0a5d288d3179379bf0eddb2aee49c7a11679c2610c242e98f2fdc84
Opcode Fuzzy Hash: 8d9a50e123908ca919991315c6f3e14c53aa3b8bc44063858183d3498e4e8681
Instruction Fuzzy Hash: 3C41D5B090064E8FDF48CF68C4865EE7BF1FB58358F114229E846AA254C7789A95CFD4

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800150F0 Relevance: 1.3, Strings: 1, Instructions: 91COMMON

Download Yara Rule

Strings

vYa-, xrefs: 0000000180015210

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: vYa-
API String ID: 0-893662192
Opcode ID: 035fd408088c0482a5a9e27521314a342b14366a032dbf1fe9b8c33d69753ec7
Instruction ID: ed719b7027dd4d7706803f37edca27847d3dc95415a6febebb675a1e15796353
Opcode Fuzzy Hash: 035fd408088c0482a5a9e27521314a342b14366a032dbf1fe9b8c33d69753ec7
Instruction Fuzzy Hash: 0741C0B090034E8FCF48CF64D88A5DE7FB0FB68398F104619E856A6250D7B896A5CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180015BB8 Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

< dA, xrefs: 0000000180015C3D

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: < dA
API String ID: 0-2747138368
Opcode ID: 207b38533736b510735db2aca9d27c508cf70737fe24697ea278d93009114e66
Instruction ID: 677e9d37894352eedc94dfbe70e1d5a5f16f85bbcaa69aa355918790c22682b0
Opcode Fuzzy Hash: 207b38533736b510735db2aca9d27c508cf70737fe24697ea278d93009114e66
Instruction Fuzzy Hash: 2741A0B180074E8FCB49CF64D48A4DE7FB0FB68388F204619E856A6254D7B496A8CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800135B4 Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

w., xrefs: 0000000180013634

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: w.
API String ID: 0-4252102657
Opcode ID: 8dc8ab0dff87e9b75af9bc87b01f2b240cfc8c73fd94611f7c31912defe47775
Instruction ID: 9835b62cc5c81bb08ffa4c0ed138b56601e81b85f9b16a4ced47218125f66503
Opcode Fuzzy Hash: 8dc8ab0dff87e9b75af9bc87b01f2b240cfc8c73fd94611f7c31912defe47775
Instruction Fuzzy Hash: FC41E4B090434A8BCF48DF64C88A4DE7FB1FB58348F11861DEC5AA6250D7B496A9CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001F878 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

}]T*, xrefs: 000000018001F95B

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: }]T*
API String ID: 0-3642313528
Opcode ID: 7849323620c58637c1544052bb138ebef222585afcb74db7dd86457f284b6379
Instruction ID: a9b4d124700f7192ec0ffbe58db6f2cedd89af67995077d1789eaf9c0a4fefb8
Opcode Fuzzy Hash: 7849323620c58637c1544052bb138ebef222585afcb74db7dd86457f284b6379
Instruction Fuzzy Hash: 624191B191074E9FCF48DF64D48A4DE7FB0FB68388F214619E816A6210D3B496A4CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180013568 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

w., xrefs: 0000000180013634

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: w.
API String ID: 0-4252102657
Opcode ID: da61243a15702063775777e79984a8309a15a56a41d8ca6f71a856d03373fb1d
Instruction ID: 13a44cd4838b071505596f301d9460f32b91f3f909068c68e30d7ec81fe075ae
Opcode Fuzzy Hash: da61243a15702063775777e79984a8309a15a56a41d8ca6f71a856d03373fb1d
Instruction Fuzzy Hash: 194104B090434A8BCF48CF64C88A4DE7FB1FB58348F10861DEC5AA6250D7B496A8CFC4

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000E5D4 Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

N8$, xrefs: 000000018000E64E

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: N8$
API String ID: 0-2933465586
Opcode ID: 0eb94b4c30cdf64432c8dd49aa40656dc32a215d341cf791ffb885c3adf2427e
Instruction ID: 297b3d980fd839d27da657b87e2df8633a1b9c783a0b67fb1012bddc2283f9fe
Opcode Fuzzy Hash: 0eb94b4c30cdf64432c8dd49aa40656dc32a215d341cf791ffb885c3adf2427e
Instruction Fuzzy Hash: 0241827180078E8FCB45CF64D88A4CE7FB0FB18358F105A19F865A7260D3B49664CF95

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002B564 Relevance: 1.3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

wk, xrefs: 000000018002B5A3

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: wk
API String ID: 0-1447520534
Opcode ID: 0a0edc96079985f20ed57ef59bebf533c7b67d56244039d22a088e51808c84b4
Instruction ID: ed1e7f9bc21f483ed76e74f249cc539d96e15df8e9c5d2752f3a18cd8a4680c8
Opcode Fuzzy Hash: 0a0edc96079985f20ed57ef59bebf533c7b67d56244039d22a088e51808c84b4
Instruction Fuzzy Hash: A041C4B180074E8BCB48DF68D48A4CE7FF0FB68398F10461DE859A6250D7B49AA4CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180025180 Relevance: 1.3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

D7 , xrefs: 000000018002519E

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: D7
API String ID: 0-599489778
Opcode ID: 0decf5b59288eb500aae667ac6c9b4e4dce6b838f673c5fc17c927a6ca0452b7
Instruction ID: 9ff7da26f915c3fd9b9081bc776a27ba1207aebd425a4d5bef8b93ab939ca450
Opcode Fuzzy Hash: 0decf5b59288eb500aae667ac6c9b4e4dce6b838f673c5fc17c927a6ca0452b7
Instruction Fuzzy Hash: 4541B0B090074E8BCF48DF68D4965DE7FB0FB68388F20421DE816A6250D7B496A5CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800048B0 Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

-, xrefs: 00000001800048BC

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: -
API String ID: 0-2547686586
Opcode ID: 39f87b108b025f322a4fb09bf0250602f0777b0869fb0748bb25e5d88246fb72
Instruction ID: fb4667ec304b728e9739446c3b2210f9efd75ae712771165d94948b9d3b69a1a
Opcode Fuzzy Hash: 39f87b108b025f322a4fb09bf0250602f0777b0869fb0748bb25e5d88246fb72
Instruction Fuzzy Hash: E641D2B181038ECFCB48CFA4D88A5CE7BB1FB48358F115A09FC65A6224D3B49665CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180015A64 Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

Q, xrefs: 0000000180015A70

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Q
API String ID: 0-2885194100
Opcode ID: bdb98b8b2c0f07edeaa2617f1c602c347d51b8d3ebd884f46db44bb476cabbd3
Instruction ID: a9705b719f6d6278401c973a571993bf085652b79919a3d293b183e1acac7421
Opcode Fuzzy Hash: bdb98b8b2c0f07edeaa2617f1c602c347d51b8d3ebd884f46db44bb476cabbd3
Instruction Fuzzy Hash: 9141F5B180434E8FCF48CFA4C84A4DE7FB1FB18318F004619EC5AA6250D7B49664CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180016054 Relevance: 1.3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

Strings

UA;k, xrefs: 0000000180016115

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: UA;k
API String ID: 0-1243451539
Opcode ID: 9dbe3c72688dc078ed354c07d057a6794037f82480b8e2a0bdd9448b7935877c
Instruction ID: 446a4ee04f98266578c7fdeec7750357e9914a8a062f983f2ae732e753f3f9f0
Opcode Fuzzy Hash: 9dbe3c72688dc078ed354c07d057a6794037f82480b8e2a0bdd9448b7935877c
Instruction Fuzzy Hash: AC31E2B090034E8FCB48DF65C48A4DE7FB0FB68398F104619E859A6250D3B896A5CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180017638 Relevance: 1.3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

Strings

BHj, xrefs: 0000000180017725

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: BHj
API String ID: 0-429444599
Opcode ID: b2d81b77ec5a3d92ed60f1e2a925d42953c8b0d81e9e004bfe4218ede8c6c85b
Instruction ID: 88d82d5a62f7e83910e755dc00f06a4804c179e3d48da98a41081325a3075538
Opcode Fuzzy Hash: b2d81b77ec5a3d92ed60f1e2a925d42953c8b0d81e9e004bfe4218ede8c6c85b
Instruction Fuzzy Hash: 2F31B2B190078E8FCF84DF64C88A5DE7BB0FB58358F010A09E869A6250D7B8D665CF85

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800078A4 Relevance: 1.3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

Strings

h, xrefs: 0000000180007961

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: h
API String ID: 0-130632579
Opcode ID: d5fc1072884fae1f5b57c471a7f51524b23a4deaf3d031234e0c0be062cfd6f2
Instruction ID: cf3c4ac770fe2f70a1efbbc55b0bf253fcb3f834dda7a796d3e0b8f6df5914ba
Opcode Fuzzy Hash: d5fc1072884fae1f5b57c471a7f51524b23a4deaf3d031234e0c0be062cfd6f2
Instruction Fuzzy Hash: 803102705187C48BD789CFA8C48965EFBE1FB94384F50492DF486867A0C7F8D948CB86

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800050D4 Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

?%4, xrefs: 00000001800050F0

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ?%4
API String ID: 0-422666221
Opcode ID: 9a50b58e01a5729271d6177eeb6adb68723f1c473c55e35b3503dad5704e2603
Instruction ID: a7a624d76b7a6b6a49308da5d267df16e75217d08dbc55e4173753466c7a619f
Opcode Fuzzy Hash: 9a50b58e01a5729271d6177eeb6adb68723f1c473c55e35b3503dad5704e2603
Instruction Fuzzy Hash: 0721A470628780AB878CDF28D49981BBBE1FBC9304F906A1CF9C68B364D7749445CB46

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180001870 Relevance: 1.3, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

ve, xrefs: 0000000180001922

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: ve
API String ID: 0-2619166483
Opcode ID: 0af36e16279e0b52c57c96dd2be3cf2d778334959a734097dc29c8b03be7ea9c
Instruction ID: bd1518f744f48cc188204749d08526443734dde3f23549b257c943e1dafbc1e4
Opcode Fuzzy Hash: 0af36e16279e0b52c57c96dd2be3cf2d778334959a734097dc29c8b03be7ea9c
Instruction Fuzzy Hash: 3B217BB16187858BC748DF28C55951ABBE1FBCC318F404B5DF8CAAA360D378D645CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800026DC Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

Hk, xrefs: 000000018000270F

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: Hk
API String ID: 0-2736353058
Opcode ID: f042022579c6dc077ee2635b55382d47991fd87e705928ebfd6682ca687bc5a7
Instruction ID: 887fdeaeec6620913bccc1519bb94b7ab545cc472d3a2f82c737665b3ebe67cb
Opcode Fuzzy Hash: f042022579c6dc077ee2635b55382d47991fd87e705928ebfd6682ca687bc5a7
Instruction Fuzzy Hash: 20319CB4628384AB8388DF28C49981ABBF1FBC9304F806A1DF8868A260D775D445CB03

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000529C Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

@Bp!, xrefs: 00000001800052BA

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: @Bp!
API String ID: 0-2853746471
Opcode ID: ef82bde12d532e04876809b878463bf9d85bf8adc7e5172117a9a71904663532
Instruction ID: a42def5e4906ba5408d95fb28ee36c9633a666dd8c6a1d0dabe2f17b10b73553
Opcode Fuzzy Hash: ef82bde12d532e04876809b878463bf9d85bf8adc7e5172117a9a71904663532
Instruction Fuzzy Hash: 8831F37080034E8BCB44DF64D48A4DE7FB0FB28398F11461AE869A6210D3B48694CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180006308 Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

_&%, xrefs: 0000000180006314

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: _&%
API String ID: 0-276555772
Opcode ID: 8f3b61786a1347c07c3d5db82c2bc2daa848de2eab2d644bf824955350391771
Instruction ID: 84b034befa84842a6d26d9f5413634863003efd6eec9a48b68f2958c9e87747a
Opcode Fuzzy Hash: 8f3b61786a1347c07c3d5db82c2bc2daa848de2eab2d644bf824955350391771
Instruction Fuzzy Hash: C3217BB06187848B8748DF28D45A51ABBE1FBCC308F404B5DF4CAAA360D3789609CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800295C8 Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

V, xrefs: 00000001800295DC

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: V
API String ID: 0-2990084971
Opcode ID: 1782258294aa137d61fe32651e2643f77913c71ff09afc5f450ca4bece25d7e7
Instruction ID: 19a784c3393b647e1d02845cf9d1e0035701b9012461bc7b4b972f754d4b287b
Opcode Fuzzy Hash: 1782258294aa137d61fe32651e2643f77913c71ff09afc5f450ca4bece25d7e7
Instruction Fuzzy Hash: E021ADB4529780AFD788DF28D09981FBBF0FB89304F806A1CF9868B360E3759445CB02

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800229CC Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

fe_, xrefs: 0000000180022A54

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID: fe_
API String ID: 0-1346747655
Opcode ID: 656de1a6cae0373b094f44c9878c04d225c006d82b161423a6aec508986bcc20
Instruction ID: 9f8913945123cb4278df7be958afc5fc5d749fa594805d3e5c5ffa2821aade6f
Opcode Fuzzy Hash: 656de1a6cae0373b094f44c9878c04d225c006d82b161423a6aec508986bcc20
Instruction Fuzzy Hash: 25215DB55183818B9348EF28D44A51BBBE1BB8D34CF404B5DF4CEAA260D778D615CF4A

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180022290 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 690f928848312d3e50bce6c98363679f754364b802b69089bfd2d1cc95353951
Instruction ID: f4bbdddc4ebc6fe898ddfb3184844cd7ab88b5746f894e32bccfd4327ba112cf
Opcode Fuzzy Hash: 690f928848312d3e50bce6c98363679f754364b802b69089bfd2d1cc95353951
Instruction Fuzzy Hash: F751247152078DABDBC9DF28C8CAA9C3BA1FB44754F806219FC468A261D774D5C9CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180008134 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7876522931334601bd90a80625b7f157024bfeead9eee4300288ec184fcbc12
Instruction ID: d7e3191637b78f1be9ff87ab698ad538cd7d2d45c46478ba59590cd585685a95
Opcode Fuzzy Hash: a7876522931334601bd90a80625b7f157024bfeead9eee4300288ec184fcbc12
Instruction Fuzzy Hash: 5761B1B490078E8FCF48DF68D8595DE7BB0FB48318F014A19FC6696250D7B49A25CB84

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001E2F4 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88e65efb6d3fa20939ff192da4dfa840d39aac14346873756c43568c41f67993
Instruction ID: f17689cc06c9532d3252f7dc5abd3373f404a3f8166a5e21e79f0a6996b359c5
Opcode Fuzzy Hash: 88e65efb6d3fa20939ff192da4dfa840d39aac14346873756c43568c41f67993
Instruction Fuzzy Hash: 0B41B870608B488FC768DF19D08976ABBF1FB89711F40856EE68AC7351DB319848CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800280C8 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 485b6be602952e656e1e94650c6f168335af82f45d0d0f5b4aa22a8c646e7c56
Instruction ID: 9422144e28ecc4a9930a11d21f18f8515329dd70f686b1b52883d16e1825d5f7
Opcode Fuzzy Hash: 485b6be602952e656e1e94650c6f168335af82f45d0d0f5b4aa22a8c646e7c56
Instruction Fuzzy Hash: 2A414D34509B588FD768DF28918A75ABBE0FF99310F004A5EE58EC7362D770D949CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180006954 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c92699b14e6c2b4fd34943bfb19e45adab91cb197e26a720392e823bcd093906
Instruction ID: bbd244a3cf3555809e115011e05a98a3e8d5fd40b217627e69400f11bfb30a94
Opcode Fuzzy Hash: c92699b14e6c2b4fd34943bfb19e45adab91cb197e26a720392e823bcd093906
Instruction Fuzzy Hash: 745193B590434ACFCF48CF64D48A5CE7FB0FB68398F214219E856A6250D3B496A4CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180012500 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22d6ccee6f38bff831197d2bb081fadbeca5e8b7e3ae62232a51f5952ffcfbdb
Instruction ID: 8b5374169f69602128bd3032aff790cb1f354843cf4962b6e845d1f3af7287dc
Opcode Fuzzy Hash: 22d6ccee6f38bff831197d2bb081fadbeca5e8b7e3ae62232a51f5952ffcfbdb
Instruction Fuzzy Hash: 9741A0B180078E8BCB44CFA8D84A5DE7BF0FB18358F104A19F865A6250D3B89668CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180022140 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c574afae7ba18edac7d834e0abd82c8c7458f2e927091ead9319fe9aa7316d5f
Instruction ID: c15f1aaae4e4e13c906589d5588e8395ab5dda45948680e718f465f07a8a5b6e
Opcode Fuzzy Hash: c574afae7ba18edac7d834e0abd82c8c7458f2e927091ead9319fe9aa7316d5f
Instruction Fuzzy Hash: EC41C4B190038E8FDF48CF64C84A4DE7BB0FB58358F104619E86AA7250D3B8D665CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180020E40 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4afcbbeb8beafd70164a818e9f41371ad943d797e3468922fcea1c7c9f2e7631
Instruction ID: c896a4b3abc40741a1500648b31ed7fd3e584cfdc10005e9d212c87c64feccae
Opcode Fuzzy Hash: 4afcbbeb8beafd70164a818e9f41371ad943d797e3468922fcea1c7c9f2e7631
Instruction Fuzzy Hash: 2541C1B181035E8BDB48CFA8D48A5DE7FB0FB68398F204619E855A6214D3B496A4CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001C1B8 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6edc2e1e82c131bcdf0495892124b6f46e3b6b242b9e6d8eacab558a4eb6cfc8
Instruction ID: db142853bc0ceb5379a440845187b42230294cb0dc3411c083ed269e5703ce5c
Opcode Fuzzy Hash: 6edc2e1e82c131bcdf0495892124b6f46e3b6b242b9e6d8eacab558a4eb6cfc8
Instruction Fuzzy Hash: E831AFB090034E8FCB48CF68C4865DE7FB0FB58398F114219E85AA6210D3B496A5CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800162BC Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c455d63c0866516b303eef6870e820fc06907d5cf01b5e138b1643b6a977dfc
Instruction ID: 032a8ed253072f6fd1b05e82d0325949fdf78283cb4c6b9cd1929990fdaa7975
Opcode Fuzzy Hash: 6c455d63c0866516b303eef6870e820fc06907d5cf01b5e138b1643b6a977dfc
Instruction Fuzzy Hash: F93195B050078A8BCF48DF68C85A5AE3BB1FB48308B404A2DFD269A350D7B49664CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180021444 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91382f82a540e9ea2bbfb40e05a393f87671ab464d1f075959bb3f3378a52dce
Instruction ID: 9b1437c5de0cc84ebb9c914bb54d42d7cbbf0eefc466e3cb3beb54b329be6ed5
Opcode Fuzzy Hash: 91382f82a540e9ea2bbfb40e05a393f87671ab464d1f075959bb3f3378a52dce
Instruction Fuzzy Hash: E631D5B190034E8FCF48DF68C48A4DE7FB1FB68398F100619E816A6250D3B896A4CFC5

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180015F24 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76bccbb128cfcb22620bb2b416fc3ca44309eaef87c6278072ef16f6a50a05e8
Instruction ID: e5161e45e20286f18a7c233b2d95f7c6d50d739ad8bc374cfda940a225cf7d0d
Opcode Fuzzy Hash: 76bccbb128cfcb22620bb2b416fc3ca44309eaef87c6278072ef16f6a50a05e8
Instruction Fuzzy Hash: DD315C305187849BC3999B24C4C925EBEE1FB85399FA0682CF1C3C6264D774C98A8B06

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180026A90 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33d7533839bea32518041b6ca5f29ea3ef2f9d4ceb6278032ee9dcaf63ac5804
Instruction ID: e62117077ddfbae32c834d069a9ab80343e2b26cefae081dcf738b8df2b77597
Opcode Fuzzy Hash: 33d7533839bea32518041b6ca5f29ea3ef2f9d4ceb6278032ee9dcaf63ac5804
Instruction Fuzzy Hash: B22148B56183848BD749DF28D44A41ABBE1FB9C74CF400B6DF4CAAB250D378D649CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001A988 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ecf74b073e9749c9a707f8928f85ed0a2f8ff40eefc5cc2f6539f01074e035d
Instruction ID: 503aa3927fff6e4ad3ec536c6aa42fcab205a0bd32951b21a7cd1c91f46ab624
Opcode Fuzzy Hash: 8ecf74b073e9749c9a707f8928f85ed0a2f8ff40eefc5cc2f6539f01074e035d
Instruction Fuzzy Hash: 3F2150B46187848BD748DF28C45641ABBE1FB9C358F804B2DF4CAA7350D7789A05CF4A

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001DEFC Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.276495182.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180001000_regsvr32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9daa26d15846afd04c30d9d8c23f2645a3612f544d511007b76009de9b77635d
Instruction ID: bec49874bf3906a1a9314e610e6330a75ea1af3aa415f07e7967bd5f7b72e726
Opcode Fuzzy Hash: 9daa26d15846afd04c30d9d8c23f2645a3612f544d511007b76009de9b77635d
Instruction Fuzzy Hash: 61215CB16187848BD748DF28D05941FBBE0BB8D358F405B2DF8CAA6351D7789644CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE272F7F1 Relevance: 79.1, APIs: 23, Strings: 22, Instructions: 376COMMON

Download Yara Rule

APIs

_itow_s.LIBCMTD ref: 00007FFFE272F828
_invoke_watson_if_error.LIBCMTD ref: 00007FFFE272F855
OutputDebugStringA.KERNEL32 ref: 00007FFFE272F861
OutputDebugStringA.KERNEL32 ref: 00007FFFE272F89B
OutputDebugStringA.KERNEL32 ref: 00007FFFE272F8A8
OutputDebugStringA.KERNEL32 ref: 00007FFFE272F8B6
OutputDebugStringA.KERNEL32 ref: 00007FFFE272F8C3
_wcsftime_l.LIBCMTD ref: 00007FFFE272F939
_invoke_watson_if_oneof.LIBCMTD ref: 00007FFFE272F991
_invoke_watson_if_error.LIBCMTD ref: 00007FFFE272F9EF
_invoke_watson_if_error.LIBCMTD ref: 00007FFFE272FA6B
_invoke_watson_if_error.LIBCMTD ref: 00007FFFE272FAB2
_invoke_watson_if_error.LIBCMTD ref: 00007FFFE272FB1F
_invoke_watson_if_error.LIBCMTD ref: 00007FFFE272FB65
_invoke_watson_if_oneof.LIBCMTD ref: 00007FFFE272FC34
_invoke_watson_if_error.LIBCMTD ref: 00007FFFE272FC92
_invoke_watson_if_oneof.LIBCMTD ref: 00007FFFE272FD69
_invoke_watson_if_error.LIBCMTD ref: 00007FFFE272FDB6
_unlock.LIBCMTD ref: 00007FFFE272FEFE

Strings

strcat_s(szLineMessage, 4096, "\r"), xrefs: 00007FFFE272FB16
wcscpy_s(szOutMessage2, 4096, L"_CrtDbgReport: String too long or Invalid characters in String"), xrefs: 00007FFFE272FDAD
strcpy_s(szUserMessage, 4096, "_CrtDbgReport: String too long or IO Error"), xrefs: 00007FFFE272F9E6
_itoa_s(nLine, szLineMessage, 4096, 10), xrefs: 00007FFFE272F84C, 00007FFFE2730084
strcpy_s(szOutMessage, 4096, "_CrtDbgReport: String too long or IO Error"), xrefs: 00007FFFE272FC89
e = mbstowcs_s(&ret, szOutMessage2, 4096, szOutMessage, ((size_t)-1)), xrefs: 00007FFFE272FD50
_VCrtDbgReportA, xrefs: 00007FFFE272F845, 00007FFFE272F971, 00007FFFE272F9DF, 00007FFFE272FA5B, 00007FFFE272FAA2, 00007FFFE272FB0F, 00007FFFE272FB55, 00007FFFE272FC14, 00007FFFE272FC82, 00007FFFE272FD44, 00007FFFE272FDA6, 00007FFFE273007D
<file unknown>, xrefs: 00007FFFE272F884
_CrtDbgReport: String too long or IO Error, xrefs: 00007FFFE272F9AE, 00007FFFE272FC51
_CrtDbgReport: String too long or Invalid characters in String, xrefs: 00007FFFE272FD78
Second Chance Assertion Failed: File , xrefs: 00007FFFE272F85A
(*_errno()), xrefs: 00007FFFE272F97D, 00007FFFE272FC20
strcpy_s(szLineMessage, 4096, szFormat ? "Assertion failed: " : "Assertion failed!"), xrefs: 00007FFFE272FA62
6o, xrefs: 00007FFFE272FA85
strcat_s(szLineMessage, 4096, "\n"), xrefs: 00007FFFE272FB5C
, Line , xrefs: 00007FFFE272F8A1
Assertion failed: , xrefs: 00007FFFE272FA09
Assertion failed!, xrefs: 00007FFFE272FA1A
Pl, xrefs: 00007FFFE272FD1B
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\dbgrptt.c, xrefs: 00007FFFE272F83E, 00007FFFE272F965, 00007FFFE272F9D8, 00007FFFE272FA54, 00007FFFE272FA9B, 00007FFFE272FB08, 00007FFFE272FB4E, 00007FFFE272FC08, 00007FFFE272FC7B, 00007FFFE272FD38, 00007FFFE272FD9F, 00007FFFE2730076
strcat_s(szLineMessage, 4096, szUserMessage), xrefs: 00007FFFE272FAA9
%s(%d) : %s, xrefs: 00007FFFE272FBC2

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: _invoke_watson_if_error$DebugOutputString$_invoke_watson_if_oneof$_itow_s_unlock_wcsftime_l
String ID: %s(%d) : %s$(*_errno())$, Line $<file unknown>$Assertion failed!$Assertion failed: $Second Chance Assertion Failed: File $_CrtDbgReport: String too long or IO Error$_CrtDbgReport: String too long or Invalid characters in String$_VCrtDbgReportA$_itoa_s(nLine, szLineMessage, 4096, 10)$e = mbstowcs_s(&ret, szOutMessage2, 4096, szOutMessage, ((size_t)-1))$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\dbgrptt.c$strcat_s(szLineMessage, 4096, "\n")$strcat_s(szLineMessage, 4096, "\r")$strcat_s(szLineMessage, 4096, szUserMessage)$strcpy_s(szLineMessage, 4096, szFormat ? "Assertion failed: " : "Assertion failed!")$strcpy_s(szOutMessage, 4096, "_CrtDbgReport: String too long or IO Error")$strcpy_s(szUserMessage, 4096, "_CrtDbgReport: String too long or IO Error")$wcscpy_s(szOutMessage2, 4096, L"_CrtDbgReport: String too long or Invalid characters in String")$6o$Pl
API String ID: 242677333-579931786
Opcode ID: 90fb5dc47a0cb7e52882a682e6518eda47d2e5e2933cc617357387334d7819cd
Instruction ID: b51d9871416b141bc90fa3afa037973b2b58511db0316d9b1a34d9fc00a852d4
Opcode Fuzzy Hash: 90fb5dc47a0cb7e52882a682e6518eda47d2e5e2933cc617357387334d7819cd
Instruction Fuzzy Hash: 1332DB72D0CA8695E730CB10E8547EE73A1FB86345F800135D68D87A99EFBCE559CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE272B470 Relevance: 40.5, APIs: 7, Strings: 16, Instructions: 260COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 00007FFFE272B4E8
_invoke_watson_if_error.LIBCMTD ref: 00007FFFE272B533
_invoke_watson_if_error.LIBCMTD ref: 00007FFFE272B5ED

Strings

Debug %s!Program: %s%s%s%s%s%s%s%s%s%s%s%s(Press Retry to debug the application), xrefs: 00007FFFE272B921
memcpy_s(szShortProgName, sizeof(TCHAR) * (260 - (szShortProgName - szExeName)), dotdotdot, sizeof(TCHAR) * 3), xrefs: 00007FFFE272B5E4
__crtMessageWindowW, xrefs: 00007FFFE272B523, 00007FFFE272B5DD, 00007FFFE272B973, 00007FFFE272B9E1
Expression: , xrefs: 00007FFFE272B6BE
(*_errno()), xrefs: 00007FFFE272B97F
_CrtDbgReport: String too long or IO Error, xrefs: 00007FFFE272B9B0
For information on how your program can cause an assertionfailure, see the Visual C++ documentation on asserts., xrefs: 00007FFFE272B655
Line: , xrefs: 00007FFFE272B744
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\dbgrpt.c, xrefs: 00007FFFE272B51C, 00007FFFE272B5D6, 00007FFFE272B967, 00007FFFE272B9DA
Module: , xrefs: 00007FFFE272B84A
wcscpy_s(szExeName, 260, L"<program name unknown>"), xrefs: 00007FFFE272B52A
<program name unknown>, xrefs: 00007FFFE272B4F2
wcscpy_s(szOutMessage, 4096, L"_CrtDbgReport: String too long or IO Error"), xrefs: 00007FFFE272B9E8
File: , xrefs: 00007FFFE272B79B
Microsoft Visual C++ Debug Library, xrefs: 00007FFFE272B9FC
..., xrefs: 00007FFFE272B81F

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: _invoke_watson_if_error$FileModuleName
String ID: For information on how your program can cause an assertionfailure, see the Visual C++ documentation on asserts.$File: $Line: $Module: $(*_errno())$...$<program name unknown>$Debug %s!Program: %s%s%s%s%s%s%s%s%s%s%s%s(Press Retry to debug the application)$Expression: $Microsoft Visual C++ Debug Library$_CrtDbgReport: String too long or IO Error$__crtMessageWindowW$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\dbgrpt.c$memcpy_s(szShortProgName, sizeof(TCHAR) * (260 - (szShortProgName - szExeName)), dotdotdot, sizeof(TCHAR) * 3)$wcscpy_s(szExeName, 260, L"<program name unknown>")$wcscpy_s(szOutMessage, 4096, L"_CrtDbgReport: String too long or IO Error")
API String ID: 1949418964-1840610800
Opcode ID: 44b701395b3347ba89d33a25413c6d043cef3cadf6afd38b3a3e0c178ea01b00
Instruction ID: b1ac10587714e0bf8e3956392fd9c84ecf07ab4df6324ad1ad4400dd3bfa786e
Opcode Fuzzy Hash: 44b701395b3347ba89d33a25413c6d043cef3cadf6afd38b3a3e0c178ea01b00
Instruction Fuzzy Hash: 8AF1FC7690CBC695E630CB54F4543AAB3E5FB89780F504136DA8D82B69EFBCD1A4CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE272AE40 Relevance: 38.7, APIs: 5, Strings: 17, Instructions: 207COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFFE272D490: _invalid_parameter.LIBCMTD ref: 00007FFFE272D541

_invoke_watson_if_error.LIBCMTD ref: 00007FFFE272AE81
_invoke_watson_if_error.LIBCMTD ref: 00007FFFE272AF35

Strings

For information on how your program can cause an assertionfailure, see the Visual C++ documentation on asserts., xrefs: 00007FFFE272AF9D
memcpy_s(szShortProgName, sizeof(TCHAR) * (260 - (szShortProgName - szExeName)), dotdotdot, sizeof(TCHAR) * 3), xrefs: 00007FFFE272AF2C
strcpy_s(szExeName, 260, "<program name unknown>"), xrefs: 00007FFFE272AE78
Module: , xrefs: 00007FFFE272B192
strcpy_s(szOutMessage, 4096, "_CrtDbgReport: String too long or IO Error"), xrefs: 00007FFFE272B330
_CrtDbgReport: String too long or IO Error, xrefs: 00007FFFE272B2F8
m*, xrefs: 00007FFFE272AE9E
(*_errno()), xrefs: 00007FFFE272B2C7
Debug %s!Program: %s%s%s%s%s%s%s%s%s%s%s%s(Press Retry to debug the application), xrefs: 00007FFFE272B269
..., xrefs: 00007FFFE272B167
<program name unknown>, xrefs: 00007FFFE272AE40
File: , xrefs: 00007FFFE272B0E3
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\dbgrpt.c, xrefs: 00007FFFE272AE6A, 00007FFFE272AF1E, 00007FFFE272B2AF, 00007FFFE272B322
__crtMessageWindowA, xrefs: 00007FFFE272AE71, 00007FFFE272AF25, 00007FFFE272B2BB, 00007FFFE272B329
Line: , xrefs: 00007FFFE272B08C
Expression: , xrefs: 00007FFFE272B006
Microsoft Visual C++ Debug Library, xrefs: 00007FFFE272B344

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: _invoke_watson_if_error$_invalid_parameter
String ID: For information on how your program can cause an assertionfailure, see the Visual C++ documentation on asserts.$File: $Line: $Module: $(*_errno())$...$<program name unknown>$Debug %s!Program: %s%s%s%s%s%s%s%s%s%s%s%s(Press Retry to debug the application)$Expression: $Microsoft Visual C++ Debug Library$_CrtDbgReport: String too long or IO Error$__crtMessageWindowA$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\dbgrpt.c$memcpy_s(szShortProgName, sizeof(TCHAR) * (260 - (szShortProgName - szExeName)), dotdotdot, sizeof(TCHAR) * 3)$strcpy_s(szExeName, 260, "<program name unknown>")$strcpy_s(szOutMessage, 4096, "_CrtDbgReport: String too long or IO Error")$m*
API String ID: 2356156361-2279852085
Opcode ID: 2e784d19664e5a95b58b990f67b4737f05373876c1930d3c64995b1a0c69d3f2
Instruction ID: 5dc0d4f6eb621fe3ca9bb9775c182a53abb26e66563380dbc9df5ad44413210b
Opcode Fuzzy Hash: 2e784d19664e5a95b58b990f67b4737f05373876c1930d3c64995b1a0c69d3f2
Instruction Fuzzy Hash: 64C1DA7290CAC695E730CB11E4403EA67E5FBCA784F504135DA8D82BA9EFBCD165CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE272CB4F Relevance: 38.7, APIs: 8, Strings: 14, Instructions: 174fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 00007FFFE272CBF0
WriteFile.KERNEL32 ref: 00007FFFE272CC8E

Strings

Microsoft Visual C++ Runtime Library, xrefs: 00007FFFE272CEEC
wcsncpy_s(pch, progname_size - (pch - progname), L"...", 3), xrefs: 00007FFFE272CE50
2H, xrefs: 00007FFFE272CDB9
Runtime Error!Program: , xrefs: 00007FFFE272CCF8
0I, xrefs: 00007FFFE272CD0B
_, xrefs: 00007FFFE272CE71
wcscpy_s(outmsg, (sizeof(outmsg) / sizeof(outmsg[0])), L"Runtime Error!\n\nProgram: "), xrefs: 00007FFFE272CD2F
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\crt0msg.c, xrefs: 00007FFFE272CD21, 00007FFFE272CD95, 00007FFFE272CE42, 00007FFFE272CE87, 00007FFFE272CECA
wcscpy_s(progname, progname_size, L"<program name unknown>"), xrefs: 00007FFFE272CDA3
<program name unknown>, xrefs: 00007FFFE272CD68
wcscat_s(outmsg, (sizeof(outmsg) / sizeof(outmsg[0])), L"\n\n"), xrefs: 00007FFFE272CE95
_NMSG_WRITE, xrefs: 00007FFFE272CD28, 00007FFFE272CD9C, 00007FFFE272CE49, 00007FFFE272CE8E, 00007FFFE272CED1
wcscat_s(outmsg, (sizeof(outmsg) / sizeof(outmsg[0])), error_text), xrefs: 00007FFFE272CED8
..., xrefs: 00007FFFE272CE1A

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: FileHandleWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program: $_NMSG_WRITE$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\crt0msg.c$wcscat_s(outmsg, (sizeof(outmsg) / sizeof(outmsg[0])), L"\n\n")$wcscat_s(outmsg, (sizeof(outmsg) / sizeof(outmsg[0])), error_text)$wcscpy_s(outmsg, (sizeof(outmsg) / sizeof(outmsg[0])), L"Runtime Error!\n\nProgram: ")$wcscpy_s(progname, progname_size, L"<program name unknown>")$wcsncpy_s(pch, progname_size - (pch - progname), L"...", 3)$_$0I$2H
API String ID: 3320372497-2837547082
Opcode ID: b64be2a8eca497eb38ff52dc13b3436bc691d1b4503f9f72973df8eece0bc5fb
Instruction ID: 9346ee24c20edad9d0a5636fbd3e3da20a6b66d3f052b7a8c9feefe2ddd1bd64
Opcode Fuzzy Hash: b64be2a8eca497eb38ff52dc13b3436bc691d1b4503f9f72973df8eece0bc5fb
Instruction Fuzzy Hash: 05916372E1C68285EB60CB14E4943BA63E1FBD6744F80013AE68D836A5EFBDD155CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2730CC0 Relevance: 38.6, APIs: 16, Strings: 6, Instructions: 140libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFFE2723D00: RtlEncodePointer.NTDLL ref: 00007FFFE2723D06

LoadLibraryW.KERNEL32 ref: 00007FFFE2730D2A
GetProcAddress.KERNEL32 ref: 00007FFFE2730D50
DecodePointer.KERNEL32 ref: 00007FFFE2730E40
DecodePointer.KERNEL32 ref: 00007FFFE2730E52
DecodePointer.KERNEL32 ref: 00007FFFE2730F67

Strings

GetUserObjectInformationA, xrefs: 00007FFFE2730DC0
USER32.DLL, xrefs: 00007FFFE2730D23
MessageBoxA, xrefs: 00007FFFE2730D44
GetProcessWindowStation, xrefs: 00007FFFE2730DF3
GetActiveWindow, xrefs: 00007FFFE2730D7C
GetLastActivePopup, xrefs: 00007FFFE2730D9E

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: Pointer$Decode$AddressEncodeLibraryLoadProc
String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
API String ID: 2256938910-232180764
Opcode ID: 7f66a9951f4a4371a03f8907a7d8dae5388e10f0167802e39e15e0e0cc6986ee
Instruction ID: 10b0393c3ea69530dd072937cbff9610992f9ba176eeaac05d360f67a27af451
Opcode Fuzzy Hash: 7f66a9951f4a4371a03f8907a7d8dae5388e10f0167802e39e15e0e0cc6986ee
Instruction Fuzzy Hash: 6E81C935E1CB8686E6609B15F88436A73E0FB86754F500135DA8DC2668EFFCE468CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE27376C0 Relevance: 33.3, APIs: 22, Instructions: 322COMMON

Download Yara Rule

APIs

_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE2737727
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE273778E
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE27377C4
wcsncnt.LIBCMTD ref: 00007FFFE2737810
WideCharToMultiByte.KERNEL32 ref: 00007FFFE273786A
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE27378C0
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE2737C69

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: Locale$UpdateUpdate::~_$ByteCharMultiWidewcsncnt
String ID:
API String ID: 641786319-0
Opcode ID: dd68202ae9e70015e3243afc192c87c9af493ce1bfd3ef4005d4635320cae465
Instruction ID: bd04eaba034bfd3a0ccf8ecac220345953b78a3c903e0651599c6ee03f895453
Opcode Fuzzy Hash: dd68202ae9e70015e3243afc192c87c9af493ce1bfd3ef4005d4635320cae465
Instruction Fuzzy Hash: 7D020832A0CAC581D6609B15E4913AEB7B0FBC6760F504236E69D87BE9EFBCD454CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE27340B0 Relevance: 31.8, APIs: 14, Strings: 4, Instructions: 341
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 20%

			E00007FFF7FFFE27340B0(void* __ecx, void* __edi, void* __esi, void* __esp, void* __eflags, void* __rax, long long __rcx, long long __rdx, long long __r8, long long __r9, void* _a8, void* _a16, long long _a24, void* _a32, signed int* _a40, signed int _a48, signed int _a56, long long _a64) {
				long long _v24;
				long long _v32;
				char _v56;
				long long _v64;
				long long _v72;
				char _v80;
				void* _v88;
				void* _v96;
				intOrPtr _v104;
				void* _v112;
				intOrPtr _v120;
				void* _v128;
				char _v132;
				char _v136;
				long long _v144;
				signed int _v152;
				char _v160;
				signed char _v164;
				signed int _v168;
				char _v176;
				char _v184;
				long long _v192;
				signed char _v200;
				long long _v208;
				signed int _v216;
				signed int _v224;
				long long _v232;
				void* _t222;
				void* _t244;
				void* _t295;
				long long _t302;
				long long _t303;
				intOrPtr _t311;
				long long _t312;
				long long _t321;
				intOrPtr _t325;
				long long _t329;
				long long _t330;
				long long _t332;

				_t295 = __rax;
				_a32 = __r9;
				_a24 = __r8;
				_a16 = __rdx;
				_a8 = __rcx;
				_v164 = 0;
				_v152 = 0;
				_v168 = E00007FFF7FFFE2733B40(_a40, _a32);
				E00007FFF7FFFE272E500(_a16, _a32, _a40,  &_v160);
				if (_v168 - E00007FFF7FFFE2733C70(_t295, _a16, _a32, _a40) <= 0) goto 0xe2734176;
				r9d = _v168;
				E00007FFF7FFFE2733BD0(_t217,  &_v160, _a32, _a40);
				r9d = _v168;
				E00007FFF7FFFE2733C00(_v168 - E00007FFF7FFFE2733C70(_t295, _a16, _a32, _a40), _t295, _a16, _a32, _a40);
				goto 0xe2734197;
				_v168 = E00007FFF7FFFE2733C70(_t295, _a16, _a32, _a40);
				if (_v168 - 0xffffffff < 0) goto 0xe27341b1;
				if (_v168 - _a40[1] >= 0) goto 0xe27341b1;
				goto 0xe27341b6;
				_t222 = E00007FFF7FFFE272CF80(_a40);
				if ( *_a8 != 0xe06d7363) goto 0xe2734398;
				if ( *((intOrPtr*)(_a8 + 0x18)) != 4) goto 0xe2734398;
				if ( *((intOrPtr*)(_a8 + 0x20)) == 0x19930520) goto 0xe2734213;
				if ( *((intOrPtr*)(_a8 + 0x20)) == 0x19930521) goto 0xe2734213;
				if ( *((intOrPtr*)(_a8 + 0x20)) != 0x19930522) goto 0xe2734398;
				_t302 = _a8;
				if ( *((long long*)(_t302 + 0x30)) != 0) goto 0xe2734398;
				0xe2724000();
				if ( *((long long*)(_t302 + 0xf0)) != 0) goto 0xe273423a;
				goto 0xe2734862;
				0xe2724000();
				_t303 =  *((intOrPtr*)(_t302 + 0xf0));
				_a8 = _t303;
				0xe2724000();
				_a24 =  *((intOrPtr*)(_t303 + 0xf8));
				_v164 = 1;
				E00007FFF7FFFE272E6E0(_t222, _a8,  *((intOrPtr*)(_a8 + 0x38)));
				if (E00007FFF7FFFE273D2C0(1, _a8) == 0) goto 0xe2734290;
				goto 0xe2734295;
				E00007FFF7FFFE272CF80(_a8);
				if ( *_a8 != 0xe06d7363) goto 0xe27342fa;
				if ( *((intOrPtr*)(_a8 + 0x18)) != 4) goto 0xe27342fa;
				if ( *((intOrPtr*)(_a8 + 0x20)) == 0x19930520) goto 0xe27342e6;
				if ( *((intOrPtr*)(_a8 + 0x20)) == 0x19930521) goto 0xe27342e6;
				if ( *((intOrPtr*)(_a8 + 0x20)) != 0x19930522) goto 0xe27342fa;
				_t311 = _a8;
				if ( *((long long*)(_t311 + 0x30)) != 0) goto 0xe27342fa;
				E00007FFF7FFFE272CF80(_t311);
				0xe2724000();
				if ( *((long long*)(_t311 + 0x108)) == 0) goto 0xe2734398;
				0xe2724000();
				_t312 =  *((intOrPtr*)(_t311 + 0x108));
				_v144 = _t312;
				0xe2724000();
				 *((long long*)(_t312 + 0x108)) = 0;
				if ((E00007FFF7FFFE2735BB0(_t312, _a8, _v144) & 0x000000ff) == 0) goto 0xe2734349;
				goto 0xe2734398;
				if ((E00007FFF7FFFE2735CC0(_v144) & 0x000000ff) == 0) goto 0xe2734393;
				E00007FFF7FFFE2735AB0(1, _a8);
				E00007FFF7FFFE2734870( &_v56, "bad exception");
				E00007FFF7FFFE273D320(__edi, __esi, __esp,  &_v56, 0xe274a180);
				goto 0xe2734398;
				E00007FFF7FFFE272CF50(_t312);
				if ( *_a8 != 0xe06d7363) goto 0xe27347d9;
				if ( *((intOrPtr*)(_a8 + 0x18)) != 4) goto 0xe27347d9;
				if ( *((intOrPtr*)(_a8 + 0x20)) == 0x19930520) goto 0xe27343f5;
				if ( *((intOrPtr*)(_a8 + 0x20)) == 0x19930521) goto 0xe27343f5;
				if ( *((intOrPtr*)(_a8 + 0x20)) != 0x19930522) goto 0xe27347d9;
				if (_a40[3] <= 0) goto 0xe273466c;
				_v216 = _a32;
				_v224 =  &_v132;
				_t321 =  &_v136;
				_v232 = _t321;
				r9d = _v168;
				r8d = _a56;
				E00007FFF7FFFE272EA30(_a16, _a40);
				_v128 = _t321;
				goto 0xe273447e;
				_v136 = _v136 + 1;
				_v128 = _v128 + 0x14;
				if (_v136 - _v132 >= 0) goto 0xe273466c;
				if ( *_v128 - _v168 > 0) goto 0xe27344b3;
				_t325 = _v128;
				if (_v168 -  *((intOrPtr*)(_t325 + 4)) <= 0) goto 0xe27344b5;
				goto 0xe273445a;
				E00007FFF7FFFE272E680( *((intOrPtr*)(_t325 + 4)), _t325);
				_v112 = _t325 +  *((intOrPtr*)(_v128 + 0x10));
				_v120 =  *((intOrPtr*)(_v128 + 0xc));
				_v120 = _v120 - 1;
				_t329 = _v112 + 0x14;
				_v112 = _t329;
				if (_v120 <= 0) goto 0xe2734667;
				_t244 = E00007FFF7FFFE272E6A0(_v120 - 1, _t329);
				_t330 = _t329 +  *((intOrPtr*)( *((intOrPtr*)(_a8 + 0x30)) + 0xc)) + 4;
				_v96 = _t330;
				E00007FFF7FFFE272E6A0(_t244, _t330);
				_v104 =  *((intOrPtr*)(_t330 +  *((intOrPtr*)( *((intOrPtr*)(_a8 + 0x30)) + 0xc))));
				goto 0xe273457e;
				_v104 = _v104 - 1;
				_t332 = _v96 + 4;
				_v96 = _t332;
				if (_v104 <= 0) goto 0xe2734662;
				E00007FFF7FFFE272E6A0(_v104 - 1, _t332);
				_v88 = _t332 +  *_v96;
				if (E00007FFF7FFFE2734CD0(_v112, _v88,  *((intOrPtr*)(_a8 + 0x30))) != 0) goto 0xe27345ce;
				goto 0xe273455a;
				_v152 = 1;
				_v176 = _a48 & 0x000000ff;
				_v184 = _v164 & 0x000000ff;
				_v192 = _a64;
				_v200 = _a56;
				_v208 = _v128;
				_v216 = _v88;
				_v224 = _v112;
				_v232 = _a40;
				E00007FFF7FFFE2735180(__edi, __esi, __esp, E00007FFF7FFFE2734CD0(_v112, _v88,  *((intOrPtr*)(_a8 + 0x30))), _a8, _a16, _a24, _a32);
				goto 0xe2734667;
				goto 0xe273455a;
				goto L1;
				goto 0xe273445a;
				__eax = _v152 & 0x000000ff;
				__eflags = _v152 & 0x000000ff;
				if ((_v152 & 0x000000ff) != 0) goto 0xe27347d7;
				__rax = _a40;
				__eax =  *_a40;
				__eax =  *_a40 & 0x1fffffff;
				__eflags = __eax - 0x19930521;
				if (__eax - 0x19930521 < 0) goto 0xe27347d7;
				__rax = _a40;
				__eflags =  *(__rax + 0x20);
				if ( *(__rax + 0x20) == 0) goto 0xe27346bf;
				__eax = E00007FFF7FFFE272E680(__eax, __rax);
				_a40 = _a40[8];
				_v32 = __rax;
				goto 0xe27346cb;
				_v32 = 0;
				__eflags = _v32;
				if (_v32 == 0) goto 0xe27347d7;
				__rax = _a40;
				__eflags =  *(__rax + 0x20);
				if ( *(__rax + 0x20) == 0) goto 0xe2734706;
				__eax = E00007FFF7FFFE272E680(__eax, __rax);
				_a40 = _a40[8];
				__rax = __rax + _a40[8];
				_v24 = __rax;
				goto 0xe2734712;
				_v24 = 0;
				__rdx = _v24;
				__rcx = _a8;
				E00007FFF7FFFE2735BB0(__rax, _a8, _v24) = __al & 0x000000ff;
				__eflags = __al & 0x000000ff;
				if ((__al & 0x000000ff) != 0) goto 0xe27347d7;
				__rax = _a16;
				_v64 = _a16;
				__r9 =  &_v80;
				__r8 = _a40;
				__rdx = _a32;
				__rcx = _a16;
				__eax = E00007FFF7FFFE272E500(_a16, _a32, _a40,  &_v80);
				_v64 = __rax;
				_v72 = 0;
				__eax = _a48 & 0x000000ff;
				_v200 = __al;
				__rax = _a32;
				_v208 = _a32;
				__rax = _a40;
				_v216 = _a40;
				_v224 = 0xffffffff;
				_v232 = 0;
				__r9 = _v64;
				__r8 = _a24;
				__rdx = _a8;
				__rcx = _a16;
				__eax = E00007FFF7FFFE272EDC0(__edi, __esi, __esp, _a16, _a8, _a24, _v64);
				goto 0xe273484c;
				__rax = _a40;
				__eflags =  *(__rax + 0xc);
				if ( *(__rax + 0xc) <= 0) goto 0xe273484c;
				__eax = _a48 & 0x000000ff;
				__eflags = _a48 & 0x000000ff;
				if ((_a48 & 0x000000ff) != 0) goto 0xe2734847;
				__rax = _a64;
				_v208 = _a64;
				__eax = _a56;
				_v216 = _a56;
				__eax = _v168;
				_v224 = _v168;
				__rax = _a40;
				_v232 = _a40;
				__r9 = _a32;
				__r8 = _a24;
				__rdx = _a16;
				__rcx = _a8;
				__eax = E00007FFF7FFFE2734960(__ecx, _a8, _a16, _a24, _a32);
				goto 0xe273484c;
				__eax = E00007FFF7FFFE272CF50(__rax);
				0xe2724000();
				__eflags =  *((long long*)(__rax + 0x108));
				if ( *((long long*)(__rax + 0x108)) != 0) goto 0xe273485d;
				goto 0xe2734862;
				return E00007FFF7FFFE272CF80(__rax);
			}

0x7fffe27340b0
0x7fffe27340b0
0x7fffe27340b5
0x7fffe27340ba
0x7fffe27340bf
0x7fffe27340cb
0x7fffe27340d0
0x7fffe27340ea
0x7fffe273410b
0x7fffe2734131
0x7fffe2734133
0x7fffe273414d
0x7fffe2734152
0x7fffe273416f
0x7fffe2734174
0x7fffe2734193
0x7fffe273419c
0x7fffe27341ad
0x7fffe27341af
0x7fffe27341b1
0x7fffe27341c4
0x7fffe27341d6
0x7fffe27341eb
0x7fffe27341fc
0x7fffe273420d
0x7fffe2734213
0x7fffe2734220
0x7fffe2734226
0x7fffe2734233
0x7fffe2734235
0x7fffe273423a
0x7fffe273423f
0x7fffe2734246
0x7fffe273424e
0x7fffe273425a
0x7fffe2734262
0x7fffe2734273
0x7fffe273428c
0x7fffe273428e
0x7fffe2734290
0x7fffe27342a3
0x7fffe27342b1
0x7fffe27342c2
0x7fffe27342d3
0x7fffe27342e4
0x7fffe27342e6
0x7fffe27342f3
0x7fffe27342f5
0x7fffe27342fa
0x7fffe2734307
0x7fffe273430d
0x7fffe2734312
0x7fffe2734319
0x7fffe273431e
0x7fffe2734323
0x7fffe2734345
0x7fffe2734347
0x7fffe2734358
0x7fffe2734364
0x7fffe2734378
0x7fffe273438c
0x7fffe2734391
0x7fffe2734393
0x7fffe27343a6
0x7fffe27343b8
0x7fffe27343cd
0x7fffe27343de
0x7fffe27343ef
0x7fffe2734401
0x7fffe273440f
0x7fffe273441c
0x7fffe2734421
0x7fffe2734429
0x7fffe273442e
0x7fffe2734433
0x7fffe273444b
0x7fffe2734450
0x7fffe2734458
0x7fffe2734463
0x7fffe2734476
0x7fffe273448c
0x7fffe27344a0
0x7fffe27344a2
0x7fffe27344b1
0x7fffe27344b3
0x7fffe27344b5
0x7fffe27344c9
0x7fffe27344dc
0x7fffe27344ee
0x7fffe27344fd
0x7fffe2734501
0x7fffe2734511
0x7fffe2734517
0x7fffe273452c
0x7fffe2734531
0x7fffe2734539
0x7fffe2734551
0x7fffe2734558
0x7fffe2734563
0x7fffe2734572
0x7fffe2734576
0x7fffe2734586
0x7fffe273458c
0x7fffe273459f
0x7fffe27345ca
0x7fffe27345cc
0x7fffe27345ce
0x7fffe27345db
0x7fffe27345e4
0x7fffe27345f0
0x7fffe27345fc
0x7fffe2734608
0x7fffe2734615
0x7fffe2734622
0x7fffe273462f
0x7fffe2734654
0x7fffe273465b
0x7fffe273465d
0x7fffe2734662
0x7fffe2734667
0x7fffe273466c
0x7fffe2734671
0x7fffe2734673
0x7fffe2734679
0x7fffe2734681
0x7fffe2734683
0x7fffe2734688
0x7fffe273468d
0x7fffe2734693
0x7fffe273469b
0x7fffe273469f
0x7fffe27346a1
0x7fffe27346ae
0x7fffe27346b5
0x7fffe27346bd
0x7fffe27346bf
0x7fffe27346cb
0x7fffe27346d4
0x7fffe27346da
0x7fffe27346e2
0x7fffe27346e6
0x7fffe27346e8
0x7fffe27346f5
0x7fffe27346f9
0x7fffe27346fc
0x7fffe2734704
0x7fffe2734706
0x7fffe2734712
0x7fffe273471a
0x7fffe2734727
0x7fffe273472a
0x7fffe273472c
0x7fffe2734732
0x7fffe273473a
0x7fffe2734742
0x7fffe273474a
0x7fffe2734752
0x7fffe273475a
0x7fffe2734762
0x7fffe2734767
0x7fffe273476f
0x7fffe273477b
0x7fffe2734783
0x7fffe2734787
0x7fffe273478f
0x7fffe2734794
0x7fffe273479c
0x7fffe27347a1
0x7fffe27347a9
0x7fffe27347b2
0x7fffe27347ba
0x7fffe27347c2
0x7fffe27347ca
0x7fffe27347d2
0x7fffe27347d7
0x7fffe27347d9
0x7fffe27347e1
0x7fffe27347e5
0x7fffe27347e7
0x7fffe27347ef
0x7fffe27347f1
0x7fffe27347f3
0x7fffe27347fb
0x7fffe2734800
0x7fffe2734807
0x7fffe273480b
0x7fffe273480f
0x7fffe2734813
0x7fffe273481b
0x7fffe2734820
0x7fffe2734828
0x7fffe2734830
0x7fffe2734838
0x7fffe2734840
0x7fffe2734845
0x7fffe2734847
0x7fffe273484c
0x7fffe2734851
0x7fffe2734859
0x7fffe273485b
0x7fffe2734869

APIs

__StateFromControlPc.LIBCMTD ref: 00007FFFE27340E5

Part of subcall function 00007FFFE272E500: __StateFromControlPc.LIBCMTD ref: 00007FFFE272E534
Part of subcall function 00007FFFE272E500: RtlLookupFunctionEntry.KERNEL32 ref: 00007FFFE272E5D2

__GetUnwindTryBlock.LIBCMTD ref: 00007FFFE2734128
__SetState.LIBCMTD ref: 00007FFFE273414D
__SetUnwindTryBlock.LIBCMTD ref: 00007FFFE273416F
__GetUnwindTryBlock.LIBCMTD ref: 00007FFFE273418E
_inconsistency.LIBCMTD ref: 00007FFFE27341B1

Part of subcall function 00007FFFE272CF80: DecodePointer.KERNEL32 ref: 00007FFFE272CF8B
Part of subcall function 00007FFFE272CF80: terminate.LIBCMTD ref: 00007FFFE272CFA4

_SetThrowImageBase.LIBCMTD ref: 00007FFFE2734273
_ValidateRead.LIBCMTD ref: 00007FFFE2734285
_inconsistency.LIBCMTD ref: 00007FFFE2734290
_inconsistency.LIBCMTD ref: 00007FFFE27342F5

Part of subcall function 00007FFFE2735CC0: type_info::operator==.LIBCMTD ref: 00007FFFE2735D5F

std::bad_exception::bad_exception.LIBCMTD ref: 00007FFFE2734378

Part of subcall function 00007FFFE2734870: std::exception::exception.LIBCMTD ref: 00007FFFE2734888

Part of subcall function 00007FFFE273D320: RaiseException.KERNEL32 ref: 00007FFFE273D3CC

terminate.LIBCMTD ref: 00007FFFE2734393

Strings

csm, xrefs: 00007FFFE27341BE
csm, xrefs: 00007FFFE27343A0
bad exception, xrefs: 00007FFFE2734369
csm, xrefs: 00007FFFE273429D

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: BlockStateUnwind_inconsistency$ControlFromterminate$BaseDecodeEntryExceptionFunctionImageLookupPointerRaiseReadThrowValidatestd::bad_exception::bad_exceptionstd::exception::exceptiontype_info::operator==
String ID: bad exception$csm$csm$csm
API String ID: 3498492519-820278400
Opcode ID: e25f8e0578bfe9456fb08d8cd94b15df4ac81620a0b1491193f50dcc2ec7c96e
Instruction ID: 12d42bc24ceddb54631b006d89a67aa2464e8176eb9bdea17d6aead2b568fa04
Opcode Fuzzy Hash: e25f8e0578bfe9456fb08d8cd94b15df4ac81620a0b1491193f50dcc2ec7c96e
Instruction Fuzzy Hash: 2012E67690CBC585DA749B15E0913EAB7E0FB8A740F404136DA8D87B99EFBCD490CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE273B580 Relevance: 31.8, APIs: 11, Strings: 7, Instructions: 318COMMON

Download Yara Rule

APIs

_invalid_parameter.LIBCMTD ref: 00007FFFE273B6A5
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE273B6BA
_invalid_parameter.LIBCMTD ref: 00007FFFE273B87C
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE273B891

Part of subcall function 00007FFFE273AFB0: _invalid_parameter.LIBCMTD ref: 00007FFFE273B046

_invalid_parameter.LIBCMTD ref: 00007FFFE273B944
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE273B959
_invalid_parameter.LIBCMTD ref: 00007FFFE273BB09
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE273BB1E

Strings

(stream != NULL), xrefs: 00007FFFE273B63E, 00007FFFE273B69E
("Incorrect format specifier", 0), xrefs: 00007FFFE273BAA2, 00007FFFE273BB02
( (_Stream->_flag & _IOSTRG) || ( fn = _fileno(_Stream), ( (_textmode_safe(fn) == __IOINFO_TM_ANSI) && !_tm_unicode_safe(fn)))), xrefs: 00007FFFE273B815, 00007FFFE273B875
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c, xrefs: 00007FFFE273B653, 00007FFFE273B690, 00007FFFE273B82A, 00007FFFE273B867, 00007FFFE273B8F2, 00007FFFE273B92F, 00007FFFE273BAB7, 00007FFFE273BAF4, 00007FFFE273CCEC, 00007FFFE273CD29
_output_s_l, xrefs: 00007FFFE273B697, 00007FFFE273B86E, 00007FFFE273B936, 00007FFFE273BAFB, 00007FFFE273CD30
(format != NULL), xrefs: 00007FFFE273B8DD, 00007FFFE273B93D
((state == ST_NORMAL) || (state == ST_TYPE)), xrefs: 00007FFFE273CCD7, 00007FFFE273CD37

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: Locale$_invalid_parameter$UpdateUpdate::~_
String ID: ( (_Stream->_flag & _IOSTRG) || ( fn = _fileno(_Stream), ( (_textmode_safe(fn) == __IOINFO_TM_ANSI) && !_tm_unicode_safe(fn))))$("Incorrect format specifier", 0)$((state == ST_NORMAL) || (state == ST_TYPE))$(format != NULL)$(stream != NULL)$_output_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c
API String ID: 4023976971-2293733425
Opcode ID: 418e75de3b5502e14211c5140618c90997ad4f56b588356074338880c32fc633
Instruction ID: af4032cdb58cd06e0f5358127ae75ddc1f95460057875d242dbb903189e86149
Opcode Fuzzy Hash: 418e75de3b5502e14211c5140618c90997ad4f56b588356074338880c32fc633
Instruction Fuzzy Hash: 1F026E72D0C6C686E770DB14E4843AAB7E4FB86344F401136D28D86AA9EFBCE555CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2735EA0 Relevance: 31.8, APIs: 15, Strings: 3, Instructions: 256COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter.LIBCMTD ref: 00007FFFE2735F9D
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE273603F

Strings

_mbstowcs_l_helper, xrefs: 00007FFFE2735F8F
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\mbstowcs.c, xrefs: 00007FFFE2735F4E, 00007FFFE2735F88
s != NULL, xrefs: 00007FFFE2735F39, 00007FFFE2735F96

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: Locale$UpdateUpdate::~__invalid_parameter
String ID: _mbstowcs_l_helper$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\mbstowcs.c$s != NULL
API String ID: 530996419-3695252689
Opcode ID: 1f2dbb67bc1f08ab970a747115c78d639e8f09549dde5f83a97e8aad344e67fd
Instruction ID: 13eff0359fe436b46f97ccbce9f9907dcfdf98dd77c4d4d9ad5207b32fa33894
Opcode Fuzzy Hash: 1f2dbb67bc1f08ab970a747115c78d639e8f09549dde5f83a97e8aad344e67fd
Instruction Fuzzy Hash: 7ED1E732A1CAC585E6609B15E4803AEB7A0FB85790F405636E69E83BE9EF7CD454CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE273B090 Relevance: 31.7, APIs: 11, Strings: 7, Instructions: 219COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter.LIBCMTD ref: 00007FFFE273B197
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE273B226
_invalid_parameter.LIBCMTD ref: 00007FFFE273B2DC
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE273B2EE
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE273B334

Strings

", xrefs: 00007FFFE273B496
("Buffer too small", 0), xrefs: 00007FFFE273B42D, 00007FFFE273B48A
", xrefs: 00007FFFE273B2E1
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\wctomb.c, xrefs: 00007FFFE273B148, 00007FFFE273B182, 00007FFFE273B28D, 00007FFFE273B2C7, 00007FFFE273B442, 00007FFFE273B47C
sizeInBytes > 0, xrefs: 00007FFFE273B278, 00007FFFE273B2D5
sizeInBytes <= INT_MAX, xrefs: 00007FFFE273B133, 00007FFFE273B190
_wctomb_s_l, xrefs: 00007FFFE273B189, 00007FFFE273B2CE, 00007FFFE273B483

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: Locale$UpdateUpdate::~_$_invalid_parameter
String ID: "$"$("Buffer too small", 0)$_wctomb_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\wctomb.c$sizeInBytes <= INT_MAX$sizeInBytes > 0
API String ID: 2192614184-1854130327
Opcode ID: aa152b01a59852e776b44a3c5c58d1ae4cb5e6b33e85f9a53a8f9bb433ba7f1c
Instruction ID: 575c2ab62cec4033f8761e25ee20284e4687f7909bebdf5b7c789846fafa4416
Opcode Fuzzy Hash: aa152b01a59852e776b44a3c5c58d1ae4cb5e6b33e85f9a53a8f9bb433ba7f1c
Instruction Fuzzy Hash: C9C11B72D0C68686E7709B14E4947BA77E0FB86344F405136E68EC7A99EFBCE454CB02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE273D830 Relevance: 26.5, APIs: 9, Strings: 6, Instructions: 225COMMON

Download Yara Rule

APIs

_invalid_parameter.LIBCMTD ref: 00007FFFE273D955
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE273D96A
_invalid_parameter.LIBCMTD ref: 00007FFFE273DA1D
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE273DA32
_invalid_parameter.LIBCMTD ref: 00007FFFE273DBE4
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE273DBF9
_invalid_parameter.LIBCMTD ref: 00007FFFE273ED4C
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE273ED61
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE273ED82

Strings

(stream != NULL), xrefs: 00007FFFE273D8EE, 00007FFFE273D94E
("Incorrect format specifier", 0), xrefs: 00007FFFE273DB7D, 00007FFFE273DBDD
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c, xrefs: 00007FFFE273D903, 00007FFFE273D940, 00007FFFE273D9CB, 00007FFFE273DA08, 00007FFFE273DB92, 00007FFFE273DBCF, 00007FFFE273ECFA, 00007FFFE273ED37
_woutput_s_l, xrefs: 00007FFFE273D947, 00007FFFE273DA0F, 00007FFFE273DBD6, 00007FFFE273ED3E
(format != NULL), xrefs: 00007FFFE273D9B6, 00007FFFE273DA16
((state == ST_NORMAL) || (state == ST_TYPE)), xrefs: 00007FFFE273ECE5, 00007FFFE273ED45

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: Locale$UpdateUpdate::~_$_invalid_parameter
String ID: ("Incorrect format specifier", 0)$((state == ST_NORMAL) || (state == ST_TYPE))$(format != NULL)$(stream != NULL)$_woutput_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c
API String ID: 2192614184-1870338870
Opcode ID: 6ca64bf4fa78d85cba0345094e3509d1db8362709fbf7feea33e231a459a9eed
Instruction ID: c6332c275059d980b5e0bde5aeff69b2f725979eed45d72510517c8db9511eeb
Opcode Fuzzy Hash: 6ca64bf4fa78d85cba0345094e3509d1db8362709fbf7feea33e231a459a9eed
Instruction Fuzzy Hash: 97D10BB2D0DAC686E7709B14E8843AB76E0FB86348F400135D68D87A99EFBDD455CF42

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE273C6D6 Relevance: 24.8, APIs: 9, Strings: 5, Instructions: 332
COMMON

Download Yara Rule

C-Code - Quality: 19%

			E00007FFF7FFFE273C6D6(signed int __rax, void* __rdx, long long _a32, void* _a64, void* _a72, intOrPtr _a76, signed int _a80, char _a84, char _a85, intOrPtr _a88, long long _a92, long long _a96, signed char _a104, intOrPtr _a108, signed int _a116, char _a120, char _a687, char _a688, intOrPtr _a704, intOrPtr _a708, signed char _a816, signed int _a824, signed int _a832, intOrPtr _a840, signed short* _a848, signed char _a856, char _a860, char _a864, long long _a872, intOrPtr _a876, intOrPtr _a912, intOrPtr _a916, signed int _a1040, long long _a1048, signed short _a1056, long long _a1060, signed int _a1064, intOrPtr _a1088, char _a1112) {
				signed int _t223;
				signed char _t228;
				intOrPtr _t263;
				signed int _t338;
				signed int _t339;
				signed long long _t342;
				intOrPtr* _t365;
				signed long long _t390;

				_t338 = __rax;
				_a80 = _a80 | 0x00000040;
				_a72 = 0xa;
				_a72 = 0xa;
				_a116 = 0x10;
				asm("bts eax, 0xf");
				_a708 = 7;
				_a708 = 0x27;
				_a72 = 0x10;
				if ((_a80 & 0x00000080) == 0) goto 0xe273c754;
				_a84 = 0x30;
				_a85 = _a708 + 0x51;
				_a92 = 2;
				_a72 = 8;
				if ((_a80 & 0x00000080) == 0) goto 0xe273c777;
				asm("bts eax, 0x9");
				if ((_a80 & 0x00008000) == 0) goto 0xe273c79e;
				E00007FFF7FFFE2731EA0( &_a1112);
				_a824 = _t338;
				goto 0xe273c84b;
				if ((_a80 & 0x00001000) == 0) goto 0xe273c7c5;
				E00007FFF7FFFE2731EA0( &_a1112);
				_a824 = _t338;
				goto 0xe273c84b;
				if ((_a80 & 0x00000020) == 0) goto 0xe273c810;
				if ((_a80 & 0x00000040) == 0) goto 0xe273c7f6;
				_t339 = E00007FFF7FFFE2731E40( &_a1112);
				_a824 = _t339;
				goto 0xe273c80e;
				E00007FFF7FFFE2731E40( &_a1112);
				_a824 = _t339;
				goto 0xe273c84b;
				if ((_a80 & 0x00000040) == 0) goto 0xe273c834;
				E00007FFF7FFFE2731E40( &_a1112);
				_a824 = _t339;
				goto 0xe273c84b;
				E00007FFF7FFFE2731E40( &_a1112);
				_a824 = _t339;
				if ((_a80 & 0x00000040) == 0) goto 0xe273c882;
				if (_a824 >= 0) goto 0xe273c882;
				_a832 =  ~_a824;
				asm("bts eax, 0x8");
				goto 0xe273c892;
				_t342 = _a824;
				_a832 = _t342;
				if ((_a80 & 0x00008000) != 0) goto 0xe273c8c7;
				if ((_a80 & 0x00001000) != 0) goto 0xe273c8c7;
				_a832 = _a832 & _t342;
				if (_a116 >= 0) goto 0xe273c8d8;
				_a116 = 1;
				goto 0xe273c8f5;
				_a80 = _a80 & 0xfffffff7;
				if (_a116 - 0x200 <= 0) goto 0xe273c8f5;
				_a116 = 0x200;
				if (_a832 != 0) goto 0xe273c908;
				_a92 = 0;
				_a64 =  &_a687;
				_t223 = _a116;
				_a116 = _a116 - 1;
				if (_t223 > 0) goto 0xe273c936;
				if (_a832 == 0) goto 0xe273c9d3;
				_a1040 = _a72;
				_a816 = _t223 / _a1040 + 0x30;
				_a1048 = _a72;
				if (_a816 - 0x39 <= 0) goto 0xe273c9b2;
				_t228 = _a816 + _a708;
				_a816 = _t228;
				 *_a64 = _a816 & 0x000000ff;
				_a64 = _a64 - 1;
				goto 0xe273c915;
				_a104 = _t228;
				_a64 = _a64 + 1;
				if ((_a80 & 0x00000200) == 0) goto 0xe273ca31;
				if (_a104 == 0) goto 0xe273ca12;
				if ( *_a64 == 0x30) goto 0xe273ca31;
				_a64 = _a64 - 1;
				 *_a64 = 0x30;
				_a104 = _a104 + 1;
				if (_a108 != 0) goto 0xe273cc6e;
				if ((_a80 & 0x00000040) == 0) goto 0xe273ca95;
				if ((_a80 & 0x00000100) == 0) goto 0xe273ca63;
				_a84 = 0x2d;
				_a92 = 1;
				goto 0xe273ca95;
				if ((_a80 & 0x00000001) == 0) goto 0xe273ca7d;
				_a84 = 0x2b;
				_a92 = 1;
				goto 0xe273ca95;
				if ((_a80 & 0x00000002) == 0) goto 0xe273ca95;
				_a84 = 0x20;
				_a92 = 1;
				_a840 = _a88 - _a104 - _a92;
				if ((_a80 & 0x0000000c) != 0) goto 0xe273cad5;
				E00007FFF7FFFE273CF10(0x20, _a840, _a1088,  &_a688);
				E00007FFF7FFFE273CF60(_a92, _a64,  &_a84, _a1088,  &_a688);
				if ((_a80 & 0x00000008) == 0) goto 0xe273cb27;
				if ((_a80 & 0x00000004) != 0) goto 0xe273cb27;
				E00007FFF7FFFE273CF10(0x30, _a840, _a1088,  &_a688);
				if (_a76 == 0) goto 0xe273cc1d;
				if (_a104 <= 0) goto 0xe273cc1d;
				_a872 = 0;
				_a848 = _a64;
				_a856 = _a104;
				_a856 = _a856 - 1;
				if (_a856 == 0) goto 0xe273cc1b;
				_a1056 =  *_a848 & 0x0000ffff;
				r9d = _a1056 & 0x0000ffff;
				r8d = 6;
				_a872 = E00007FFF7FFFE273B530( &_a860,  &_a864, _a1088);
				_a848 =  &(_a848[1]);
				if (_a872 != 0) goto 0xe273cbe5;
				if (_a860 != 0) goto 0xe273cbf2;
				_a688 = 0xffffffff;
				goto 0xe273cc1b;
				E00007FFF7FFFE273CF60(_a860,  &(_a848[1]),  &_a864, _a1088,  &_a688);
				goto 0xe273cb60;
				goto 0xe273cc3b;
				E00007FFF7FFFE273CF60(_a104,  &(_a848[1]), _a64, _a1088,  &_a688);
				if (_a688 < 0) goto 0xe273cc6e;
				if ((_a80 & 0x00000004) == 0) goto 0xe273cc6e;
				E00007FFF7FFFE273CF10(0x20, _a840, _a1088,  &_a688);
				if (_a96 == 0) goto 0xe273cc8e;
				0xe2725330();
				_a96 = 0;
				goto 0xe273b99c;
				if (_a704 == 0) goto 0xe273ccb4;
				if (_a704 == 7) goto 0xe273ccb4;
				_a1060 = 0;
				goto 0xe273ccbf;
				_a1060 = 1;
				_t263 = _a1060;
				_a876 = _t263;
				if (_a876 != 0) goto 0xe273cd05;
				_t365 = L"((state == ST_NORMAL) || (state == ST_TYPE))";
				_a32 = _t365;
				r9d = 0;
				r8d = 0x8f5;
				0xe272b3b0();
				if (_t263 != 1) goto 0xe273cd05;
				asm("int3");
				if (_a876 != 0) goto 0xe273cd61;
				0xe272ab30();
				 *_t365 = 0x16;
				_a32 = 0;
				r9d = 0x8f5;
				E00007FFF7FFFE272BD70(L"((state == ST_NORMAL) || (state == ST_TYPE))", L"_output_s_l", L"f:\\dd\\vctools\\crt_bld\\self_64_amd64\\crt\\src\\output.c");
				_a912 = 0xffffffff;
				E00007FFF7FFFE2726800( &_a120);
				goto 0xe273cd80;
				_a916 = _a688;
				E00007FFF7FFFE2726800( &_a120);
				return E00007FFF7FFFE2723280(_a916, 2, 2, _a1064 ^ _t390, L"_output_s_l", L"f:\\dd\\vctools\\crt_bld\\self_64_amd64\\crt\\src\\output.c");
			}

0x7fffe273c6d6
0x7fffe273c6dd
0x7fffe273c6e1
0x7fffe273c6ee
0x7fffe273c6f8
0x7fffe273c704
0x7fffe273c70c
0x7fffe273c719
0x7fffe273c724
0x7fffe273c737
0x7fffe273c739
0x7fffe273c748
0x7fffe273c74c
0x7fffe273c756
0x7fffe273c769
0x7fffe273c76f
0x7fffe273c782
0x7fffe273c78c
0x7fffe273c791
0x7fffe273c799
0x7fffe273c7a9
0x7fffe273c7b3
0x7fffe273c7b8
0x7fffe273c7c0
0x7fffe273c7ce
0x7fffe273c7d9
0x7fffe273c7e8
0x7fffe273c7ec
0x7fffe273c7f4
0x7fffe273c7fe
0x7fffe273c806
0x7fffe273c80e
0x7fffe273c819
0x7fffe273c823
0x7fffe273c82a
0x7fffe273c832
0x7fffe273c83c
0x7fffe273c843
0x7fffe273c854
0x7fffe273c85f
0x7fffe273c86c
0x7fffe273c878
0x7fffe273c880
0x7fffe273c882
0x7fffe273c88a
0x7fffe273c89d
0x7fffe273c8aa
0x7fffe273c8bf
0x7fffe273c8cc
0x7fffe273c8ce
0x7fffe273c8d6
0x7fffe273c8df
0x7fffe273c8eb
0x7fffe273c8ed
0x7fffe273c8fe
0x7fffe273c900
0x7fffe273c910
0x7fffe273c915
0x7fffe273c91f
0x7fffe273c925
0x7fffe273c930
0x7fffe273c93b
0x7fffe273c95e
0x7fffe273c96a
0x7fffe273c997
0x7fffe273c9a9
0x7fffe273c9ab
0x7fffe273c9bf
0x7fffe273c9c9
0x7fffe273c9ce
0x7fffe273c9e0
0x7fffe273c9ec
0x7fffe273c9fc
0x7fffe273ca03
0x7fffe273ca10
0x7fffe273ca1a
0x7fffe273ca24
0x7fffe273ca2d
0x7fffe273ca36
0x7fffe273ca45
0x7fffe273ca52
0x7fffe273ca54
0x7fffe273ca59
0x7fffe273ca61
0x7fffe273ca6c
0x7fffe273ca6e
0x7fffe273ca73
0x7fffe273ca7b
0x7fffe273ca86
0x7fffe273ca88
0x7fffe273ca8d
0x7fffe273caa5
0x7fffe273cab5
0x7fffe273cad0
0x7fffe273caee
0x7fffe273cafc
0x7fffe273cb07
0x7fffe273cb22
0x7fffe273cb2c
0x7fffe273cb37
0x7fffe273cb3d
0x7fffe273cb4d
0x7fffe273cb59
0x7fffe273cb70
0x7fffe273cb79
0x7fffe273cb8a
0x7fffe273cb92
0x7fffe273cb9b
0x7fffe273cbb6
0x7fffe273cbc9
0x7fffe273cbd9
0x7fffe273cbe3
0x7fffe273cbe5
0x7fffe273cbf0
0x7fffe273cc11
0x7fffe273cc16
0x7fffe273cc1b
0x7fffe273cc36
0x7fffe273cc43
0x7fffe273cc4e
0x7fffe273cc69
0x7fffe273cc74
0x7fffe273cc80
0x7fffe273cc85
0x7fffe273cc8e
0x7fffe273cc9b
0x7fffe273cca5
0x7fffe273cca7
0x7fffe273ccb2
0x7fffe273ccb4
0x7fffe273ccbf
0x7fffe273ccc6
0x7fffe273ccd5
0x7fffe273ccd7
0x7fffe273ccde
0x7fffe273cce3
0x7fffe273cce6
0x7fffe273ccf8
0x7fffe273cd00
0x7fffe273cd02
0x7fffe273cd0d
0x7fffe273cd0f
0x7fffe273cd14
0x7fffe273cd1a
0x7fffe273cd23
0x7fffe273cd3e
0x7fffe273cd43
0x7fffe273cd53
0x7fffe273cd5f
0x7fffe273cd68
0x7fffe273cd74
0x7fffe273cd97

APIs

get_int64_arg.LIBCMTD ref: 00007FFFE273C78C
get_int64_arg.LIBCMTD ref: 00007FFFE273C7B3
wctomb_s.LIBCMTD ref: 00007FFFE273CBB1

Strings

("Incorrect format specifier", 0), xrefs: 00007FFFE273BAA2, 00007FFFE273BB02
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c, xrefs: 00007FFFE273BAB7, 00007FFFE273BAF4
9, xrefs: 00007FFFE273C98F
_output_s_l, xrefs: 00007FFFE273BAFB
-, xrefs: 00007FFFE273CA54

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: get_int64_arg$wctomb_s
String ID: ("Incorrect format specifier", 0)$-$9$_output_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c
API String ID: 2984758162-268265396
Opcode ID: cb04687210e10a40ff2e156ef9e98a018461938d26ba5bbfa7ecca48610614c7
Instruction ID: cc545148359a2db5af68c7170c9020c6b2df9f9088d796140b0fe3d07f00d846
Opcode Fuzzy Hash: cb04687210e10a40ff2e156ef9e98a018461938d26ba5bbfa7ecca48610614c7
Instruction Fuzzy Hash: E102F87290CBC68AE771CB15E4853AAB7E4F786750F100139E689C6A98EFBCE550CF01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE27363E0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 260COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter.LIBCMTD ref: 00007FFFE27364BD
_invalid_parameter.LIBCMTD ref: 00007FFFE273666E
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE2736680
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE2736772
_invalid_parameter.LIBCMTD ref: 00007FFFE27368E8
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE27368FA
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE2736959

Strings

(pwcs == NULL && sizeInWords == 0) || (pwcs != NULL && sizeInWords > 0), xrefs: 00007FFFE2736459, 00007FFFE27364B6
retsize <= sizeInWords, xrefs: 00007FFFE2736884, 00007FFFE27368E1
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\mbstowcs.c, xrefs: 00007FFFE273646E, 00007FFFE27364A8, 00007FFFE273661F, 00007FFFE2736659, 00007FFFE2736899, 00007FFFE27368D3
_mbstowcs_s_l, xrefs: 00007FFFE27364AF, 00007FFFE2736660, 00007FFFE27368DA
", xrefs: 00007FFFE27368ED
bufferSize <= INT_MAX, xrefs: 00007FFFE273660A, 00007FFFE2736667
P, xrefs: 00007FFFE2736912

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: Locale$UpdateUpdate::~_$_invalid_parameter
String ID: "$(pwcs == NULL && sizeInWords == 0) || (pwcs != NULL && sizeInWords > 0)$P$_mbstowcs_s_l$bufferSize <= INT_MAX$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\mbstowcs.c$retsize <= sizeInWords
API String ID: 2192614184-660564692
Opcode ID: 195fbd3003f3c87b3f41f90d73ab024ba3d25bb3ae880b5a9c818d30aa2f9b48
Instruction ID: 7a2dfbe81a27327922b1f1889681c7fc3dceac4efd57bdc4dc88e6b98402ea0a
Opcode Fuzzy Hash: 195fbd3003f3c87b3f41f90d73ab024ba3d25bb3ae880b5a9c818d30aa2f9b48
Instruction Fuzzy Hash: FFE10832D0CBC685E7709B14E4843AA63E0FB86754F504636D69D83AD9EFBCD4A4CB06

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE27355F0 Relevance: 24.2, APIs: 16, Instructions: 206
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 57%

			E00007FFF7FFFE27355F0(void* __ecx, long long __rcx, long long __rdx, signed int* __r8, signed int* __r9, long long _a8, void* _a16, signed int* _a24, signed int* _a32) {
				long long _v24;
				long long _v32;
				long long _v40;
				long long _v48;
				long long _v56;
				void* _v64;
				long long _v72;
				void* _t88;
				void* _t89;
				void* _t107;
				void* _t109;
				signed int* _t158;
				signed int* _t160;
				long long _t175;
				long long _t186;
				signed int* _t187;
				signed int* _t193;

				_a32 = __r9;
				_a24 = __r8;
				_a16 = __rdx;
				_a8 = __rcx;
				_v72 = 0;
				_t158 = _a24;
				if ( *((intOrPtr*)(_t158 + 4)) == 0) goto 0xe2735639;
				_t89 = E00007FFF7FFFE272E680(_t88, _t158);
				_v56 = _t158 + _a24[1];
				goto 0xe2735642;
				_v56 = 0;
				if (_v56 == 0) goto 0xe27356aa;
				_t160 = _a24;
				if ( *((intOrPtr*)(_t160 + 4)) == 0) goto 0xe2735673;
				E00007FFF7FFFE272E680(_t89, _t160);
				_v48 = _t160 + _a24[1];
				goto 0xe273567c;
				_v48 = 0;
				if ( *((char*)(_v48 + 0x10)) == 0) goto 0xe27356aa;
				if (_a24[2] != 0) goto 0xe27356b1;
				if (( *_a24 & 0x80000000) != 0) goto 0xe27356b1;
				goto 0xe2735966;
				if (( *_a24 & 0x80000000) == 0) goto 0xe27356d0;
				_v64 = _a16;
				goto 0xe27356e9;
				_v64 = _a24[2] +  *_a16;
				if (( *_a24 & 0x00000008) == 0) goto 0xe2735765;
				if (E00007FFF7FFFE273D2C0(1,  *((intOrPtr*)(_a8 + 0x28))) == 0) goto 0xe273575b;
				if (E00007FFF7FFFE273D2C0(1, _v64) == 0) goto 0xe273575b;
				 *_v64 =  *((intOrPtr*)(_a8 + 0x28));
				_t175 = _v64;
				E00007FFF7FFFE2735B30(_t100,  *_t175,  &(_a32[2]));
				 *_v64 = _t175;
				goto 0xe2735760;
				E00007FFF7FFFE272CF80(_t175);
				goto 0xe273595a;
				if (( *_a32 & 0x00000001) == 0) goto 0xe2735813;
				if (E00007FFF7FFFE273D2C0(1,  *((intOrPtr*)(_a8 + 0x28))) == 0) goto 0xe2735809;
				if (E00007FFF7FFFE273D2C0(1, _v64) == 0) goto 0xe2735809;
				_t107 = E00007FFF7FFFE272C410(__ecx, E00007FFF7FFFE273D2C0(1, _v64), _v64,  *((intOrPtr*)(_a8 + 0x28)), _a32[5]);
				if (_a32[5] != 8) goto 0xe2735807;
				if ( *_v64 == 0) goto 0xe2735807;
				_t186 = _v64;
				E00007FFF7FFFE2735B30(_t107,  *_t186,  &(_a32[2]));
				 *_v64 = _t186;
				goto 0xe273580e;
				_t109 = E00007FFF7FFFE272CF80(_t186);
				goto 0xe273595a;
				_t187 = _a32;
				if ( *((intOrPtr*)(_t187 + 0x18)) == 0) goto 0xe273583c;
				E00007FFF7FFFE272E6A0(_t109, _t187);
				_v40 = _t187 + _a32[6];
				goto 0xe2735845;
				_v40 = 0;
				if (_v40 != 0) goto 0xe27358c6;
				if (E00007FFF7FFFE273D2C0(1,  *((intOrPtr*)(_a8 + 0x28))) == 0) goto 0xe27358bc;
				if (E00007FFF7FFFE273D2C0(1, _v64) == 0) goto 0xe27358bc;
				_t191 = _a32[5];
				_v32 = _a32[5];
				E00007FFF7FFFE2735B30(_t112,  *((intOrPtr*)(_a8 + 0x28)),  &(_a32[2]));
				E00007FFF7FFFE272C410(__ecx, E00007FFF7FFFE273D2C0(1, _v64), _v64, _a32[5], _v32);
				goto 0xe27358c1;
				E00007FFF7FFFE272CF80(_t191);
				goto 0xe273595a;
				if (E00007FFF7FFFE273D2C0(1,  *((intOrPtr*)(_a8 + 0x28))) == 0) goto 0xe2735955;
				if (E00007FFF7FFFE273D2C0(1, _v64) == 0) goto 0xe2735955;
				_t193 = _a32;
				if ( *((intOrPtr*)(_t193 + 0x18)) == 0) goto 0xe2735919;
				E00007FFF7FFFE272E6A0(_t117, _t193);
				_v24 = _t193 + _a32[6];
				goto 0xe2735922;
				_v24 = 0;
				if (E00007FFF7FFFE273D2F0(_v24) == 0) goto 0xe2735955;
				_t195 = _a32;
				if (( *_a32 & 0x00000004) == 0) goto 0xe273594b;
				_v72 = 2;
				goto 0xe2735953;
				_v72 = 1;
				goto 0xe273595a;
				E00007FFF7FFFE272CF80(_a32);
				E00007FFF7FFFE272CF50(_t195);
				return _v72;
			}

0x7fffe27355f0
0x7fffe27355f5
0x7fffe27355fa
0x7fffe27355ff
0x7fffe2735608
0x7fffe2735610
0x7fffe273561c
0x7fffe273561e
0x7fffe2735632
0x7fffe2735637
0x7fffe2735639
0x7fffe2735648
0x7fffe273564a
0x7fffe2735656
0x7fffe2735658
0x7fffe273566c
0x7fffe2735671
0x7fffe2735673
0x7fffe2735687
0x7fffe2735695
0x7fffe27356a8
0x7fffe27356ac
0x7fffe27356c2
0x7fffe27356c9
0x7fffe27356ce
0x7fffe27356e4
0x7fffe27356f8
0x7fffe273570f
0x7fffe2735722
0x7fffe2735732
0x7fffe2735744
0x7fffe273574c
0x7fffe2735756
0x7fffe2735759
0x7fffe273575b
0x7fffe2735760
0x7fffe2735774
0x7fffe273578f
0x7fffe27357a2
0x7fffe27357c1
0x7fffe27357d6
0x7fffe27357e1
0x7fffe27357f2
0x7fffe27357fa
0x7fffe2735804
0x7fffe2735807
0x7fffe2735809
0x7fffe273580e
0x7fffe2735813
0x7fffe273581f
0x7fffe2735821
0x7fffe2735835
0x7fffe273583a
0x7fffe273583c
0x7fffe273584b
0x7fffe2735862
0x7fffe2735875
0x7fffe273587f
0x7fffe2735883
0x7fffe27358a0
0x7fffe27358b5
0x7fffe27358ba
0x7fffe27358bc
0x7fffe27358c1
0x7fffe27358db
0x7fffe27358ee
0x7fffe27358f0
0x7fffe27358fc
0x7fffe27358fe
0x7fffe2735912
0x7fffe2735917
0x7fffe2735919
0x7fffe273592e
0x7fffe2735930
0x7fffe273593f
0x7fffe2735941
0x7fffe2735949
0x7fffe273594b
0x7fffe2735953
0x7fffe2735955
0x7fffe273595c
0x7fffe273596a

APIs

_ValidateRead.LIBCMTD ref: 00007FFFE2735708
_ValidateRead.LIBCMTD ref: 00007FFFE273571B
__AdjustPointer.LIBCMTD ref: 00007FFFE273574C
_ValidateRead.LIBCMTD ref: 00007FFFE2735788
_ValidateRead.LIBCMTD ref: 00007FFFE273579B
__AdjustPointer.LIBCMTD ref: 00007FFFE27357FA
_inconsistency.LIBCMTD ref: 00007FFFE2735809
_ValidateRead.LIBCMTD ref: 00007FFFE273585B
_ValidateRead.LIBCMTD ref: 00007FFFE273586E
__AdjustPointer.LIBCMTD ref: 00007FFFE27358A0
_inconsistency.LIBCMTD ref: 00007FFFE27358BC
_ValidateRead.LIBCMTD ref: 00007FFFE27358D4
_ValidateRead.LIBCMTD ref: 00007FFFE27358E7
_ValidateExecute.LIBCMTD ref: 00007FFFE2735927
_inconsistency.LIBCMTD ref: 00007FFFE273575B

Part of subcall function 00007FFFE272CF80: DecodePointer.KERNEL32 ref: 00007FFFE272CF8B
Part of subcall function 00007FFFE272CF80: terminate.LIBCMTD ref: 00007FFFE272CFA4

_inconsistency.LIBCMTD ref: 00007FFFE2735955

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: Validate$Read$Pointer_inconsistency$Adjust$DecodeExecuteterminate
String ID:
API String ID: 801082872-0
Opcode ID: ac6deabe0a05852b742f22a1b4600818fc4e29af537fcfed8c9e1d4fbe1357d9
Instruction ID: d535bc3ab28e25897a14ec17dcc707e7162657e4bacf3f1146d97bbb696cf67a
Opcode Fuzzy Hash: ac6deabe0a05852b742f22a1b4600818fc4e29af537fcfed8c9e1d4fbe1357d9
Instruction Fuzzy Hash: 9BA12F32E1CA42C2EA608B15E49137A67E0FBC9B94F544131EA8DC77A5EFBCD461CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2738D00 Relevance: 23.0, APIs: 5, Strings: 8, Instructions: 287COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter.LIBCMTD ref: 00007FFFE2738DAA
_invalid_parameter.LIBCMTD ref: 00007FFFE2738E49
_invalid_parameter.LIBCMTD ref: 00007FFFE2738F8C
_invalid_parameter.LIBCMTD ref: 00007FFFE273903D
_invalid_parameter.LIBCMTD ref: 00007FFFE2739205

Strings

2 <= radix && radix <= 36, xrefs: 00007FFFE2738FD9, 00007FFFE2739036
sizeInTChars > 0, xrefs: 00007FFFE2738DE5, 00007FFFE2738E42
sizeInTChars > (size_t)(is_neg ? 2 : 1), xrefs: 00007FFFE2738F28, 00007FFFE2738F85
buf != NULL, xrefs: 00007FFFE2738D46, 00007FFFE2738DA3
xtow_s, xrefs: 00007FFFE2738D9C, 00007FFFE2738E3B, 00007FFFE2738F7E, 00007FFFE273902F, 00007FFFE27391F7
$, xrefs: 00007FFFE2738FA5
length < sizeInTChars, xrefs: 00007FFFE27391A1, 00007FFFE27391FE
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\xtoa.c, xrefs: 00007FFFE2738D5B, 00007FFFE2738D95, 00007FFFE2738DFA, 00007FFFE2738E34, 00007FFFE2738F3D, 00007FFFE2738F77, 00007FFFE2738FEE, 00007FFFE2739028, 00007FFFE27391B6, 00007FFFE27391F0

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: _invalid_parameter
String ID: $$2 <= radix && radix <= 36$buf != NULL$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\xtoa.c$length < sizeInTChars$sizeInTChars > (size_t)(is_neg ? 2 : 1)$sizeInTChars > 0$xtow_s
API String ID: 2123368286-1993839260
Opcode ID: f8a5afe18f34840ee0df28905467ae8a93c47803c1f8068a44ba45b34dbb5592
Instruction ID: 6663aeb6d59a9a722f46eb832b5801b937ddeec077aa30cc9adc2be06b45dca9
Opcode Fuzzy Hash: f8a5afe18f34840ee0df28905467ae8a93c47803c1f8068a44ba45b34dbb5592
Instruction Fuzzy Hash: D5E12D72E1CB85CAE7608B14E48436AB7E1FB86344F505535E68D83B98EFBDD464CB02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2737030 Relevance: 23.0, APIs: 5, Strings: 8, Instructions: 282COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter.LIBCMTD ref: 00007FFFE27370DA
_invalid_parameter.LIBCMTD ref: 00007FFFE2737179
_invalid_parameter.LIBCMTD ref: 00007FFFE27372B6
_invalid_parameter.LIBCMTD ref: 00007FFFE2737367
_invalid_parameter.LIBCMTD ref: 00007FFFE2737523

Strings

2 <= radix && radix <= 36, xrefs: 00007FFFE2737303, 00007FFFE2737360
$, xrefs: 00007FFFE27372CF
sizeInTChars > 0, xrefs: 00007FFFE2737115, 00007FFFE2737172
sizeInTChars > (size_t)(is_neg ? 2 : 1), xrefs: 00007FFFE2737252, 00007FFFE27372AF
xtoa_s, xrefs: 00007FFFE27370CC, 00007FFFE273716B, 00007FFFE27372A8, 00007FFFE2737359, 00007FFFE2737515
buf != NULL, xrefs: 00007FFFE2737076, 00007FFFE27370D3
length < sizeInTChars, xrefs: 00007FFFE27374BF, 00007FFFE273751C
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\xtoa.c, xrefs: 00007FFFE273708B, 00007FFFE27370C5, 00007FFFE273712A, 00007FFFE2737164, 00007FFFE2737267, 00007FFFE27372A1, 00007FFFE2737318, 00007FFFE2737352, 00007FFFE27374D4, 00007FFFE273750E

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: _invalid_parameter
String ID: $$2 <= radix && radix <= 36$buf != NULL$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\xtoa.c$length < sizeInTChars$sizeInTChars > (size_t)(is_neg ? 2 : 1)$sizeInTChars > 0$xtoa_s
API String ID: 2123368286-1853640030
Opcode ID: fd24ae2173ac44ea26de12f4013dd461b82e36f4d48be66e2593e9709099cfaf
Instruction ID: 890885afddeefca4d6d0ba44414d5be57d8c95ede091eb1819f9fdff812fd4b4
Opcode Fuzzy Hash: fd24ae2173ac44ea26de12f4013dd461b82e36f4d48be66e2593e9709099cfaf
Instruction Fuzzy Hash: 4DE14D72D1CB85CAE7608B14E48476AB7E1FB86354F504135E68D83B98EFBDD464CB02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE273E6C6 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 332
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E00007FFF7FFFE273E6C6(signed int __rax, void* __rdx, long long _a32, void* _a64, void* _a72, intOrPtr _a76, signed int _a80, char _a84, short _a86, intOrPtr _a88, long long _a92, long long _a96, signed char _a104, intOrPtr _a108, signed int _a116, char _a120, char _a687, char _a1200, signed short _a1212, intOrPtr _a1216, intOrPtr _a1220, signed char _a1296, signed int _a1304, signed int _a1312, intOrPtr _a1320, long long _a1328, signed char _a1336, intOrPtr _a1340, intOrPtr _a1344, intOrPtr _a1376, intOrPtr _a1380, signed int _a1480, long long _a1488, long long _a1496, long long _a1504, signed int _a1512, intOrPtr _a1536, char _a1560) {
				signed int _t224;
				signed char _t229;
				void* _t260;
				intOrPtr _t268;
				signed int _t342;
				signed int _t343;
				signed long long _t346;
				intOrPtr* _t365;
				intOrPtr* _t370;
				signed long long _t400;

				_t342 = __rax;
				_a80 = _a80 | 0x00000040;
				_a72 = 0xa;
				_a72 = 0xa;
				_a116 = 0x10;
				asm("bts eax, 0xf");
				_a1220 = 7;
				_a1220 = 0x27;
				_a72 = 0x10;
				if ((_a80 & 0x00000080) == 0) goto 0xe273e74d;
				_a84 = 0x30;
				_a86 = _a1220 + 0x51;
				_a92 = 2;
				_a72 = 8;
				if ((_a80 & 0x00000080) == 0) goto 0xe273e770;
				asm("bts eax, 0x9");
				if ((_a80 & 0x00008000) == 0) goto 0xe273e797;
				E00007FFF7FFFE2731EA0( &_a1560);
				_a1304 = _t342;
				goto 0xe273e844;
				if ((_a80 & 0x00001000) == 0) goto 0xe273e7be;
				E00007FFF7FFFE2731EA0( &_a1560);
				_a1304 = _t342;
				goto 0xe273e844;
				if ((_a80 & 0x00000020) == 0) goto 0xe273e809;
				if ((_a80 & 0x00000040) == 0) goto 0xe273e7ef;
				_t343 = E00007FFF7FFFE2731E40( &_a1560);
				_a1304 = _t343;
				goto 0xe273e807;
				E00007FFF7FFFE2731E40( &_a1560);
				_a1304 = _t343;
				goto 0xe273e844;
				if ((_a80 & 0x00000040) == 0) goto 0xe273e82d;
				E00007FFF7FFFE2731E40( &_a1560);
				_a1304 = _t343;
				goto 0xe273e844;
				E00007FFF7FFFE2731E40( &_a1560);
				_a1304 = _t343;
				if ((_a80 & 0x00000040) == 0) goto 0xe273e87b;
				if (_a1304 >= 0) goto 0xe273e87b;
				_a1312 =  ~_a1304;
				asm("bts eax, 0x8");
				goto 0xe273e88b;
				_t346 = _a1304;
				_a1312 = _t346;
				if ((_a80 & 0x00008000) != 0) goto 0xe273e8c0;
				if ((_a80 & 0x00001000) != 0) goto 0xe273e8c0;
				_a1312 = _a1312 & _t346;
				if (_a116 >= 0) goto 0xe273e8d1;
				_a116 = 1;
				goto 0xe273e8ee;
				_a80 = _a80 & 0xfffffff7;
				if (_a116 - 0x200 <= 0) goto 0xe273e8ee;
				_a116 = 0x200;
				if (_a1312 != 0) goto 0xe273e901;
				_a92 = 0;
				_a64 =  &_a687;
				_t224 = _a116;
				_a116 = _a116 - 1;
				if (_t224 > 0) goto 0xe273e92f;
				if (_a1312 == 0) goto 0xe273e9cc;
				_a1480 = _a72;
				_a1296 = _t224 / _a1480 + 0x30;
				_a1488 = _a72;
				if (_a1296 - 0x39 <= 0) goto 0xe273e9ab;
				_t229 = _a1296 + _a1220;
				_a1296 = _t229;
				 *_a64 = _a1296 & 0x000000ff;
				_a64 = _a64 - 1;
				goto 0xe273e90e;
				_a104 = _t229;
				_a64 = _a64 + 1;
				if ((_a80 & 0x00000200) == 0) goto 0xe273ea2a;
				if (_a104 == 0) goto 0xe273ea0b;
				if ( *_a64 == 0x30) goto 0xe273ea2a;
				_a64 = _a64 - 1;
				 *_a64 = 0x30;
				_a104 = _a104 + 1;
				if (_a108 != 0) goto 0xe273ec7c;
				if ((_a80 & 0x00000040) == 0) goto 0xe273ea9d;
				if ((_a80 & 0x00000100) == 0) goto 0xe273ea61;
				_a84 = 0x2d;
				_a92 = 1;
				goto 0xe273ea9d;
				if ((_a80 & 0x00000001) == 0) goto 0xe273ea80;
				_a84 = 0x2b;
				_a92 = 1;
				goto 0xe273ea9d;
				if ((_a80 & 0x00000002) == 0) goto 0xe273ea9d;
				_a84 = 0x20;
				_a92 = 1;
				_a1320 = _a88 - _a104 - _a92;
				if ((_a80 & 0x0000000c) != 0) goto 0xe273eadf;
				E00007FFF7FFFE273EEC0(0x20, _a1320, _a1536,  &_a1200);
				E00007FFF7FFFE273EF10(_a92, _a64,  &_a84, _a1536,  &_a1200);
				if ((_a80 & 0x00000008) == 0) goto 0xe273eb33;
				if ((_a80 & 0x00000004) != 0) goto 0xe273eb33;
				E00007FFF7FFFE273EEC0(0x30, _a1320, _a1536,  &_a1200);
				if (_a76 != 0) goto 0xe273ec29;
				if (_a104 <= 0) goto 0xe273ec29;
				_t365 = _a64;
				_a1328 = _t365;
				_a1336 = _a104;
				_a1336 = _a1336 - 1;
				if (_a1336 <= 0) goto 0xe273ec27;
				_t260 = E00007FFF7FFFE2726840(_a1336,  &_a120);
				_a1496 = _t365;
				E00007FFF7FFFE2726840(_t260,  &_a120);
				_a1340 = E00007FFF7FFFE273F000( &_a1212, _a1328,  *((intOrPtr*)( *_t365 + 0x10c)), _a1496);
				if (_a1340 > 0) goto 0xe273ebe7;
				_a1200 = 0xffffffff;
				goto 0xe273ec27;
				E00007FFF7FFFE273EE40(_a1212 & 0x0000ffff, _a1536,  &_a1200);
				_a1328 = _a1328 + _a1340;
				goto 0xe273eb61;
				goto 0xe273ec47;
				E00007FFF7FFFE273EF10(_a104, _a1328 + _a1340, _a64, _a1536,  &_a1200);
				if (_a1200 < 0) goto 0xe273ec7c;
				if ((_a80 & 0x00000004) == 0) goto 0xe273ec7c;
				E00007FFF7FFFE273EEC0(0x20, _a1320, _a1536,  &_a1200);
				if (_a96 == 0) goto 0xe273ec9c;
				0xe2725330();
				_a96 = 0;
				goto 0xe273da75;
				if (_a1216 == 0) goto 0xe273ecc2;
				if (_a1216 == 7) goto 0xe273ecc2;
				_a1504 = 0;
				goto 0xe273eccd;
				_a1504 = 1;
				_t268 = _a1504;
				_a1344 = _t268;
				if (_a1344 != 0) goto 0xe273ed13;
				_t370 = L"((state == ST_NORMAL) || (state == ST_TYPE))";
				_a32 = _t370;
				r9d = 0;
				r8d = 0x8f5;
				0xe272b3b0();
				if (_t268 != 1) goto 0xe273ed13;
				asm("int3");
				if (_a1344 != 0) goto 0xe273ed6f;
				0xe272ab30();
				 *_t370 = 0x16;
				_a32 = 0;
				r9d = 0x8f5;
				E00007FFF7FFFE272BD70(L"((state == ST_NORMAL) || (state == ST_TYPE))", L"_woutput_s_l", L"f:\\dd\\vctools\\crt_bld\\self_64_amd64\\crt\\src\\output.c");
				_a1376 = 0xffffffff;
				E00007FFF7FFFE2726800( &_a120);
				goto 0xe273ed8e;
				_a1380 = _a1200;
				E00007FFF7FFFE2726800( &_a120);
				return E00007FFF7FFFE2723280(_a1380, 2, 2, _a1512 ^ _t400, L"_woutput_s_l", L"f:\\dd\\vctools\\crt_bld\\self_64_amd64\\crt\\src\\output.c");
			}

0x7fffe273e6c6
0x7fffe273e6cd
0x7fffe273e6d1
0x7fffe273e6de
0x7fffe273e6eb
0x7fffe273e6f7
0x7fffe273e6ff
0x7fffe273e70c
0x7fffe273e717
0x7fffe273e72a
0x7fffe273e731
0x7fffe273e740
0x7fffe273e745
0x7fffe273e74f
0x7fffe273e762
0x7fffe273e768
0x7fffe273e77b
0x7fffe273e785
0x7fffe273e78a
0x7fffe273e792
0x7fffe273e7a2
0x7fffe273e7ac
0x7fffe273e7b1
0x7fffe273e7b9
0x7fffe273e7c7
0x7fffe273e7d2
0x7fffe273e7e1
0x7fffe273e7e5
0x7fffe273e7ed
0x7fffe273e7f7
0x7fffe273e7ff
0x7fffe273e807
0x7fffe273e812
0x7fffe273e81c
0x7fffe273e823
0x7fffe273e82b
0x7fffe273e835
0x7fffe273e83c
0x7fffe273e84d
0x7fffe273e858
0x7fffe273e865
0x7fffe273e871
0x7fffe273e879
0x7fffe273e87b
0x7fffe273e883
0x7fffe273e896
0x7fffe273e8a3
0x7fffe273e8b8
0x7fffe273e8c5
0x7fffe273e8c7
0x7fffe273e8cf
0x7fffe273e8d8
0x7fffe273e8e4
0x7fffe273e8e6
0x7fffe273e8f7
0x7fffe273e8f9
0x7fffe273e909
0x7fffe273e90e
0x7fffe273e918
0x7fffe273e91e
0x7fffe273e929
0x7fffe273e934
0x7fffe273e957
0x7fffe273e963
0x7fffe273e990
0x7fffe273e9a2
0x7fffe273e9a4
0x7fffe273e9b8
0x7fffe273e9c2
0x7fffe273e9c7
0x7fffe273e9d9
0x7fffe273e9e5
0x7fffe273e9f5
0x7fffe273e9fc
0x7fffe273ea09
0x7fffe273ea13
0x7fffe273ea1d
0x7fffe273ea26
0x7fffe273ea2f
0x7fffe273ea3e
0x7fffe273ea4b
0x7fffe273ea52
0x7fffe273ea57
0x7fffe273ea5f
0x7fffe273ea6a
0x7fffe273ea71
0x7fffe273ea76
0x7fffe273ea7e
0x7fffe273ea89
0x7fffe273ea90
0x7fffe273ea95
0x7fffe273eaad
0x7fffe273eabd
0x7fffe273eada
0x7fffe273eaf8
0x7fffe273eb06
0x7fffe273eb11
0x7fffe273eb2e
0x7fffe273eb38
0x7fffe273eb43
0x7fffe273eb49
0x7fffe273eb4e
0x7fffe273eb5a
0x7fffe273eb71
0x7fffe273eb7a
0x7fffe273eb85
0x7fffe273eb8a
0x7fffe273eb97
0x7fffe273ebc9
0x7fffe273ebd8
0x7fffe273ebda
0x7fffe273ebe5
0x7fffe273ebff
0x7fffe273ec1a
0x7fffe273ec22
0x7fffe273ec27
0x7fffe273ec42
0x7fffe273ec4f
0x7fffe273ec5a
0x7fffe273ec77
0x7fffe273ec82
0x7fffe273ec8e
0x7fffe273ec93
0x7fffe273ec9c
0x7fffe273eca9
0x7fffe273ecb3
0x7fffe273ecb5
0x7fffe273ecc0
0x7fffe273ecc2
0x7fffe273eccd
0x7fffe273ecd4
0x7fffe273ece3
0x7fffe273ece5
0x7fffe273ecec
0x7fffe273ecf1
0x7fffe273ecf4
0x7fffe273ed06
0x7fffe273ed0e
0x7fffe273ed10
0x7fffe273ed1b
0x7fffe273ed1d
0x7fffe273ed22
0x7fffe273ed28
0x7fffe273ed31
0x7fffe273ed4c
0x7fffe273ed51
0x7fffe273ed61
0x7fffe273ed6d
0x7fffe273ed76
0x7fffe273ed82
0x7fffe273eda5

APIs

get_int64_arg.LIBCMTD ref: 00007FFFE273E785
get_int64_arg.LIBCMTD ref: 00007FFFE273E7AC

Strings

("Incorrect format specifier", 0), xrefs: 00007FFFE273DB7D, 00007FFFE273DBDD
9, xrefs: 00007FFFE273E988
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c, xrefs: 00007FFFE273DB92, 00007FFFE273DBCF
_woutput_s_l, xrefs: 00007FFFE273DBD6

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: get_int64_arg
String ID: ("Incorrect format specifier", 0)$9$_woutput_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c
API String ID: 1967237116-1983305044
Opcode ID: 2a7d659c8e5e6b28fc7c58fcf8e8579ea91b99a8d6af850dbdc893ea63a98b90
Instruction ID: 467077a1275486e8dcd6b373cdb482b1101971230eac7e2a8ee34038a6d8abe9
Opcode Fuzzy Hash: 2a7d659c8e5e6b28fc7c58fcf8e8579ea91b99a8d6af850dbdc893ea63a98b90
Instruction Fuzzy Hash: C0F1E87290DAC58AE7708B15E8813ABB7E0FB96385F100135E689C7A99EFBCD450CF45

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2732D80 Relevance: 21.3, APIs: 4, Strings: 8, Instructions: 310COMMON

Download Yara Rule

APIs

_invalid_parameter.LIBCMTD ref: 00007FFFE2732E31
_invalid_parameter.LIBCMTD ref: 00007FFFE2732F63
_invalid_parameter.LIBCMTD ref: 00007FFFE27330E4
_invalid_parameter.LIBCMTD ref: 00007FFFE273327B

Strings

Buffer is too small, xrefs: 00007FFFE27331DB
(L"String is not null terminated" && 0), xrefs: 00007FFFE2733080, 00007FFFE27330DD
String is not null terminated, xrefs: 00007FFFE273304D
(((_Src))) != NULL, xrefs: 00007FFFE2732EFF, 00007FFFE2732F5C
wcscat_s, xrefs: 00007FFFE2732E23, 00007FFFE2732F55, 00007FFFE27330D6, 00007FFFE273326D
((_Dst)) != NULL && ((_SizeInWords)) > 0, xrefs: 00007FFFE2732DCD, 00007FFFE2732E2A
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\tcscat_s.inl, xrefs: 00007FFFE2732DE2, 00007FFFE2732E1C, 00007FFFE2732F14, 00007FFFE2732F4E, 00007FFFE2733095, 00007FFFE27330CF, 00007FFFE273322C, 00007FFFE2733266
(L"Buffer is too small" && 0), xrefs: 00007FFFE2733217, 00007FFFE2733274

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: _invalid_parameter
String ID: (((_Src))) != NULL$((_Dst)) != NULL && ((_SizeInWords)) > 0$(L"Buffer is too small" && 0)$(L"String is not null terminated" && 0)$Buffer is too small$String is not null terminated$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\tcscat_s.inl$wcscat_s
API String ID: 2123368286-3477667311
Opcode ID: b8fc4c6395d55294f14e808969fd0dde924ec27b835ffc5b45b9a86212572efe
Instruction ID: 8047a366a8be63206f85207445f9f9aba2965f8293bbf98ee4141e865ae95138
Opcode Fuzzy Hash: b8fc4c6395d55294f14e808969fd0dde924ec27b835ffc5b45b9a86212572efe
Instruction Fuzzy Hash: 2DF14E32E1CB8685EB708B15E48436A63E0FB86794F504535DA9EC3B94EFBCD464CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE27369C0 Relevance: 21.3, APIs: 4, Strings: 8, Instructions: 303COMMON

Download Yara Rule

APIs

_invalid_parameter.LIBCMTD ref: 00007FFFE2736A71
_invalid_parameter.LIBCMTD ref: 00007FFFE2736B9D
_invalid_parameter.LIBCMTD ref: 00007FFFE2736D17
_invalid_parameter.LIBCMTD ref: 00007FFFE2736EA5

Strings

Buffer is too small, xrefs: 00007FFFE2736E05
strcat_s, xrefs: 00007FFFE2736A63, 00007FFFE2736B8F, 00007FFFE2736D09, 00007FFFE2736E97
(L"String is not null terminated" && 0), xrefs: 00007FFFE2736CB3, 00007FFFE2736D10
String is not null terminated, xrefs: 00007FFFE2736C80
(((_Src))) != NULL, xrefs: 00007FFFE2736B39, 00007FFFE2736B96
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\tcscat_s.inl, xrefs: 00007FFFE2736A22, 00007FFFE2736A5C, 00007FFFE2736B4E, 00007FFFE2736B88, 00007FFFE2736CC8, 00007FFFE2736D02, 00007FFFE2736E56, 00007FFFE2736E90
(L"Buffer is too small" && 0), xrefs: 00007FFFE2736E41, 00007FFFE2736E9E
((_Dst)) != NULL && ((_SizeInBytes)) > 0, xrefs: 00007FFFE2736A0D, 00007FFFE2736A6A

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: _invalid_parameter
String ID: (((_Src))) != NULL$((_Dst)) != NULL && ((_SizeInBytes)) > 0$(L"Buffer is too small" && 0)$(L"String is not null terminated" && 0)$Buffer is too small$String is not null terminated$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\tcscat_s.inl$strcat_s
API String ID: 2123368286-1420200500
Opcode ID: 0735035b45f8f7c7b818c7081b0ef0632545b94255aff591ce5d43235ef3c046
Instruction ID: cf9c5375e0a57e3200cd8fd0c78c0b340026e2de58c3e69bfa40883d40019bd6
Opcode Fuzzy Hash: 0735035b45f8f7c7b818c7081b0ef0632545b94255aff591ce5d43235ef3c046
Instruction Fuzzy Hash: 90F16D32E1CB8685EB708B15E48436A67E0FB86754F504535D69EC3BA4EFBCE464CB02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE273C30D Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 231COMMON

Download Yara Rule

APIs

get_int64_arg.LIBCMTD ref: 00007FFFE273C315
_get_printf_count_output.LIBCMTD ref: 00007FFFE273C322
_invalid_parameter.LIBCMTD ref: 00007FFFE273C3CC
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE273C3E1
wctomb_s.LIBCMTD ref: 00007FFFE273CBB1

Strings

("Incorrect format specifier", 0), xrefs: 00007FFFE273BAA2, 00007FFFE273BB02
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c, xrefs: 00007FFFE273BAB7, 00007FFFE273BAF4, 00007FFFE273C37A, 00007FFFE273C3B7
_output_s_l, xrefs: 00007FFFE273BAFB, 00007FFFE273C3BE
-, xrefs: 00007FFFE273CA54
("'n' format specifier disabled", 0), xrefs: 00007FFFE273C365, 00007FFFE273C3C5

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: Locale$UpdateUpdate::~__get_printf_count_output_invalid_parameterget_int64_argwctomb_s
String ID: ("'n' format specifier disabled", 0)$("Incorrect format specifier", 0)$-$_output_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c
API String ID: 2560055391-3497434347
Opcode ID: f7e31fddf96ab2d989b429fa4fac32de28ca989592260db18f40bb78f450a6ea
Instruction ID: e2f3c92686838fb17d854bc6f9a5e43eccfa9c4f7a5c4bff7f4a89e6ff0eb5fa
Opcode Fuzzy Hash: f7e31fddf96ab2d989b429fa4fac32de28ca989592260db18f40bb78f450a6ea
Instruction Fuzzy Hash: BFC12B7290C7C686E7719B14E4853AAB7E4FB86744F400039D689C6A99EFBCE560CF06

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2739290 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 142COMMON

Download Yara Rule

APIs

__doserrno.LIBCMTD ref: 00007FFFE27392B6
__doserrno.LIBCMTD ref: 00007FFFE2739341
_invalid_parameter.LIBCMTD ref: 00007FFFE273937B

Strings

("Invalid file descriptor. File possibly closed by a different thread",0), xrefs: 00007FFFE27394D2
(_osfile(fh) & FOPEN), xrefs: 00007FFFE27393DB, 00007FFFE2739443
_lseeki64, xrefs: 00007FFFE273936D, 00007FFFE273943C
(fh >= 0 && (unsigned)fh < (unsigned)_nhandle), xrefs: 00007FFFE273930C, 00007FFFE2739374
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\lseeki64.c, xrefs: 00007FFFE2739321, 00007FFFE2739366, 00007FFFE27393F0, 00007FFFE2739435, 00007FFFE27394E7

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: __doserrno$_invalid_parameter
String ID: ("Invalid file descriptor. File possibly closed by a different thread",0)$(_osfile(fh) & FOPEN)$(fh >= 0 && (unsigned)fh < (unsigned)_nhandle)$_lseeki64$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\lseeki64.c
API String ID: 747159061-1442092225
Opcode ID: ef8329fd12da17d600f4f9f1cced5d5e2c2be82d60747835616dff46824e4e92
Instruction ID: 1d04dc55c8cff15d1540d41fb1673fc9718c7b40d9aa1781b89acb0b8ae8b104
Opcode Fuzzy Hash: ef8329fd12da17d600f4f9f1cced5d5e2c2be82d60747835616dff46824e4e92
Instruction Fuzzy Hash: E6619172D1C646C6E7109B24E88036A72E1FB82760F504735E6AD877D5EFBCE821CB02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE272B12B Relevance: 21.1, APIs: 3, Strings: 9, Instructions: 99COMMON

Download Yara Rule

APIs

_invoke_watson_if_oneof.LIBCMTD ref: 00007FFFE272B2DB
_invoke_watson_if_error.LIBCMTD ref: 00007FFFE272B339
_exit.LIBCMTD ref: 00007FFFE272B378

Strings

f:\dd\vctools\crt_bld\self_64_amd64\crt\src\dbgrpt.c, xrefs: 00007FFFE272B2AF, 00007FFFE272B322
Module: , xrefs: 00007FFFE272B192
strcpy_s(szOutMessage, 4096, "_CrtDbgReport: String too long or IO Error"), xrefs: 00007FFFE272B330
__crtMessageWindowA, xrefs: 00007FFFE272B2BB, 00007FFFE272B329
_CrtDbgReport: String too long or IO Error, xrefs: 00007FFFE272B2F8
(*_errno()), xrefs: 00007FFFE272B2C7
Debug %s!Program: %s%s%s%s%s%s%s%s%s%s%s%s(Press Retry to debug the application), xrefs: 00007FFFE272B269
..., xrefs: 00007FFFE272B167
Microsoft Visual C++ Debug Library, xrefs: 00007FFFE272B344

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: _exit_invoke_watson_if_error_invoke_watson_if_oneof
String ID: Module: $(*_errno())$...$Debug %s!Program: %s%s%s%s%s%s%s%s%s%s%s%s(Press Retry to debug the application)$Microsoft Visual C++ Debug Library$_CrtDbgReport: String too long or IO Error$__crtMessageWindowA$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\dbgrpt.c$strcpy_s(szOutMessage, 4096, "_CrtDbgReport: String too long or IO Error")
API String ID: 1778837556-2487400587
Opcode ID: 577a98effe66048d1b02d2ce2304ffee9433b0bc14e646f7048145a1ac209acc
Instruction ID: d29abef9cde8815da2ec330de38a3bdabca681e1b6341fbdd2e2cda5b1562e5c
Opcode Fuzzy Hash: 577a98effe66048d1b02d2ce2304ffee9433b0bc14e646f7048145a1ac209acc
Instruction Fuzzy Hash: A151E7B6908AC191E734CB01E4403EAB3E5FB89384F505135EA8D83AA9EFBCD164CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE273C435 Relevance: 19.6, APIs: 6, Strings: 5, Instructions: 307COMMON

Download Yara Rule

APIs

_invalid_parameter.LIBCMTD ref: 00007FFFE273BB09
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE273BB1E
DecodePointer.KERNEL32 ref: 00007FFFE273C5C6
DecodePointer.KERNEL32 ref: 00007FFFE273C63A
DecodePointer.KERNEL32 ref: 00007FFFE273C685
wctomb_s.LIBCMTD ref: 00007FFFE273CBB1

Strings

("Incorrect format specifier", 0), xrefs: 00007FFFE273BAA2, 00007FFFE273BB02
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c, xrefs: 00007FFFE273BAB7, 00007FFFE273BAF4
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c, xrefs: 00007FFFE273C4CE
_output_s_l, xrefs: 00007FFFE273BAFB
-, xrefs: 00007FFFE273CA54

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: DecodePointer$Locale$UpdateUpdate::~__invalid_parameterwctomb_s
String ID: ("Incorrect format specifier", 0)$-$_output_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c
API String ID: 83251219-3442986447
Opcode ID: 001a85c562113ca4b869716a344f10cda0261345211a969ed6127680fca34cae
Instruction ID: 029c0bedf818020992518c21e16497178cb20cd4fccc6293550d630b6a23763d
Opcode Fuzzy Hash: 001a85c562113ca4b869716a344f10cda0261345211a969ed6127680fca34cae
Instruction Fuzzy Hash: 12F1E67290CBC68AE7718B15E4943AAB7E4E786744F10013AE68DC6A99EFBCD550CF01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE27407C0 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 141COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter.LIBCMTD ref: 00007FFFE2740880

Strings

("Invalid file descriptor. File possibly closed by a different thread",0), xrefs: 00007FFFE27409E0
(_osfile(filedes) & FOPEN), xrefs: 00007FFFE27408DE, 00007FFFE274093B
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\commit.c, xrefs: 00007FFFE2740831, 00007FFFE274086B, 00007FFFE27408F3, 00007FFFE274092D, 00007FFFE27409F5
(filedes >= 0 && (unsigned)filedes < (unsigned)_nhandle), xrefs: 00007FFFE274081C, 00007FFFE2740879
_commit, xrefs: 00007FFFE2740872, 00007FFFE2740934

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: _invalid_parameter
String ID: ("Invalid file descriptor. File possibly closed by a different thread",0)$(_osfile(filedes) & FOPEN)$(filedes >= 0 && (unsigned)filedes < (unsigned)_nhandle)$_commit$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\commit.c
API String ID: 2123368286-2816485415
Opcode ID: a9ecfc86665cfe11dfc030c63538da66c5eec56c542ce672bdc8af4c2c9759d0
Instruction ID: 30f33baf0db836593d01848ad2bd941c3a34e8c3ced8aea9c8a8206d6e5e9641
Opcode Fuzzy Hash: a9ecfc86665cfe11dfc030c63538da66c5eec56c542ce672bdc8af4c2c9759d0
Instruction Fuzzy Hash: 12616172E1C64A86E7149B20E44177A77E1FB82354F405236E55EC6AD5EFFCE860CB02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2740A20 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 135COMMON

Download Yara Rule

APIs

__doserrno.LIBCMTD ref: 00007FFFE2740A33
__doserrno.LIBCMTD ref: 00007FFFE2740ABC
_invalid_parameter.LIBCMTD ref: 00007FFFE2740AF6

Strings

_close, xrefs: 00007FFFE2740AE8, 00007FFFE2740BB5
("Invalid file descriptor. File possibly closed by a different thread",0), xrefs: 00007FFFE2740C32
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\close.c, xrefs: 00007FFFE2740A9C, 00007FFFE2740AE1, 00007FFFE2740B69, 00007FFFE2740BAE, 00007FFFE2740C47
(_osfile(fh) & FOPEN), xrefs: 00007FFFE2740B54, 00007FFFE2740BBC
(fh >= 0 && (unsigned)fh < (unsigned)_nhandle), xrefs: 00007FFFE2740A87, 00007FFFE2740AEF

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: __doserrno$_invalid_parameter
String ID: ("Invalid file descriptor. File possibly closed by a different thread",0)$(_osfile(fh) & FOPEN)$(fh >= 0 && (unsigned)fh < (unsigned)_nhandle)$_close$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\close.c
API String ID: 747159061-2992490823
Opcode ID: 145745de55703435efe457d343042b6d2b79a4b89ecca71574c94757b3ea27c1
Instruction ID: 6bb085eda453cf35b62a7c25bdc97c7cbfe2ce6fa4e3b8b751af1ca0f69fe7b5
Opcode Fuzzy Hash: 145745de55703435efe457d343042b6d2b79a4b89ecca71574c94757b3ea27c1
Instruction Fuzzy Hash: 8B516E72E18646C6E7209B24E88076A77E1FB82354F505235E15DC76D5EFFCE920CB02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2727640 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 290COMMON

Download Yara Rule

APIs

GetStartupInfoW.KERNEL32 ref: 00007FFFE272764C
_calloc_dbg.LIBCMTD ref: 00007FFFE2727671

Part of subcall function 00007FFFE2724980: _calloc_dbg_impl.LIBCMTD ref: 00007FFFE27249C6

_calloc_dbg.LIBCMTD ref: 00007FFFE2727858

Strings

f:\dd\vctools\crt_bld\self_64_amd64\crt\src\ioinit.c, xrefs: 00007FFFE272765A, 00007FFFE2727841

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: _calloc_dbg$InfoStartup_calloc_dbg_impl
String ID: f:\dd\vctools\crt_bld\self_64_amd64\crt\src\ioinit.c
API String ID: 1930727954-3864165772
Opcode ID: 53ed6c7dc9c3017b6de27dce3b9aec11c1bcaebc47f482f4e33ed4626b187432
Instruction ID: d6e809d0e17665c93a1afa646f4531d29c58fdb4308dd3ae8e513038fc5272e7
Opcode Fuzzy Hash: 53ed6c7dc9c3017b6de27dce3b9aec11c1bcaebc47f482f4e33ed4626b187432
Instruction Fuzzy Hash: 9BF10D72A09BC5C5E7708B19E88076AB7A0F7C6764F104225CA9D877E4EF7CD455CB02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE273E2FC Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 231COMMON

Download Yara Rule

APIs

get_int64_arg.LIBCMTD ref: 00007FFFE273E304
_get_printf_count_output.LIBCMTD ref: 00007FFFE273E311
_invalid_parameter.LIBCMTD ref: 00007FFFE273E3BB
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE273E3D0

Strings

("Incorrect format specifier", 0), xrefs: 00007FFFE273DB7D, 00007FFFE273DBDD
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c, xrefs: 00007FFFE273DB92, 00007FFFE273DBCF, 00007FFFE273E369, 00007FFFE273E3A6
("'n' format specifier disabled", 0), xrefs: 00007FFFE273E354, 00007FFFE273E3B4
_woutput_s_l, xrefs: 00007FFFE273DBD6, 00007FFFE273E3AD

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: Locale$UpdateUpdate::~__get_printf_count_output_invalid_parameterget_int64_arg
String ID: ("'n' format specifier disabled", 0)$("Incorrect format specifier", 0)$_woutput_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c
API String ID: 1328470723-1899493600
Opcode ID: f6969a0051e08e9fb172d17dbb699df528c09bf6843d3bd9f9f4304ac6550dc4
Instruction ID: e3ee7b33881b7c335adfb327cd67160009900e2a37d4eada25f060ff08f5c6cf
Opcode Fuzzy Hash: f6969a0051e08e9fb172d17dbb699df528c09bf6843d3bd9f9f4304ac6550dc4
Instruction Fuzzy Hash: 4CC1FB72D0CA8686E7709B15E8817ABB7E0FB95385F400135E689C7A99EFBCE450CF05

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE272EFB0 Relevance: 16.7, APIs: 11, Instructions: 200memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FFFE272F094
malloc.LIBCMTD ref: 00007FFFE272F0E7
_MarkAllocaS.LIBCMTD ref: 00007FFFE272F0F4
MultiByteToWideChar.KERNEL32 ref: 00007FFFE272F150
LCMapStringW.KERNEL32 ref: 00007FFFE272F18D

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: ByteCharMultiWide$AllocaMarkStringmalloc
String ID:
API String ID: 2352934578-0
Opcode ID: c62487d166d7dca86c557c7a35fedf321effa742b468bc4a62d127ec3f3969a5
Instruction ID: 4dd7afd436d10478c3fd56f78bca270fc76a2bf2966e3339c4b07c0073d7dc38
Opcode Fuzzy Hash: c62487d166d7dca86c557c7a35fedf321effa742b468bc4a62d127ec3f3969a5
Instruction Fuzzy Hash: 44B1C476A0C7818AE7608B55E44476FB7E0FBCA754F104135EA8983B98EBBCE454CF42

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2733380 Relevance: 16.1, APIs: 3, Strings: 6, Instructions: 330COMMON

Download Yara Rule

APIs

_invalid_parameter.LIBCMTD ref: 00007FFFE273345E
_invalid_parameter.LIBCMTD ref: 00007FFFE273362A

Strings

Buffer is too small, xrefs: 00007FFFE27336D6, 00007FFFE273384B
wcsncpy_s, xrefs: 00007FFFE2733450, 00007FFFE273361C, 00007FFFE27338D4
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\tcsncpy_s.inl, xrefs: 00007FFFE273340F, 00007FFFE2733449, 00007FFFE27335DB, 00007FFFE2733615, 00007FFFE27336EB, 00007FFFE2733893, 00007FFFE27338CD
(((_Src))) != NULL, xrefs: 00007FFFE27335C6, 00007FFFE2733623
((_Dst)) != NULL && ((_SizeInWords)) > 0, xrefs: 00007FFFE27333FA, 00007FFFE2733457
(L"Buffer is too small" && 0), xrefs: 00007FFFE273387E, 00007FFFE27338DB

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: _invalid_parameter
String ID: (((_Src))) != NULL$((_Dst)) != NULL && ((_SizeInWords)) > 0$(L"Buffer is too small" && 0)$Buffer is too small$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\tcsncpy_s.inl$wcsncpy_s
API String ID: 2123368286-322314505
Opcode ID: 3bb9d1a90c7c3446087a29b367bd8117c888f0c96a3fbe465b5df790d7333f4b
Instruction ID: a955fe58bc538bce3e591dca1fb5bb2cfd949093a49756a8c7dca5467b2982f0
Opcode Fuzzy Hash: 3bb9d1a90c7c3446087a29b367bd8117c888f0c96a3fbe465b5df790d7333f4b
Instruction Fuzzy Hash: C3024F32E0CB8585EB708B24E48537A63E0FB86B54F104535DA9DC2BD5EFBCD4A48B42

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE273E424 Relevance: 16.1, APIs: 5, Strings: 4, Instructions: 307COMMON

Download Yara Rule

APIs

_invalid_parameter.LIBCMTD ref: 00007FFFE273DBE4
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE273DBF9
DecodePointer.KERNEL32 ref: 00007FFFE273E5B6
DecodePointer.KERNEL32 ref: 00007FFFE273E62A
DecodePointer.KERNEL32 ref: 00007FFFE273E675

Strings

("Incorrect format specifier", 0), xrefs: 00007FFFE273DB7D, 00007FFFE273DBDD
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c, xrefs: 00007FFFE273DB92, 00007FFFE273DBCF
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c, xrefs: 00007FFFE273E4BE
_woutput_s_l, xrefs: 00007FFFE273DBD6

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: DecodePointer$Locale$UpdateUpdate::~__invalid_parameter
String ID: ("Incorrect format specifier", 0)$_woutput_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c
API String ID: 1139040907-3988320827
Opcode ID: 4175f3561072ab378176a1e1f92056bf5caba3e85f41217d234b1a14ff64e00d
Instruction ID: 6bd43d9f3628e85f9e8351d0a598165e4d12083ca9267c219a553d99e0260e8c
Opcode Fuzzy Hash: 4175f3561072ab378176a1e1f92056bf5caba3e85f41217d234b1a14ff64e00d
Instruction Fuzzy Hash: A7F1DA7290DA858AE7608B15E8803ABB7E0FBD6795F100135E68DC7A99EFBCD450CF05

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2731640 Relevance: 16.0, APIs: 3, Strings: 6, Instructions: 233COMMON

Download Yara Rule

APIs

_invalid_parameter.LIBCMTD ref: 00007FFFE27316F1
_invalid_parameter.LIBCMTD ref: 00007FFFE2731823
_invalid_parameter.LIBCMTD ref: 00007FFFE27319CB

Strings

wcscpy_s, xrefs: 00007FFFE27316E3, 00007FFFE2731815, 00007FFFE27319BD
Buffer is too small, xrefs: 00007FFFE2731934
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\tcscpy_s.inl, xrefs: 00007FFFE27316A2, 00007FFFE27316DC, 00007FFFE27317D4, 00007FFFE273180E, 00007FFFE273197C, 00007FFFE27319B6
(((_Src))) != NULL, xrefs: 00007FFFE27317BF, 00007FFFE273181C
((_Dst)) != NULL && ((_SizeInWords)) > 0, xrefs: 00007FFFE273168D, 00007FFFE27316EA
(L"Buffer is too small" && 0), xrefs: 00007FFFE2731967, 00007FFFE27319C4

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: _invalid_parameter
String ID: (((_Src))) != NULL$((_Dst)) != NULL && ((_SizeInWords)) > 0$(L"Buffer is too small" && 0)$Buffer is too small$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\tcscpy_s.inl$wcscpy_s
API String ID: 2123368286-3300880850
Opcode ID: 938211b99713ed548de0de10d16fbf2c247e5ceda09f99a66501889bb82a488d
Instruction ID: 638ab53533eadf826c6180ba4c1280b6f672f28214088c6cff4d5f857a46e304
Opcode Fuzzy Hash: 938211b99713ed548de0de10d16fbf2c247e5ceda09f99a66501889bb82a488d
Instruction Fuzzy Hash: 21C14B32E1CB86C5EB608B25E4843AA67E0FB86794F544135D69D83B95EFBCD0648B02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE272D490 Relevance: 16.0, APIs: 3, Strings: 6, Instructions: 228COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter.LIBCMTD ref: 00007FFFE272D541
_invalid_parameter.LIBCMTD ref: 00007FFFE272D66D
_invalid_parameter.LIBCMTD ref: 00007FFFE272D80C

Strings

Buffer is too small, xrefs: 00007FFFE272D775
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\tcscpy_s.inl, xrefs: 00007FFFE272D4F2, 00007FFFE272D52C, 00007FFFE272D61E, 00007FFFE272D658, 00007FFFE272D7BD, 00007FFFE272D7F7
(((_Src))) != NULL, xrefs: 00007FFFE272D609, 00007FFFE272D666
strcpy_s, xrefs: 00007FFFE272D533, 00007FFFE272D65F, 00007FFFE272D7FE
(L"Buffer is too small" && 0), xrefs: 00007FFFE272D7A8, 00007FFFE272D805
((_Dst)) != NULL && ((_SizeInBytes)) > 0, xrefs: 00007FFFE272D4DD, 00007FFFE272D53A

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: _invalid_parameter
String ID: (((_Src))) != NULL$((_Dst)) != NULL && ((_SizeInBytes)) > 0$(L"Buffer is too small" && 0)$Buffer is too small$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\tcscpy_s.inl$strcpy_s
API String ID: 2123368286-3045918802
Opcode ID: ee01400f27967885302bbfc3418a092fc70a607ac75d61aa13826b291406155b
Instruction ID: 64564057947479379630f6799f2795497aad04e28836eb49545040cbfb42414d
Opcode Fuzzy Hash: ee01400f27967885302bbfc3418a092fc70a607ac75d61aa13826b291406155b
Instruction Fuzzy Hash: A2C16C72D0CB8685EB708B25E8443AA67E0F7C6794F504135D69D83BA5EFBCE464CB02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE273F000 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 164
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 15%

			E00007FFF7FFFE273F000(long long __rcx, signed char* __rdx, long long __r8, long long __r9, long long _a8, signed char* _a16, long long _a24, long long _a32) {
				intOrPtr _v24;
				long long _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				char _v88;
				intOrPtr _v96;
				long long _v104;
				void* _t80;
				void* _t81;
				void* _t89;
				void* _t92;
				intOrPtr _t102;
				intOrPtr* _t136;
				intOrPtr* _t137;
				intOrPtr* _t139;
				signed char* _t141;
				intOrPtr* _t142;
				intOrPtr* _t143;
				intOrPtr* _t144;
				intOrPtr* _t148;
				intOrPtr* _t149;

				_a32 = __r9;
				_a24 = __r8;
				_a16 = __rdx;
				_a8 = __rcx;
				if (_a16 == 0) goto 0xe273f031;
				if (_a24 != 0) goto 0xe273f038;
				goto 0xe273f31a;
				_t136 = _a16;
				if ( *_t136 != 0) goto 0xe273f066;
				if (_a8 == 0) goto 0xe273f05f;
				 *_a8 = 0;
				goto 0xe273f31a;
				0xe27266b0();
				_t80 = E00007FFF7FFFE2726840(0,  &_v88);
				_t137 =  *_t136;
				if ( *((intOrPtr*)(_t137 + 0x10c)) == 1) goto 0xe273f0d2;
				_t81 = E00007FFF7FFFE2726840(_t80,  &_v88);
				if ( *((intOrPtr*)( *_t137 + 0x10c)) == 2) goto 0xe273f0d2;
				_t139 = L"_loc_update.GetLocaleT()->locinfo->mb_cur_max == 1 || _loc_update.GetLocaleT()->locinfo->mb_cur_max == 2";
				_v104 = _t139;
				r9d = 0;
				r8d = 0x47;
				0xe272b3b0();
				if (_t81 != 1) goto 0xe273f0d2;
				asm("int3");
				E00007FFF7FFFE2726840(0,  &_v88);
				if ( *((intOrPtr*)( *_t139 + 0x14)) != 0) goto 0xe273f121;
				if (_a8 == 0) goto 0xe273f106;
				_t141 = _a16;
				 *_a8 =  *_t141 & 0x000000ff;
				_v56 = 1;
				E00007FFF7FFFE2726800( &_v88);
				goto 0xe273f31a;
				E00007FFF7FFFE2726840(_v56,  &_v88);
				if (E00007FFF7FFFE2732B90( *_a16 & 0x000000ff, _t141, _t141) == 0) goto 0xe273f276;
				_t89 = E00007FFF7FFFE2726840(_t88,  &_v88);
				_t142 =  *_t141;
				if ( *((intOrPtr*)(_t142 + 0x10c)) - 1 <= 0) goto 0xe273f1f3;
				E00007FFF7FFFE2726840(_t89,  &_v88);
				_t143 =  *_t142;
				if (_a24 -  *((intOrPtr*)(_t143 + 0x10c)) < 0) goto 0xe273f1f3;
				if (_a8 == 0) goto 0xe273f191;
				_v36 = 1;
				goto 0xe273f199;
				_v36 = 0;
				_t92 = E00007FFF7FFFE2726840( *((intOrPtr*)(_t143 + 0x10c)),  &_v88);
				_t144 =  *_t143;
				_v32 = _t144;
				E00007FFF7FFFE2726840(_t92,  &_v88);
				_v96 = _v36;
				_v104 = _a8;
				r9d =  *((intOrPtr*)(_v32 + 0x10c));
				if (MultiByteToWideChar(??, ??, ??, ??, ??, ??) != 0) goto 0xe273f247;
				E00007FFF7FFFE2726840(_t94,  &_v88);
				if (_a24 -  *((intOrPtr*)( *((intOrPtr*)( *_t144)) + 0x10c)) < 0) goto 0xe273f221;
				_t148 = _a16;
				if ( *((char*)(_t148 + 1)) != 0) goto 0xe273f247;
				0xe272ab30();
				 *_t148 = 0x2a;
				_v52 = 0xffffffff;
				E00007FFF7FFFE2726800( &_v88);
				goto 0xe273f31a;
				E00007FFF7FFFE2726840(_v52,  &_v88);
				_t149 =  *_t148;
				_v48 =  *((intOrPtr*)(_t149 + 0x10c));
				E00007FFF7FFFE2726800( &_v88);
				_t102 = _v48;
				goto 0xe273f310;
				if (_a8 == 0) goto 0xe273f28b;
				_v24 = 1;
				goto 0xe273f293;
				_v24 = 0;
				E00007FFF7FFFE2726840(_t102,  &_v88);
				_v96 = _v24;
				_v104 = _a8;
				r9d = 1;
				if (MultiByteToWideChar(??, ??, ??, ??, ??, ??) != 0) goto 0xe273f2f8;
				0xe272ab30();
				 *((intOrPtr*)( *_t149)) = 0x2a;
				_v44 = 0xffffffff;
				E00007FFF7FFFE2726800( &_v88);
				goto 0xe273f31a;
				_v40 = 1;
				E00007FFF7FFFE2726800( &_v88);
				goto 0xe273f31a;
				return E00007FFF7FFFE2726800( &_v88);
			}

0x7fffe273f000
0x7fffe273f005
0x7fffe273f00a
0x7fffe273f00f
0x7fffe273f024
0x7fffe273f02f
0x7fffe273f033
0x7fffe273f038
0x7fffe273f045
0x7fffe273f050
0x7fffe273f05c
0x7fffe273f061
0x7fffe273f073
0x7fffe273f07d
0x7fffe273f082
0x7fffe273f08c
0x7fffe273f093
0x7fffe273f0a2
0x7fffe273f0a4
0x7fffe273f0ab
0x7fffe273f0b0
0x7fffe273f0b3
0x7fffe273f0c5
0x7fffe273f0cd
0x7fffe273f0cf
0x7fffe273f0d7
0x7fffe273f0e3
0x7fffe273f0ee
0x7fffe273f0f0
0x7fffe273f103
0x7fffe273f106
0x7fffe273f113
0x7fffe273f11c
0x7fffe273f126
0x7fffe273f140
0x7fffe273f14b
0x7fffe273f150
0x7fffe273f15a
0x7fffe273f165
0x7fffe273f16a
0x7fffe273f17a
0x7fffe273f185
0x7fffe273f187
0x7fffe273f18f
0x7fffe273f191
0x7fffe273f19e
0x7fffe273f1a3
0x7fffe273f1a6
0x7fffe273f1b0
0x7fffe273f1bc
0x7fffe273f1c8
0x7fffe273f1d2
0x7fffe273f1f1
0x7fffe273f1f8
0x7fffe273f20f
0x7fffe273f211
0x7fffe273f21f
0x7fffe273f221
0x7fffe273f226
0x7fffe273f22c
0x7fffe273f239
0x7fffe273f242
0x7fffe273f24c
0x7fffe273f251
0x7fffe273f25a
0x7fffe273f263
0x7fffe273f268
0x7fffe273f271
0x7fffe273f27f
0x7fffe273f281
0x7fffe273f289
0x7fffe273f28b
0x7fffe273f298
0x7fffe273f2a4
0x7fffe273f2b0
0x7fffe273f2b5
0x7fffe273f2d3
0x7fffe273f2d5
0x7fffe273f2da
0x7fffe273f2e0
0x7fffe273f2ed
0x7fffe273f2f6
0x7fffe273f2f8
0x7fffe273f305
0x7fffe273f30e
0x7fffe273f321

APIs

_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE273F113
MultiByteToWideChar.KERNEL32 ref: 00007FFFE273F1E9
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE273F239
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE273F263

Strings

_loc_update.GetLocaleT()->locinfo->mb_cur_max == 1 || _loc_update.GetLocaleT()->locinfo->mb_cur_max == 2, xrefs: 00007FFFE273F0A4
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\mbtowc.c, xrefs: 00007FFFE273F0B9

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: Locale$UpdateUpdate::~_$ByteCharMultiWide
String ID: _loc_update.GetLocaleT()->locinfo->mb_cur_max == 1 || _loc_update.GetLocaleT()->locinfo->mb_cur_max == 2$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\mbtowc.c
API String ID: 3162172745-1617866167
Opcode ID: 1f8ba6bd668c859fdc1c929c81f91c7de023d0dcacf149bd6155c41000b32a69
Instruction ID: eb86b3fb0fa29eae916b9ab6e6b0251487206b7cb81828f5c07b66cc8e9f437f
Opcode Fuzzy Hash: 1f8ba6bd668c859fdc1c929c81f91c7de023d0dcacf149bd6155c41000b32a69
Instruction Fuzzy Hash: 2891EA72E1CA8186E760EB14E4917AAB7E0FBD2784F404136E68D83695EFBCD454CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2726BF0 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

_swprintf_p.LIBCMTD ref: 00007FFFE2726DC2
_invoke_watson_if_oneof.LIBCMTD ref: 00007FFFE2726E0D

Part of subcall function 00007FFFE272C170: _LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE272C20A

_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE2726E74

Strings

%.2X , xrefs: 00007FFFE2726DAD
Data: <%s> %s, xrefs: 00007FFFE2726E49
, xrefs: 00007FFFE2726D3E
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\dbgheap.c, xrefs: 00007FFFE2726DE1
(*_errno()), xrefs: 00007FFFE2726DF9
_printMemBlockData, xrefs: 00007FFFE2726DED

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: Locale$UpdateUpdate::~_$_invoke_watson_if_oneof_swprintf_p
String ID: $ Data: <%s> %s$%.2X $(*_errno())$_printMemBlockData$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\dbgheap.c
API String ID: 792801276-1329727594
Opcode ID: 3bedb609291a4b858326ef236c1a71752733cc22d3f81b148e8b3570f3bc9f75
Instruction ID: abd5a47bbbb15997842a13137b033af73c217a27d1c7b8ab75dc96c566973963
Opcode Fuzzy Hash: 3bedb609291a4b858326ef236c1a71752733cc22d3f81b148e8b3570f3bc9f75
Instruction Fuzzy Hash: D06126B2E0D6C186E7349B11E4913AAB7A0FBC6740F50413ADA8D87B89EFBCD454CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE273F900 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 105COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMTD ref: 00007FFFE273F913
__doserrno.LIBCMTD ref: 00007FFFE273F99E
_invalid_parameter.LIBCMTD ref: 00007FFFE273F9D8

Strings

_get_osfhandle, xrefs: 00007FFFE273F9CA, 00007FFFE273FA99
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\osfinfo.c, xrefs: 00007FFFE273F97E, 00007FFFE273F9C3, 00007FFFE273FA4D, 00007FFFE273FA92
(_osfile(fh) & FOPEN), xrefs: 00007FFFE273FA38, 00007FFFE273FAA0
(fh >= 0 && (unsigned)fh < (unsigned)_nhandle), xrefs: 00007FFFE273F969, 00007FFFE273F9D1

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: __doserrno$_invalid_parameter
String ID: (_osfile(fh) & FOPEN)$(fh >= 0 && (unsigned)fh < (unsigned)_nhandle)$_get_osfhandle$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\osfinfo.c
API String ID: 747159061-3177431134
Opcode ID: a294e87af6799fd5b40bd152d4ba1c080b88c0b0971c2ee76bd3c9e1fffa8bcc
Instruction ID: cd32c9d4021f0e3860518584dafaf3b7bbebca56b01042bb329975a2725abaa7
Opcode Fuzzy Hash: a294e87af6799fd5b40bd152d4ba1c080b88c0b0971c2ee76bd3c9e1fffa8bcc
Instruction Fuzzy Hash: C2517172D1864A86E710AB10E88136977E1FB827A4F405335E56D877E5EFFCD520CB02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE272BA60 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 78memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter.LIBCMTD ref: 00007FFFE272BAFB
HeapSize.KERNEL32 ref: 00007FFFE272BB40
HeapReAlloc.KERNEL32 ref: 00007FFFE272BB61
_is_LFH_enabled.LIBCMTD ref: 00007FFFE272BB8B

Strings

_expand_base, xrefs: 00007FFFE272BAED
pBlock != NULL, xrefs: 00007FFFE272BA97, 00007FFFE272BAF4
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\expand.c, xrefs: 00007FFFE272BAAC, 00007FFFE272BAE6

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: Heap$AllocH_enabledSize_invalid_parameter_is_
String ID: _expand_base$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\expand.c$pBlock != NULL
API String ID: 1608253119-1427866139
Opcode ID: b3a6b944d23a3465c4e6046a1e88bc32cc41bb9fe3a320684877be901aeb32e4
Instruction ID: 4e817b8a535bd8bab9b06caab6d417b3a9dde677ec5e8ba7ddb29b2164db7987
Opcode Fuzzy Hash: b3a6b944d23a3465c4e6046a1e88bc32cc41bb9fe3a320684877be901aeb32e4
Instruction Fuzzy Hash: FB416CB2D1CB4686E7109B10F45436A7BE5FBC6740F501135E68E83A98EFBCE4A4CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE27386B0 Relevance: 14.3, APIs: 3, Strings: 5, Instructions: 282COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter.LIBCMTD ref: 00007FFFE273876B
_invalid_parameter.LIBCMTD ref: 00007FFFE273883D
_invalid_parameter.LIBCMTD ref: 00007FFFE2738B4C

Strings

f:\dd\vctools\crt_bld\self_64_amd64\crt\src\vswprint.c, xrefs: 00007FFFE273871C, 00007FFFE2738756, 00007FFFE27387EE, 00007FFFE2738828, 00007FFFE2738AFD, 00007FFFE2738B37
("Buffer too small", 0), xrefs: 00007FFFE2738AE8, 00007FFFE2738B45
string != NULL && sizeInWords > 0, xrefs: 00007FFFE27387D9, 00007FFFE2738836
format != NULL, xrefs: 00007FFFE2738707, 00007FFFE2738764
_vsnwprintf_s_l, xrefs: 00007FFFE273875D, 00007FFFE273882F, 00007FFFE2738B3E

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: _invalid_parameter
String ID: ("Buffer too small", 0)$_vsnwprintf_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\vswprint.c$format != NULL$string != NULL && sizeInWords > 0
API String ID: 2123368286-2958264153
Opcode ID: ced4706838129b7b95ee409a728acbeff35cdf169ec97d38e23daf610fb20cc8
Instruction ID: 5bbcfcb9b0297276b68f69d9a5cdefd5329b028647f606bf459eda8e3093020a
Opcode Fuzzy Hash: ced4706838129b7b95ee409a728acbeff35cdf169ec97d38e23daf610fb20cc8
Instruction Fuzzy Hash: F6E11D72D1D68A85E6608B24E48436E73E0FB86764F104235E69D83BD5EFBCD465CB02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE273C1A3 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 251COMMON

Download Yara Rule

APIs

get_int64_arg.LIBCMTD ref: 00007FFFE273C1F1

Strings

("Incorrect format specifier", 0), xrefs: 00007FFFE273BAA2, 00007FFFE273BB02
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c, xrefs: 00007FFFE273BAB7, 00007FFFE273BAF4
_output_s_l, xrefs: 00007FFFE273BAFB
-, xrefs: 00007FFFE273CA54

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: get_int64_arg
String ID: ("Incorrect format specifier", 0)$-$_output_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c
API String ID: 1967237116-569934968
Opcode ID: a4b0ff099cb4cab39938a39410f3255722065ce2ff61adb6fbb12e1a083add00
Instruction ID: 12f8bf8aa4e5c449885c9c7263de9e2159a5d830bdbe9a3f6ae5a6d6be8a25c0
Opcode Fuzzy Hash: a4b0ff099cb4cab39938a39410f3255722065ce2ff61adb6fbb12e1a083add00
Instruction Fuzzy Hash: 08D1087290CBC68BE7718B15E4903AAB7E4F786754F100139E689C6A99EFBCE550CF01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE273BFDE Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 212
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00007FFF7FFFE273BFDE(char _a696, char _a976) {

				_a976 = _a696;
				_a976 = _a976 - 0x41;
				if (_a976 - 0x37 > 0) goto 0xe273ca31;
				goto __rax;
			}

0x7fffe273bfe6
0x7fffe273bff7
0x7fffe273c006
0x7fffe273c02d

APIs

wctomb_s.LIBCMTD ref: 00007FFFE273CBB1

Strings

("Incorrect format specifier", 0), xrefs: 00007FFFE273BAA2, 00007FFFE273BB02
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c, xrefs: 00007FFFE273BAB7, 00007FFFE273BAF4
7, xrefs: 00007FFFE273BFFE
, xrefs: 00007FFFE273CA88
_output_s_l, xrefs: 00007FFFE273BAFB

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: wctomb_s
String ID: $("Incorrect format specifier", 0)$7$_output_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c
API String ID: 2215178078-1895985292
Opcode ID: cbe9265cfe95002cd01c633456f4143dcea286b255341fa392fef384a43988b7
Instruction ID: 0ef6a88645f417ced79a3feda15fb464f7c8353cd896ef5c1d211350136955a4
Opcode Fuzzy Hash: cbe9265cfe95002cd01c633456f4143dcea286b255341fa392fef384a43988b7
Instruction Fuzzy Hash: 87B12A7290C7C68AE771CB14E4853AAB7E4F786744F40013AE689C6A99EFBCE550CF05

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2732260 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 185COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter.LIBCMTD ref: 00007FFFE2732310
_invalid_parameter.LIBCMTD ref: 00007FFFE27323B4
_invalid_parameter.LIBCMTD ref: 00007FFFE2732505

Strings

("Buffer too small", 0), xrefs: 00007FFFE27324A1, 00007FFFE27324FE
string != NULL && sizeInBytes > 0, xrefs: 00007FFFE2732350, 00007FFFE27323AD
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\vsprintf.c, xrefs: 00007FFFE27322C1, 00007FFFE27322FB, 00007FFFE2732365, 00007FFFE273239F, 00007FFFE27324B6, 00007FFFE27324F0
_vsprintf_s_l, xrefs: 00007FFFE2732302, 00007FFFE27323A6, 00007FFFE27324F7
format != NULL, xrefs: 00007FFFE27322AC, 00007FFFE2732309

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: _invalid_parameter
String ID: ("Buffer too small", 0)$_vsprintf_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\vsprintf.c$format != NULL$string != NULL && sizeInBytes > 0
API String ID: 2123368286-348877268
Opcode ID: 2cfb79548520c5644ac56b859ec2257f97161b74a067da09cc3df7a1a7a1eb8b
Instruction ID: d00d9d4f73b971464d58c1e13e7c651da98e7050de23515602251143de6dfc80
Opcode Fuzzy Hash: 2cfb79548520c5644ac56b859ec2257f97161b74a067da09cc3df7a1a7a1eb8b
Instruction Fuzzy Hash: AD916372D0C64286E7608B14E49436A77E0FB86354F501635E69DC3BE8EFBCD864CB02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE273BB66 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFFE2732B90: _LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE2732BD7

_invalid_parameter.LIBCMTD ref: 00007FFFE273BB09
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE273BB1E
_invalid_parameter.LIBCMTD ref: 00007FFFE273BC75
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE273BC8A

Strings

("Incorrect format specifier", 0), xrefs: 00007FFFE273BAA2, 00007FFFE273BB02
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c, xrefs: 00007FFFE273BAB7, 00007FFFE273BAF4, 00007FFFE273BC23, 00007FFFE273BC60
_output_s_l, xrefs: 00007FFFE273BAFB, 00007FFFE273BC67
(ch != _T('\0')), xrefs: 00007FFFE273BC0E, 00007FFFE273BC6E

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: Locale$UpdateUpdate::~_$_invalid_parameter
String ID: ("Incorrect format specifier", 0)$(ch != _T('\0'))$_output_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c
API String ID: 2192614184-4087627024
Opcode ID: 129faf18f11d0aee11f016f36c84ee6a14c26cc1d7ed9976eab63fbc1969d985
Instruction ID: 0aaa868294b7defc4b9e7e5266e30a121a2e4844c406e6d979b77969159e7b4f
Opcode Fuzzy Hash: 129faf18f11d0aee11f016f36c84ee6a14c26cc1d7ed9976eab63fbc1969d985
Instruction Fuzzy Hash: F5713E62D0C6C685E7B09B20E4943BE7BE4EB86344F401136D68DC6699EFBCD555CF02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2730FD0 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 124COMMON

Download Yara Rule

APIs

_invalid_parameter.LIBCMTD ref: 00007FFFE2731084

Strings

src != NULL, xrefs: 00007FFFE27310E5, 00007FFFE2731142
sizeInBytes >= count, xrefs: 00007FFFE2731185, 00007FFFE27311E2
memcpy_s, xrefs: 00007FFFE2731076, 00007FFFE273113B, 00007FFFE27311DB
dst != NULL, xrefs: 00007FFFE2731020, 00007FFFE273107D
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\memcpy_s.c, xrefs: 00007FFFE2731035, 00007FFFE273106F, 00007FFFE27310FA, 00007FFFE2731134, 00007FFFE273119A, 00007FFFE27311D4

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: _invalid_parameter
String ID: dst != NULL$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\memcpy_s.c$memcpy_s$sizeInBytes >= count$src != NULL
API String ID: 2123368286-3692278645
Opcode ID: 55675c40df69ab8a15ad1ce5aa383a74447e024eaeb1f72783c964e483dda9b8
Instruction ID: 5b1f9856db65b562bf7360df7a388092fe207416b6a64f0c16c5bd00641f8e5d
Opcode Fuzzy Hash: 55675c40df69ab8a15ad1ce5aa383a74447e024eaeb1f72783c964e483dda9b8
Instruction Fuzzy Hash: DC510A72D1C686C6E7209B10E4843AA77E1FB86344F501135E68D86A98EFFDE564CB02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE272BC30 Relevance: 13.6, APIs: 9, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc_base.LIBCMTD ref: 00007FFFE272BC55
_free_base.LIBCMTD ref: 00007FFFE272BC6C

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: _free_base_malloc_base
String ID:
API String ID: 3824334587-0
Opcode ID: f253414e3849525c296ec210365ea501a1b810d2bb56cf35f247e52024ae0b7b
Instruction ID: 5e0389aacecd739b3fab3a99bb4cbcda37e7b949ab82a0bcee6c814ffe136a95
Opcode Fuzzy Hash: f253414e3849525c296ec210365ea501a1b810d2bb56cf35f247e52024ae0b7b
Instruction Fuzzy Hash: 0B3141B3D1C64281E7209B61E40437EA7E5FBC6354F002535E59EC6695EFFCE4A18B02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE27263E0 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 143COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter.LIBCMTD ref: 00007FFFE2726476

Strings

_CrtMemCheckpoint, xrefs: 00007FFFE2726468
Bad memory block found at 0x%p.Memory allocated at %hs(%d)., xrefs: 00007FFFE27265D4
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\dbgheap.c, xrefs: 00007FFFE2726427, 00007FFFE2726461
Bad memory block found at 0x%p., xrefs: 00007FFFE2726603
state != NULL, xrefs: 00007FFFE2726412, 00007FFFE272646F

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: _invalid_parameter
String ID: Bad memory block found at 0x%p.$Bad memory block found at 0x%p.Memory allocated at %hs(%d).$_CrtMemCheckpoint$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\dbgheap.c$state != NULL
API String ID: 2123368286-817335350
Opcode ID: 3b86e21d312907f031a9c3af8c0eef3d8af61768b64ebe8bc9406c081913c3b7
Instruction ID: 914825fecb202122fe689323881d7f76004ce3d1dd1c8c4fba7d9b80aa1f1b35
Opcode Fuzzy Hash: 3b86e21d312907f031a9c3af8c0eef3d8af61768b64ebe8bc9406c081913c3b7
Instruction Fuzzy Hash: 6C61DB76A1CB4586EB10CB19E49132A77A0FBC6794F204136EB8D83BA8DF7DD461CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE272CFF0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 138
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00007FFF7FFFE272CFF0(intOrPtr _a8) {
				intOrPtr _v24;
				long long _v48;
				long long _v64;
				intOrPtr _t21;

				_a8 = _t21;
				_v48 = 0;
				_v64 = 0;
				_v24 = _a8;
				_v24 = _v24 - 2;
				if (_v24 - 0x14 > 0) goto 0xe272d13e;
				goto __rax;
			}

0x7fffe272cff0
0x7fffe272cff8
0x7fffe272d000
0x7fffe272d010
0x7fffe272d01b
0x7fffe272d024
0x7fffe272d048

APIs

_invalid_parameter.LIBCMTD ref: 00007FFFE272D1C9

Strings

raise, xrefs: 00007FFFE272D1BB
("Invalid signal or error", 0), xrefs: 00007FFFE272D165, 00007FFFE272D1C2
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\winsig.c, xrefs: 00007FFFE272D17A, 00007FFFE272D1B4

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: _invalid_parameter
String ID: ("Invalid signal or error", 0)$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\winsig.c$raise
API String ID: 2123368286-2245755083
Opcode ID: 18adc300c2b93f7eab7b819d563e90f5c41814788a4c43fa347d2340d41b98cd
Instruction ID: 5382b2322bb4abffe25a16e8facebb76caf7e5007f6384a1b566a9082ccb1ded
Opcode Fuzzy Hash: 18adc300c2b93f7eab7b819d563e90f5c41814788a4c43fa347d2340d41b98cd
Instruction Fuzzy Hash: C371D972D1C682CAE7A09B14E44476BB7E1FBC6754F104135E68A83B95EFBCE454CB02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2725AD9 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 77memoryCOMMON

Download Yara Rule

APIs

_CrtIsValidHeapPointer.LIBCMTD ref: 00007FFFE2725B35

Strings

_CrtCheckMemory(), xrefs: 00007FFFE2725ADD
LX, xrefs: 00007FFFE2725B5F
_BLOCK_TYPE_IS_VALID(pHead->nBlockUse), xrefs: 00007FFFE2725BB4
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\dbgheap.c, xrefs: 00007FFFE2725AF2, 00007FFFE2725B53, 00007FFFE2725BC9
L7, xrefs: 00007FFFE2725C0F
_CrtIsValidHeapPointer(pUserData), xrefs: 00007FFFE2725B3E

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: HeapPointerValid
String ID: _BLOCK_TYPE_IS_VALID(pHead->nBlockUse)$_CrtCheckMemory()$_CrtIsValidHeapPointer(pUserData)$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\dbgheap.c$L7$LX
API String ID: 299318057-1988567080
Opcode ID: 449abee572b00c001843884aa05b8e5cdaea28f8affc6eceb55751fcc4bbfe52
Instruction ID: 54f051c7b9bfcc9212ce62af4551271011765c69c71bd7e586fc2446e00ecf69
Opcode Fuzzy Hash: 449abee572b00c001843884aa05b8e5cdaea28f8affc6eceb55751fcc4bbfe52
Instruction Fuzzy Hash: 62316FB2E2874685E7A48B15E44132967D4FB86780F501035EA4DC3BA5FF7CD460CB02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE272C7E9 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 74COMMON

Download Yara Rule

APIs

_realloc_dbg.LIBCMTD ref: 00007FFFE272C86D
_realloc_dbg.LIBCMTD ref: 00007FFFE272C8B8
EncodePointer.KERNEL32 ref: 00007FFFE272C8FF
EncodePointer.KERNEL32 ref: 00007FFFE272C911
EncodePointer.KERNEL32 ref: 00007FFFE272C932

Strings

f:\dd\vctools\crt_bld\self_64_amd64\crt\src\onexit.c, xrefs: 00007FFFE272C856, 00007FFFE272C8A1
}, xrefs: 00007FFFE272C84E

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: EncodePointer$_realloc_dbg
String ID: f:\dd\vctools\crt_bld\self_64_amd64\crt\src\onexit.c$}
API String ID: 429494535-1858280179
Opcode ID: 950a78d59f72efd3ce43bd8456283c625fce50364ef15d6a0f5e845d51c15c3f
Instruction ID: f026b265a5fc75070eaaecb916e0b8086e89157fbe893cac51a71e35bd52c601
Opcode Fuzzy Hash: 950a78d59f72efd3ce43bd8456283c625fce50364ef15d6a0f5e845d51c15c3f
Instruction Fuzzy Hash: 7D41C972A19B8586DA50CB55F45432AB7F0F7C6794F101035FA8E83B68EFBDD0A48B01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2727280 Relevance: 12.1, APIs: 8, Instructions: 104COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32 ref: 00007FFFE27272CE
DecodePointer.KERNEL32 ref: 00007FFFE2727375
DecodePointer.KERNEL32 ref: 00007FFFE27272EC

Part of subcall function 00007FFFE2723D00: RtlEncodePointer.NTDLL ref: 00007FFFE2723D06

DecodePointer.KERNEL32 ref: 00007FFFE2727398
DecodePointer.KERNEL32 ref: 00007FFFE27273AA
_initterm.LIBCMTD ref: 00007FFFE2727408
_initterm.LIBCMTD ref: 00007FFFE272741B
__crtExitProcess.LIBCMTD ref: 00007FFFE272747D

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: Pointer$Decode$_initterm$EncodeExitProcess__crt
String ID:
API String ID: 3799933513-0
Opcode ID: c9a1689ff4177d35e5a558f0089bed0cb41f7669401f9128f576ef3edf69137f
Instruction ID: f2e2149491306e43c81337c10ffb58654b7976f9a77924b62ed1162e3e92ddac
Opcode Fuzzy Hash: c9a1689ff4177d35e5a558f0089bed0cb41f7669401f9128f576ef3edf69137f
Instruction Fuzzy Hash: 80510E72D1DA8281E7509B15E58432EB7E4FBC6794F101135EA8D827A9FFBCE464CB02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE273E16F Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 259COMMON

Download Yara Rule

APIs

get_int64_arg.LIBCMTD ref: 00007FFFE273E1BC

Strings

("Incorrect format specifier", 0), xrefs: 00007FFFE273DB7D, 00007FFFE273DBDD
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c, xrefs: 00007FFFE273DB92, 00007FFFE273DBCF
_woutput_s_l, xrefs: 00007FFFE273DBD6

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: get_int64_arg
String ID: ("Incorrect format specifier", 0)$_woutput_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c
API String ID: 1967237116-734865713
Opcode ID: c2425827690f07a93f69eb38b450ff2678cd23c1eb01a19a01dfffa3a40938e6
Instruction ID: f3e57193377d8beb5a7171205992642bafa3d13a9e1201d6a23acced2c5f90f3
Opcode Fuzzy Hash: c2425827690f07a93f69eb38b450ff2678cd23c1eb01a19a01dfffa3a40938e6
Instruction Fuzzy Hash: 08D1EC7290CAC68AE7708B15E8807ABB7E0FB95395F100135E699C7A99EFBCD450CF05

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE273DF8D Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 218
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00007FFF7FFFE273DF8D(signed short _a1208, signed int _a1412) {

				_a1412 = _a1208 & 0x0000ffff;
				_a1412 = _a1412 - 0x41;
				if (_a1412 - 0x37 > 0) goto 0xe273ea2a;
				goto __rax;
			}

0x7fffe273df95
0x7fffe273dfa6
0x7fffe273dfb5
0x7fffe273dfdc

Strings

("Incorrect format specifier", 0), xrefs: 00007FFFE273DB7D, 00007FFFE273DBDD
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c, xrefs: 00007FFFE273DB92, 00007FFFE273DBCF
7, xrefs: 00007FFFE273DFAD
_woutput_s_l, xrefs: 00007FFFE273DBD6

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID:
String ID: ("Incorrect format specifier", 0)$7$_woutput_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c
API String ID: 0-1585035072
Opcode ID: 0bf90205098d20be4f4e59ab582b3189e67a2fe65aecfe549d1a450604364a50
Instruction ID: ee2cc1a72556f944df62c28f5790422724b32f253115e45b2b99d18f486a4f54
Opcode Fuzzy Hash: 0bf90205098d20be4f4e59ab582b3189e67a2fe65aecfe549d1a450604364a50
Instruction Fuzzy Hash: 04B1FE7290C6C686E7709B55E8817ABB7E0FB95395F000036EA89C7A99EFBCD450CF05

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2738350 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 178COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter.LIBCMTD ref: 00007FFFE2738420
_invalid_parameter.LIBCMTD ref: 00007FFFE27384CA

Strings

f:\dd\vctools\crt_bld\self_64_amd64\crt\src\vswprint.c, xrefs: 00007FFFE27383D1, 00007FFFE273840B, 00007FFFE273847B, 00007FFFE27384B5
(count == 0) || (string != NULL), xrefs: 00007FFFE2738466, 00007FFFE27384C3
_vswprintf_helper, xrefs: 00007FFFE2738412, 00007FFFE27384BC
(format != NULL), xrefs: 00007FFFE27383BC, 00007FFFE2738419

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: _invalid_parameter
String ID: (count == 0) || (string != NULL)$(format != NULL)$_vswprintf_helper$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\vswprint.c
API String ID: 2123368286-1876092940
Opcode ID: 9846629aa5f9262a1bee0fdfcec26bb25970a0f61289143976d8b215326cf8ff
Instruction ID: 9dbc88418aa9beaf465aef17d5cf95acc34abf54899ab1ae5059a45d627c320d
Opcode Fuzzy Hash: 9846629aa5f9262a1bee0fdfcec26bb25970a0f61289143976d8b215326cf8ff
Instruction Fuzzy Hash: AC911A72918B89CAE7608B15E48436EB7E0F785794F108535E69E83BA8EFBCD454CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE273BE32 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00007FFF7FFFE273BE32(signed int _a80, signed int _a696, intOrPtr _a704, char _a972, signed int _a976, void* _a1096) {

				_a972 = _a696 & 0x000000ff;
				if (_a972 == 0x49) goto 0xe273beb7;
				if (_a972 == 0x68) goto 0xe273bfc0;
				if (_a972 == 0x6c) goto 0xe273be76;
				if (_a972 == 0x77) goto 0xe273bfcd;
				goto 0xe273bfd9;
				if ( *_a1096 != 0x6c) goto 0xe273bea7;
				_a1096 = _a1096 + 1;
				asm("bts eax, 0xc");
				goto 0xe273beb2;
				_a80 = _a80 | 0x00000010;
				goto 0xe273bfd9;
				asm("bts eax, 0xf");
				if ( *_a1096 != 0x36) goto 0xe273bf09;
				if ( *((char*)(_a1096 + 1)) != 0x34) goto 0xe273bf09;
				_a1096 = _a1096 + 2;
				asm("bts eax, 0xf");
				goto 0xe273bfbe;
				if ( *_a1096 != 0x33) goto 0xe273bf4c;
				if ( *((char*)(_a1096 + 1)) != 0x32) goto 0xe273bf4c;
				_a1096 = _a1096 + 2;
				asm("btr eax, 0xf");
				goto 0xe273bfbe;
				if ( *_a1096 == 0x64) goto 0xe273bfac;
				if ( *_a1096 == 0x69) goto 0xe273bfac;
				if ( *_a1096 == 0x6f) goto 0xe273bfac;
				if ( *_a1096 == 0x75) goto 0xe273bfac;
				if ( *_a1096 == 0x78) goto 0xe273bfac;
				if ( *_a1096 != 0x58) goto 0xe273bfae;
				goto 0xe273bfbe;
				_a704 = 0;
				goto E00007FFF7FFFE273BB66;
				goto 0xe273bfd9;
				_a80 = _a80 | 0x00000020;
				goto 0xe273bfd9;
				asm("bts eax, 0xb");
				_a976 = _a696;
				_a976 = _a976 - 0x41;
				if (_a976 - 0x37 > 0) goto 0xe273ca31;
				goto __rax;
			}

0x7fffe273be3a
0x7fffe273be49
0x7fffe273be53
0x7fffe273be61
0x7fffe273be6b
0x7fffe273be71
0x7fffe273be84
0x7fffe273be91
0x7fffe273be9d
0x7fffe273bea5
0x7fffe273beae
0x7fffe273beb2
0x7fffe273bebb
0x7fffe273bed1
0x7fffe273bee2
0x7fffe273bef0
0x7fffe273befc
0x7fffe273bf04
0x7fffe273bf17
0x7fffe273bf28
0x7fffe273bf36
0x7fffe273bf42
0x7fffe273bf4a
0x7fffe273bf5a
0x7fffe273bf6a
0x7fffe273bf7a
0x7fffe273bf8a
0x7fffe273bf9a
0x7fffe273bfaa
0x7fffe273bfac
0x7fffe273bfae
0x7fffe273bfb9
0x7fffe273bfbe
0x7fffe273bfc7
0x7fffe273bfcb
0x7fffe273bfd1
0x7fffe273bfe6
0x7fffe273bff7
0x7fffe273c006
0x7fffe273c02d

APIs

_invalid_parameter.LIBCMTD ref: 00007FFFE273BB09
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE273BB1E

Strings

("Incorrect format specifier", 0), xrefs: 00007FFFE273BAA2, 00007FFFE273BB02
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c, xrefs: 00007FFFE273BAB7, 00007FFFE273BAF4
_output_s_l, xrefs: 00007FFFE273BAFB
w, xrefs: 00007FFFE273BE63

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: Locale$UpdateUpdate::~__invalid_parameter
String ID: ("Incorrect format specifier", 0)$_output_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c$w
API String ID: 530996419-3826063230
Opcode ID: 6f4341bf75342723462239bb8ed84b432b5f9ccd09e3c394fa39f7378907594f
Instruction ID: 3fce483c3d395d541d4e7e2cc790a97f291ac19fccf28c9c9e97703942e95ab6
Opcode Fuzzy Hash: 6f4341bf75342723462239bb8ed84b432b5f9ccd09e3c394fa39f7378907594f
Instruction Fuzzy Hash: 1D913D62D0C6C68AE7718B54E0C037EBBE4E786315F40203AD68EC7A59EFACD5518F16

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE273DDE0 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00007FFF7FFFE273DDE0(signed int _a80, signed int _a1208, intOrPtr _a1216, signed int _a1408, signed int _a1412, signed short* _a1544) {

				_a1408 = _a1208 & 0x0000ffff;
				if (_a1408 == 0x49) goto 0xe273de66;
				if (_a1408 == 0x68) goto 0xe273df6f;
				if (_a1408 == 0x6c) goto 0xe273de24;
				if (_a1408 == 0x77) goto 0xe273df7c;
				goto 0xe273df88;
				if (( *_a1544 & 0x0000ffff) != 0x6c) goto 0xe273de56;
				_a1544 =  &(_a1544[1]);
				asm("bts eax, 0xc");
				goto 0xe273de61;
				_a80 = _a80 | 0x00000010;
				goto 0xe273df88;
				asm("bts eax, 0xf");
				if (( *_a1544 & 0x0000ffff) != 0x36) goto 0xe273deb8;
				if ((_a1544[1] & 0x0000ffff) != 0x34) goto 0xe273deb8;
				_a1544 =  &(_a1544[2]);
				asm("bts eax, 0xf");
				goto 0xe273df6d;
				if (( *_a1544 & 0x0000ffff) != 0x33) goto 0xe273defb;
				if ((_a1544[1] & 0x0000ffff) != 0x32) goto 0xe273defb;
				_a1544 =  &(_a1544[2]);
				asm("btr eax, 0xf");
				goto 0xe273df6d;
				if (( *_a1544 & 0x0000ffff) == 0x64) goto 0xe273df5b;
				if (( *_a1544 & 0x0000ffff) == 0x69) goto 0xe273df5b;
				if (( *_a1544 & 0x0000ffff) == 0x6f) goto 0xe273df5b;
				if (( *_a1544 & 0x0000ffff) == 0x75) goto 0xe273df5b;
				if (( *_a1544 & 0x0000ffff) == 0x78) goto 0xe273df5b;
				if (( *_a1544 & 0x0000ffff) != 0x58) goto 0xe273df5d;
				goto 0xe273df6d;
				_a1216 = 0;
				goto E00007FFF7FFFE273DC41;
				goto 0xe273df88;
				_a80 = _a80 | 0x00000020;
				goto 0xe273df88;
				asm("bts eax, 0xb");
				_a1412 = _a1208 & 0x0000ffff;
				_a1412 = _a1412 - 0x41;
				if (_a1412 - 0x37 > 0) goto 0xe273ea2a;
				goto __rax;
			}

0x7fffe273dde8
0x7fffe273ddf7
0x7fffe273de01
0x7fffe273de0f
0x7fffe273de19
0x7fffe273de1f
0x7fffe273de32
0x7fffe273de40
0x7fffe273de4c
0x7fffe273de54
0x7fffe273de5d
0x7fffe273de61
0x7fffe273de6a
0x7fffe273de80
0x7fffe273de91
0x7fffe273de9f
0x7fffe273deab
0x7fffe273deb3
0x7fffe273dec6
0x7fffe273ded7
0x7fffe273dee5
0x7fffe273def1
0x7fffe273def9
0x7fffe273df09
0x7fffe273df19
0x7fffe273df29
0x7fffe273df39
0x7fffe273df49
0x7fffe273df59
0x7fffe273df5b
0x7fffe273df5d
0x7fffe273df68
0x7fffe273df6d
0x7fffe273df76
0x7fffe273df7a
0x7fffe273df80
0x7fffe273df95
0x7fffe273dfa6
0x7fffe273dfb5
0x7fffe273dfdc

APIs

_invalid_parameter.LIBCMTD ref: 00007FFFE273DBE4
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE273DBF9

Strings

("Incorrect format specifier", 0), xrefs: 00007FFFE273DB7D, 00007FFFE273DBDD
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c, xrefs: 00007FFFE273DB92, 00007FFFE273DBCF
_woutput_s_l, xrefs: 00007FFFE273DBD6
w, xrefs: 00007FFFE273DE11

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: Locale$UpdateUpdate::~__invalid_parameter
String ID: ("Incorrect format specifier", 0)$_woutput_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c$w
API String ID: 530996419-4206863317
Opcode ID: ea911f3e0001a33c00663cb6cc71ee2ff701874ce847a4c399e41a1539880d37
Instruction ID: bb2b161c844e8541a31d686d7aceeafc764bbed2278a54cd9138035b1dfb626e
Opcode Fuzzy Hash: ea911f3e0001a33c00663cb6cc71ee2ff701874ce847a4c399e41a1539880d37
Instruction Fuzzy Hash: B491FA72D0D6C68AE6B08B15E88037BB7E1FB86755F400135E68DC7A94EBBCD861DB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE273DCA8 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 27%

			E00007FFF7FFFE273DCA8(signed int _a80, signed int _a88, intOrPtr _a116, signed int _a1208, intOrPtr _a1216, signed int _a1404, signed int _a1408, signed int _a1412, signed short* _a1544, char _a1560) {
				void* _t171;
				char* _t191;
				char* _t192;

				_a1404 = _a1208 & 0x0000ffff;
				if (_a1404 == 0x20) goto 0xe273dd05;
				if (_a1404 == 0x23) goto 0xe273dd12;
				if (_a1404 == 0x2b) goto 0xe273dcf8;
				if (_a1404 == 0x2d) goto 0xe273dceb;
				if (_a1404 == 0x30) goto 0xe273dd20;
				goto 0xe273dd2b;
				_a80 = _a80 | 0x00000004;
				goto 0xe273dd2b;
				_a80 = _a80 | 0x00000001;
				goto 0xe273dd2b;
				_a80 = _a80 | 0x00000002;
				goto 0xe273dd2b;
				asm("bts eax, 0x7");
				goto 0xe273dd2b;
				_a80 = _a80 | 0x00000008;
				if ((_a1208 & 0x0000ffff) != 0x2a) goto 0xe273dd6c;
				_t191 =  &_a1560;
				_a88 = E00007FFF7FFFE2731E40(_t191);
				if (_a88 >= 0) goto 0xe273dd6a;
				_a80 = _a80 | 0x00000004;
				_a88 =  ~_a88;
				goto 0xe273dd83;
				_a88 = _t171 + _t191 - 0x30;
				_a116 = 0;
				if ((_a1208 & 0x0000ffff) != 0x2a) goto 0xe273ddc4;
				_t192 =  &_a1560;
				_a116 = E00007FFF7FFFE2731E40(_t192);
				if (_a116 >= 0) goto 0xe273ddc2;
				_a116 = 0xffffffff;
				goto 0xe273dddb;
				_a116 = _t171 + _t192 - 0x30;
				_a1408 = _a1208 & 0x0000ffff;
				if (_a1408 == 0x49) goto 0xe273de66;
				if (_a1408 == 0x68) goto 0xe273df6f;
				if (_a1408 == 0x6c) goto 0xe273de24;
				if (_a1408 == 0x77) goto 0xe273df7c;
				goto 0xe273df88;
				if (( *_a1544 & 0x0000ffff) != 0x6c) goto 0xe273de56;
				_a1544 =  &(_a1544[1]);
				asm("bts eax, 0xc");
				goto 0xe273de61;
				_a80 = _a80 | 0x00000010;
				goto 0xe273df88;
				asm("bts eax, 0xf");
				if (( *_a1544 & 0x0000ffff) != 0x36) goto 0xe273deb8;
				if ((_a1544[1] & 0x0000ffff) != 0x34) goto 0xe273deb8;
				_a1544 =  &(_a1544[2]);
				asm("bts eax, 0xf");
				goto 0xe273df6d;
				if (( *_a1544 & 0x0000ffff) != 0x33) goto 0xe273defb;
				if ((_a1544[1] & 0x0000ffff) != 0x32) goto 0xe273defb;
				_a1544 =  &(_a1544[2]);
				asm("btr eax, 0xf");
				goto 0xe273df6d;
				if (( *_a1544 & 0x0000ffff) == 0x64) goto 0xe273df5b;
				if (( *_a1544 & 0x0000ffff) == 0x69) goto 0xe273df5b;
				if (( *_a1544 & 0x0000ffff) == 0x6f) goto 0xe273df5b;
				if (( *_a1544 & 0x0000ffff) == 0x75) goto 0xe273df5b;
				if (( *_a1544 & 0x0000ffff) == 0x78) goto 0xe273df5b;
				if (( *_a1544 & 0x0000ffff) != 0x58) goto 0xe273df5d;
				goto 0xe273df6d;
				_a1216 = 0;
				goto E00007FFF7FFFE273DC41;
				goto 0xe273df88;
				_a80 = _a80 | 0x00000020;
				goto 0xe273df88;
				asm("bts eax, 0xb");
				_a1412 = _a1208 & 0x0000ffff;
				_a1412 = _a1412 - 0x41;
				if (_a1412 - 0x37 > 0) goto 0xe273ea2a;
				goto __rax;
			}

0x7fffe273dcb0
0x7fffe273dcbf
0x7fffe273dcc9
0x7fffe273dcd3
0x7fffe273dcdd
0x7fffe273dce7
0x7fffe273dce9
0x7fffe273dcf2
0x7fffe273dcf6
0x7fffe273dcff
0x7fffe273dd03
0x7fffe273dd0c
0x7fffe273dd10
0x7fffe273dd16
0x7fffe273dd1e
0x7fffe273dd27
0x7fffe273dd3b
0x7fffe273dd3d
0x7fffe273dd4a
0x7fffe273dd53
0x7fffe273dd5c
0x7fffe273dd66
0x7fffe273dd6a
0x7fffe273dd7f
0x7fffe273dd88
0x7fffe273dda0
0x7fffe273dda2
0x7fffe273ddaf
0x7fffe273ddb8
0x7fffe273ddba
0x7fffe273ddc2
0x7fffe273ddd7
0x7fffe273dde8
0x7fffe273ddf7
0x7fffe273de01
0x7fffe273de0f
0x7fffe273de19
0x7fffe273de1f
0x7fffe273de32
0x7fffe273de40
0x7fffe273de4c
0x7fffe273de54
0x7fffe273de5d
0x7fffe273de61
0x7fffe273de6a
0x7fffe273de80
0x7fffe273de91
0x7fffe273de9f
0x7fffe273deab
0x7fffe273deb3
0x7fffe273dec6
0x7fffe273ded7
0x7fffe273dee5
0x7fffe273def1
0x7fffe273def9
0x7fffe273df09
0x7fffe273df19
0x7fffe273df29
0x7fffe273df39
0x7fffe273df49
0x7fffe273df59
0x7fffe273df5b
0x7fffe273df5d
0x7fffe273df68
0x7fffe273df6d
0x7fffe273df76
0x7fffe273df7a
0x7fffe273df80
0x7fffe273df95
0x7fffe273dfa6
0x7fffe273dfb5
0x7fffe273dfdc

APIs

_invalid_parameter.LIBCMTD ref: 00007FFFE273DBE4
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE273DBF9

Strings

("Incorrect format specifier", 0), xrefs: 00007FFFE273DB7D, 00007FFFE273DBDD
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c, xrefs: 00007FFFE273DB92, 00007FFFE273DBCF
0, xrefs: 00007FFFE273DCDF
_woutput_s_l, xrefs: 00007FFFE273DBD6

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: Locale$UpdateUpdate::~__invalid_parameter
String ID: ("Incorrect format specifier", 0)$0$_woutput_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c
API String ID: 530996419-1247675978
Opcode ID: dafc102d997b2a6b976dbf7f56485c8afddec954203f225463beab32e96cec62
Instruction ID: 37308ce44e8a24391242606b5d6bae99c6563cd45ecd2736e4dd4862ae7c55f1
Opcode Fuzzy Hash: dafc102d997b2a6b976dbf7f56485c8afddec954203f225463beab32e96cec62
Instruction Fuzzy Hash: 22510EB2D1C6C68AE7709B15E8803BBB7E0FB86345F400136D689C6998EBBCD450DF16

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE273BCFA Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 27%

			E00007FFF7FFFE273BCFA(signed int _a80, signed int _a88, intOrPtr _a116, signed int _a696, intOrPtr _a704, char _a968, char _a972, signed int _a976, void* _a1096, char _a1112) {
				void* _t171;
				char* _t191;
				char* _t192;

				_a968 = _a696 & 0x000000ff;
				if (_a968 == 0x20) goto 0xe273bd57;
				if (_a968 == 0x23) goto 0xe273bd64;
				if (_a968 == 0x2b) goto 0xe273bd4a;
				if (_a968 == 0x2d) goto 0xe273bd3d;
				if (_a968 == 0x30) goto 0xe273bd72;
				goto 0xe273bd7d;
				_a80 = _a80 | 0x00000004;
				goto 0xe273bd7d;
				_a80 = _a80 | 0x00000001;
				goto 0xe273bd7d;
				_a80 = _a80 | 0x00000002;
				goto 0xe273bd7d;
				asm("bts eax, 0x7");
				goto 0xe273bd7d;
				_a80 = _a80 | 0x00000008;
				if (_a696 != 0x2a) goto 0xe273bdbe;
				_t191 =  &_a1112;
				_a88 = E00007FFF7FFFE2731E40(_t191);
				if (_a88 >= 0) goto 0xe273bdbc;
				_a80 = _a80 | 0x00000004;
				_a88 =  ~_a88;
				goto 0xe273bdd5;
				_a88 = _t171 + _t191 - 0x30;
				_a116 = 0;
				if (_a696 != 0x2a) goto 0xe273be16;
				_t192 =  &_a1112;
				_a116 = E00007FFF7FFFE2731E40(_t192);
				if (_a116 >= 0) goto 0xe273be14;
				_a116 = 0xffffffff;
				goto 0xe273be2d;
				_a116 = _t171 + _t192 - 0x30;
				_a972 = _a696 & 0x000000ff;
				if (_a972 == 0x49) goto 0xe273beb7;
				if (_a972 == 0x68) goto 0xe273bfc0;
				if (_a972 == 0x6c) goto 0xe273be76;
				if (_a972 == 0x77) goto 0xe273bfcd;
				goto 0xe273bfd9;
				if ( *_a1096 != 0x6c) goto 0xe273bea7;
				_a1096 = _a1096 + 1;
				asm("bts eax, 0xc");
				goto 0xe273beb2;
				_a80 = _a80 | 0x00000010;
				goto 0xe273bfd9;
				asm("bts eax, 0xf");
				if ( *_a1096 != 0x36) goto 0xe273bf09;
				if ( *((char*)(_a1096 + 1)) != 0x34) goto 0xe273bf09;
				_a1096 = _a1096 + 2;
				asm("bts eax, 0xf");
				goto 0xe273bfbe;
				if ( *_a1096 != 0x33) goto 0xe273bf4c;
				if ( *((char*)(_a1096 + 1)) != 0x32) goto 0xe273bf4c;
				_a1096 = _a1096 + 2;
				asm("btr eax, 0xf");
				goto 0xe273bfbe;
				if ( *_a1096 == 0x64) goto 0xe273bfac;
				if ( *_a1096 == 0x69) goto 0xe273bfac;
				if ( *_a1096 == 0x6f) goto 0xe273bfac;
				if ( *_a1096 == 0x75) goto 0xe273bfac;
				if ( *_a1096 == 0x78) goto 0xe273bfac;
				if ( *_a1096 != 0x58) goto 0xe273bfae;
				goto 0xe273bfbe;
				_a704 = 0;
				goto E00007FFF7FFFE273BB66;
				goto 0xe273bfd9;
				_a80 = _a80 | 0x00000020;
				goto 0xe273bfd9;
				asm("bts eax, 0xb");
				_a976 = _a696;
				_a976 = _a976 - 0x41;
				if (_a976 - 0x37 > 0) goto 0xe273ca31;
				goto __rax;
			}

0x7fffe273bd02
0x7fffe273bd11
0x7fffe273bd1b
0x7fffe273bd25
0x7fffe273bd2f
0x7fffe273bd39
0x7fffe273bd3b
0x7fffe273bd44
0x7fffe273bd48
0x7fffe273bd51
0x7fffe273bd55
0x7fffe273bd5e
0x7fffe273bd62
0x7fffe273bd68
0x7fffe273bd70
0x7fffe273bd79
0x7fffe273bd8d
0x7fffe273bd8f
0x7fffe273bd9c
0x7fffe273bda5
0x7fffe273bdae
0x7fffe273bdb8
0x7fffe273bdbc
0x7fffe273bdd1
0x7fffe273bdda
0x7fffe273bdf2
0x7fffe273bdf4
0x7fffe273be01
0x7fffe273be0a
0x7fffe273be0c
0x7fffe273be14
0x7fffe273be29
0x7fffe273be3a
0x7fffe273be49
0x7fffe273be53
0x7fffe273be61
0x7fffe273be6b
0x7fffe273be71
0x7fffe273be84
0x7fffe273be91
0x7fffe273be9d
0x7fffe273bea5
0x7fffe273beae
0x7fffe273beb2
0x7fffe273bebb
0x7fffe273bed1
0x7fffe273bee2
0x7fffe273bef0
0x7fffe273befc
0x7fffe273bf04
0x7fffe273bf17
0x7fffe273bf28
0x7fffe273bf36
0x7fffe273bf42
0x7fffe273bf4a
0x7fffe273bf5a
0x7fffe273bf6a
0x7fffe273bf7a
0x7fffe273bf8a
0x7fffe273bf9a
0x7fffe273bfaa
0x7fffe273bfac
0x7fffe273bfae
0x7fffe273bfb9
0x7fffe273bfbe
0x7fffe273bfc7
0x7fffe273bfcb
0x7fffe273bfd1
0x7fffe273bfe6
0x7fffe273bff7
0x7fffe273c006
0x7fffe273c02d

APIs

_invalid_parameter.LIBCMTD ref: 00007FFFE273BB09
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE273BB1E

Strings

("Incorrect format specifier", 0), xrefs: 00007FFFE273BAA2, 00007FFFE273BB02
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c, xrefs: 00007FFFE273BAB7, 00007FFFE273BAF4
0, xrefs: 00007FFFE273BD31
_output_s_l, xrefs: 00007FFFE273BAFB

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: Locale$UpdateUpdate::~__invalid_parameter
String ID: ("Incorrect format specifier", 0)$0$_output_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c
API String ID: 530996419-4087627031
Opcode ID: 287329bbe28ac3486ddbb9e235f19a10cbf988fa35318df4d11335d2ff3f0aeb
Instruction ID: 4ff6752859ca260ce04906066a0d813adfde6cc01de8ba1b24f166190caeef22
Opcode Fuzzy Hash: 287329bbe28ac3486ddbb9e235f19a10cbf988fa35318df4d11335d2ff3f0aeb
Instruction Fuzzy Hash: 82514CB2D1C6C68AE3B19B14E4953BEBBD4E786304F401135D28AC6999EFBCD550CF02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE273DD30 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 26%

			E00007FFF7FFFE273DD30(signed int _a80, signed int _a88, intOrPtr _a116, signed int _a1208, intOrPtr _a1216, signed int _a1408, signed int _a1412, signed short* _a1544, char _a1560) {
				void* _t139;
				char* _t159;
				char* _t160;

				if ((_a1208 & 0x0000ffff) != 0x2a) goto 0xe273dd6c;
				_t159 =  &_a1560;
				_a88 = E00007FFF7FFFE2731E40(_t159);
				if (_a88 >= 0) goto 0xe273dd6a;
				_a80 = _a80 | 0x00000004;
				_a88 =  ~_a88;
				goto 0xe273dd83;
				_a88 = _t139 + _t159 - 0x30;
				_a116 = 0;
				if ((_a1208 & 0x0000ffff) != 0x2a) goto 0xe273ddc4;
				_t160 =  &_a1560;
				_a116 = E00007FFF7FFFE2731E40(_t160);
				if (_a116 >= 0) goto 0xe273ddc2;
				_a116 = 0xffffffff;
				goto 0xe273dddb;
				_a116 = _t139 + _t160 - 0x30;
				_a1408 = _a1208 & 0x0000ffff;
				if (_a1408 == 0x49) goto 0xe273de66;
				if (_a1408 == 0x68) goto 0xe273df6f;
				if (_a1408 == 0x6c) goto 0xe273de24;
				if (_a1408 == 0x77) goto 0xe273df7c;
				goto 0xe273df88;
				if (( *_a1544 & 0x0000ffff) != 0x6c) goto 0xe273de56;
				_a1544 =  &(_a1544[1]);
				asm("bts eax, 0xc");
				goto 0xe273de61;
				_a80 = _a80 | 0x00000010;
				goto 0xe273df88;
				asm("bts eax, 0xf");
				if (( *_a1544 & 0x0000ffff) != 0x36) goto 0xe273deb8;
				if ((_a1544[1] & 0x0000ffff) != 0x34) goto 0xe273deb8;
				_a1544 =  &(_a1544[2]);
				asm("bts eax, 0xf");
				goto 0xe273df6d;
				if (( *_a1544 & 0x0000ffff) != 0x33) goto 0xe273defb;
				if ((_a1544[1] & 0x0000ffff) != 0x32) goto 0xe273defb;
				_a1544 =  &(_a1544[2]);
				asm("btr eax, 0xf");
				goto 0xe273df6d;
				if (( *_a1544 & 0x0000ffff) == 0x64) goto 0xe273df5b;
				if (( *_a1544 & 0x0000ffff) == 0x69) goto 0xe273df5b;
				if (( *_a1544 & 0x0000ffff) == 0x6f) goto 0xe273df5b;
				if (( *_a1544 & 0x0000ffff) == 0x75) goto 0xe273df5b;
				if (( *_a1544 & 0x0000ffff) == 0x78) goto 0xe273df5b;
				if (( *_a1544 & 0x0000ffff) != 0x58) goto 0xe273df5d;
				goto 0xe273df6d;
				_a1216 = 0;
				goto E00007FFF7FFFE273DC41;
				goto 0xe273df88;
				_a80 = _a80 | 0x00000020;
				goto 0xe273df88;
				asm("bts eax, 0xb");
				_a1412 = _a1208 & 0x0000ffff;
				_a1412 = _a1412 - 0x41;
				if (_a1412 - 0x37 > 0) goto 0xe273ea2a;
				goto __rax;
			}

0x7fffe273dd3b
0x7fffe273dd3d
0x7fffe273dd4a
0x7fffe273dd53
0x7fffe273dd5c
0x7fffe273dd66
0x7fffe273dd6a
0x7fffe273dd7f
0x7fffe273dd88
0x7fffe273dda0
0x7fffe273dda2
0x7fffe273ddaf
0x7fffe273ddb8
0x7fffe273ddba
0x7fffe273ddc2
0x7fffe273ddd7
0x7fffe273dde8
0x7fffe273ddf7
0x7fffe273de01
0x7fffe273de0f
0x7fffe273de19
0x7fffe273de1f
0x7fffe273de32
0x7fffe273de40
0x7fffe273de4c
0x7fffe273de54
0x7fffe273de5d
0x7fffe273de61
0x7fffe273de6a
0x7fffe273de80
0x7fffe273de91
0x7fffe273de9f
0x7fffe273deab
0x7fffe273deb3
0x7fffe273dec6
0x7fffe273ded7
0x7fffe273dee5
0x7fffe273def1
0x7fffe273def9
0x7fffe273df09
0x7fffe273df19
0x7fffe273df29
0x7fffe273df39
0x7fffe273df49
0x7fffe273df59
0x7fffe273df5b
0x7fffe273df5d
0x7fffe273df68
0x7fffe273df6d
0x7fffe273df76
0x7fffe273df7a
0x7fffe273df80
0x7fffe273df95
0x7fffe273dfa6
0x7fffe273dfb5
0x7fffe273dfdc

APIs

_invalid_parameter.LIBCMTD ref: 00007FFFE273DBE4
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE273DBF9
get_int_arg.LIBCMTD ref: 00007FFFE273DD45

Strings

("Incorrect format specifier", 0), xrefs: 00007FFFE273DB7D, 00007FFFE273DBDD
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c, xrefs: 00007FFFE273DB92, 00007FFFE273DBCF
_woutput_s_l, xrefs: 00007FFFE273DBD6

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: Locale$UpdateUpdate::~__invalid_parameterget_int_arg
String ID: ("Incorrect format specifier", 0)$_woutput_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c
API String ID: 2576288505-734865713
Opcode ID: 73e6b479e683be5ecb6b5fbd55da46f8fdb801a5518f0397c70b55b6842a44e9
Instruction ID: da311b698b3d08ca7c022df6caf63318a6c69549805fac17a6a57d22862649f1
Opcode Fuzzy Hash: 73e6b479e683be5ecb6b5fbd55da46f8fdb801a5518f0397c70b55b6842a44e9
Instruction Fuzzy Hash: 2451EBB2D0D6C68AE7709B14E8803BAB7E4FB86345F400136E689C7995EBBCD450CF15

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE273BD82 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 26%

			E00007FFF7FFFE273BD82(signed int _a80, signed int _a88, intOrPtr _a116, signed int _a696, intOrPtr _a704, char _a972, signed int _a976, void* _a1096, char _a1112) {
				void* _t139;
				char* _t159;
				char* _t160;

				if (_a696 != 0x2a) goto 0xe273bdbe;
				_t159 =  &_a1112;
				_a88 = E00007FFF7FFFE2731E40(_t159);
				if (_a88 >= 0) goto 0xe273bdbc;
				_a80 = _a80 | 0x00000004;
				_a88 =  ~_a88;
				goto 0xe273bdd5;
				_a88 = _t139 + _t159 - 0x30;
				_a116 = 0;
				if (_a696 != 0x2a) goto 0xe273be16;
				_t160 =  &_a1112;
				_a116 = E00007FFF7FFFE2731E40(_t160);
				if (_a116 >= 0) goto 0xe273be14;
				_a116 = 0xffffffff;
				goto 0xe273be2d;
				_a116 = _t139 + _t160 - 0x30;
				_a972 = _a696 & 0x000000ff;
				if (_a972 == 0x49) goto 0xe273beb7;
				if (_a972 == 0x68) goto 0xe273bfc0;
				if (_a972 == 0x6c) goto 0xe273be76;
				if (_a972 == 0x77) goto 0xe273bfcd;
				goto 0xe273bfd9;
				if ( *_a1096 != 0x6c) goto 0xe273bea7;
				_a1096 = _a1096 + 1;
				asm("bts eax, 0xc");
				goto 0xe273beb2;
				_a80 = _a80 | 0x00000010;
				goto 0xe273bfd9;
				asm("bts eax, 0xf");
				if ( *_a1096 != 0x36) goto 0xe273bf09;
				if ( *((char*)(_a1096 + 1)) != 0x34) goto 0xe273bf09;
				_a1096 = _a1096 + 2;
				asm("bts eax, 0xf");
				goto 0xe273bfbe;
				if ( *_a1096 != 0x33) goto 0xe273bf4c;
				if ( *((char*)(_a1096 + 1)) != 0x32) goto 0xe273bf4c;
				_a1096 = _a1096 + 2;
				asm("btr eax, 0xf");
				goto 0xe273bfbe;
				if ( *_a1096 == 0x64) goto 0xe273bfac;
				if ( *_a1096 == 0x69) goto 0xe273bfac;
				if ( *_a1096 == 0x6f) goto 0xe273bfac;
				if ( *_a1096 == 0x75) goto 0xe273bfac;
				if ( *_a1096 == 0x78) goto 0xe273bfac;
				if ( *_a1096 != 0x58) goto 0xe273bfae;
				goto 0xe273bfbe;
				_a704 = 0;
				goto E00007FFF7FFFE273BB66;
				goto 0xe273bfd9;
				_a80 = _a80 | 0x00000020;
				goto 0xe273bfd9;
				asm("bts eax, 0xb");
				_a976 = _a696;
				_a976 = _a976 - 0x41;
				if (_a976 - 0x37 > 0) goto 0xe273ca31;
				goto __rax;
			}

0x7fffe273bd8d
0x7fffe273bd8f
0x7fffe273bd9c
0x7fffe273bda5
0x7fffe273bdae
0x7fffe273bdb8
0x7fffe273bdbc
0x7fffe273bdd1
0x7fffe273bdda
0x7fffe273bdf2
0x7fffe273bdf4
0x7fffe273be01
0x7fffe273be0a
0x7fffe273be0c
0x7fffe273be14
0x7fffe273be29
0x7fffe273be3a
0x7fffe273be49
0x7fffe273be53
0x7fffe273be61
0x7fffe273be6b
0x7fffe273be71
0x7fffe273be84
0x7fffe273be91
0x7fffe273be9d
0x7fffe273bea5
0x7fffe273beae
0x7fffe273beb2
0x7fffe273bebb
0x7fffe273bed1
0x7fffe273bee2
0x7fffe273bef0
0x7fffe273befc
0x7fffe273bf04
0x7fffe273bf17
0x7fffe273bf28
0x7fffe273bf36
0x7fffe273bf42
0x7fffe273bf4a
0x7fffe273bf5a
0x7fffe273bf6a
0x7fffe273bf7a
0x7fffe273bf8a
0x7fffe273bf9a
0x7fffe273bfaa
0x7fffe273bfac
0x7fffe273bfae
0x7fffe273bfb9
0x7fffe273bfbe
0x7fffe273bfc7
0x7fffe273bfcb
0x7fffe273bfd1
0x7fffe273bfe6
0x7fffe273bff7
0x7fffe273c006
0x7fffe273c02d

APIs

_invalid_parameter.LIBCMTD ref: 00007FFFE273BB09
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE273BB1E
get_int_arg.LIBCMTD ref: 00007FFFE273BD97

Strings

("Incorrect format specifier", 0), xrefs: 00007FFFE273BAA2, 00007FFFE273BB02
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c, xrefs: 00007FFFE273BAB7, 00007FFFE273BAF4
_output_s_l, xrefs: 00007FFFE273BAFB

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: Locale$UpdateUpdate::~__invalid_parameterget_int_arg
String ID: ("Incorrect format specifier", 0)$_output_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c
API String ID: 2576288505-192189897
Opcode ID: b576c27c8c875c1ce4182572011a22670079dadd40bff06c5e4b49d8cc0733f6
Instruction ID: e68f611cf2a37fc0ab613777a74ae4988271f4e727df0e5bebe0d5ca10e92cb6
Opcode Fuzzy Hash: b576c27c8c875c1ce4182572011a22670079dadd40bff06c5e4b49d8cc0733f6
Instruction Fuzzy Hash: 0851F762D0C6C68AE7B0DB24E4943BEBBE4E786354F401136D28AC6999EFBCD5518F01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE273BDE7 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 94
COMMON

Download Yara Rule

C-Code - Quality: 24%

			E00007FFF7FFFE273BDE7(signed int _a80, intOrPtr _a116, signed int _a696, intOrPtr _a704, char _a972, signed int _a976, void* _a1096, char _a1112) {
				void* _t113;
				char* _t133;

				if (_a696 != 0x2a) goto 0xe273be16;
				_t133 =  &_a1112;
				_a116 = E00007FFF7FFFE2731E40(_t133);
				if (_a116 >= 0) goto 0xe273be14;
				_a116 = 0xffffffff;
				goto 0xe273be2d;
				_a116 = _t113 + _t133 - 0x30;
				_a972 = _a696 & 0x000000ff;
				if (_a972 == 0x49) goto 0xe273beb7;
				if (_a972 == 0x68) goto 0xe273bfc0;
				if (_a972 == 0x6c) goto 0xe273be76;
				if (_a972 == 0x77) goto 0xe273bfcd;
				goto 0xe273bfd9;
				if ( *_a1096 != 0x6c) goto 0xe273bea7;
				_a1096 = _a1096 + 1;
				asm("bts eax, 0xc");
				goto 0xe273beb2;
				_a80 = _a80 | 0x00000010;
				goto 0xe273bfd9;
				asm("bts eax, 0xf");
				if ( *_a1096 != 0x36) goto 0xe273bf09;
				if ( *((char*)(_a1096 + 1)) != 0x34) goto 0xe273bf09;
				_a1096 = _a1096 + 2;
				asm("bts eax, 0xf");
				goto 0xe273bfbe;
				if ( *_a1096 != 0x33) goto 0xe273bf4c;
				if ( *((char*)(_a1096 + 1)) != 0x32) goto 0xe273bf4c;
				_a1096 = _a1096 + 2;
				asm("btr eax, 0xf");
				goto 0xe273bfbe;
				if ( *_a1096 == 0x64) goto 0xe273bfac;
				if ( *_a1096 == 0x69) goto 0xe273bfac;
				if ( *_a1096 == 0x6f) goto 0xe273bfac;
				if ( *_a1096 == 0x75) goto 0xe273bfac;
				if ( *_a1096 == 0x78) goto 0xe273bfac;
				if ( *_a1096 != 0x58) goto 0xe273bfae;
				goto 0xe273bfbe;
				_a704 = 0;
				goto E00007FFF7FFFE273BB66;
				goto 0xe273bfd9;
				_a80 = _a80 | 0x00000020;
				goto 0xe273bfd9;
				asm("bts eax, 0xb");
				_a976 = _a696;
				_a976 = _a976 - 0x41;
				if (_a976 - 0x37 > 0) goto 0xe273ca31;
				goto __rax;
			}

0x7fffe273bdf2
0x7fffe273bdf4
0x7fffe273be01
0x7fffe273be0a
0x7fffe273be0c
0x7fffe273be14
0x7fffe273be29
0x7fffe273be3a
0x7fffe273be49
0x7fffe273be53
0x7fffe273be61
0x7fffe273be6b
0x7fffe273be71
0x7fffe273be84
0x7fffe273be91
0x7fffe273be9d
0x7fffe273bea5
0x7fffe273beae
0x7fffe273beb2
0x7fffe273bebb
0x7fffe273bed1
0x7fffe273bee2
0x7fffe273bef0
0x7fffe273befc
0x7fffe273bf04
0x7fffe273bf17
0x7fffe273bf28
0x7fffe273bf36
0x7fffe273bf42
0x7fffe273bf4a
0x7fffe273bf5a
0x7fffe273bf6a
0x7fffe273bf7a
0x7fffe273bf8a
0x7fffe273bf9a
0x7fffe273bfaa
0x7fffe273bfac
0x7fffe273bfae
0x7fffe273bfb9
0x7fffe273bfbe
0x7fffe273bfc7
0x7fffe273bfcb
0x7fffe273bfd1
0x7fffe273bfe6
0x7fffe273bff7
0x7fffe273c006
0x7fffe273c02d

APIs

_invalid_parameter.LIBCMTD ref: 00007FFFE273BB09
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE273BB1E
get_int_arg.LIBCMTD ref: 00007FFFE273BDFC

Strings

("Incorrect format specifier", 0), xrefs: 00007FFFE273BAA2, 00007FFFE273BB02
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c, xrefs: 00007FFFE273BAB7, 00007FFFE273BAF4
_output_s_l, xrefs: 00007FFFE273BAFB

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: Locale$UpdateUpdate::~__invalid_parameterget_int_arg
String ID: ("Incorrect format specifier", 0)$_output_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c
API String ID: 2576288505-192189897
Opcode ID: 4684e22f791ce69839f562b923e995fff9986fe21dc9389a852d4c7307e36990
Instruction ID: 19936654cad605d90534a0e9c39f071969780e3076097a237c3e36f2ed90725c
Opcode Fuzzy Hash: 4684e22f791ce69839f562b923e995fff9986fe21dc9389a852d4c7307e36990
Instruction Fuzzy Hash: 9B414C72D0C6C68AE7B09B24E4943BEBBE4E786304F401136D299C6999EFBCD551CF01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE273DD95 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 94
COMMON

Download Yara Rule

C-Code - Quality: 24%

			E00007FFF7FFFE273DD95(signed int _a80, intOrPtr _a116, signed int _a1208, intOrPtr _a1216, signed int _a1408, signed int _a1412, signed short* _a1544, char _a1560) {
				void* _t113;
				char* _t133;

				if ((_a1208 & 0x0000ffff) != 0x2a) goto 0xe273ddc4;
				_t133 =  &_a1560;
				_a116 = E00007FFF7FFFE2731E40(_t133);
				if (_a116 >= 0) goto 0xe273ddc2;
				_a116 = 0xffffffff;
				goto 0xe273dddb;
				_a116 = _t113 + _t133 - 0x30;
				_a1408 = _a1208 & 0x0000ffff;
				if (_a1408 == 0x49) goto 0xe273de66;
				if (_a1408 == 0x68) goto 0xe273df6f;
				if (_a1408 == 0x6c) goto 0xe273de24;
				if (_a1408 == 0x77) goto 0xe273df7c;
				goto 0xe273df88;
				if (( *_a1544 & 0x0000ffff) != 0x6c) goto 0xe273de56;
				_a1544 =  &(_a1544[1]);
				asm("bts eax, 0xc");
				goto 0xe273de61;
				_a80 = _a80 | 0x00000010;
				goto 0xe273df88;
				asm("bts eax, 0xf");
				if (( *_a1544 & 0x0000ffff) != 0x36) goto 0xe273deb8;
				if ((_a1544[1] & 0x0000ffff) != 0x34) goto 0xe273deb8;
				_a1544 =  &(_a1544[2]);
				asm("bts eax, 0xf");
				goto 0xe273df6d;
				if (( *_a1544 & 0x0000ffff) != 0x33) goto 0xe273defb;
				if ((_a1544[1] & 0x0000ffff) != 0x32) goto 0xe273defb;
				_a1544 =  &(_a1544[2]);
				asm("btr eax, 0xf");
				goto 0xe273df6d;
				if (( *_a1544 & 0x0000ffff) == 0x64) goto 0xe273df5b;
				if (( *_a1544 & 0x0000ffff) == 0x69) goto 0xe273df5b;
				if (( *_a1544 & 0x0000ffff) == 0x6f) goto 0xe273df5b;
				if (( *_a1544 & 0x0000ffff) == 0x75) goto 0xe273df5b;
				if (( *_a1544 & 0x0000ffff) == 0x78) goto 0xe273df5b;
				if (( *_a1544 & 0x0000ffff) != 0x58) goto 0xe273df5d;
				goto 0xe273df6d;
				_a1216 = 0;
				goto E00007FFF7FFFE273DC41;
				goto 0xe273df88;
				_a80 = _a80 | 0x00000020;
				goto 0xe273df88;
				asm("bts eax, 0xb");
				_a1412 = _a1208 & 0x0000ffff;
				_a1412 = _a1412 - 0x41;
				if (_a1412 - 0x37 > 0) goto 0xe273ea2a;
				goto __rax;
			}

0x7fffe273dda0
0x7fffe273dda2
0x7fffe273ddaf
0x7fffe273ddb8
0x7fffe273ddba
0x7fffe273ddc2
0x7fffe273ddd7
0x7fffe273dde8
0x7fffe273ddf7
0x7fffe273de01
0x7fffe273de0f
0x7fffe273de19
0x7fffe273de1f
0x7fffe273de32
0x7fffe273de40
0x7fffe273de4c
0x7fffe273de54
0x7fffe273de5d
0x7fffe273de61
0x7fffe273de6a
0x7fffe273de80
0x7fffe273de91
0x7fffe273de9f
0x7fffe273deab
0x7fffe273deb3
0x7fffe273dec6
0x7fffe273ded7
0x7fffe273dee5
0x7fffe273def1
0x7fffe273def9
0x7fffe273df09
0x7fffe273df19
0x7fffe273df29
0x7fffe273df39
0x7fffe273df49
0x7fffe273df59
0x7fffe273df5b
0x7fffe273df5d
0x7fffe273df68
0x7fffe273df6d
0x7fffe273df76
0x7fffe273df7a
0x7fffe273df80
0x7fffe273df95
0x7fffe273dfa6
0x7fffe273dfb5
0x7fffe273dfdc

APIs

_invalid_parameter.LIBCMTD ref: 00007FFFE273DBE4
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE273DBF9
get_int_arg.LIBCMTD ref: 00007FFFE273DDAA

Strings

("Incorrect format specifier", 0), xrefs: 00007FFFE273DB7D, 00007FFFE273DBDD
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c, xrefs: 00007FFFE273DB92, 00007FFFE273DBCF
_woutput_s_l, xrefs: 00007FFFE273DBD6

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: Locale$UpdateUpdate::~__invalid_parameterget_int_arg
String ID: ("Incorrect format specifier", 0)$_woutput_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c
API String ID: 2576288505-734865713
Opcode ID: d152d77759d1a8b77c8e40c3a5b6b9e992a9212ee747c51bfdc081fcc3156ca6
Instruction ID: 852f3760e917882ba221d0aafec587933f04265cb9cff0a610a2e68ebd0d8c6c
Opcode Fuzzy Hash: d152d77759d1a8b77c8e40c3a5b6b9e992a9212ee747c51bfdc081fcc3156ca6
Instruction Fuzzy Hash: 66412CB2D0D6868AE7709B25E8803BB76E0FB86745F400136D689C7995EFBCD460CF16

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2726C32 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 83COMMON

Download Yara Rule

APIs

_swprintf_p.LIBCMTD ref: 00007FFFE2726DC2
_invoke_watson_if_oneof.LIBCMTD ref: 00007FFFE2726E0D

Strings

%.2X , xrefs: 00007FFFE2726DAD
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\dbgheap.c, xrefs: 00007FFFE2726DE1
(*_errno()), xrefs: 00007FFFE2726DF9
_printMemBlockData, xrefs: 00007FFFE2726DED

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: _invoke_watson_if_oneof_swprintf_p
String ID: %.2X $(*_errno())$_printMemBlockData$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\dbgheap.c
API String ID: 2731067127-3604075083
Opcode ID: fe7d44c8fd9bf19f096a73d3f0335bde0191fec95794c4c7e73345e4b193bd8e
Instruction ID: 7a1260502bfc9a0d76a0867b923cb386fc9025c327d81a374ffb064dbd8ea774
Opcode Fuzzy Hash: fe7d44c8fd9bf19f096a73d3f0335bde0191fec95794c4c7e73345e4b193bd8e
Instruction Fuzzy Hash: 434119B2E0D6C18AE7249B11E4907AAB7A1FBC6740F504136E68D87B89EF7CD454CF11

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2728670 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00007FFFE272867D
WideCharToMultiByte.KERNEL32 ref: 00007FFFE2728722
FreeEnvironmentStringsW.KERNEL32 ref: 00007FFFE2728764

Strings

f:\dd\vctools\crt_bld\self_64_amd64\crt\src\a_env.c, xrefs: 00007FFFE272873E

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide
String ID: f:\dd\vctools\crt_bld\self_64_amd64\crt\src\a_env.c
API String ID: 1823725401-2473407871
Opcode ID: 12bd68ef287a579055a6545109484f2ffc82b1f6f13cfb147b3cff23ff6676d3
Instruction ID: 38b1515921b4bf5abae006a82e11a76b3b0837f62e1b287472205ee78a072174
Opcode Fuzzy Hash: 12bd68ef287a579055a6545109484f2ffc82b1f6f13cfb147b3cff23ff6676d3
Instruction Fuzzy Hash: 7A41DB72A18B8986E7508B56F44432BB7E0F7C5794F100435EACD87B68EFBDD4648B11

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2734F20 Relevance: 9.1, APIs: 6, Instructions: 123
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 41%

			E00007FFF7FFFE2734F20(long long __rax, long long __rcx, long long __rdx, long long __r8, long long _a8, long long _a16, long long _a24, signed int _a32) {
				void* _v16;
				long long _v24;
				long long _v32;
				long long _v40;
				long long _v48;
				void* _v56;
				signed int _v72;
				long long _v80;
				signed int _v88;
				void* _t88;
				void* _t89;
				void* _t90;
				void* _t92;
				void* _t93;
				void* _t101;
				long long _t113;
				intOrPtr _t116;
				void* _t117;
				long long _t118;
				long long _t121;
				long long _t122;
				long long _t125;
				void* _t164;

				_t113 = __rax;
				_a32 = r9d;
				_a24 = __r8;
				_a16 = __rdx;
				_a8 = __rcx;
				_v88 = E00007FFF7FFFE2733B70(_a8, _a16, _a24);
				E00007FFF7FFFE272E680(_t79, _t113);
				_v80 = _t113;
				0xe2724000();
				_v56 = _t113 + 0x100;
				 *_v56 =  *_v56 + 1;
				if (_v88 == 0xffffffff) goto 0xe2735103;
				if (_v88 - _a32 <= 0) goto 0xe2735103;
				if (_v88 - 0xffffffff <= 0) goto 0xe2734fb9;
				_t116 = _a24;
				if (_v88 -  *((intOrPtr*)(_t116 + 4)) >= 0) goto 0xe2734fb9;
				goto 0xe2734fbe;
				E00007FFF7FFFE272E680(E00007FFF7FFFE272CF80(_t116), _t116);
				_t117 = _t116 +  *((intOrPtr*)(_a24 + 8));
				_v72 =  *((intOrPtr*)(_t117 + _v88 * 8));
				_t88 = E00007FFF7FFFE272E680( *((intOrPtr*)(_t117 + _v88 * 8)), _t117);
				_t118 = _t117 +  *((intOrPtr*)(_a24 + 8));
				if ( *((intOrPtr*)(_t118 + 4 + _v88 * 8)) == 0) goto 0xe2735038;
				_t89 = E00007FFF7FFFE272E680(_t88, _t118);
				_v48 = _t118;
				_t90 = E00007FFF7FFFE272E680(_t89, _t118);
				_t121 = _v48 +  *((intOrPtr*)(_t118 +  *((intOrPtr*)(_a24 + 8)) + 4 + _v88 * 8));
				_v40 = _t121;
				goto 0xe2735041;
				_v40 = 0;
				if (_v40 == 0) goto 0xe27350f4;
				r9d = _v72;
				_t92 = E00007FFF7FFFE272E680(E00007FFF7FFFE2733BD0(_t90, _a8, _a16, _a24), _t121);
				_t122 = _t121 +  *((intOrPtr*)(_a24 + 8));
				if ( *((intOrPtr*)(_t122 + 4 + _v88 * 8)) == 0) goto 0xe27350c9;
				_t93 = E00007FFF7FFFE272E680(_t92, _t122);
				_v32 = _t122;
				E00007FFF7FFFE272E680(_t93, _t122);
				_t125 = _v32 +  *((intOrPtr*)(_t122 +  *((intOrPtr*)(_a24 + 8)) + 4 + _v88 * 8));
				_v24 = _t125;
				goto 0xe27350d2;
				_v24 = 0;
				r8d = 0x103;
				E00007FFF7FFFE272E6C0(E00007FFF7FFFE273D7E0(_v24, _a8, _t164), _t125, _v80);
				goto 0xe27350f6;
				_v88 = _v72;
				goto 0xe2734f83;
				0xe2724000();
				if ( *((intOrPtr*)(_t125 + 0x100)) <= 0) goto 0xe2735131;
				0xe2724000();
				_v16 = _t125 + 0x100;
				 *_v16 =  *_v16 - 1;
				if (_v88 == 0xffffffff) goto 0xe273514a;
				if (_v88 - _a32 <= 0) goto 0xe273514a;
				_t101 = E00007FFF7FFFE272CF80(_v16);
				r9d = _v88;
				return E00007FFF7FFFE2733BD0(_t101, _a8, _a16, _a24);
			}

0x7fffe2734f20
0x7fffe2734f20
0x7fffe2734f25
0x7fffe2734f2a
0x7fffe2734f2f
0x7fffe2734f55
0x7fffe2734f59
0x7fffe2734f5e
0x7fffe2734f63
0x7fffe2734f6e
0x7fffe2734f81
0x7fffe2734f88
0x7fffe2734f99
0x7fffe2734fa4
0x7fffe2734fa6
0x7fffe2734fb5
0x7fffe2734fb7
0x7fffe2734fbe
0x7fffe2734fcf
0x7fffe2734fda
0x7fffe2734fde
0x7fffe2734fef
0x7fffe2734ffc
0x7fffe2734ffe
0x7fffe2735003
0x7fffe2735008
0x7fffe273502e
0x7fffe2735031
0x7fffe2735036
0x7fffe2735038
0x7fffe2735047
0x7fffe273504d
0x7fffe273506f
0x7fffe2735080
0x7fffe273508d
0x7fffe273508f
0x7fffe2735094
0x7fffe2735099
0x7fffe27350bf
0x7fffe27350c2
0x7fffe27350c7
0x7fffe27350c9
0x7fffe27350d2
0x7fffe27350ef
0x7fffe27350f4
0x7fffe27350fa
0x7fffe27350fe
0x7fffe2735103
0x7fffe273510f
0x7fffe2735111
0x7fffe273511c
0x7fffe273512f
0x7fffe2735136
0x7fffe2735143
0x7fffe2735145
0x7fffe273514a
0x7fffe2735170

APIs

__GetCurrentState.LIBCMTD ref: 00007FFFE2734F50

Part of subcall function 00007FFFE2733B70: __StateFromControlPc.LIBCMTD ref: 00007FFFE2733BA4

_inconsistency.LIBCMTD ref: 00007FFFE2734FB9
__SetState.LIBCMTD ref: 00007FFFE273506A
_SetImageBase.LIBCMTD ref: 00007FFFE27350EF
_inconsistency.LIBCMTD ref: 00007FFFE2735145
__SetState.LIBCMTD ref: 00007FFFE2735167

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: State$_inconsistency$BaseControlCurrentFromImage
String ID:
API String ID: 2452617236-0
Opcode ID: 03736bbfa20cfa1d6e80738f38b28c8345d2a0856ef117f7f635166efef2818c
Instruction ID: a005105dcc7d10a3bde109190b20d0eda5db1c942963d5ce95161f25613972aa
Opcode Fuzzy Hash: 03736bbfa20cfa1d6e80738f38b28c8345d2a0856ef117f7f635166efef2818c
Instruction Fuzzy Hash: 1261FD7290DA81C6DA70DB15E09136AB3A0FBC9789F104635EACDC3B5AEF7CE4518B41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2729F20 Relevance: 9.0, APIs: 6, Instructions: 46
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 27%

			E00007FFF7FFFE2729F20(intOrPtr __ecx, intOrPtr* __rax, intOrPtr _a8) {
				long long _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				int _v28;
				int _v32;
				char _v64;
				long long _v72;
				intOrPtr _t29;
				intOrPtr* _t41;

				_t41 = __rax;
				_a8 = __ecx;
				_v16 = 0xfffffffe;
				_v72 = 0;
				0xe27266b0();
				 *0xe274cd68 = 0;
				if (_a8 != 0xfffffffe) goto 0xe2729f81;
				 *0xe274cd68 = 1;
				_v32 = GetOEMCP();
				E00007FFF7FFFE2726800( &_v64);
				goto 0xe2729fe3;
				if (_a8 != 0xfffffffd) goto 0xe2729fae;
				 *0xe274cd68 = 1;
				_v28 = GetACP();
				E00007FFF7FFFE2726800( &_v64);
				_t29 = _v28;
				goto 0xe2729fe3;
				if (_a8 != 0xfffffffc) goto 0xe2729fe3;
				 *0xe274cd68 = 1;
				E00007FFF7FFFE2726840(_t29,  &_v64);
				_v24 =  *((intOrPtr*)( *_t41 + 4));
				E00007FFF7FFFE2726800( &_v64);
				goto 0xe2729ff9;
				_v20 = _a8;
				E00007FFF7FFFE2726800( &_v64);
				return _v20;
			}

0x7fffe2729f20
0x7fffe2729f20
0x7fffe2729f28
0x7fffe2729f31
0x7fffe2729f44
0x7fffe2729f4a
0x7fffe2729f59
0x7fffe2729f5b
0x7fffe2729f6b
0x7fffe2729f74
0x7fffe2729f7f
0x7fffe2729f86
0x7fffe2729f88
0x7fffe2729f98
0x7fffe2729fa1
0x7fffe2729fa6
0x7fffe2729fac
0x7fffe2729fb3
0x7fffe2729fb5
0x7fffe2729fc4
0x7fffe2729fcf
0x7fffe2729fd8
0x7fffe2729fe1
0x7fffe2729fe7
0x7fffe2729ff0
0x7fffe2729ffd

APIs

GetOEMCP.KERNEL32 ref: 00007FFFE2729F65
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE2729F74
GetACP.KERNEL32 ref: 00007FFFE2729F92
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE2729FA1

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: Locale$UpdateUpdate::~_
String ID:
API String ID: 1901436342-0
Opcode ID: 69024ba52bd34e7b32b0e788ec4f64afe9409c237456bc3d803b93947163d83b
Instruction ID: 474b72db6b87bec77d35374dbd5ae1d1a82c63cfa38ea927c7b35935514e4f5e
Opcode Fuzzy Hash: 69024ba52bd34e7b32b0e788ec4f64afe9409c237456bc3d803b93947163d83b
Instruction Fuzzy Hash: 0D21C673D0C641CAE720DB14E44526ABBE0FBC6364F600236E299826E9EBBCD955CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE273809F Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 115COMMON

Download Yara Rule

APIs

_invalid_parameter.LIBCMTD ref: 00007FFFE273829E

Strings

P, xrefs: 00007FFFE27382B7
_wcstombs_s_l, xrefs: 00007FFFE2738290
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\wcstombs.c, xrefs: 00007FFFE273824F, 00007FFFE2738289
sizeInBytes > retsize, xrefs: 00007FFFE273823A, 00007FFFE2738297

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: _invalid_parameter
String ID: P$_wcstombs_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\wcstombs.c$sizeInBytes > retsize
API String ID: 2123368286-552404435
Opcode ID: f12e70934a7f8eca6376172156a370be3a7c923ed3c4affde7108b6e7297d87f
Instruction ID: 8ae696edf5a5085954259e6b03f7561cbad421f7f243b774f1945459d649d46b
Opcode Fuzzy Hash: f12e70934a7f8eca6376172156a370be3a7c923ed3c4affde7108b6e7297d87f
Instruction Fuzzy Hash: A551DC22D0DBC986E6709B14E44436A73E0FB86764F500735D6AD83BD8EFBDD8658B02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE273BCBD Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 28%

			E00007FFF7FFFE273BCBD(intOrPtr _a76, signed int _a80, signed int _a88, signed int _a92, signed int _a108, signed int _a112, intOrPtr _a116, signed int _a696, intOrPtr _a704, char _a968, char _a972, signed int _a976, void* _a1096, char _a1112) {
				void* _t184;
				char* _t204;
				char* _t205;

				_a112 = 0;
				_a108 = _a112;
				_a88 = _a108;
				_a92 = _a88;
				_a80 = 0;
				_a116 = 0xffffffff;
				_a76 = 0;
				_a968 = _a696 & 0x000000ff;
				if (_a968 == 0x20) goto 0xe273bd57;
				if (_a968 == 0x23) goto 0xe273bd64;
				if (_a968 == 0x2b) goto 0xe273bd4a;
				if (_a968 == 0x2d) goto 0xe273bd3d;
				if (_a968 == 0x30) goto 0xe273bd72;
				goto 0xe273bd7d;
				_a80 = _a80 | 0x00000004;
				goto 0xe273bd7d;
				_a80 = _a80 | 0x00000001;
				goto 0xe273bd7d;
				_a80 = _a80 | 0x00000002;
				goto 0xe273bd7d;
				asm("bts eax, 0x7");
				goto 0xe273bd7d;
				_a80 = _a80 | 0x00000008;
				if (_a696 != 0x2a) goto 0xe273bdbe;
				_t204 =  &_a1112;
				_a88 = E00007FFF7FFFE2731E40(_t204);
				if (_a88 >= 0) goto 0xe273bdbc;
				_a80 = _a80 | 0x00000004;
				_a88 =  ~_a88;
				goto 0xe273bdd5;
				_a88 = _t184 + _t204 - 0x30;
				_a116 = 0;
				if (_a696 != 0x2a) goto 0xe273be16;
				_t205 =  &_a1112;
				_a116 = E00007FFF7FFFE2731E40(_t205);
				if (_a116 >= 0) goto 0xe273be14;
				_a116 = 0xffffffff;
				goto 0xe273be2d;
				_a116 = _t184 + _t205 - 0x30;
				_a972 = _a696 & 0x000000ff;
				if (_a972 == 0x49) goto 0xe273beb7;
				if (_a972 == 0x68) goto 0xe273bfc0;
				if (_a972 == 0x6c) goto 0xe273be76;
				if (_a972 == 0x77) goto 0xe273bfcd;
				goto 0xe273bfd9;
				if ( *_a1096 != 0x6c) goto 0xe273bea7;
				_a1096 = _a1096 + 1;
				asm("bts eax, 0xc");
				goto 0xe273beb2;
				_a80 = _a80 | 0x00000010;
				goto 0xe273bfd9;
				asm("bts eax, 0xf");
				if ( *_a1096 != 0x36) goto 0xe273bf09;
				if ( *((char*)(_a1096 + 1)) != 0x34) goto 0xe273bf09;
				_a1096 = _a1096 + 2;
				asm("bts eax, 0xf");
				goto 0xe273bfbe;
				if ( *_a1096 != 0x33) goto 0xe273bf4c;
				if ( *((char*)(_a1096 + 1)) != 0x32) goto 0xe273bf4c;
				_a1096 = _a1096 + 2;
				asm("btr eax, 0xf");
				goto 0xe273bfbe;
				if ( *_a1096 == 0x64) goto 0xe273bfac;
				if ( *_a1096 == 0x69) goto 0xe273bfac;
				if ( *_a1096 == 0x6f) goto 0xe273bfac;
				if ( *_a1096 == 0x75) goto 0xe273bfac;
				if ( *_a1096 == 0x78) goto 0xe273bfac;
				if ( *_a1096 != 0x58) goto 0xe273bfae;
				goto 0xe273bfbe;
				_a704 = 0;
				goto E00007FFF7FFFE273BB66;
				goto 0xe273bfd9;
				_a80 = _a80 | 0x00000020;
				goto 0xe273bfd9;
				asm("bts eax, 0xb");
				_a976 = _a696;
				_a976 = _a976 - 0x41;
				if (_a976 - 0x37 > 0) goto 0xe273ca31;
				goto __rax;
			}

0x7fffe273bcbd
0x7fffe273bcc9
0x7fffe273bcd1
0x7fffe273bcd9
0x7fffe273bcdd
0x7fffe273bce5
0x7fffe273bced
0x7fffe273bd02
0x7fffe273bd11
0x7fffe273bd1b
0x7fffe273bd25
0x7fffe273bd2f
0x7fffe273bd39
0x7fffe273bd3b
0x7fffe273bd44
0x7fffe273bd48
0x7fffe273bd51
0x7fffe273bd55
0x7fffe273bd5e
0x7fffe273bd62
0x7fffe273bd68
0x7fffe273bd70
0x7fffe273bd79
0x7fffe273bd8d
0x7fffe273bd8f
0x7fffe273bd9c
0x7fffe273bda5
0x7fffe273bdae
0x7fffe273bdb8
0x7fffe273bdbc
0x7fffe273bdd1
0x7fffe273bdda
0x7fffe273bdf2
0x7fffe273bdf4
0x7fffe273be01
0x7fffe273be0a
0x7fffe273be0c
0x7fffe273be14
0x7fffe273be29
0x7fffe273be3a
0x7fffe273be49
0x7fffe273be53
0x7fffe273be61
0x7fffe273be6b
0x7fffe273be71
0x7fffe273be84
0x7fffe273be91
0x7fffe273be9d
0x7fffe273bea5
0x7fffe273beae
0x7fffe273beb2
0x7fffe273bebb
0x7fffe273bed1
0x7fffe273bee2
0x7fffe273bef0
0x7fffe273befc
0x7fffe273bf04
0x7fffe273bf17
0x7fffe273bf28
0x7fffe273bf36
0x7fffe273bf42
0x7fffe273bf4a
0x7fffe273bf5a
0x7fffe273bf6a
0x7fffe273bf7a
0x7fffe273bf8a
0x7fffe273bf9a
0x7fffe273bfaa
0x7fffe273bfac
0x7fffe273bfae
0x7fffe273bfb9
0x7fffe273bfbe
0x7fffe273bfc7
0x7fffe273bfcb
0x7fffe273bfd1
0x7fffe273bfe6
0x7fffe273bff7
0x7fffe273c006
0x7fffe273c02d

APIs

_invalid_parameter.LIBCMTD ref: 00007FFFE273BB09
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE273BB1E
_invalid_parameter.LIBCMTD ref: 00007FFFE273CD3E
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE273CD53
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE273CD74

Strings

("Incorrect format specifier", 0), xrefs: 00007FFFE273BAA2, 00007FFFE273BB02
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c, xrefs: 00007FFFE273BAB7, 00007FFFE273BAF4
_output_s_l, xrefs: 00007FFFE273BAFB

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: Locale$UpdateUpdate::~_$_invalid_parameter
String ID: ("Incorrect format specifier", 0)$_output_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c
API String ID: 2192614184-192189897
Opcode ID: 838c9af7f6c21a6938ef5e99847a712facd56587850898e9071408f632ec2777
Instruction ID: f022ed9504e0a188ed483afbf8abac74a716b937fe1e46e24564ce0129eea755
Opcode Fuzzy Hash: 838c9af7f6c21a6938ef5e99847a712facd56587850898e9071408f632ec2777
Instruction Fuzzy Hash: E0410C72D0C6C68AE370DB24E4943AEBBE4E786314F401135D699C6A99EFBCD551CF01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE273DC6B Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 28%

			E00007FFF7FFFE273DC6B(intOrPtr _a76, signed int _a80, signed int _a88, signed int _a92, signed int _a108, signed int _a112, intOrPtr _a116, signed int _a1208, intOrPtr _a1216, signed int _a1404, signed int _a1408, signed int _a1412, signed short* _a1544, char _a1560) {
				void* _t184;
				char* _t204;
				char* _t205;

				_a112 = 0;
				_a108 = _a112;
				_a88 = _a108;
				_a92 = _a88;
				_a80 = 0;
				_a116 = 0xffffffff;
				_a76 = 0;
				_a1404 = _a1208 & 0x0000ffff;
				if (_a1404 == 0x20) goto 0xe273dd05;
				if (_a1404 == 0x23) goto 0xe273dd12;
				if (_a1404 == 0x2b) goto 0xe273dcf8;
				if (_a1404 == 0x2d) goto 0xe273dceb;
				if (_a1404 == 0x30) goto 0xe273dd20;
				goto 0xe273dd2b;
				_a80 = _a80 | 0x00000004;
				goto 0xe273dd2b;
				_a80 = _a80 | 0x00000001;
				goto 0xe273dd2b;
				_a80 = _a80 | 0x00000002;
				goto 0xe273dd2b;
				asm("bts eax, 0x7");
				goto 0xe273dd2b;
				_a80 = _a80 | 0x00000008;
				if ((_a1208 & 0x0000ffff) != 0x2a) goto 0xe273dd6c;
				_t204 =  &_a1560;
				_a88 = E00007FFF7FFFE2731E40(_t204);
				if (_a88 >= 0) goto 0xe273dd6a;
				_a80 = _a80 | 0x00000004;
				_a88 =  ~_a88;
				goto 0xe273dd83;
				_a88 = _t184 + _t204 - 0x30;
				_a116 = 0;
				if ((_a1208 & 0x0000ffff) != 0x2a) goto 0xe273ddc4;
				_t205 =  &_a1560;
				_a116 = E00007FFF7FFFE2731E40(_t205);
				if (_a116 >= 0) goto 0xe273ddc2;
				_a116 = 0xffffffff;
				goto 0xe273dddb;
				_a116 = _t184 + _t205 - 0x30;
				_a1408 = _a1208 & 0x0000ffff;
				if (_a1408 == 0x49) goto 0xe273de66;
				if (_a1408 == 0x68) goto 0xe273df6f;
				if (_a1408 == 0x6c) goto 0xe273de24;
				if (_a1408 == 0x77) goto 0xe273df7c;
				goto 0xe273df88;
				if (( *_a1544 & 0x0000ffff) != 0x6c) goto 0xe273de56;
				_a1544 =  &(_a1544[1]);
				asm("bts eax, 0xc");
				goto 0xe273de61;
				_a80 = _a80 | 0x00000010;
				goto 0xe273df88;
				asm("bts eax, 0xf");
				if (( *_a1544 & 0x0000ffff) != 0x36) goto 0xe273deb8;
				if ((_a1544[1] & 0x0000ffff) != 0x34) goto 0xe273deb8;
				_a1544 =  &(_a1544[2]);
				asm("bts eax, 0xf");
				goto 0xe273df6d;
				if (( *_a1544 & 0x0000ffff) != 0x33) goto 0xe273defb;
				if ((_a1544[1] & 0x0000ffff) != 0x32) goto 0xe273defb;
				_a1544 =  &(_a1544[2]);
				asm("btr eax, 0xf");
				goto 0xe273df6d;
				if (( *_a1544 & 0x0000ffff) == 0x64) goto 0xe273df5b;
				if (( *_a1544 & 0x0000ffff) == 0x69) goto 0xe273df5b;
				if (( *_a1544 & 0x0000ffff) == 0x6f) goto 0xe273df5b;
				if (( *_a1544 & 0x0000ffff) == 0x75) goto 0xe273df5b;
				if (( *_a1544 & 0x0000ffff) == 0x78) goto 0xe273df5b;
				if (( *_a1544 & 0x0000ffff) != 0x58) goto 0xe273df5d;
				goto 0xe273df6d;
				_a1216 = 0;
				goto E00007FFF7FFFE273DC41;
				goto 0xe273df88;
				_a80 = _a80 | 0x00000020;
				goto 0xe273df88;
				asm("bts eax, 0xb");
				_a1412 = _a1208 & 0x0000ffff;
				_a1412 = _a1412 - 0x41;
				if (_a1412 - 0x37 > 0) goto 0xe273ea2a;
				goto __rax;
			}

0x7fffe273dc6b
0x7fffe273dc77
0x7fffe273dc7f
0x7fffe273dc87
0x7fffe273dc8b
0x7fffe273dc93
0x7fffe273dc9b
0x7fffe273dcb0
0x7fffe273dcbf
0x7fffe273dcc9
0x7fffe273dcd3
0x7fffe273dcdd
0x7fffe273dce7
0x7fffe273dce9
0x7fffe273dcf2
0x7fffe273dcf6
0x7fffe273dcff
0x7fffe273dd03
0x7fffe273dd0c
0x7fffe273dd10
0x7fffe273dd16
0x7fffe273dd1e
0x7fffe273dd27
0x7fffe273dd3b
0x7fffe273dd3d
0x7fffe273dd4a
0x7fffe273dd53
0x7fffe273dd5c
0x7fffe273dd66
0x7fffe273dd6a
0x7fffe273dd7f
0x7fffe273dd88
0x7fffe273dda0
0x7fffe273dda2
0x7fffe273ddaf
0x7fffe273ddb8
0x7fffe273ddba
0x7fffe273ddc2
0x7fffe273ddd7
0x7fffe273dde8
0x7fffe273ddf7
0x7fffe273de01
0x7fffe273de0f
0x7fffe273de19
0x7fffe273de1f
0x7fffe273de32
0x7fffe273de40
0x7fffe273de4c
0x7fffe273de54
0x7fffe273de5d
0x7fffe273de61
0x7fffe273de6a
0x7fffe273de80
0x7fffe273de91
0x7fffe273de9f
0x7fffe273deab
0x7fffe273deb3
0x7fffe273dec6
0x7fffe273ded7
0x7fffe273dee5
0x7fffe273def1
0x7fffe273def9
0x7fffe273df09
0x7fffe273df19
0x7fffe273df29
0x7fffe273df39
0x7fffe273df49
0x7fffe273df59
0x7fffe273df5b
0x7fffe273df5d
0x7fffe273df68
0x7fffe273df6d
0x7fffe273df76
0x7fffe273df7a
0x7fffe273df80
0x7fffe273df95
0x7fffe273dfa6
0x7fffe273dfb5
0x7fffe273dfdc

APIs

_invalid_parameter.LIBCMTD ref: 00007FFFE273DBE4
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE273DBF9
_invalid_parameter.LIBCMTD ref: 00007FFFE273ED4C
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE273ED61
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE273ED82

Strings

("Incorrect format specifier", 0), xrefs: 00007FFFE273DB7D, 00007FFFE273DBDD
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c, xrefs: 00007FFFE273DB92, 00007FFFE273DBCF
_woutput_s_l, xrefs: 00007FFFE273DBD6

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: Locale$UpdateUpdate::~_$_invalid_parameter
String ID: ("Incorrect format specifier", 0)$_woutput_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c
API String ID: 2192614184-734865713
Opcode ID: d839b4f8492d9702b4695783724771f139c243a43186ab9091008b35e86c7283
Instruction ID: 14a27738a02292a70c530e7cfa422a310c363c05c11caf62eb4f9eab34697b6b
Opcode Fuzzy Hash: d839b4f8492d9702b4695783724771f139c243a43186ab9091008b35e86c7283
Instruction Fuzzy Hash: 63410CB2D0D6C58AE3709B24E8803ABB7E0FB86344F400135E699C7A99EBBCD450CF15

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE273DC41 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84
COMMON

Download Yara Rule

C-Code - Quality: 28%

			E00007FFF7FFFE273DC41(intOrPtr _a76, signed int _a80, signed int _a88, signed int _a92, signed int _a108, signed int _a112, intOrPtr _a116, char _a1200, signed int _a1208, intOrPtr _a1216, signed int _a1404, signed int _a1408, signed int _a1412, intOrPtr _a1536, signed short* _a1544, char _a1560) {
				void* _t190;
				char* _t210;
				char* _t211;

				_a76 = 1;
				E00007FFF7FFFE273EE40(_a1208 & 0x0000ffff, _a1536,  &_a1200);
				_a112 = 0;
				_a108 = _a112;
				_a88 = _a108;
				_a92 = _a88;
				_a80 = 0;
				_a116 = 0xffffffff;
				_a76 = 0;
				_a1404 = _a1208 & 0x0000ffff;
				if (_a1404 == 0x20) goto 0xe273dd05;
				if (_a1404 == 0x23) goto 0xe273dd12;
				if (_a1404 == 0x2b) goto 0xe273dcf8;
				if (_a1404 == 0x2d) goto 0xe273dceb;
				if (_a1404 == 0x30) goto 0xe273dd20;
				goto 0xe273dd2b;
				_a80 = _a80 | 0x00000004;
				goto 0xe273dd2b;
				_a80 = _a80 | 0x00000001;
				goto 0xe273dd2b;
				_a80 = _a80 | 0x00000002;
				goto 0xe273dd2b;
				asm("bts eax, 0x7");
				goto 0xe273dd2b;
				_a80 = _a80 | 0x00000008;
				if ((_a1208 & 0x0000ffff) != 0x2a) goto 0xe273dd6c;
				_t210 =  &_a1560;
				_a88 = E00007FFF7FFFE2731E40(_t210);
				if (_a88 >= 0) goto 0xe273dd6a;
				_a80 = _a80 | 0x00000004;
				_a88 =  ~_a88;
				goto 0xe273dd83;
				_a88 = _t190 + _t210 - 0x30;
				_a116 = 0;
				if ((_a1208 & 0x0000ffff) != 0x2a) goto 0xe273ddc4;
				_t211 =  &_a1560;
				_a116 = E00007FFF7FFFE2731E40(_t211);
				if (_a116 >= 0) goto 0xe273ddc2;
				_a116 = 0xffffffff;
				goto 0xe273dddb;
				_a116 = _t190 + _t211 - 0x30;
				_a1408 = _a1208 & 0x0000ffff;
				if (_a1408 == 0x49) goto 0xe273de66;
				if (_a1408 == 0x68) goto 0xe273df6f;
				if (_a1408 == 0x6c) goto 0xe273de24;
				if (_a1408 == 0x77) goto 0xe273df7c;
				goto 0xe273df88;
				if (( *_a1544 & 0x0000ffff) != 0x6c) goto 0xe273de56;
				_a1544 =  &(_a1544[1]);
				asm("bts eax, 0xc");
				goto 0xe273de61;
				_a80 = _a80 | 0x00000010;
				goto 0xe273df88;
				asm("bts eax, 0xf");
				if (( *_a1544 & 0x0000ffff) != 0x36) goto 0xe273deb8;
				if ((_a1544[1] & 0x0000ffff) != 0x34) goto 0xe273deb8;
				_a1544 =  &(_a1544[2]);
				asm("bts eax, 0xf");
				goto 0xe273df6d;
				if (( *_a1544 & 0x0000ffff) != 0x33) goto 0xe273defb;
				if ((_a1544[1] & 0x0000ffff) != 0x32) goto 0xe273defb;
				_a1544 =  &(_a1544[2]);
				asm("btr eax, 0xf");
				goto 0xe273df6d;
				if (( *_a1544 & 0x0000ffff) == 0x64) goto 0xe273df5b;
				if (( *_a1544 & 0x0000ffff) == 0x69) goto 0xe273df5b;
				if (( *_a1544 & 0x0000ffff) == 0x6f) goto 0xe273df5b;
				if (( *_a1544 & 0x0000ffff) == 0x75) goto 0xe273df5b;
				if (( *_a1544 & 0x0000ffff) == 0x78) goto 0xe273df5b;
				if (( *_a1544 & 0x0000ffff) != 0x58) goto 0xe273df5d;
				goto 0xe273df6d;
				_a1216 = 0;
				goto E00007FFF7FFFE273DC41;
				goto 0xe273df88;
				_a80 = _a80 | 0x00000020;
				goto 0xe273df88;
				asm("bts eax, 0xb");
				_a1412 = _a1208 & 0x0000ffff;
				_a1412 = _a1412 - 0x41;
				if (_a1412 - 0x37 > 0) goto 0xe273ea2a;
				goto __rax;
			}

0x7fffe273dc41
0x7fffe273dc61
0x7fffe273dc6b
0x7fffe273dc77
0x7fffe273dc7f
0x7fffe273dc87
0x7fffe273dc8b
0x7fffe273dc93
0x7fffe273dc9b
0x7fffe273dcb0
0x7fffe273dcbf
0x7fffe273dcc9
0x7fffe273dcd3
0x7fffe273dcdd
0x7fffe273dce7
0x7fffe273dce9
0x7fffe273dcf2
0x7fffe273dcf6
0x7fffe273dcff
0x7fffe273dd03
0x7fffe273dd0c
0x7fffe273dd10
0x7fffe273dd16
0x7fffe273dd1e
0x7fffe273dd27
0x7fffe273dd3b
0x7fffe273dd3d
0x7fffe273dd4a
0x7fffe273dd53
0x7fffe273dd5c
0x7fffe273dd66
0x7fffe273dd6a
0x7fffe273dd7f
0x7fffe273dd88
0x7fffe273dda0
0x7fffe273dda2
0x7fffe273ddaf
0x7fffe273ddb8
0x7fffe273ddba
0x7fffe273ddc2
0x7fffe273ddd7
0x7fffe273dde8
0x7fffe273ddf7
0x7fffe273de01
0x7fffe273de0f
0x7fffe273de19
0x7fffe273de1f
0x7fffe273de32
0x7fffe273de40
0x7fffe273de4c
0x7fffe273de54
0x7fffe273de5d
0x7fffe273de61
0x7fffe273de6a
0x7fffe273de80
0x7fffe273de91
0x7fffe273de9f
0x7fffe273deab
0x7fffe273deb3
0x7fffe273dec6
0x7fffe273ded7
0x7fffe273dee5
0x7fffe273def1
0x7fffe273def9
0x7fffe273df09
0x7fffe273df19
0x7fffe273df29
0x7fffe273df39
0x7fffe273df49
0x7fffe273df59
0x7fffe273df5b
0x7fffe273df5d
0x7fffe273df68
0x7fffe273df6d
0x7fffe273df76
0x7fffe273df7a
0x7fffe273df80
0x7fffe273df95
0x7fffe273dfa6
0x7fffe273dfb5
0x7fffe273dfdc

APIs

_invalid_parameter.LIBCMTD ref: 00007FFFE273DBE4
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE273DBF9
_invalid_parameter.LIBCMTD ref: 00007FFFE273ED4C
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE273ED61
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE273ED82

Strings

("Incorrect format specifier", 0), xrefs: 00007FFFE273DB7D, 00007FFFE273DBDD
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c, xrefs: 00007FFFE273DB92, 00007FFFE273DBCF
_woutput_s_l, xrefs: 00007FFFE273DBD6

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: Locale$UpdateUpdate::~_$_invalid_parameter
String ID: ("Incorrect format specifier", 0)$_woutput_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c
API String ID: 2192614184-734865713
Opcode ID: 00c8469e1271fc8907031e5201d4ef955f45b92ddfc689a069c686c98e5ea265
Instruction ID: 47abc8e5d92449823b43556608e464b208de64cf62c3b9ac5124ad5dd011904d
Opcode Fuzzy Hash: 00c8469e1271fc8907031e5201d4ef955f45b92ddfc689a069c686c98e5ea265
Instruction Fuzzy Hash: 4E4109B2D0D6C686E7B09B14E8803BB76E0FB86345F400136D689C6595EFBCD460CF16

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE273BDDA Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 80
COMMON

Download Yara Rule

C-Code - Quality: 24%

			E00007FFF7FFFE273BDDA(signed int _a80, intOrPtr _a116, signed int _a696, intOrPtr _a704, char _a972, signed int _a976, void* _a1096, char _a1112) {
				void* _t114;
				char* _t134;

				_a116 = 0;
				if (_a696 != 0x2a) goto 0xe273be16;
				_t134 =  &_a1112;
				_a116 = E00007FFF7FFFE2731E40(_t134);
				if (_a116 >= 0) goto 0xe273be14;
				_a116 = 0xffffffff;
				goto 0xe273be2d;
				_a116 = _t114 + _t134 - 0x30;
				_a972 = _a696 & 0x000000ff;
				if (_a972 == 0x49) goto 0xe273beb7;
				if (_a972 == 0x68) goto 0xe273bfc0;
				if (_a972 == 0x6c) goto 0xe273be76;
				if (_a972 == 0x77) goto 0xe273bfcd;
				goto 0xe273bfd9;
				if ( *_a1096 != 0x6c) goto 0xe273bea7;
				_a1096 = _a1096 + 1;
				asm("bts eax, 0xc");
				goto 0xe273beb2;
				_a80 = _a80 | 0x00000010;
				goto 0xe273bfd9;
				asm("bts eax, 0xf");
				if ( *_a1096 != 0x36) goto 0xe273bf09;
				if ( *((char*)(_a1096 + 1)) != 0x34) goto 0xe273bf09;
				_a1096 = _a1096 + 2;
				asm("bts eax, 0xf");
				goto 0xe273bfbe;
				if ( *_a1096 != 0x33) goto 0xe273bf4c;
				if ( *((char*)(_a1096 + 1)) != 0x32) goto 0xe273bf4c;
				_a1096 = _a1096 + 2;
				asm("btr eax, 0xf");
				goto 0xe273bfbe;
				if ( *_a1096 == 0x64) goto 0xe273bfac;
				if ( *_a1096 == 0x69) goto 0xe273bfac;
				if ( *_a1096 == 0x6f) goto 0xe273bfac;
				if ( *_a1096 == 0x75) goto 0xe273bfac;
				if ( *_a1096 == 0x78) goto 0xe273bfac;
				if ( *_a1096 != 0x58) goto 0xe273bfae;
				goto 0xe273bfbe;
				_a704 = 0;
				goto E00007FFF7FFFE273BB66;
				goto 0xe273bfd9;
				_a80 = _a80 | 0x00000020;
				goto 0xe273bfd9;
				asm("bts eax, 0xb");
				_a976 = _a696;
				_a976 = _a976 - 0x41;
				if (_a976 - 0x37 > 0) goto 0xe273ca31;
				goto __rax;
			}

0x7fffe273bdda
0x7fffe273bdf2
0x7fffe273bdf4
0x7fffe273be01
0x7fffe273be0a
0x7fffe273be0c
0x7fffe273be14
0x7fffe273be29
0x7fffe273be3a
0x7fffe273be49
0x7fffe273be53
0x7fffe273be61
0x7fffe273be6b
0x7fffe273be71
0x7fffe273be84
0x7fffe273be91
0x7fffe273be9d
0x7fffe273bea5
0x7fffe273beae
0x7fffe273beb2
0x7fffe273bebb
0x7fffe273bed1
0x7fffe273bee2
0x7fffe273bef0
0x7fffe273befc
0x7fffe273bf04
0x7fffe273bf17
0x7fffe273bf28
0x7fffe273bf36
0x7fffe273bf42
0x7fffe273bf4a
0x7fffe273bf5a
0x7fffe273bf6a
0x7fffe273bf7a
0x7fffe273bf8a
0x7fffe273bf9a
0x7fffe273bfaa
0x7fffe273bfac
0x7fffe273bfae
0x7fffe273bfb9
0x7fffe273bfbe
0x7fffe273bfc7
0x7fffe273bfcb
0x7fffe273bfd1
0x7fffe273bfe6
0x7fffe273bff7
0x7fffe273c006
0x7fffe273c02d

APIs

_invalid_parameter.LIBCMTD ref: 00007FFFE273BB09
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE273BB1E
_invalid_parameter.LIBCMTD ref: 00007FFFE273CD3E
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE273CD53
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE273CD74

Strings

("Incorrect format specifier", 0), xrefs: 00007FFFE273BAA2, 00007FFFE273BB02
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c, xrefs: 00007FFFE273BAB7, 00007FFFE273BAF4
_output_s_l, xrefs: 00007FFFE273BAFB

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: Locale$UpdateUpdate::~_$_invalid_parameter
String ID: ("Incorrect format specifier", 0)$_output_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c
API String ID: 2192614184-192189897
Opcode ID: 0dcb35cdac88f8f65d488c6c387acf7a3a87c9c5c0c9a15f6f87c725b9d0fc3a
Instruction ID: c83eb548786b5c3de6c0bb0dcab28934ca40f90b8ba946ef926c8c6011fbfcc3
Opcode Fuzzy Hash: 0dcb35cdac88f8f65d488c6c387acf7a3a87c9c5c0c9a15f6f87c725b9d0fc3a
Instruction Fuzzy Hash: C8414C62D0C6C686E3B09B24E4943BEBBE4EB86304F401136D689C6999EFBCD150CF02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE273DD88 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 80
COMMON

Download Yara Rule

C-Code - Quality: 24%

			E00007FFF7FFFE273DD88(signed int _a80, intOrPtr _a116, signed int _a1208, intOrPtr _a1216, signed int _a1408, signed int _a1412, signed short* _a1544, char _a1560) {
				void* _t114;
				char* _t134;

				_a116 = 0;
				if ((_a1208 & 0x0000ffff) != 0x2a) goto 0xe273ddc4;
				_t134 =  &_a1560;
				_a116 = E00007FFF7FFFE2731E40(_t134);
				if (_a116 >= 0) goto 0xe273ddc2;
				_a116 = 0xffffffff;
				goto 0xe273dddb;
				_a116 = _t114 + _t134 - 0x30;
				_a1408 = _a1208 & 0x0000ffff;
				if (_a1408 == 0x49) goto 0xe273de66;
				if (_a1408 == 0x68) goto 0xe273df6f;
				if (_a1408 == 0x6c) goto 0xe273de24;
				if (_a1408 == 0x77) goto 0xe273df7c;
				goto 0xe273df88;
				if (( *_a1544 & 0x0000ffff) != 0x6c) goto 0xe273de56;
				_a1544 =  &(_a1544[1]);
				asm("bts eax, 0xc");
				goto 0xe273de61;
				_a80 = _a80 | 0x00000010;
				goto 0xe273df88;
				asm("bts eax, 0xf");
				if (( *_a1544 & 0x0000ffff) != 0x36) goto 0xe273deb8;
				if ((_a1544[1] & 0x0000ffff) != 0x34) goto 0xe273deb8;
				_a1544 =  &(_a1544[2]);
				asm("bts eax, 0xf");
				goto 0xe273df6d;
				if (( *_a1544 & 0x0000ffff) != 0x33) goto 0xe273defb;
				if ((_a1544[1] & 0x0000ffff) != 0x32) goto 0xe273defb;
				_a1544 =  &(_a1544[2]);
				asm("btr eax, 0xf");
				goto 0xe273df6d;
				if (( *_a1544 & 0x0000ffff) == 0x64) goto 0xe273df5b;
				if (( *_a1544 & 0x0000ffff) == 0x69) goto 0xe273df5b;
				if (( *_a1544 & 0x0000ffff) == 0x6f) goto 0xe273df5b;
				if (( *_a1544 & 0x0000ffff) == 0x75) goto 0xe273df5b;
				if (( *_a1544 & 0x0000ffff) == 0x78) goto 0xe273df5b;
				if (( *_a1544 & 0x0000ffff) != 0x58) goto 0xe273df5d;
				goto 0xe273df6d;
				_a1216 = 0;
				goto E00007FFF7FFFE273DC41;
				goto 0xe273df88;
				_a80 = _a80 | 0x00000020;
				goto 0xe273df88;
				asm("bts eax, 0xb");
				_a1412 = _a1208 & 0x0000ffff;
				_a1412 = _a1412 - 0x41;
				if (_a1412 - 0x37 > 0) goto 0xe273ea2a;
				goto __rax;
			}

0x7fffe273dd88
0x7fffe273dda0
0x7fffe273dda2
0x7fffe273ddaf
0x7fffe273ddb8
0x7fffe273ddba
0x7fffe273ddc2
0x7fffe273ddd7
0x7fffe273dde8
0x7fffe273ddf7
0x7fffe273de01
0x7fffe273de0f
0x7fffe273de19
0x7fffe273de1f
0x7fffe273de32
0x7fffe273de40
0x7fffe273de4c
0x7fffe273de54
0x7fffe273de5d
0x7fffe273de61
0x7fffe273de6a
0x7fffe273de80
0x7fffe273de91
0x7fffe273de9f
0x7fffe273deab
0x7fffe273deb3
0x7fffe273dec6
0x7fffe273ded7
0x7fffe273dee5
0x7fffe273def1
0x7fffe273def9
0x7fffe273df09
0x7fffe273df19
0x7fffe273df29
0x7fffe273df39
0x7fffe273df49
0x7fffe273df59
0x7fffe273df5b
0x7fffe273df5d
0x7fffe273df68
0x7fffe273df6d
0x7fffe273df76
0x7fffe273df7a
0x7fffe273df80
0x7fffe273df95
0x7fffe273dfa6
0x7fffe273dfb5
0x7fffe273dfdc

APIs

_invalid_parameter.LIBCMTD ref: 00007FFFE273DBE4
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE273DBF9
_invalid_parameter.LIBCMTD ref: 00007FFFE273ED4C
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE273ED61
_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE273ED82

Strings

("Incorrect format specifier", 0), xrefs: 00007FFFE273DB7D, 00007FFFE273DBDD
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c, xrefs: 00007FFFE273DB92, 00007FFFE273DBCF
_woutput_s_l, xrefs: 00007FFFE273DBD6

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: Locale$UpdateUpdate::~_$_invalid_parameter
String ID: ("Incorrect format specifier", 0)$_woutput_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\output.c
API String ID: 2192614184-734865713
Opcode ID: c688226ec199b2b9f0c59a43de4c80c1eb2ed98f75eb3809899ea6a1a3543fc2
Instruction ID: 29a05f28b2fab60a7790f1b628576a49194bd4a5abacaa1f8556d5bb6860585e
Opcode Fuzzy Hash: c688226ec199b2b9f0c59a43de4c80c1eb2ed98f75eb3809899ea6a1a3543fc2
Instruction Fuzzy Hash: A941F9B2D0D6C686E7709B24E8803BB76E4FB86345F400136D689C6595EFBCD460DF16

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2739520 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFFE273F900: __doserrno.LIBCMTD ref: 00007FFFE273F913

SetFilePointer.KERNEL32 ref: 00007FFFE27395B0
GetLastError.KERNEL32 ref: 00007FFFE27395C1
_dosmaperr.LIBCMTD ref: 00007FFFE27395D6

Strings

("Invalid file descriptor. File possibly closed by a different thread",0), xrefs: 00007FFFE2739563
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\lseeki64.c, xrefs: 00007FFFE2739578

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: ErrorFileLastPointer__doserrno_dosmaperr
String ID: ("Invalid file descriptor. File possibly closed by a different thread",0)$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\lseeki64.c
API String ID: 275287319-2412454244
Opcode ID: 9dbe059b54c234531181e61fbc079bb475f6c20a5a1a356ebb7b18ccdd590da7
Instruction ID: 94383c13fb24d846c53fa1f09fbbb66bf7e1a4b8614f1899384baf7d42e48c93
Opcode Fuzzy Hash: 9dbe059b54c234531181e61fbc079bb475f6c20a5a1a356ebb7b18ccdd590da7
Instruction Fuzzy Hash: B3318572D18B85C6D7108B14E48026AB7A1FB867A0F504335E6BE87AE9EF7CD461CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2726210 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter.LIBCMTD ref: 00007FFFE27262BE
_unlock.LIBCMTD ref: 00007FFFE2726329

Strings

f:\dd\vctools\crt_bld\self_64_amd64\crt\src\dbgheap.c, xrefs: 00007FFFE272626F, 00007FFFE27262A9
(fNewBits==_CRTDBG_REPORT_FLAG) || ((fNewBits & 0x0ffff & ~(_CRTDBG_ALLOC_MEM_DF | _CRTDBG_DELAY_FREE_MEM_DF | _CRTDBG_CHECK_ALWAY, xrefs: 00007FFFE272625A, 00007FFFE27262B7
_CrtSetDbgFlag, xrefs: 00007FFFE27262B0

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: _invalid_parameter_unlock
String ID: (fNewBits==_CRTDBG_REPORT_FLAG) || ((fNewBits & 0x0ffff & ~(_CRTDBG_ALLOC_MEM_DF | _CRTDBG_DELAY_FREE_MEM_DF | _CRTDBG_CHECK_ALWAY$_CrtSetDbgFlag$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\dbgheap.c
API String ID: 2816345473-1282596470
Opcode ID: db3a677d4455786e2b88604055b88d75c0eb5ecf603a90f053d8ba1f75c85f5c
Instruction ID: 25d160139f1c2ec86795746c9b9eb68e25cd5aa5c7ad06d1070fa8a0700b8447
Opcode Fuzzy Hash: db3a677d4455786e2b88604055b88d75c0eb5ecf603a90f053d8ba1f75c85f5c
Instruction Fuzzy Hash: 53312DB2D1C2428BE3509B14E94576A77E0FB82350F102135E65EC76E5EBFCE8688F02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2735393 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

__RethrowException.LIBCMTD ref: 00007FFFE27353C5

Part of subcall function 00007FFFE27354A0: RaiseException.KERNEL32 ref: 00007FFFE27354CD

__RethrowException.LIBCMTD ref: 00007FFFE27353D1
_FindAndUnlinkFrame.LIBCMTD ref: 00007FFFE27353DC
_IsExceptionObjectToBeDestroyed.LIBCMTD ref: 00007FFFE2735433

Strings

csm, xrefs: 00007FFFE27353ED

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: Exception$Rethrow$DestroyedFindFrameObjectRaiseUnlink
String ID: csm
API String ID: 933340387-1018135373
Opcode ID: 185150422f69e9325bbbdd07ff6b0460cc0f5d94f5833ed3dae1d6afaaf19a73
Instruction ID: c0f1437f15455af6d6959110444b56a314daa6014cda728d19a7bbf2ba801f91
Opcode Fuzzy Hash: 185150422f69e9325bbbdd07ff6b0460cc0f5d94f5833ed3dae1d6afaaf19a73
Instruction Fuzzy Hash: 3F214C72D1864182DA609B15E09036D67E0FBC6B61F501132EB8E877A5DFBDD451CB02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2740070 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 55COMMONLIBRARYCODE

Download Yara Rule

APIs

_free_nolock.LIBCMTD ref: 00007FFFE27400EA
_free_nolock.LIBCMTD ref: 00007FFFE2740143
_unlock.LIBCMTD ref: 00007FFFE274015A

Strings

f:\dd\vctools\crt_bld\self_64_amd64\crt\prebuild\eh\typname.cpp, xrefs: 00007FFFE274011C
pNode->_Next != NULL, xrefs: 00007FFFE2740107

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: _free_nolock$_unlock
String ID: f:\dd\vctools\crt_bld\self_64_amd64\crt\prebuild\eh\typname.cpp$pNode->_Next != NULL
API String ID: 2500497606-1087415141
Opcode ID: e5522c6252449cb40e85df54e6268dac1ebec28ce271d6c329a952fe203911e4
Instruction ID: 1305d00644fbeb8634612f7e1324015e0d0b962b945803b60f1165a710cd45bc
Opcode Fuzzy Hash: e5522c6252449cb40e85df54e6268dac1ebec28ce271d6c329a952fe203911e4
Instruction Fuzzy Hash: 82213D36A29B8581E7449B05E49032EA3E4F7C5B80F505435FA8E837A5EFFCD860C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2739694 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37COMMON

Download Yara Rule

APIs

__doserrno.LIBCMTD ref: 00007FFFE27396F6
_invalid_parameter.LIBCMTD ref: 00007FFFE2739730

Strings

_write, xrefs: 00007FFFE2739722
(fh >= 0 && (unsigned)fh < (unsigned)_nhandle), xrefs: 00007FFFE27396C1, 00007FFFE2739729
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\write.c, xrefs: 00007FFFE27396D6, 00007FFFE273971B

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: __doserrno_invalid_parameter
String ID: (fh >= 0 && (unsigned)fh < (unsigned)_nhandle)$_write$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\write.c
API String ID: 4140903211-23161695
Opcode ID: 943f3f5a8649ad99659fc24fe5f00fa9245fa7ab2d20795fce64249369f79773
Instruction ID: d134b0be82b5475c35f6b011ffc403b543d79ba5b8b756683ef9e13dd4f927b1
Opcode Fuzzy Hash: 943f3f5a8649ad99659fc24fe5f00fa9245fa7ab2d20795fce64249369f79773
Instruction Fuzzy Hash: 56117071D2D24ACAF750AB10E98036972E1FB82344F402135E14D866D4FFFCE924CB02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2739939 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 36COMMON

Download Yara Rule

APIs

__doserrno.LIBCMTD ref: 00007FFFE2739998
_invalid_parameter.LIBCMTD ref: 00007FFFE27399D2

Strings

_write_nolock, xrefs: 00007FFFE27399C4
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\write.c, xrefs: 00007FFFE2739978, 00007FFFE27399BD
(buf != NULL), xrefs: 00007FFFE2739963, 00007FFFE27399CB

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: __doserrno_invalid_parameter
String ID: (buf != NULL)$_write_nolock$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\write.c
API String ID: 4140903211-3042049227
Opcode ID: b18c78e6a001b3924330ee466a7aa5e58f01f9920a26db0e17f8c8ea79e16f29
Instruction ID: b8fb062b45b49e8b78c3492d87993195086571f5997ffcf7679622ee738b4de7
Opcode Fuzzy Hash: b18c78e6a001b3924330ee466a7aa5e58f01f9920a26db0e17f8c8ea79e16f29
Instruction Fuzzy Hash: 61115B72E0C64ADAF7209B21E8513AA73D4FF82354F804136D58C866D5EFBCE564CB02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE273976D Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33COMMON

Download Yara Rule

APIs

__doserrno.LIBCMTD ref: 00007FFFE27397C3
_invalid_parameter.LIBCMTD ref: 00007FFFE27397FD

Strings

(_osfile(fh) & FOPEN), xrefs: 00007FFFE273978E, 00007FFFE27397F6
_write, xrefs: 00007FFFE27397EF
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\write.c, xrefs: 00007FFFE27397A3, 00007FFFE27397E8

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: __doserrno_invalid_parameter
String ID: (_osfile(fh) & FOPEN)$_write$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\write.c
API String ID: 4140903211-1338331675
Opcode ID: f80fd563d90780f0aa1c670857feec0e10d9ec583905498dafbcab80ebad431c
Instruction ID: c528c88619192ff649363005318e3b0ff45cf8dfc614a25e4751f2ed4ef1bc1b
Opcode Fuzzy Hash: f80fd563d90780f0aa1c670857feec0e10d9ec583905498dafbcab80ebad431c
Instruction Fuzzy Hash: E8015E71D1C64AC6F710AF20E8813A936E0FB92354F901235E24D876E5EFBCE964CB02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2739A9B Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 17COMMON

Download Yara Rule

APIs

__doserrno.LIBCMTD ref: 00007FFFE2739A9B
_invalid_parameter.LIBCMTD ref: 00007FFFE2739AD5

Part of subcall function 00007FFFE272BD70: DecodePointer.KERNEL32 ref: 00007FFFE272BD99

Strings

_write_nolock, xrefs: 00007FFFE2739AC7
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\write.c, xrefs: 00007FFFE2739AC0
((cnt & 1) == 0), xrefs: 00007FFFE2739ACE

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: DecodePointer__doserrno_invalid_parameter
String ID: ((cnt & 1) == 0)$_write_nolock$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\write.c
API String ID: 1098298932-1795423647
Opcode ID: 76c1c365018f90ed7cb3e44e1db6073c5157a9fa4c515fc26b073f11152878b0
Instruction ID: ee83e05a3c356c6e6b3c468941ab37fafd0fb465b8450bba9e7538be9b5d1c2e
Opcode Fuzzy Hash: 76c1c365018f90ed7cb3e44e1db6073c5157a9fa4c515fc26b073f11152878b0
Instruction Fuzzy Hash: 35E0EDA2D0C94A95F750AF11EC123EA2790BF92748FC04236D19D8B2D2FFBCA525D752

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE273FF00 Relevance: 7.6, APIs: 5, Instructions: 79
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 20%

			E00007FFF7FFFE273FF00(intOrPtr __ecx, intOrPtr _a8) {
				signed int _v16;
				signed int _v20;
				signed int _v24;

				_a8 = __ecx;
				_v24 = 0;
				_v16 = 0;
				0xe2729300();
				_v20 = 0;
				_v20 = _v20 + 1;
				if (_v20 -  *0xe274e520 >= 0) goto 0xe2740042;
				if ( *((long long*)( *0xe274d500 + _v20 * 8)) == 0) goto 0xe274003d;
				if (( *( *((intOrPtr*)( *0xe274d500 + _v20 * 8)) + 0x18) & 0x00000083) == 0) goto 0xe274003d;
				E00007FFF7FFFE273AE90(_v20,  *((intOrPtr*)( *0xe274d500 + _v20 * 8)));
				if (( *( *((intOrPtr*)( *0xe274d500 + _v20 * 8)) + 0x18) & 0x00000083) == 0) goto 0xe2740024;
				if (_a8 != 1) goto 0xe273ffe1;
				if (E00007FFF7FFFE273FD70( *((intOrPtr*)( *0xe274d500 + _v20 * 8))) == 0xffffffff) goto 0xe273ffdf;
				_v24 = _v24 + 1;
				goto 0xe2740024;
				if (_a8 != 0) goto 0xe2740024;
				if (( *( *((intOrPtr*)( *0xe274d500 + _v20 * 8)) + 0x18) & 0x00000002) == 0) goto 0xe2740024;
				if (E00007FFF7FFFE273FD70( *((intOrPtr*)( *0xe274d500 + _v20 * 8))) != 0xffffffff) goto 0xe2740024;
				_v16 = 0xffffffff;
				E00007FFF7FFFE273AF60(_v20,  *((intOrPtr*)( *0xe274d500 + _v20 * 8)));
				goto L1;
				__ecx = 1;
				__eax = E00007FFF7FFFE2729360(__eax, 1);
				if (_a8 != 1) goto 0xe274005b;
				__eax = _v24;
				goto 0xe274005f;
				__eax = _v16;
				return _v16;
			}

0x7fffe273ff00
0x7fffe273ff08
0x7fffe273ff10
0x7fffe273ff1d
0x7fffe273ff23
0x7fffe273ff33
0x7fffe273ff41
0x7fffe273ff58
0x7fffe273ff78
0x7fffe273ff92
0x7fffe273ffb2
0x7fffe273ffb9
0x7fffe273ffd3
0x7fffe273ffdb
0x7fffe273ffdf
0x7fffe273ffe6
0x7fffe2740000
0x7fffe274001a
0x7fffe274001c
0x7fffe2740038
0x7fffe274003d
0x7fffe2740042
0x7fffe2740047
0x7fffe2740051
0x7fffe2740053
0x7fffe2740059
0x7fffe274005b
0x7fffe2740063

APIs

_lock_file2.LIBCMTD ref: 00007FFFE273FF92
_fflush_nolock.LIBCMTD ref: 00007FFFE273FFCB
_fflush_nolock.LIBCMTD ref: 00007FFFE2740012
_unlock_file2.LIBCMTD ref: 00007FFFE2740038
_unlock.LIBCMTD ref: 00007FFFE2740047

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: _fflush_nolock$_lock_file2_unlock_unlock_file2
String ID:
API String ID: 1144694634-0
Opcode ID: 9c48fc7a63950d59b547df98b2f037ee7aefe6eda58a35de18d9feeb54d081ae
Instruction ID: 98e5cb562656b8c8ac937230fe99c8317e44e819c1de2cad4806c824840e3802
Opcode Fuzzy Hash: 9c48fc7a63950d59b547df98b2f037ee7aefe6eda58a35de18d9feeb54d081ae
Instruction Fuzzy Hash: 1541A036E08501C6D634DB19D59133973E0FB8AB58F100235EA5DC77A5EFBDE961CA02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2733CC0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 186
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 27%

			E00007FFF7FFFE2733CC0(void* __edx, void* __rax, long long __rcx, long long __rdx, long long __r8, long long __r9, void* _a8, long long _a16, long long _a24, long long _a32, signed int* _a40, char _a48, signed int _a56, signed int _a64) {
				long long _v16;
				long long _v24;
				intOrPtr _v32;
				long long _v40;
				long long _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				signed int _v64;
				long long _v72;
				char _v80;
				long long _v88;
				void* _t135;
				void* _t145;
				void* _t147;
				void* _t148;
				void* _t149;
				signed int* _t200;
				intOrPtr _t206;

				_a32 = __r9;
				_a24 = __r8;
				_a16 = __rdx;
				_a8 = __rcx;
				0xe2724000();
				if ( *((intOrPtr*)(__rax + 0x2c0)) != 0) goto 0xe2733d6c;
				if ( *_a8 == 0xe06d7363) goto 0xe2733d6c;
				if ( *_a8 != 0x80000029) goto 0xe2733d2a;
				if ( *((intOrPtr*)(_a8 + 0x18)) != 0xf) goto 0xe2733d2a;
				if ( *((long long*)(_a8 + 0x60)) == 0x19930520) goto 0xe2733d6c;
				if ( *_a8 == 0x80000026) goto 0xe2733d6c;
				if (( *_a40 & 0x1fffffff) - 0x19930522 < 0) goto 0xe2733d6c;
				if ((_a40[9] & 0x00000001) == 0) goto 0xe2733d6c;
				goto 0xe273409c;
				if (( *(_a8 + 4) & 0x00000066) == 0) goto 0xe2733ef3;
				if (_a40[1] == 0) goto 0xe2733ee4;
				if (_a48 != 0) goto 0xe2733ee4;
				if (( *(_a8 + 4) & 0x00000020) == 0) goto 0xe2733e40;
				if ( *_a8 != 0x80000026) goto 0xe2733e40;
				_v56 = E00007FFF7FFFE2733A60(_a24, _a40, _a32,  *((intOrPtr*)(_a24 + 0xf8)));
				if (_v56 - 0xffffffff < 0) goto 0xe2733e0a;
				if (_v56 - _a40[1] >= 0) goto 0xe2733e0a;
				goto 0xe2733e0f;
				E00007FFF7FFFE272CF80(_a40);
				r9d = _v56;
				E00007FFF7FFFE2734F20(_a40, _a16, _a32, _a40);
				goto 0xe2733ec7;
				if (( *(_a8 + 4) & 0x00000020) == 0) goto 0xe2733ec7;
				if ( *_a8 != 0x80000029) goto 0xe2733ec7;
				_v48 = _a8;
				_v52 =  *((intOrPtr*)(_v48 + 0x38));
				if (_v52 - 0xffffffff < 0) goto 0xe2733e95;
				if (_v52 - _a40[1] >= 0) goto 0xe2733e95;
				goto 0xe2733e9a;
				E00007FFF7FFFE272CF80(_a40);
				r9d = _v52;
				E00007FFF7FFFE2734F20(_v48,  *((intOrPtr*)(_v48 + 0x28)), _a32, _a40);
				goto 0xe273409c;
				E00007FFF7FFFE272E790(_v52 - _a40[1], _v48, _a16, _a32, _a40);
				goto 0xe2734097;
				if (_a40[3] != 0) goto 0xe2733f59;
				if (( *_a40 & 0x1fffffff) - 0x19930521 < 0) goto 0xe2734097;
				_t200 = _a40;
				if ( *((intOrPtr*)(_t200 + 0x20)) == 0) goto 0xe2733f44;
				_t135 = E00007FFF7FFFE272E680( *_a40 & 0x1fffffff, _t200);
				_v24 = _t200 + _a40[8];
				goto 0xe2733f4d;
				_v24 = 0;
				if (_v24 == 0) goto 0xe2734097;
				if ( *_a8 != 0xe06d7363) goto 0xe2734041;
				if ( *((intOrPtr*)(_a8 + 0x18)) - 3 < 0) goto 0xe2734041;
				if ( *((intOrPtr*)(_a8 + 0x20)) - 0x19930522 <= 0) goto 0xe2734041;
				_t206 =  *((intOrPtr*)(_a8 + 0x30));
				if ( *((intOrPtr*)(_t206 + 8)) == 0) goto 0xe2733fc5;
				E00007FFF7FFFE272E6A0(_t135, _t206);
				_v16 = _t206 +  *((intOrPtr*)( *((intOrPtr*)(_a8 + 0x30)) + 8));
				goto 0xe2733fce;
				_v16 = 0;
				_v40 = _v16;
				_t177 = _v40;
				if (_v40 == 0) goto 0xe2734041;
				_v64 = _a64 & 0x000000ff;
				_v72 = _a56;
				_v80 = _a48;
				_v88 = _a40;
				_v32 = _v40();
				goto 0xe2734097;
				_v64 = _a56;
				_v72 = _a48;
				_v80 = _a64 & 0x000000ff;
				_v88 = _a40;
				E00007FFF7FFFE27340B0(_t145, _t147, _t148, _t149, _t177, _a40, _a8, _a16, _a24, _a32);
				return 1;
			}

0x7fffe2733cc0
0x7fffe2733cc5
0x7fffe2733cca
0x7fffe2733ccf
0x7fffe2733cd8
0x7fffe2733ce4
0x7fffe2733cf8
0x7fffe2733d08
0x7fffe2733d16
0x7fffe2733d28
0x7fffe2733d38
0x7fffe2733d4e
0x7fffe2733d60
0x7fffe2733d67
0x7fffe2733d7c
0x7fffe2733d8e
0x7fffe2733d9c
0x7fffe2733db2
0x7fffe2733dc6
0x7fffe2733dec
0x7fffe2733df5
0x7fffe2733e06
0x7fffe2733e08
0x7fffe2733e0a
0x7fffe2733e0f
0x7fffe2733e2c
0x7fffe2733e3b
0x7fffe2733e50
0x7fffe2733e60
0x7fffe2733e6a
0x7fffe2733e77
0x7fffe2733e80
0x7fffe2733e91
0x7fffe2733e93
0x7fffe2733e95
0x7fffe2733e9a
0x7fffe2733eb8
0x7fffe2733ec2
0x7fffe2733edf
0x7fffe2733eee
0x7fffe2733eff
0x7fffe2733f15
0x7fffe2733f1b
0x7fffe2733f27
0x7fffe2733f29
0x7fffe2733f3d
0x7fffe2733f42
0x7fffe2733f44
0x7fffe2733f53
0x7fffe2733f67
0x7fffe2733f79
0x7fffe2733f8e
0x7fffe2733f9c
0x7fffe2733fa4
0x7fffe2733fa6
0x7fffe2733fbe
0x7fffe2733fc3
0x7fffe2733fc5
0x7fffe2733fd3
0x7fffe2733fd8
0x7fffe2733fde
0x7fffe2733fe8
0x7fffe2733ff4
0x7fffe2734000
0x7fffe273400c
0x7fffe2734035
0x7fffe273403f
0x7fffe2734049
0x7fffe2734055
0x7fffe2734061
0x7fffe273406d
0x7fffe2734092
0x7fffe27340a0

APIs

_inconsistency.LIBCMTD ref: 00007FFFE2733E0A

Strings

csm, xrefs: 00007FFFE2733F61
csm, xrefs: 00007FFFE2733CF2

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: _inconsistency
String ID: csm$csm
API String ID: 32975420-3733052814
Opcode ID: b62b0453fdffd86c1ea8e56b24d9441da31a01f9fe07ee07632383c0adf59322
Instruction ID: 205a3db529e7df30cfadaf94a1e205166557b6e22842d46fdb4c1c733069a6a6
Opcode Fuzzy Hash: b62b0453fdffd86c1ea8e56b24d9441da31a01f9fe07ee07632383c0adf59322
Instruction Fuzzy Hash: BAA1BB36A0CBC586D7708B15E0843AAB7A0F786B94F504126EACD87B99DF7CD494CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2729640 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 182COMMONLIBRARYCODE

Download Yara Rule

APIs

__free_lconv_mon.LIBCMTD ref: 00007FFFE27296DF
__free_lconv_num.LIBCMTD ref: 00007FFFE2729726

Strings

f:\dd\vctools\crt_bld\self_64_amd64\crt\src\localref.c, xrefs: 00007FFFE2729932
((ptloci->lc_category[category].wlocale != NULL) && (ptloci->lc_category[category].wrefcount != NULL)) || ((ptloci->lc_category[ca, xrefs: 00007FFFE272991D

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: __free_lconv_mon__free_lconv_num
String ID: ((ptloci->lc_category[category].wlocale != NULL) && (ptloci->lc_category[category].wrefcount != NULL)) || ((ptloci->lc_category[ca$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\localref.c
API String ID: 2148069796-2706031433
Opcode ID: 5530c5148454f32ed92c453347a6e128a1bc42f7b71ac9e6bc1d50a4750a2989
Instruction ID: 55b3cc4f0caaef8ff4d3146450c1800bd9236fef6454245d188207cec5466f93
Opcode Fuzzy Hash: 5530c5148454f32ed92c453347a6e128a1bc42f7b71ac9e6bc1d50a4750a2989
Instruction Fuzzy Hash: 41A15D73A18A85C2EB508B45E0853BAA3E0F7C5B50F551436EA8E877A5EFFCD851C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2732772 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 166COMMON

Download Yara Rule

APIs

_invalid_parameter.LIBCMTD ref: 00007FFFE2732A56

Strings

("Buffer too small", 0), xrefs: 00007FFFE27329F2, 00007FFFE2732A4F
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\vsprintf.c, xrefs: 00007FFFE2732A07, 00007FFFE2732A41
_vsnprintf_s_l, xrefs: 00007FFFE2732A48

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: _invalid_parameter
String ID: ("Buffer too small", 0)$_vsnprintf_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\vsprintf.c
API String ID: 2123368286-3717698799
Opcode ID: 1aafbfe16f86ccf21253850ca152cd04a8ee8357f57b5e583563c43112fb4b7a
Instruction ID: 58ec1560c5f92e4045c086907e96073e967ec0bed3a6913820388019aa8e2a4a
Opcode Fuzzy Hash: 1aafbfe16f86ccf21253850ca152cd04a8ee8357f57b5e583563c43112fb4b7a
Instruction Fuzzy Hash: 0E810232D1DB8686D6708B25E48436A73E0F786764F100635E6AEC37D5EFBCE4558B01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE273C719 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 20%

			E00007FFF7FFFE273C719(signed int __rax, void* __rdx, long long _a32, void* _a64, void* _a72, intOrPtr _a76, signed int _a80, char _a84, char _a85, intOrPtr _a88, long long _a92, long long _a96, signed char _a104, intOrPtr _a108, signed int _a116, char _a120, char _a687, char _a688, intOrPtr _a704, intOrPtr _a708, signed char _a816, signed int _a824, signed int _a832, intOrPtr _a840, signed short* _a848, signed char _a856, char _a860, char _a864, long long _a872, intOrPtr _a876, intOrPtr _a912, intOrPtr _a916, signed int _a1040, long long _a1048, signed short _a1056, long long _a1060, signed int _a1064, intOrPtr _a1088, char _a1112) {
				signed int _t212;
				signed char _t217;
				intOrPtr _t252;
				signed int _t327;
				signed int _t328;
				signed long long _t331;
				intOrPtr* _t354;
				signed long long _t379;

				_t327 = __rax;
				_a708 = 0x27;
				_a72 = 0x10;
				if ((_a80 & 0x00000080) == 0) goto 0xe273c754;
				_a84 = 0x30;
				_a85 = _a708 + 0x51;
				_a92 = 2;
				_a72 = 8;
				if ((_a80 & 0x00000080) == 0) goto 0xe273c777;
				asm("bts eax, 0x9");
				if ((_a80 & 0x00008000) == 0) goto 0xe273c79e;
				E00007FFF7FFFE2731EA0( &_a1112);
				_a824 = _t327;
				goto 0xe273c84b;
				if ((_a80 & 0x00001000) == 0) goto 0xe273c7c5;
				E00007FFF7FFFE2731EA0( &_a1112);
				_a824 = _t327;
				goto 0xe273c84b;
				if ((_a80 & 0x00000020) == 0) goto 0xe273c810;
				if ((_a80 & 0x00000040) == 0) goto 0xe273c7f6;
				_t328 = E00007FFF7FFFE2731E40( &_a1112);
				_a824 = _t328;
				goto 0xe273c80e;
				E00007FFF7FFFE2731E40( &_a1112);
				_a824 = _t328;
				goto 0xe273c84b;
				if ((_a80 & 0x00000040) == 0) goto 0xe273c834;
				E00007FFF7FFFE2731E40( &_a1112);
				_a824 = _t328;
				goto 0xe273c84b;
				E00007FFF7FFFE2731E40( &_a1112);
				_a824 = _t328;
				if ((_a80 & 0x00000040) == 0) goto 0xe273c882;
				if (_a824 >= 0) goto 0xe273c882;
				_a832 =  ~_a824;
				asm("bts eax, 0x8");
				goto 0xe273c892;
				_t331 = _a824;
				_a832 = _t331;
				if ((_a80 & 0x00008000) != 0) goto 0xe273c8c7;
				if ((_a80 & 0x00001000) != 0) goto 0xe273c8c7;
				_a832 = _a832 & _t331;
				if (_a116 >= 0) goto 0xe273c8d8;
				_a116 = 1;
				goto 0xe273c8f5;
				_a80 = _a80 & 0xfffffff7;
				if (_a116 - 0x200 <= 0) goto 0xe273c8f5;
				_a116 = 0x200;
				if (_a832 != 0) goto 0xe273c908;
				_a92 = 0;
				_a64 =  &_a687;
				_t212 = _a116;
				_a116 = _a116 - 1;
				if (_t212 > 0) goto 0xe273c936;
				if (_a832 == 0) goto 0xe273c9d3;
				_a1040 = _a72;
				_a816 = _t212 / _a1040 + 0x30;
				_a1048 = _a72;
				if (_a816 - 0x39 <= 0) goto 0xe273c9b2;
				_t217 = _a816 + _a708;
				_a816 = _t217;
				 *_a64 = _a816 & 0x000000ff;
				_a64 = _a64 - 1;
				goto 0xe273c915;
				_a104 = _t217;
				_a64 = _a64 + 1;
				if ((_a80 & 0x00000200) == 0) goto 0xe273ca31;
				if (_a104 == 0) goto 0xe273ca12;
				if ( *_a64 == 0x30) goto 0xe273ca31;
				_a64 = _a64 - 1;
				 *_a64 = 0x30;
				_a104 = _a104 + 1;
				if (_a108 != 0) goto 0xe273cc6e;
				if ((_a80 & 0x00000040) == 0) goto 0xe273ca95;
				if ((_a80 & 0x00000100) == 0) goto 0xe273ca63;
				_a84 = 0x2d;
				_a92 = 1;
				goto 0xe273ca95;
				if ((_a80 & 0x00000001) == 0) goto 0xe273ca7d;
				_a84 = 0x2b;
				_a92 = 1;
				goto 0xe273ca95;
				if ((_a80 & 0x00000002) == 0) goto 0xe273ca95;
				_a84 = 0x20;
				_a92 = 1;
				_a840 = _a88 - _a104 - _a92;
				if ((_a80 & 0x0000000c) != 0) goto 0xe273cad5;
				E00007FFF7FFFE273CF10(0x20, _a840, _a1088,  &_a688);
				E00007FFF7FFFE273CF60(_a92, _a64,  &_a84, _a1088,  &_a688);
				if ((_a80 & 0x00000008) == 0) goto 0xe273cb27;
				if ((_a80 & 0x00000004) != 0) goto 0xe273cb27;
				E00007FFF7FFFE273CF10(0x30, _a840, _a1088,  &_a688);
				if (_a76 == 0) goto 0xe273cc1d;
				if (_a104 <= 0) goto 0xe273cc1d;
				_a872 = 0;
				_a848 = _a64;
				_a856 = _a104;
				_a856 = _a856 - 1;
				if (_a856 == 0) goto 0xe273cc1b;
				_a1056 =  *_a848 & 0x0000ffff;
				r9d = _a1056 & 0x0000ffff;
				r8d = 6;
				_a872 = E00007FFF7FFFE273B530( &_a860,  &_a864, _a1088);
				_a848 =  &(_a848[1]);
				if (_a872 != 0) goto 0xe273cbe5;
				if (_a860 != 0) goto 0xe273cbf2;
				_a688 = 0xffffffff;
				goto 0xe273cc1b;
				E00007FFF7FFFE273CF60(_a860,  &(_a848[1]),  &_a864, _a1088,  &_a688);
				goto 0xe273cb60;
				goto 0xe273cc3b;
				E00007FFF7FFFE273CF60(_a104,  &(_a848[1]), _a64, _a1088,  &_a688);
				if (_a688 < 0) goto 0xe273cc6e;
				if ((_a80 & 0x00000004) == 0) goto 0xe273cc6e;
				E00007FFF7FFFE273CF10(0x20, _a840, _a1088,  &_a688);
				if (_a96 == 0) goto 0xe273cc8e;
				0xe2725330();
				_a96 = 0;
				goto 0xe273b99c;
				if (_a704 == 0) goto 0xe273ccb4;
				if (_a704 == 7) goto 0xe273ccb4;
				_a1060 = 0;
				goto 0xe273ccbf;
				_a1060 = 1;
				_t252 = _a1060;
				_a876 = _t252;
				if (_a876 != 0) goto 0xe273cd05;
				_t354 = L"((state == ST_NORMAL) || (state == ST_TYPE))";
				_a32 = _t354;
				r9d = 0;
				r8d = 0x8f5;
				0xe272b3b0();
				if (_t252 != 1) goto 0xe273cd05;
				asm("int3");
				if (_a876 != 0) goto 0xe273cd61;
				0xe272ab30();
				 *_t354 = 0x16;
				_a32 = 0;
				r9d = 0x8f5;
				E00007FFF7FFFE272BD70(L"((state == ST_NORMAL) || (state == ST_TYPE))", L"_output_s_l", L"f:\\dd\\vctools\\crt_bld\\self_64_amd64\\crt\\src\\output.c");
				_a912 = 0xffffffff;
				E00007FFF7FFFE2726800( &_a120);
				goto 0xe273cd80;
				_a916 = _a688;
				E00007FFF7FFFE2726800( &_a120);
				return E00007FFF7FFFE2723280(_a916, 2, 2, _a1064 ^ _t379, L"_output_s_l", L"f:\\dd\\vctools\\crt_bld\\self_64_amd64\\crt\\src\\output.c");
			}

0x7fffe273c719
0x7fffe273c719
0x7fffe273c724
0x7fffe273c737
0x7fffe273c739
0x7fffe273c748
0x7fffe273c74c
0x7fffe273c756
0x7fffe273c769
0x7fffe273c76f
0x7fffe273c782
0x7fffe273c78c
0x7fffe273c791
0x7fffe273c799
0x7fffe273c7a9
0x7fffe273c7b3
0x7fffe273c7b8
0x7fffe273c7c0
0x7fffe273c7ce
0x7fffe273c7d9
0x7fffe273c7e8
0x7fffe273c7ec
0x7fffe273c7f4
0x7fffe273c7fe
0x7fffe273c806
0x7fffe273c80e
0x7fffe273c819
0x7fffe273c823
0x7fffe273c82a
0x7fffe273c832
0x7fffe273c83c
0x7fffe273c843
0x7fffe273c854
0x7fffe273c85f
0x7fffe273c86c
0x7fffe273c878
0x7fffe273c880
0x7fffe273c882
0x7fffe273c88a
0x7fffe273c89d
0x7fffe273c8aa
0x7fffe273c8bf
0x7fffe273c8cc
0x7fffe273c8ce
0x7fffe273c8d6
0x7fffe273c8df
0x7fffe273c8eb
0x7fffe273c8ed
0x7fffe273c8fe
0x7fffe273c900
0x7fffe273c910
0x7fffe273c915
0x7fffe273c91f
0x7fffe273c925
0x7fffe273c930
0x7fffe273c93b
0x7fffe273c95e
0x7fffe273c96a
0x7fffe273c997
0x7fffe273c9a9
0x7fffe273c9ab
0x7fffe273c9bf
0x7fffe273c9c9
0x7fffe273c9ce
0x7fffe273c9e0
0x7fffe273c9ec
0x7fffe273c9fc
0x7fffe273ca03
0x7fffe273ca10
0x7fffe273ca1a
0x7fffe273ca24
0x7fffe273ca2d
0x7fffe273ca36
0x7fffe273ca45
0x7fffe273ca52
0x7fffe273ca54
0x7fffe273ca59
0x7fffe273ca61
0x7fffe273ca6c
0x7fffe273ca6e
0x7fffe273ca73
0x7fffe273ca7b
0x7fffe273ca86
0x7fffe273ca88
0x7fffe273ca8d
0x7fffe273caa5
0x7fffe273cab5
0x7fffe273cad0
0x7fffe273caee
0x7fffe273cafc
0x7fffe273cb07
0x7fffe273cb22
0x7fffe273cb2c
0x7fffe273cb37
0x7fffe273cb3d
0x7fffe273cb4d
0x7fffe273cb59
0x7fffe273cb70
0x7fffe273cb79
0x7fffe273cb8a
0x7fffe273cb92
0x7fffe273cb9b
0x7fffe273cbb6
0x7fffe273cbc9
0x7fffe273cbd9
0x7fffe273cbe3
0x7fffe273cbe5
0x7fffe273cbf0
0x7fffe273cc11
0x7fffe273cc16
0x7fffe273cc1b
0x7fffe273cc36
0x7fffe273cc43
0x7fffe273cc4e
0x7fffe273cc69
0x7fffe273cc74
0x7fffe273cc80
0x7fffe273cc85
0x7fffe273cc8e
0x7fffe273cc9b
0x7fffe273cca5
0x7fffe273cca7
0x7fffe273ccb2
0x7fffe273ccb4
0x7fffe273ccbf
0x7fffe273ccc6
0x7fffe273ccd5
0x7fffe273ccd7
0x7fffe273ccde
0x7fffe273cce3
0x7fffe273cce6
0x7fffe273ccf8
0x7fffe273cd00
0x7fffe273cd02
0x7fffe273cd0d
0x7fffe273cd0f
0x7fffe273cd14
0x7fffe273cd1a
0x7fffe273cd23
0x7fffe273cd3e
0x7fffe273cd43
0x7fffe273cd53
0x7fffe273cd5f
0x7fffe273cd68
0x7fffe273cd74
0x7fffe273cd97

APIs

get_int64_arg.LIBCMTD ref: 00007FFFE273C78C

Strings

0, xrefs: 00007FFFE273C739
9, xrefs: 00007FFFE273C98F
', xrefs: 00007FFFE273C719

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: get_int64_arg
String ID: '$0$9
API String ID: 1967237116-269856862
Opcode ID: 83c439eea7fc9ce93bcb821b911d608e7d80de2d13083439c5735137d4fc31ad
Instruction ID: 56b24daaceeba3087daeaa0b5e5bac8e6d31d194983251316b13b36396da05fa
Opcode Fuzzy Hash: 83c439eea7fc9ce93bcb821b911d608e7d80de2d13083439c5735137d4fc31ad
Instruction Fuzzy Hash: 1541C832A0DAC187E7758B19E4957AAB7E4F785750F100139E78C86B98EBBCD550CF01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2735260 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

_CreateFrameInfo.LIBCMTD ref: 00007FFFE2735342
_FindAndUnlinkFrame.LIBCMTD ref: 00007FFFE27353DC
_IsExceptionObjectToBeDestroyed.LIBCMTD ref: 00007FFFE2735433

Strings

csm, xrefs: 00007FFFE27353ED

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: Frame$CreateDestroyedExceptionFindInfoObjectUnlink
String ID: csm
API String ID: 2005287440-1018135373
Opcode ID: 4c556ceed80f2aba1954f9041ed191ad0fbab56fa1f8ad9f2457e70616e7d401
Instruction ID: b651cf5aef84d1428b255c64c4eb6c56c0387b0ddf2579d3136eceae5f931374
Opcode Fuzzy Hash: 4c556ceed80f2aba1954f9041ed191ad0fbab56fa1f8ad9f2457e70616e7d401
Instruction Fuzzy Hash: 67512876908B86C2DA609B1AF09036E77E0F7C9B90F104135EB8D87BA5EF79D490CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE27328E8 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

_invalid_parameter.LIBCMTD ref: 00007FFFE2732A56

Strings

("Buffer too small", 0), xrefs: 00007FFFE27329F2, 00007FFFE2732A4F
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\vsprintf.c, xrefs: 00007FFFE2732A07, 00007FFFE2732A41
_vsnprintf_s_l, xrefs: 00007FFFE2732A48

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: _invalid_parameter
String ID: ("Buffer too small", 0)$_vsnprintf_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\vsprintf.c
API String ID: 2123368286-3717698799
Opcode ID: 65def78894184635a726d36e54dfff1a0241531dd31d36ef72262bf6a1fca492
Instruction ID: 8341d025f34ba8ee7ee61704b756fd2aa812ab46864334c1c884553acda039d3
Opcode Fuzzy Hash: 65def78894184635a726d36e54dfff1a0241531dd31d36ef72262bf6a1fca492
Instruction Fuzzy Hash: 78410D32D1C78686EA708B24E48437966D0FB86364F500735D6AD827D5EFBCE864CB02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2727816 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

_calloc_dbg.LIBCMTD ref: 00007FFFE2727858

Part of subcall function 00007FFFE2724980: _calloc_dbg_impl.LIBCMTD ref: 00007FFFE27249C6

GetFileType.KERNEL32 ref: 00007FFFE2727A24
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFFE2727AA5

Strings

f:\dd\vctools\crt_bld\self_64_amd64\crt\src\ioinit.c, xrefs: 00007FFFE2727841

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: CountCriticalFileInitializeSectionSpinType_calloc_dbg_calloc_dbg_impl
String ID: f:\dd\vctools\crt_bld\self_64_amd64\crt\src\ioinit.c
API String ID: 2306298712-3864165772
Opcode ID: 3e38e2773493d70adebd926d66924ee4ad8b7a2b1a2b015d6b03c7a7cffd79aa
Instruction ID: f4af64c36358edf1e7ad54b7dfd09c0a3c4b6987e318e0ad7ecaa908539f2c8c
Opcode Fuzzy Hash: 3e38e2773493d70adebd926d66924ee4ad8b7a2b1a2b015d6b03c7a7cffd79aa
Instruction Fuzzy Hash: DA313C72A09AC585E7708B19E98076AB3A0F7C67A0F508231CA9D877D4EF7CD415CB02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2737F0E Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

_invalid_parameter.LIBCMTD ref: 00007FFFE273806E

Strings

bufferSize <= INT_MAX, xrefs: 00007FFFE273800A, 00007FFFE2738067
_wcstombs_s_l, xrefs: 00007FFFE2738060
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\wcstombs.c, xrefs: 00007FFFE273801F, 00007FFFE2738059

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: _invalid_parameter
String ID: _wcstombs_s_l$bufferSize <= INT_MAX$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\wcstombs.c
API String ID: 2123368286-2562677240
Opcode ID: dabd10d16ebe11174fc63b9f89b539a3b240949ad9ffb505f617c08bbd3ff20b
Instruction ID: 3849003bc16ffbccb5c27f96c269bd49687311a51a57a0734d383ae3eaa3a98c
Opcode Fuzzy Hash: dabd10d16ebe11174fc63b9f89b539a3b240949ad9ffb505f617c08bbd3ff20b
Instruction Fuzzy Hash: 8C311832D0DB8685E6609B14E4803AA77E1FB86390F500635D69D83BE8EFBCD465CB02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2740680 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

_invalid_parameter.LIBCMTD ref: 00007FFFE274071E

Part of subcall function 00007FFFE273AFB0: _invalid_parameter.LIBCMTD ref: 00007FFFE273B046

Part of subcall function 00007FFFE2740A20: __doserrno.LIBCMTD ref: 00007FFFE2740A33

Strings

(str != NULL), xrefs: 00007FFFE27406BA, 00007FFFE2740717
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\fclose.c, xrefs: 00007FFFE27406CF, 00007FFFE2740709
_fclose_nolock, xrefs: 00007FFFE2740710

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: _invalid_parameter$__doserrno
String ID: (str != NULL)$_fclose_nolock$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\fclose.c
API String ID: 1181141450-2845860089
Opcode ID: 7bab6b588e6dd2839569b0ca5fa95970036134ebeeb6453b58b8f029525d0fe5
Instruction ID: 228cc80c4718f6816b6ca970cf14177628285bf2d9ec8dd4b96374ddf7df7c17
Opcode Fuzzy Hash: 7bab6b588e6dd2839569b0ca5fa95970036134ebeeb6453b58b8f029525d0fe5
Instruction Fuzzy Hash: 34315A72E28A4686EB509B11E48476A76E0FBC2754F101135E68E877E5EFBCD860CF42

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE273AB10 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 57COMMON

Download Yara Rule

APIs

_invalid_parameter.LIBCMTD ref: 00007FFFE273ABCD

Strings

f:\dd\vctools\crt_bld\self_64_amd64\crt\src\isatty.c, xrefs: 00007FFFE273AB7E, 00007FFFE273ABB8
(fh >= 0 && (unsigned)fh < (unsigned)_nhandle), xrefs: 00007FFFE273AB69, 00007FFFE273ABC6
_isatty, xrefs: 00007FFFE273ABBF

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: _invalid_parameter
String ID: (fh >= 0 && (unsigned)fh < (unsigned)_nhandle)$_isatty$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\isatty.c
API String ID: 2123368286-160817255
Opcode ID: 20bce409a33f2d52ae5b3246709d5cabe66b407105c41d1953a7685d10f1773e
Instruction ID: 00ece779f3212b8ec941303045853fbf8cf69bb7dcca9233aed0490920cd870e
Opcode Fuzzy Hash: 20bce409a33f2d52ae5b3246709d5cabe66b407105c41d1953a7685d10f1773e
Instruction Fuzzy Hash: 46218372D2D6468BE7109B10E88536AB7E1FB82354F405635E59DC76D4EBFCD8208B02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2740580 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter.LIBCMTD ref: 00007FFFE274061E

Strings

(stream != NULL), xrefs: 00007FFFE27405BA, 00007FFFE2740617
fclose, xrefs: 00007FFFE2740610
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\fclose.c, xrefs: 00007FFFE27405CF, 00007FFFE2740609

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: _invalid_parameter
String ID: (stream != NULL)$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\fclose.c$fclose
API String ID: 2123368286-3409824857
Opcode ID: b4902cc461c388e31b4dcd0307079e4da2555ab755984697fa072277fbec1f80
Instruction ID: 22d5f39968de05e762a20dc40fde08aae4fa94d73e43094c3801b5afbffe7838
Opcode Fuzzy Hash: b4902cc461c388e31b4dcd0307079e4da2555ab755984697fa072277fbec1f80
Instruction Fuzzy Hash: 18214A72D2CA8686E7509B10E48576AB7E0FB82354F401135E68E87A95EFFCD864CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE272C170 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE272C20A

Strings

f:\dd\vctools\crt_bld\self_64_amd64\crt\src\isctype.c, xrefs: 00007FFFE272C1B3
(unsigned)(c + 1) <= 256, xrefs: 00007FFFE272C19E

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: Locale$UpdateUpdate::~_
String ID: (unsigned)(c + 1) <= 256$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\isctype.c
API String ID: 1901436342-3621827421
Opcode ID: 582f87e7669c1111abee6c616077222c15a1b9b573b43815cbd7bd4630f6c99c
Instruction ID: ab8b958fdfad1cd39195f7f115ac813c3a747c01b83123116400cfbcfd72e2ff
Opcode Fuzzy Hash: 582f87e7669c1111abee6c616077222c15a1b9b573b43815cbd7bd4630f6c99c
Instruction Fuzzy Hash: EA212A73D18A8186E610DB14E4816AAB7E0FBD1B40F504036F78D83AA9EFBCD424CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2732C9F Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 48COMMON

Download Yara Rule

APIs

_invalid_parameter.LIBCMTD ref: 00007FFFE2732D62

Strings

_set_error_mode, xrefs: 00007FFFE2732D54
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\errmode.c, xrefs: 00007FFFE2732D13, 00007FFFE2732D4D
("Invalid error_mode", 0), xrefs: 00007FFFE2732CFE, 00007FFFE2732D5B

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: _invalid_parameter
String ID: ("Invalid error_mode", 0)$_set_error_mode$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\errmode.c
API String ID: 2123368286-2972513288
Opcode ID: f8745b700fb78b44b2e658b57c518d69726f466f5def5af1cc34e5c73236fe3e
Instruction ID: a0926f10710567672ec29d94b14beb634f032bda4c4e2b6f2f8de5f3fe3525ea
Opcode Fuzzy Hash: f8745b700fb78b44b2e658b57c518d69726f466f5def5af1cc34e5c73236fe3e
Instruction Fuzzy Hash: 5F214D71D2D6428AE3608F14E88076A72E1FB46344F401536E54AC6694FFFCE924CB03

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2732695 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42COMMON

Download Yara Rule

APIs

_invalid_parameter.LIBCMTD ref: 00007FFFE273274D

Strings

string != NULL && sizeInBytes > 0, xrefs: 00007FFFE27326E9, 00007FFFE2732746
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\vsprintf.c, xrefs: 00007FFFE27326FE, 00007FFFE2732738
_vsnprintf_s_l, xrefs: 00007FFFE273273F

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: _invalid_parameter
String ID: _vsnprintf_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\vsprintf.c$string != NULL && sizeInBytes > 0
API String ID: 2123368286-367560414
Opcode ID: b10b6c40919f833f94f1f9af6a6d465dd1a232ebc9f5396bdae7492d99103452
Instruction ID: 2a040dfb2041fa944b5c6b9ebe4074d9f085247a9d335670d37e8c66f57015ec
Opcode Fuzzy Hash: b10b6c40919f833f94f1f9af6a6d465dd1a232ebc9f5396bdae7492d99103452
Instruction Fuzzy Hash: 70115E32D0C64A89F7708B24E4853B966E0FB92344F505535D28DC6AD5EFFCE8A48B02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE27375E9 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 40COMMON

Download Yara Rule

APIs

_invalid_parameter.LIBCMTD ref: 00007FFFE273769D

Strings

_wcstombs_l_helper, xrefs: 00007FFFE273768F
pwcs != NULL, xrefs: 00007FFFE2737636, 00007FFFE2737696
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\wcstombs.c, xrefs: 00007FFFE273764B, 00007FFFE2737688

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: _invalid_parameter
String ID: _wcstombs_l_helper$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\wcstombs.c$pwcs != NULL
API String ID: 2123368286-2992382544
Opcode ID: 4e01e6c780b0bcb150885d639f6c4af62c750d2377cec983ef0e9e7992ea6864
Instruction ID: c148fc27b2fa9c3e5bf61a2ec9e0a672e69327a501f0f8361f7164956ef31749
Opcode Fuzzy Hash: 4e01e6c780b0bcb150885d639f6c4af62c750d2377cec983ef0e9e7992ea6864
Instruction Fuzzy Hash: 10112871D0868695F7708B24E4943BA62E0FB8A314F905635C19DC66D5EFBDD2A4CB02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2737E4E Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 38COMMON

Download Yara Rule

APIs

_invalid_parameter.LIBCMTD ref: 00007FFFE2737EF4

Strings

_wcstombs_s_l, xrefs: 00007FFFE2737EE6
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\wcstombs.c, xrefs: 00007FFFE2737EA5, 00007FFFE2737EDF
(dst != NULL && sizeInBytes > 0) || (dst == NULL && sizeInBytes == 0), xrefs: 00007FFFE2737E90, 00007FFFE2737EED

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: _invalid_parameter
String ID: (dst != NULL && sizeInBytes > 0) || (dst == NULL && sizeInBytes == 0)$_wcstombs_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\wcstombs.c
API String ID: 2123368286-152112980
Opcode ID: 12ab011e70e09e91856032674ad216f6478f48f1fa811ad172dce2a736ade8bc
Instruction ID: d3a4b5ff27cc249eb004891828443f12697b791514a3b936cf5211b291b4ca5f
Opcode Fuzzy Hash: 12ab011e70e09e91856032674ad216f6478f48f1fa811ad172dce2a736ade8bc
Instruction Fuzzy Hash: B3112A71D1C6868AF7209B50E4843BA77E0FB82344F504535D64CCA6D5EFFDE9A88B02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE273AFB0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 38COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter.LIBCMTD ref: 00007FFFE273B046

Strings

(stream != NULL), xrefs: 00007FFFE273AFE2, 00007FFFE273B03F
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\fileno.c, xrefs: 00007FFFE273AFF7, 00007FFFE273B031
_fileno, xrefs: 00007FFFE273B038

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: _invalid_parameter
String ID: (stream != NULL)$_fileno$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\fileno.c
API String ID: 2123368286-3532421942
Opcode ID: 96c485b728b13626416908fd91ead62eaa4a9a456ff5e75182e25aa9e0b6060d
Instruction ID: 9ab5129c774ed1f604b99d98bd73a2b00f82d3823185079ab82bc0111fcd3280
Opcode Fuzzy Hash: 96c485b728b13626416908fd91ead62eaa4a9a456ff5e75182e25aa9e0b6060d
Instruction Fuzzy Hash: A11130B2D1C64A86E7509B10E48476A77E0FB82358F402535F69E83A94EFFCD468CB02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE27234D5 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

_calloc_dbg.LIBCMTD ref: 00007FFFE27234F9

Part of subcall function 00007FFFE2724980: _calloc_dbg_impl.LIBCMTD ref: 00007FFFE27249C6

FlsSetValue.KERNEL32 ref: 00007FFFE2723516

Part of subcall function 00007FFFE2723E30: _unlock.LIBCMTD ref: 00007FFFE2723EC2
Part of subcall function 00007FFFE2723E30: _unlock.LIBCMTD ref: 00007FFFE2723F1C

GetCurrentThreadId.KERNEL32 ref: 00007FFFE272352C

Strings

f:\dd\vctools\crt_bld\self_64_amd64\crt\src\dllcrt0.c, xrefs: 00007FFFE27234E2

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: _unlock$CurrentThreadValue_calloc_dbg_calloc_dbg_impl
String ID: f:\dd\vctools\crt_bld\self_64_amd64\crt\src\dllcrt0.c
API String ID: 433497747-929597301
Opcode ID: 4a193bd2c8a37f88eb93531062afc5f9393ecf856dfe2553b23811d9331ecddf
Instruction ID: 02d13843ca906def94a20080fc3c404a9dbdeab5dc392439c8ff5b5c763968fc
Opcode Fuzzy Hash: 4a193bd2c8a37f88eb93531062afc5f9393ecf856dfe2553b23811d9331ecddf
Instruction Fuzzy Hash: D10144A2E2C65282F350DB26E44473E62E4FBC6B50F505231ED5EC26E5EFBCE5218702

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE273206A Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 35COMMON

Download Yara Rule

APIs

_invalid_parameter.LIBCMTD ref: 00007FFFE27320FA

Strings

_vsnprintf_helper, xrefs: 00007FFFE27320EC
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\vsprintf.c, xrefs: 00007FFFE27320AB, 00007FFFE27320E5
(count == 0) || (string != NULL), xrefs: 00007FFFE2732096, 00007FFFE27320F3

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: _invalid_parameter
String ID: (count == 0) || (string != NULL)$_vsnprintf_helper$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\vsprintf.c
API String ID: 2123368286-3131718208
Opcode ID: 6707a3a661624c28ef46bf525b659d524432ea2cd8b3632390f46d17d0644e77
Instruction ID: 370bdd550739f3212dfb9c672dcad666cb38fac67a224f659ff8d8e79a6f30e4
Opcode Fuzzy Hash: 6707a3a661624c28ef46bf525b659d524432ea2cd8b3632390f46d17d0644e77
Instruction Fuzzy Hash: 71118871D0C6428AF7208B24E44437576D0FB45748F504135D69C876E9EFBCD958CF02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2731FCB Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 32COMMON

Download Yara Rule

APIs

_invalid_parameter.LIBCMTD ref: 00007FFFE2732050

Strings

_vsnprintf_helper, xrefs: 00007FFFE2732042
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\vsprintf.c, xrefs: 00007FFFE2732001, 00007FFFE273203B
(format != NULL), xrefs: 00007FFFE2731FEC, 00007FFFE2732049

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: _invalid_parameter
String ID: (format != NULL)$_vsnprintf_helper$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\vsprintf.c
API String ID: 2123368286-1927795013
Opcode ID: 1d868900bb9e5cb9c38cd3d3fc38e86365b4ebb9b902cb6620b71e05e16b40fa
Instruction ID: e44fb7d81965af88b683ff519bb92959379ef84865aa9bffbdcdc45df3caa535
Opcode Fuzzy Hash: 1d868900bb9e5cb9c38cd3d3fc38e86365b4ebb9b902cb6620b71e05e16b40fa
Instruction Fuzzy Hash: 7D015A72E0C646C6F7208B24F8403A926D0FB82358F500231E65C826E9FFBCE5A5CB02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2725A25 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31COMMON

Download Yara Rule

APIs

_invalid_parameter.LIBCMTD ref: 00007FFFE2725AAA

Strings

_msize_dbg, xrefs: 00007FFFE2725A9C
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\dbgheap.c, xrefs: 00007FFFE2725A5B, 00007FFFE2725A95
pUserData != NULL, xrefs: 00007FFFE2725A46, 00007FFFE2725AA3

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: _invalid_parameter
String ID: _msize_dbg$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\dbgheap.c$pUserData != NULL
API String ID: 2123368286-563024394
Opcode ID: 6b9fa116098faf353e1ca7c3b3c6506904e65b16bd6a9e65c326709190a7893b
Instruction ID: 77a4ce0a4e5df4cef275f022f840aecad2ce4b02fca78466e6d9467d1638f755
Opcode Fuzzy Hash: 6b9fa116098faf353e1ca7c3b3c6506904e65b16bd6a9e65c326709190a7893b
Instruction Fuzzy Hash: F3017CB2D0C60686E7209B10E8413AA76E0FB82324F900332D25C836D4FFBDD569CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE27325F6 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31COMMON

Download Yara Rule

APIs

_invalid_parameter.LIBCMTD ref: 00007FFFE273267B

Strings

f:\dd\vctools\crt_bld\self_64_amd64\crt\src\vsprintf.c, xrefs: 00007FFFE273262C, 00007FFFE2732666
_vsnprintf_s_l, xrefs: 00007FFFE273266D
format != NULL, xrefs: 00007FFFE2732617, 00007FFFE2732674

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: _invalid_parameter
String ID: _vsnprintf_s_l$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\vsprintf.c$format != NULL
API String ID: 2123368286-577066449
Opcode ID: 618b2cf93d4d6d117bb096a419223036f434eaf0351198b3217c601cf8511035
Instruction ID: bbd7317c29bad7cf7651b362876e61edf1ff91d15cae86d1313ad74d7898b136
Opcode Fuzzy Hash: 618b2cf93d4d6d117bb096a419223036f434eaf0351198b3217c601cf8511035
Instruction Fuzzy Hash: A6017171D0C656C6E7608B10E8803A576E0FF86354F901135E64D86AE4EFBCE964CB02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2727490 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,?,00007FFFE27274F1), ref: 00007FFFE272749F
GetProcAddress.KERNEL32 ref: 00007FFFE27274BE

Strings

CorExitProcess, xrefs: 00007FFFE27274B2
mscoree.dll, xrefs: 00007FFFE2727498

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 1646373207-1276376045
Opcode ID: 13d0b91207a4789fb824e3953cfc7806df79015e4e72068d0de0f8a7d22cb74d
Instruction ID: c31b51d467cb15e9a942818ad71019357dca81294d3a65304f42a74f5db3bbaa
Opcode Fuzzy Hash: 13d0b91207a4789fb824e3953cfc7806df79015e4e72068d0de0f8a7d22cb74d
Instruction Fuzzy Hash: C0F0AC72D18A42C2D624DB14F48836977F0FB89348F540135D68E82678EFBCD568CA05

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2740C80 Relevance: 6.1, APIs: 4, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 41%

			E00007FFF7FFFE2740C80(signed int __ecx, void* __eflags, void* __rax, void* __r8, signed int _a8) {
				signed long long _v16;
				long _v24;
				void* _t57;
				signed long long _t59;

				_t57 = __rax;
				_a8 = __ecx;
				E00007FFF7FFFE273F900(_a8);
				if (_t57 == 0xffffffff) goto 0xe2740d05;
				if (_a8 != 1) goto 0xe2740cb3;
				if (( *( *0xe274e560 + 0xb8) & 0x00000001) != 0) goto 0xe2740ccc;
				if (_a8 != 2) goto 0xe2740cef;
				_t59 =  *0xe274e560;
				if (( *(_t59 + 0x60) & 0x00000001) == 0) goto 0xe2740cef;
				E00007FFF7FFFE273F900(1);
				_v16 = _t59;
				E00007FFF7FFFE273F900(2);
				if (_v16 == _t59) goto 0xe2740d05;
				E00007FFF7FFFE273F900(_a8);
				if (CloseHandle(??) == 0) goto 0xe2740d0f;
				_v24 = 0;
				goto 0xe2740d19;
				_v24 = GetLastError();
				E00007FFF7FFFE273F7D0(_a8, _t59);
				 *((char*)( *((intOrPtr*)(0xe274e560 + _t59 * 8)) + 8 + (_a8 & 0x0000001f) * 0x58)) = 0;
				if (_v24 == 0) goto 0xe2740d60;
				E00007FFF7FFFE272AA70(_v24,  *((intOrPtr*)(0xe274e560 + _t59 * 8)));
				goto 0xe2740d62;
				return 0;
			}

0x7fffe2740c80
0x7fffe2740c80
0x7fffe2740c8c
0x7fffe2740c95
0x7fffe2740c9c
0x7fffe2740cb1
0x7fffe2740cb8
0x7fffe2740cba
0x7fffe2740cca
0x7fffe2740cd1
0x7fffe2740cd6
0x7fffe2740ce0
0x7fffe2740ced
0x7fffe2740cf3
0x7fffe2740d03
0x7fffe2740d05
0x7fffe2740d0d
0x7fffe2740d15
0x7fffe2740d1d
0x7fffe2740d44
0x7fffe2740d4e
0x7fffe2740d54
0x7fffe2740d5e
0x7fffe2740d66

APIs

Part of subcall function 00007FFFE273F900: __doserrno.LIBCMTD ref: 00007FFFE273F913

CloseHandle.KERNEL32 ref: 00007FFFE2740CFB
GetLastError.KERNEL32 ref: 00007FFFE2740D0F
_free_osfhnd.LIBCMTD ref: 00007FFFE2740D1D
_dosmaperr.LIBCMTD ref: 00007FFFE2740D54

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: CloseErrorHandleLast__doserrno_dosmaperr_free_osfhnd
String ID:
API String ID: 1551955814-0
Opcode ID: 539147ec8a9783b9fa5ff2985af3543efd94603151f732987cc3c022e13e7d90
Instruction ID: aba7c2e4f310710b57fb177fd8d9f84e015aba8dfc0913d5e1af2a00ee4d3c5c
Opcode Fuzzy Hash: 539147ec8a9783b9fa5ff2985af3543efd94603151f732987cc3c022e13e7d90
Instruction Fuzzy Hash: 2E217432E1C64687E6249B20D45137A76E1FB83354F140235D65DC66E9EFADE825CB02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2721000 Relevance: 6.0, APIs: 4, Instructions: 47threadtimeCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32 ref: 00007FFFE272101D
GetDateFormatA.KERNEL32 ref: 00007FFFE2721038
GetThreadLocale.KERNEL32 ref: 00007FFFE272106F
GetTimeFormatA.KERNEL32 ref: 00007FFFE272108A

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: FormatLocaleThread$DateTime
String ID:
API String ID: 3587784874-0
Opcode ID: 6ab24f3c8d7cd050487db91c395009c2fe45c414da0b1ba1062a45228bb8b770
Instruction ID: 029fc173ad8477e8903294a33764fc03f9bcdecedc9976019c1ded2fa5e56d24
Opcode Fuzzy Hash: 6ab24f3c8d7cd050487db91c395009c2fe45c414da0b1ba1062a45228bb8b770
Instruction Fuzzy Hash: 0C11C132A0878086E3208F64F44025EB7E0FB49BA4F548734EA9D87BA9EF7DD1518700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2734960 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 175
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 35%

			E00007FFF7FFFE2734960(void* __ecx, long long __rcx, long long __rdx, long long __r8, long long __r9, void* _a8, long long _a16, long long _a24, long long _a32, signed int _a40, intOrPtr _a48, long long _a56, long long _a64) {
				long long _v24;
				long long _v32;
				long long _v40;
				long long _v48;
				long long _v56;
				char _v60;
				char _v64;
				signed int _v72;
				char _v80;
				char _v88;
				long long _v96;
				intOrPtr _v104;
				long long _v112;
				long long _v120;
				long long _v128;
				signed int _v136;
				void* _t106;
				void* _t117;
				void* _t118;
				void* _t119;
				void* _t120;
				void* _t121;
				long long _t153;
				signed int _t161;
				signed int _t165;
				long long _t166;
				long long _t169;
				long long _t170;
				intOrPtr _t174;

				_a32 = __r9;
				_a24 = __r8;
				_a16 = __rdx;
				_a8 = __rcx;
				_t153 = _a8;
				if ( *_t153 != 0x80000003) goto 0xe2734990;
				goto 0xe2734cc6;
				0xe2724000();
				if ( *((long long*)(_t153 + 0xe0)) == 0) goto 0xe2734a33;
				0xe2724000();
				_v56 = _t153;
				E00007FFF7FFFE2723D00(_t106);
				if ( *((intOrPtr*)(_v56 + 0xe0)) == _t153) goto 0xe2734a33;
				if ( *_a8 == 0xe0434f4d) goto 0xe2734a33;
				if ( *_a8 == 0xe0434352) goto 0xe2734a33;
				_v120 = _a64;
				_v128 = _a56;
				_v136 = _a40;
				if (E00007FFF7FFFE272E9B0(_a8, _a16, _a24, _a32) == 0) goto 0xe2734a33;
				goto 0xe2734cc6;
				if ( *((intOrPtr*)(_a40 + 0xc)) == 0) goto 0xe2734a43;
				goto 0xe2734a48;
				E00007FFF7FFFE272CF80(_a40);
				_v120 = _a32;
				_v128 =  &_v60;
				_t161 =  &_v64;
				_v136 = _t161;
				r9d = _a48;
				r8d = _a56;
				E00007FFF7FFFE272EA30(_a16, _a40);
				_v72 = _t161;
				_v64 = _v64 + 1;
				_v72 = _v72 + 0x14;
				if (_v64 - _v60 >= 0) goto 0xe2734cc6;
				if (_a48 -  *_v72 < 0) goto 0xe2734c2b;
				_t165 = _v72;
				if (_a48 -  *((intOrPtr*)(_t165 + 4)) > 0) goto 0xe2734c2b;
				_t117 = E00007FFF7FFFE272E680( *((intOrPtr*)(_t165 + 4)), _t165);
				_t166 = _t165 +  *((intOrPtr*)(_v72 + 0x10));
				if ( *((intOrPtr*)(_t166 + 4 + ( *((intOrPtr*)(_v72 + 0xc)) - 1) * 0x14)) == 0) goto 0xe2734b53;
				_t118 = E00007FFF7FFFE272E680(_t117, _t166);
				_v48 = _t166;
				_t119 = E00007FFF7FFFE272E680(_t118, _t166);
				_t169 = _v48 +  *((intOrPtr*)(_t166 +  *((intOrPtr*)(_v72 + 0x10)) + 4 + ( *((intOrPtr*)(_v72 + 0xc)) - 1) * 0x14));
				_v40 = _t169;
				goto 0xe2734b5f;
				_v40 = 0;
				if (_v40 == 0) goto 0xe2734bff;
				_t120 = E00007FFF7FFFE272E680(_t119, _t169);
				_t170 = _t169 +  *((intOrPtr*)(_v72 + 0x10));
				if ( *((intOrPtr*)(_t170 + 4 + ( *((intOrPtr*)(_v72 + 0xc)) - 1) * 0x14)) == 0) goto 0xe2734be3;
				_t121 = E00007FFF7FFFE272E680(_t120, _t170);
				_v32 = _t170;
				E00007FFF7FFFE272E680(_t121, _t170);
				_v24 = _v32 +  *((intOrPtr*)(_t170 +  *((intOrPtr*)(_v72 + 0x10)) + 4 + ( *((intOrPtr*)(_v72 + 0xc)) - 1) * 0x14));
				goto 0xe2734bef;
				_v24 = 0;
				_t174 = _v24;
				if ( *((char*)(_t174 + 0x10)) != 0) goto 0xe2734c2b;
				E00007FFF7FFFE272E680( *((char*)(_t174 + 0x10)), _t174);
				if (( *(_t174 +  *((intOrPtr*)(_v72 + 0x10)) + ( *((intOrPtr*)(_v72 + 0xc)) - 1) * 0x14) & 0x00000040) == 0) goto 0xe2734c30;
				goto L1;
				__eax = E00007FFF7FFFE272E680(__eax, __rax);
				_v72 =  *((intOrPtr*)(_v72 + 0x10));
				__rax = __rax +  *((intOrPtr*)(_v72 + 0x10));
				_v72 =  *((intOrPtr*)(_v72 + 0xc)) - 1;
				__rcx = ( *((intOrPtr*)(_v72 + 0xc)) - 1) * 0x14;
				__rax = __rax + ( *((intOrPtr*)(_v72 + 0xc)) - 1) * 0x14;
				__eflags = __rax;
				_v80 = 0;
				_v88 = 1;
				__rcx = _a64;
				_v96 = _a64;
				_v104 = _a56;
				__rcx = _v72;
				_v112 = _v72;
				_v120 = 0;
				_v128 = __rax;
				__rax = _a40;
				_v136 = _a40;
				__r9 = _a32;
				__r8 = _a24;
				__rdx = _a16;
				__rcx = _a8;
				__eax = E00007FFF7FFFE2735180(__edi, __esi, __esp, __eflags, _a8, _a16, _a24, _a32);
				goto L1;
				return __eax;
			}

0x7fffe2734960
0x7fffe2734965
0x7fffe273496a
0x7fffe273496f
0x7fffe273497b
0x7fffe2734989
0x7fffe273498b
0x7fffe2734990
0x7fffe273499d
0x7fffe27349a3
0x7fffe27349a8
0x7fffe27349ad
0x7fffe27349be
0x7fffe27349ce
0x7fffe27349de
0x7fffe27349e8
0x7fffe27349f4
0x7fffe2734a00
0x7fffe2734a2c
0x7fffe2734a2e
0x7fffe2734a3f
0x7fffe2734a41
0x7fffe2734a43
0x7fffe2734a50
0x7fffe2734a5a
0x7fffe2734a5f
0x7fffe2734a64
0x7fffe2734a69
0x7fffe2734a71
0x7fffe2734a89
0x7fffe2734a8e
0x7fffe2734a9b
0x7fffe2734aa8
0x7fffe2734ab5
0x7fffe2734ac9
0x7fffe2734acf
0x7fffe2734ade
0x7fffe2734ae4
0x7fffe2734af2
0x7fffe2734b0b
0x7fffe2734b0d
0x7fffe2734b12
0x7fffe2734b17
0x7fffe2734b46
0x7fffe2734b49
0x7fffe2734b51
0x7fffe2734b53
0x7fffe2734b68
0x7fffe2734b6e
0x7fffe2734b7c
0x7fffe2734b95
0x7fffe2734b97
0x7fffe2734b9c
0x7fffe2734ba4
0x7fffe2734bd9
0x7fffe2734be1
0x7fffe2734be3
0x7fffe2734bef
0x7fffe2734bfd
0x7fffe2734bff
0x7fffe2734c29
0x7fffe2734c2b
0x7fffe2734c30
0x7fffe2734c3a
0x7fffe2734c3e
0x7fffe2734c4b
0x7fffe2734c4e
0x7fffe2734c52
0x7fffe2734c52
0x7fffe2734c55
0x7fffe2734c5a
0x7fffe2734c5f
0x7fffe2734c67
0x7fffe2734c73
0x7fffe2734c77
0x7fffe2734c7c
0x7fffe2734c81
0x7fffe2734c8a
0x7fffe2734c8f
0x7fffe2734c97
0x7fffe2734c9c
0x7fffe2734ca4
0x7fffe2734cac
0x7fffe2734cb4
0x7fffe2734cbc
0x7fffe2734cc1
0x7fffe2734ccd

Strings

MOC, xrefs: 00007FFFE27349C8
RCC, xrefs: 00007FFFE27349D8

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID:
String ID: MOC$RCC
API String ID: 0-2084237596
Opcode ID: ff3899ab70367f580fbe79aa5854b52896b6d0a2cba9891fdbb3d09f9aae126f
Instruction ID: 3967570b1950069ff886c9818eaa1da1664651b496de18c6feaaa3ca5110b2f1
Opcode Fuzzy Hash: ff3899ab70367f580fbe79aa5854b52896b6d0a2cba9891fdbb3d09f9aae126f
Instruction Fuzzy Hash: CC911C32A0DB8582DA64DB45E0A137EB3A0FBC5744F104536EA8E83799DF7CE451CB45

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE273C6F8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 19%

			E00007FFF7FFFE273C6F8(signed int __rax, void* __rdx, long long _a32, void* _a64, void* _a72, intOrPtr _a76, signed int _a80, char _a84, char _a85, intOrPtr _a88, long long _a92, long long _a96, signed char _a104, intOrPtr _a108, signed int _a116, char _a120, char _a687, char _a688, intOrPtr _a704, intOrPtr _a708, signed char _a816, signed int _a824, signed int _a832, intOrPtr _a840, signed short* _a848, signed char _a856, char _a860, char _a864, long long _a872, intOrPtr _a876, intOrPtr _a912, intOrPtr _a916, signed int _a1040, long long _a1048, signed short _a1056, long long _a1060, signed int _a1064, intOrPtr _a1088, char _a1112) {
				signed int _t217;
				signed char _t222;
				intOrPtr _t257;
				signed int _t332;
				signed int _t333;
				signed long long _t336;
				intOrPtr* _t359;
				signed long long _t384;

				_t332 = __rax;
				_a116 = 0x10;
				asm("bts eax, 0xf");
				_a708 = 7;
				_a708 = 0x27;
				_a72 = 0x10;
				if ((_a80 & 0x00000080) == 0) goto 0xe273c754;
				_a84 = 0x30;
				_a85 = _a708 + 0x51;
				_a92 = 2;
				_a72 = 8;
				if ((_a80 & 0x00000080) == 0) goto 0xe273c777;
				asm("bts eax, 0x9");
				if ((_a80 & 0x00008000) == 0) goto 0xe273c79e;
				E00007FFF7FFFE2731EA0( &_a1112);
				_a824 = _t332;
				goto 0xe273c84b;
				if ((_a80 & 0x00001000) == 0) goto 0xe273c7c5;
				E00007FFF7FFFE2731EA0( &_a1112);
				_a824 = _t332;
				goto 0xe273c84b;
				if ((_a80 & 0x00000020) == 0) goto 0xe273c810;
				if ((_a80 & 0x00000040) == 0) goto 0xe273c7f6;
				_t333 = E00007FFF7FFFE2731E40( &_a1112);
				_a824 = _t333;
				goto 0xe273c80e;
				E00007FFF7FFFE2731E40( &_a1112);
				_a824 = _t333;
				goto 0xe273c84b;
				if ((_a80 & 0x00000040) == 0) goto 0xe273c834;
				E00007FFF7FFFE2731E40( &_a1112);
				_a824 = _t333;
				goto 0xe273c84b;
				E00007FFF7FFFE2731E40( &_a1112);
				_a824 = _t333;
				if ((_a80 & 0x00000040) == 0) goto 0xe273c882;
				if (_a824 >= 0) goto 0xe273c882;
				_a832 =  ~_a824;
				asm("bts eax, 0x8");
				goto 0xe273c892;
				_t336 = _a824;
				_a832 = _t336;
				if ((_a80 & 0x00008000) != 0) goto 0xe273c8c7;
				if ((_a80 & 0x00001000) != 0) goto 0xe273c8c7;
				_a832 = _a832 & _t336;
				if (_a116 >= 0) goto 0xe273c8d8;
				_a116 = 1;
				goto 0xe273c8f5;
				_a80 = _a80 & 0xfffffff7;
				if (_a116 - 0x200 <= 0) goto 0xe273c8f5;
				_a116 = 0x200;
				if (_a832 != 0) goto 0xe273c908;
				_a92 = 0;
				_a64 =  &_a687;
				_t217 = _a116;
				_a116 = _a116 - 1;
				if (_t217 > 0) goto 0xe273c936;
				if (_a832 == 0) goto 0xe273c9d3;
				_a1040 = _a72;
				_a816 = _t217 / _a1040 + 0x30;
				_a1048 = _a72;
				if (_a816 - 0x39 <= 0) goto 0xe273c9b2;
				_t222 = _a816 + _a708;
				_a816 = _t222;
				 *_a64 = _a816 & 0x000000ff;
				_a64 = _a64 - 1;
				goto 0xe273c915;
				_a104 = _t222;
				_a64 = _a64 + 1;
				if ((_a80 & 0x00000200) == 0) goto 0xe273ca31;
				if (_a104 == 0) goto 0xe273ca12;
				if ( *_a64 == 0x30) goto 0xe273ca31;
				_a64 = _a64 - 1;
				 *_a64 = 0x30;
				_a104 = _a104 + 1;
				if (_a108 != 0) goto 0xe273cc6e;
				if ((_a80 & 0x00000040) == 0) goto 0xe273ca95;
				if ((_a80 & 0x00000100) == 0) goto 0xe273ca63;
				_a84 = 0x2d;
				_a92 = 1;
				goto 0xe273ca95;
				if ((_a80 & 0x00000001) == 0) goto 0xe273ca7d;
				_a84 = 0x2b;
				_a92 = 1;
				goto 0xe273ca95;
				if ((_a80 & 0x00000002) == 0) goto 0xe273ca95;
				_a84 = 0x20;
				_a92 = 1;
				_a840 = _a88 - _a104 - _a92;
				if ((_a80 & 0x0000000c) != 0) goto 0xe273cad5;
				E00007FFF7FFFE273CF10(0x20, _a840, _a1088,  &_a688);
				E00007FFF7FFFE273CF60(_a92, _a64,  &_a84, _a1088,  &_a688);
				if ((_a80 & 0x00000008) == 0) goto 0xe273cb27;
				if ((_a80 & 0x00000004) != 0) goto 0xe273cb27;
				E00007FFF7FFFE273CF10(0x30, _a840, _a1088,  &_a688);
				if (_a76 == 0) goto 0xe273cc1d;
				if (_a104 <= 0) goto 0xe273cc1d;
				_a872 = 0;
				_a848 = _a64;
				_a856 = _a104;
				_a856 = _a856 - 1;
				if (_a856 == 0) goto 0xe273cc1b;
				_a1056 =  *_a848 & 0x0000ffff;
				r9d = _a1056 & 0x0000ffff;
				r8d = 6;
				_a872 = E00007FFF7FFFE273B530( &_a860,  &_a864, _a1088);
				_a848 =  &(_a848[1]);
				if (_a872 != 0) goto 0xe273cbe5;
				if (_a860 != 0) goto 0xe273cbf2;
				_a688 = 0xffffffff;
				goto 0xe273cc1b;
				E00007FFF7FFFE273CF60(_a860,  &(_a848[1]),  &_a864, _a1088,  &_a688);
				goto 0xe273cb60;
				goto 0xe273cc3b;
				E00007FFF7FFFE273CF60(_a104,  &(_a848[1]), _a64, _a1088,  &_a688);
				if (_a688 < 0) goto 0xe273cc6e;
				if ((_a80 & 0x00000004) == 0) goto 0xe273cc6e;
				E00007FFF7FFFE273CF10(0x20, _a840, _a1088,  &_a688);
				if (_a96 == 0) goto 0xe273cc8e;
				0xe2725330();
				_a96 = 0;
				goto 0xe273b99c;
				if (_a704 == 0) goto 0xe273ccb4;
				if (_a704 == 7) goto 0xe273ccb4;
				_a1060 = 0;
				goto 0xe273ccbf;
				_a1060 = 1;
				_t257 = _a1060;
				_a876 = _t257;
				if (_a876 != 0) goto 0xe273cd05;
				_t359 = L"((state == ST_NORMAL) || (state == ST_TYPE))";
				_a32 = _t359;
				r9d = 0;
				r8d = 0x8f5;
				0xe272b3b0();
				if (_t257 != 1) goto 0xe273cd05;
				asm("int3");
				if (_a876 != 0) goto 0xe273cd61;
				0xe272ab30();
				 *_t359 = 0x16;
				_a32 = 0;
				r9d = 0x8f5;
				E00007FFF7FFFE272BD70(L"((state == ST_NORMAL) || (state == ST_TYPE))", L"_output_s_l", L"f:\\dd\\vctools\\crt_bld\\self_64_amd64\\crt\\src\\output.c");
				_a912 = 0xffffffff;
				E00007FFF7FFFE2726800( &_a120);
				goto 0xe273cd80;
				_a916 = _a688;
				E00007FFF7FFFE2726800( &_a120);
				return E00007FFF7FFFE2723280(_a916, 2, 2, _a1064 ^ _t384, L"_output_s_l", L"f:\\dd\\vctools\\crt_bld\\self_64_amd64\\crt\\src\\output.c");
			}

0x7fffe273c6f8
0x7fffe273c6f8
0x7fffe273c704
0x7fffe273c70c
0x7fffe273c719
0x7fffe273c724
0x7fffe273c737
0x7fffe273c739
0x7fffe273c748
0x7fffe273c74c
0x7fffe273c756
0x7fffe273c769
0x7fffe273c76f
0x7fffe273c782
0x7fffe273c78c
0x7fffe273c791
0x7fffe273c799
0x7fffe273c7a9
0x7fffe273c7b3
0x7fffe273c7b8
0x7fffe273c7c0
0x7fffe273c7ce
0x7fffe273c7d9
0x7fffe273c7e8
0x7fffe273c7ec
0x7fffe273c7f4
0x7fffe273c7fe
0x7fffe273c806
0x7fffe273c80e
0x7fffe273c819
0x7fffe273c823
0x7fffe273c82a
0x7fffe273c832
0x7fffe273c83c
0x7fffe273c843
0x7fffe273c854
0x7fffe273c85f
0x7fffe273c86c
0x7fffe273c878
0x7fffe273c880
0x7fffe273c882
0x7fffe273c88a
0x7fffe273c89d
0x7fffe273c8aa
0x7fffe273c8bf
0x7fffe273c8cc
0x7fffe273c8ce
0x7fffe273c8d6
0x7fffe273c8df
0x7fffe273c8eb
0x7fffe273c8ed
0x7fffe273c8fe
0x7fffe273c900
0x7fffe273c910
0x7fffe273c915
0x7fffe273c91f
0x7fffe273c925
0x7fffe273c930
0x7fffe273c93b
0x7fffe273c95e
0x7fffe273c96a
0x7fffe273c997
0x7fffe273c9a9
0x7fffe273c9ab
0x7fffe273c9bf
0x7fffe273c9c9
0x7fffe273c9ce
0x7fffe273c9e0
0x7fffe273c9ec
0x7fffe273c9fc
0x7fffe273ca03
0x7fffe273ca10
0x7fffe273ca1a
0x7fffe273ca24
0x7fffe273ca2d
0x7fffe273ca36
0x7fffe273ca45
0x7fffe273ca52
0x7fffe273ca54
0x7fffe273ca59
0x7fffe273ca61
0x7fffe273ca6c
0x7fffe273ca6e
0x7fffe273ca73
0x7fffe273ca7b
0x7fffe273ca86
0x7fffe273ca88
0x7fffe273ca8d
0x7fffe273caa5
0x7fffe273cab5
0x7fffe273cad0
0x7fffe273caee
0x7fffe273cafc
0x7fffe273cb07
0x7fffe273cb22
0x7fffe273cb2c
0x7fffe273cb37
0x7fffe273cb3d
0x7fffe273cb4d
0x7fffe273cb59
0x7fffe273cb70
0x7fffe273cb79
0x7fffe273cb8a
0x7fffe273cb92
0x7fffe273cb9b
0x7fffe273cbb6
0x7fffe273cbc9
0x7fffe273cbd9
0x7fffe273cbe3
0x7fffe273cbe5
0x7fffe273cbf0
0x7fffe273cc11
0x7fffe273cc16
0x7fffe273cc1b
0x7fffe273cc36
0x7fffe273cc43
0x7fffe273cc4e
0x7fffe273cc69
0x7fffe273cc74
0x7fffe273cc80
0x7fffe273cc85
0x7fffe273cc8e
0x7fffe273cc9b
0x7fffe273cca5
0x7fffe273cca7
0x7fffe273ccb2
0x7fffe273ccb4
0x7fffe273ccbf
0x7fffe273ccc6
0x7fffe273ccd5
0x7fffe273ccd7
0x7fffe273ccde
0x7fffe273cce3
0x7fffe273cce6
0x7fffe273ccf8
0x7fffe273cd00
0x7fffe273cd02
0x7fffe273cd0d
0x7fffe273cd0f
0x7fffe273cd14
0x7fffe273cd1a
0x7fffe273cd23
0x7fffe273cd3e
0x7fffe273cd43
0x7fffe273cd53
0x7fffe273cd5f
0x7fffe273cd68
0x7fffe273cd74
0x7fffe273cd97

APIs

get_int64_arg.LIBCMTD ref: 00007FFFE273C78C

Strings

0, xrefs: 00007FFFE273C739
9, xrefs: 00007FFFE273C98F

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: get_int64_arg
String ID: 0$9
API String ID: 1967237116-1975997740
Opcode ID: aed7fbe3ab945623e5c36a128674cf35c8ffbba07ad38133e4628ccf625e54aa
Instruction ID: 48c38a7d2a66ceaa3f3b0c41a21e8af791dd4b25519adc9df503abd79b1d164f
Opcode Fuzzy Hash: aed7fbe3ab945623e5c36a128674cf35c8ffbba07ad38133e4628ccf625e54aa
Instruction Fuzzy Hash: 4141D632A0DAC18BE7658B19E4817AAB7E4F785750F100139E788C6B98EBBCE550CF01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE273E70C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 94
COMMON

Download Yara Rule

C-Code - Quality: 23%

			E00007FFF7FFFE273E70C(signed int __rax, void* __rdx, long long _a32, void* _a64, void* _a72, intOrPtr _a76, signed int _a80, char _a84, short _a86, intOrPtr _a88, long long _a92, long long _a96, signed char _a104, intOrPtr _a108, signed int _a116, char _a120, char _a687, char _a1200, signed short _a1212, intOrPtr _a1216, intOrPtr _a1220, signed char _a1296, signed int _a1304, signed int _a1312, intOrPtr _a1320, long long _a1328, signed char _a1336, intOrPtr _a1340, intOrPtr _a1344, intOrPtr _a1376, intOrPtr _a1380, signed int _a1480, long long _a1488, long long _a1496, long long _a1504, signed int _a1512, intOrPtr _a1536, char _a1560) {
				signed int _t213;
				signed char _t218;
				void* _t249;
				intOrPtr _t257;
				signed int _t331;
				signed int _t332;
				signed long long _t335;
				intOrPtr* _t354;
				intOrPtr* _t359;
				signed long long _t389;

				_t331 = __rax;
				_a1220 = 0x27;
				_a72 = 0x10;
				if ((_a80 & 0x00000080) == 0) goto 0xe273e74d;
				_a84 = 0x30;
				_a86 = _a1220 + 0x51;
				_a92 = 2;
				_a72 = 8;
				if ((_a80 & 0x00000080) == 0) goto 0xe273e770;
				asm("bts eax, 0x9");
				if ((_a80 & 0x00008000) == 0) goto 0xe273e797;
				E00007FFF7FFFE2731EA0( &_a1560);
				_a1304 = _t331;
				goto 0xe273e844;
				if ((_a80 & 0x00001000) == 0) goto 0xe273e7be;
				E00007FFF7FFFE2731EA0( &_a1560);
				_a1304 = _t331;
				goto 0xe273e844;
				if ((_a80 & 0x00000020) == 0) goto 0xe273e809;
				if ((_a80 & 0x00000040) == 0) goto 0xe273e7ef;
				_t332 = E00007FFF7FFFE2731E40( &_a1560);
				_a1304 = _t332;
				goto 0xe273e807;
				E00007FFF7FFFE2731E40( &_a1560);
				_a1304 = _t332;
				goto 0xe273e844;
				if ((_a80 & 0x00000040) == 0) goto 0xe273e82d;
				E00007FFF7FFFE2731E40( &_a1560);
				_a1304 = _t332;
				goto 0xe273e844;
				E00007FFF7FFFE2731E40( &_a1560);
				_a1304 = _t332;
				if ((_a80 & 0x00000040) == 0) goto 0xe273e87b;
				if (_a1304 >= 0) goto 0xe273e87b;
				_a1312 =  ~_a1304;
				asm("bts eax, 0x8");
				goto 0xe273e88b;
				_t335 = _a1304;
				_a1312 = _t335;
				if ((_a80 & 0x00008000) != 0) goto 0xe273e8c0;
				if ((_a80 & 0x00001000) != 0) goto 0xe273e8c0;
				_a1312 = _a1312 & _t335;
				if (_a116 >= 0) goto 0xe273e8d1;
				_a116 = 1;
				goto 0xe273e8ee;
				_a80 = _a80 & 0xfffffff7;
				if (_a116 - 0x200 <= 0) goto 0xe273e8ee;
				_a116 = 0x200;
				if (_a1312 != 0) goto 0xe273e901;
				_a92 = 0;
				_a64 =  &_a687;
				_t213 = _a116;
				_a116 = _a116 - 1;
				if (_t213 > 0) goto 0xe273e92f;
				if (_a1312 == 0) goto 0xe273e9cc;
				_a1480 = _a72;
				_a1296 = _t213 / _a1480 + 0x30;
				_a1488 = _a72;
				if (_a1296 - 0x39 <= 0) goto 0xe273e9ab;
				_t218 = _a1296 + _a1220;
				_a1296 = _t218;
				 *_a64 = _a1296 & 0x000000ff;
				_a64 = _a64 - 1;
				goto 0xe273e90e;
				_a104 = _t218;
				_a64 = _a64 + 1;
				if ((_a80 & 0x00000200) == 0) goto 0xe273ea2a;
				if (_a104 == 0) goto 0xe273ea0b;
				if ( *_a64 == 0x30) goto 0xe273ea2a;
				_a64 = _a64 - 1;
				 *_a64 = 0x30;
				_a104 = _a104 + 1;
				if (_a108 != 0) goto 0xe273ec7c;
				if ((_a80 & 0x00000040) == 0) goto 0xe273ea9d;
				if ((_a80 & 0x00000100) == 0) goto 0xe273ea61;
				_a84 = 0x2d;
				_a92 = 1;
				goto 0xe273ea9d;
				if ((_a80 & 0x00000001) == 0) goto 0xe273ea80;
				_a84 = 0x2b;
				_a92 = 1;
				goto 0xe273ea9d;
				if ((_a80 & 0x00000002) == 0) goto 0xe273ea9d;
				_a84 = 0x20;
				_a92 = 1;
				_a1320 = _a88 - _a104 - _a92;
				if ((_a80 & 0x0000000c) != 0) goto 0xe273eadf;
				E00007FFF7FFFE273EEC0(0x20, _a1320, _a1536,  &_a1200);
				E00007FFF7FFFE273EF10(_a92, _a64,  &_a84, _a1536,  &_a1200);
				if ((_a80 & 0x00000008) == 0) goto 0xe273eb33;
				if ((_a80 & 0x00000004) != 0) goto 0xe273eb33;
				E00007FFF7FFFE273EEC0(0x30, _a1320, _a1536,  &_a1200);
				if (_a76 != 0) goto 0xe273ec29;
				if (_a104 <= 0) goto 0xe273ec29;
				_t354 = _a64;
				_a1328 = _t354;
				_a1336 = _a104;
				_a1336 = _a1336 - 1;
				if (_a1336 <= 0) goto 0xe273ec27;
				_t249 = E00007FFF7FFFE2726840(_a1336,  &_a120);
				_a1496 = _t354;
				E00007FFF7FFFE2726840(_t249,  &_a120);
				_a1340 = E00007FFF7FFFE273F000( &_a1212, _a1328,  *((intOrPtr*)( *_t354 + 0x10c)), _a1496);
				if (_a1340 > 0) goto 0xe273ebe7;
				_a1200 = 0xffffffff;
				goto 0xe273ec27;
				E00007FFF7FFFE273EE40(_a1212 & 0x0000ffff, _a1536,  &_a1200);
				_a1328 = _a1328 + _a1340;
				goto 0xe273eb61;
				goto 0xe273ec47;
				E00007FFF7FFFE273EF10(_a104, _a1328 + _a1340, _a64, _a1536,  &_a1200);
				if (_a1200 < 0) goto 0xe273ec7c;
				if ((_a80 & 0x00000004) == 0) goto 0xe273ec7c;
				E00007FFF7FFFE273EEC0(0x20, _a1320, _a1536,  &_a1200);
				if (_a96 == 0) goto 0xe273ec9c;
				0xe2725330();
				_a96 = 0;
				goto 0xe273da75;
				if (_a1216 == 0) goto 0xe273ecc2;
				if (_a1216 == 7) goto 0xe273ecc2;
				_a1504 = 0;
				goto 0xe273eccd;
				_a1504 = 1;
				_t257 = _a1504;
				_a1344 = _t257;
				if (_a1344 != 0) goto 0xe273ed13;
				_t359 = L"((state == ST_NORMAL) || (state == ST_TYPE))";
				_a32 = _t359;
				r9d = 0;
				r8d = 0x8f5;
				0xe272b3b0();
				if (_t257 != 1) goto 0xe273ed13;
				asm("int3");
				if (_a1344 != 0) goto 0xe273ed6f;
				0xe272ab30();
				 *_t359 = 0x16;
				_a32 = 0;
				r9d = 0x8f5;
				E00007FFF7FFFE272BD70(L"((state == ST_NORMAL) || (state == ST_TYPE))", L"_woutput_s_l", L"f:\\dd\\vctools\\crt_bld\\self_64_amd64\\crt\\src\\output.c");
				_a1376 = 0xffffffff;
				E00007FFF7FFFE2726800( &_a120);
				goto 0xe273ed8e;
				_a1380 = _a1200;
				E00007FFF7FFFE2726800( &_a120);
				return E00007FFF7FFFE2723280(_a1380, 2, 2, _a1512 ^ _t389, L"_woutput_s_l", L"f:\\dd\\vctools\\crt_bld\\self_64_amd64\\crt\\src\\output.c");
			}

0x7fffe273e70c
0x7fffe273e70c
0x7fffe273e717
0x7fffe273e72a
0x7fffe273e731
0x7fffe273e740
0x7fffe273e745
0x7fffe273e74f
0x7fffe273e762
0x7fffe273e768
0x7fffe273e77b
0x7fffe273e785
0x7fffe273e78a
0x7fffe273e792
0x7fffe273e7a2
0x7fffe273e7ac
0x7fffe273e7b1
0x7fffe273e7b9
0x7fffe273e7c7
0x7fffe273e7d2
0x7fffe273e7e1
0x7fffe273e7e5
0x7fffe273e7ed
0x7fffe273e7f7
0x7fffe273e7ff
0x7fffe273e807
0x7fffe273e812
0x7fffe273e81c
0x7fffe273e823
0x7fffe273e82b
0x7fffe273e835
0x7fffe273e83c
0x7fffe273e84d
0x7fffe273e858
0x7fffe273e865
0x7fffe273e871
0x7fffe273e879
0x7fffe273e87b
0x7fffe273e883
0x7fffe273e896
0x7fffe273e8a3
0x7fffe273e8b8
0x7fffe273e8c5
0x7fffe273e8c7
0x7fffe273e8cf
0x7fffe273e8d8
0x7fffe273e8e4
0x7fffe273e8e6
0x7fffe273e8f7
0x7fffe273e8f9
0x7fffe273e909
0x7fffe273e90e
0x7fffe273e918
0x7fffe273e91e
0x7fffe273e929
0x7fffe273e934
0x7fffe273e957
0x7fffe273e963
0x7fffe273e990
0x7fffe273e9a2
0x7fffe273e9a4
0x7fffe273e9b8
0x7fffe273e9c2
0x7fffe273e9c7
0x7fffe273e9d9
0x7fffe273e9e5
0x7fffe273e9f5
0x7fffe273e9fc
0x7fffe273ea09
0x7fffe273ea13
0x7fffe273ea1d
0x7fffe273ea26
0x7fffe273ea2f
0x7fffe273ea3e
0x7fffe273ea4b
0x7fffe273ea52
0x7fffe273ea57
0x7fffe273ea5f
0x7fffe273ea6a
0x7fffe273ea71
0x7fffe273ea76
0x7fffe273ea7e
0x7fffe273ea89
0x7fffe273ea90
0x7fffe273ea95
0x7fffe273eaad
0x7fffe273eabd
0x7fffe273eada
0x7fffe273eaf8
0x7fffe273eb06
0x7fffe273eb11
0x7fffe273eb2e
0x7fffe273eb38
0x7fffe273eb43
0x7fffe273eb49
0x7fffe273eb4e
0x7fffe273eb5a
0x7fffe273eb71
0x7fffe273eb7a
0x7fffe273eb85
0x7fffe273eb8a
0x7fffe273eb97
0x7fffe273ebc9
0x7fffe273ebd8
0x7fffe273ebda
0x7fffe273ebe5
0x7fffe273ebff
0x7fffe273ec1a
0x7fffe273ec22
0x7fffe273ec27
0x7fffe273ec42
0x7fffe273ec4f
0x7fffe273ec5a
0x7fffe273ec77
0x7fffe273ec82
0x7fffe273ec8e
0x7fffe273ec93
0x7fffe273ec9c
0x7fffe273eca9
0x7fffe273ecb3
0x7fffe273ecb5
0x7fffe273ecc0
0x7fffe273ecc2
0x7fffe273eccd
0x7fffe273ecd4
0x7fffe273ece3
0x7fffe273ece5
0x7fffe273ecec
0x7fffe273ecf1
0x7fffe273ecf4
0x7fffe273ed06
0x7fffe273ed0e
0x7fffe273ed10
0x7fffe273ed1b
0x7fffe273ed1d
0x7fffe273ed22
0x7fffe273ed28
0x7fffe273ed31
0x7fffe273ed4c
0x7fffe273ed51
0x7fffe273ed61
0x7fffe273ed6d
0x7fffe273ed76
0x7fffe273ed82
0x7fffe273eda5

APIs

get_int64_arg.LIBCMTD ref: 00007FFFE273E785

Strings

', xrefs: 00007FFFE273E70C
9, xrefs: 00007FFFE273E988

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: get_int64_arg
String ID: '$9
API String ID: 1967237116-1823400153
Opcode ID: 96444a5ecc25f07181ec4491dd73a0df774b8fd8e649fad80ce219d3ce06daa6
Instruction ID: f79c9d8d02f0a1670a05731fa69ff94327adfcfb399126e4a677260e26011542
Opcode Fuzzy Hash: 96444a5ecc25f07181ec4491dd73a0df774b8fd8e649fad80ce219d3ce06daa6
Instruction Fuzzy Hash: 5D41EB3290DAC58BE7708B19E8813ABB3E0FB95791F001135E698C7B98EBBCD4508F05

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE273D710 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

_unlock.LIBCMTD ref: 00007FFFE273D7BF

Strings

f:\dd\vctools\crt_bld\self_64_amd64\crt\src\dbgdel.cpp, xrefs: 00007FFFE273D78E
_BLOCK_TYPE_IS_VALID(pHead->nBlockUse), xrefs: 00007FFFE273D779

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: _unlock
String ID: _BLOCK_TYPE_IS_VALID(pHead->nBlockUse)$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\dbgdel.cpp
API String ID: 2480363372-1749241151
Opcode ID: 2b49e58eed8e6e59642ee45ba138bd684622393025d622caadb7daf1159c6293
Instruction ID: acb209de3ed69cff15ac418ab909c8ca236be2d4564cb43bc3a3a144c4d8d0c7
Opcode Fuzzy Hash: 2b49e58eed8e6e59642ee45ba138bd684622393025d622caadb7daf1159c6293
Instruction Fuzzy Hash: 40114F76E3868686EBA49B15DC8177A63E1FBC2754F105035E64D83B95EFBCE420CB02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2741200 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

_FindAndUnlinkFrame.LIBCMTD ref: 00007FFFE274120D
_IsExceptionObjectToBeDestroyed.LIBCMTD ref: 00007FFFE274125E

Strings

csm, xrefs: 00007FFFE274121D

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: DestroyedExceptionFindFrameObjectUnlink
String ID: csm
API String ID: 1826589669-1018135373
Opcode ID: 34ffa76e03f6f125ffde0022bc26c820041218dfec633c9b0636301340e9056d
Instruction ID: 7227485ce998c46a17f1861915b465cab26865f9c60412658455573ac970e16b
Opcode Fuzzy Hash: 34ffa76e03f6f125ffde0022bc26c820041218dfec633c9b0636301340e9056d
Instruction Fuzzy Hash: E4114F32E44A82CADF20EF75C4802B927E0FB96B84F552131EA1DC77A1EF64D991C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE272F3E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

_free_nolock.LIBCMTD ref: 00007FFFE272F419

Strings

("Corrupted pointer passed to _freea", 0), xrefs: 00007FFFE272F430
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\malloc.h, xrefs: 00007FFFE272F445

Memory Dump Source

Source File: 00000003.00000002.276665110.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000003.00000002.276659895.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276682478.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276690228.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.276695462.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7fffe2720000_regsvr32.jbxd

Similarity

API ID: _free_nolock
String ID: ("Corrupted pointer passed to _freea", 0)$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\malloc.h
API String ID: 2882679554-3458198949
Opcode ID: fcbdd2152eeca573d64b24b70be95bad50c5d4f9526249e7eb53e402592ebf7b
Instruction ID: b982cb3f54a003d8ad36e43abc11314890be8e31248cbbe16184d3e6de060514
Opcode Fuzzy Hash: fcbdd2152eeca573d64b24b70be95bad50c5d4f9526249e7eb53e402592ebf7b
Instruction Fuzzy Hash: A0012162E2C74286EB509B64E48472AB3E4F792350F400535EA8DC2F95EFFCD424CB02

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exePID: 2960, Parent PID: 5772COMMON

Execution Graph

Execution Coverage:	5.8%
Dynamic/Decrypted Code Coverage:	0.6%
Signature Coverage:	0%
Total number of Nodes:	1882
Total number of Limit Nodes:	49

Executed Functions

Function 00007FFFE27212B0 Relevance: 210.9, APIs: 6, Strings: 114, Instructions: 872
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoLoadLibrary.OLE32 ref: 00007FFFE2722F02
MessageBoxA.USER32 ref: 00007FFFE2722F1C
ExitProcess.KERNEL32 ref: 00007FFFE2722F27
VirtualAlloc.KERNELBASE ref: 00007FFFE2722F57
RtlAllocateHeap.NTDLL ref: 00007FFFE2722F65
RtlDeleteBoundaryDescriptor.NTDLL ref: 00007FFFE2722F86

Strings

Ya], xrefs: 00007FFFE2721590
VO4, xrefs: 00007FFFE2721BD0
It, xrefs: 00007FFFE2721CC0
U9#(, xrefs: 00007FFFE27224EA
HPZ, xrefs: 00007FFFE2722896
g@$, xrefs: 00007FFFE2722328
e7tc, xrefs: 00007FFFE2722C6A
EBg, xrefs: 00007FFFE2721F9A
} z$, xrefs: 00007FFFE27229F4
:'U@, xrefs: 00007FFFE2722490
%</, xrefs: 00007FFFE27224A4
,$n, xrefs: 00007FFFE2721658
$huN, xrefs: 00007FFFE2722DE6
BxJr, xrefs: 00007FFFE2721B26
R;pB, xrefs: 00007FFFE2721BBC
Puvm, xrefs: 00007FFFE2722D0A
-{*, xrefs: 00007FFFE272285A
%Uc, xrefs: 00007FFFE2722E18
rkE@, xrefs: 00007FFFE2721415
}WL, xrefs: 00007FFFE2721A22
h78<, xrefs: 00007FFFE2721AA4
P+oo, xrefs: 00007FFFE272233C
<v:, xrefs: 00007FFFE2721A4A
5vCx, xrefs: 00007FFFE2722B98
|e:, xrefs: 00007FFFE2722EDD
j+h, xrefs: 00007FFFE27228BE
w&ed, xrefs: 00007FFFE2722288
M1vi, xrefs: 00007FFFE27226F2
QlyO, xrefs: 00007FFFE2721D9C
<)@P, xrefs: 00007FFFE27215E0
oE, xrefs: 00007FFFE2722418
wC54, xrefs: 00007FFFE2722AF8
PX5, xrefs: 00007FFFE272265C
t(O, xrefs: 00007FFFE27218C4
pAT#, xrefs: 00007FFFE2721B4E
*hH%, xrefs: 00007FFFE272215C
"!k, xrefs: 00007FFFE27221FC
xA\#, xrefs: 00007FFFE272163A
ePO, xrefs: 00007FFFE2721A04
C/, xrefs: 00007FFFE2721E82
mbPv, xrefs: 00007FFFE2721423
cDj, xrefs: 00007FFFE27218E2
`I, xrefs: 00007FFFE2722634
5qj', xrefs: 00007FFFE2721F90
mCl4, xrefs: 00007FFFE27216C6
jfX, xrefs: 00007FFFE2721EF0
.#(, xrefs: 00007FFFE2721346
M13U, xrefs: 00007FFFE27217B6
<M}O, xrefs: 00007FFFE2721D6A
{$U|, xrefs: 00007FFFE27223A0
$}%z, xrefs: 00007FFFE2722C7E
?x?, xrefs: 00007FFFE2721D2E
Ko*h, xrefs: 00007FFFE2722CC4
tc`, xrefs: 00007FFFE27221C0
=kf^, xrefs: 00007FFFE2721662
|X, xrefs: 00007FFFE2721AC2
werfault.exe, xrefs: 00007FFFE2722E68
+ong, xrefs: 00007FFFE2722A3A
!@C+, xrefs: 00007FFFE2721824
%8#, xrefs: 00007FFFE2721D06
9[+, xrefs: 00007FFFE2721FD6
U+on, xrefs: 00007FFFE2721E28
3ob, xrefs: 00007FFFE27215EA
`AnM, xrefs: 00007FFFE2722E6F
Eekg, xrefs: 00007FFFE27224D6
S}pn, xrefs: 00007FFFE27222BA
^*C, xrefs: 00007FFFE272209E
FLIn, xrefs: 00007FFFE27228FA
#z$U, xrefs: 00007FFFE27221B6
}'6, xrefs: 00007FFFE2721B76
hx", xrefs: 00007FFFE2721B30
aUJ', xrefs: 00007FFFE27217F2
:9m?, xrefs: 00007FFFE2722792
L ]1, xrefs: 00007FFFE2721842
N3, xrefs: 00007FFFE272245E
S[L, xrefs: 00007FFFE272218E
{fM$, xrefs: 00007FFFE2721B8A
@ , xrefs: 00007FFFE27229EA
$:*:, xrefs: 00007FFFE2722C74
D)'U, xrefs: 00007FFFE27222A6
gVWH, xrefs: 00007FFFE2721D88
+iT, xrefs: 00007FFFE2722012
1\u, xrefs: 00007FFFE2722CBA
8<-, xrefs: 00007FFFE2721BEE
;qdf, xrefs: 00007FFFE2721A7C
>~, xrefs: 00007FFFE2721DA6
2s<S, xrefs: 00007FFFE272236E
%U9, xrefs: 00007FFFE2722A9E
-'C, xrefs: 00007FFFE2721AAE
M z, xrefs: 00007FFFE2721438
V#s, xrefs: 00007FFFE2721676
0.3, xrefs: 00007FFFE27213AC
$D1v, xrefs: 00007FFFE27215CC
*hH, xrefs: 00007FFFE2721386
(pd, xrefs: 00007FFFE27221CA
c-_j, xrefs: 00007FFFE27221F2
"V2, xrefs: 00007FFFE272280A
Pl5, xrefs: 00007FFFE2721E3C
i~e, xrefs: 00007FFFE2721FCC
N1kj^H<M1vf@$_yiXP+o*hH*fZQl5vC5qjfXErgxjcCb4v_e75<edkge!z$U9k+h, xrefs: 00007FFFE2722FBB
,1., xrefs: 00007FFFE272258A
&\hR, xrefs: 00007FFFE2721EBE
kxfc, xrefs: 00007FFFE27218A6
V9s, xrefs: 00007FFFE272260C
%<, xrefs: 00007FFFE2722CE2
:!@, xrefs: 00007FFFE272145B
l|f, xrefs: 00007FFFE2722080
4bB, xrefs: 00007FFFE2722210
wk/, xrefs: 00007FFFE2721784
Cb47, xrefs: 00007FFFE2722D00
MDj, xrefs: 00007FFFE272281E
0kj., xrefs: 00007FFFE272144D
?CE`, xrefs: 00007FFFE2721BF8
$931, xrefs: 00007FFFE2721D56

Memory Dump Source

Source File: 00000004.00000002.301341298.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000004.00000002.301336178.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.301363130.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.301371092.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.301376068.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7fffe2720000_rundll32.jbxd

Similarity

API ID: AllocAllocateBoundaryDeleteDescriptorExitHeapLibraryLoadMessageProcessVirtual
String ID: %<$Ya]$g@$$|X$ 4bB$!@C+$"V2$#z$U$$931$$:*:$$D1v$$huN$$}%z$%8#$%</$%U9$&\hR$*hH%$+ong$+iT$-{*$-'C$.#($0kj.$0.3$1\u$2s<S$3ob$5qj'$5vCx$8<-$:!@$:'U@$:9m?$;qdf$<)@P$<M}O$<v:$=kf^$>~$?CE`$@ $BxJr$C/$Cb47$D)'U$Eekg$FLIn$HPZ$Ko*h$L ]1$M13U$M1vi$MDj$N1kj^H<M1vf@$_yiXP+o*hH*fZQl5vC5qjfXErgxjcCb4v_e75<edkge!z$U9k+h$P+oo$PX5$Puvm$QlyO$R;pB$S[L$S}pn$U+on$U9#($V#s$V9s$VO4$^*C$`AnM$aUJ'$c-_j$cDj$e7tc$ePO$gVWH$h78<$hx"$j+h$kxfc$l|f$mCl4$mbPv$pAT#$rkE@$t(O$tc`$w&ed$wC54$werfault.exe$wk/$xA\#${$U|${fM$$|e:$} z$$}'6$}WL$It$"!k$%Uc$(pd$*hH$,$n$,1.$9[+$?x?$EBg$M z$N3$Pl5$i~e$jfX$oE$`I
API String ID: 3056597726-2032897877
Opcode ID: be2b6721a01229fe6d62131d54c2e067f3d2e24da2d5df3bb551e88fe72b0fff
Instruction ID: 67f92827ad41a2542b30726a5c914b66c0de43806d78508feeb5baaad886ed12
Opcode Fuzzy Hash: be2b6721a01229fe6d62131d54c2e067f3d2e24da2d5df3bb551e88fe72b0fff
Instruction Fuzzy Hash: 39E2C9B690A7C18FE3748F229A817DD3AB0F346748F509208D3991FA1DDB795252CF86

Uniqueness

Uniqueness Score: -1.00%

Function 0000014B7C8C0000 Relevance: 76.3, APIs: 5, Strings: 38, Instructions: 1094
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 0000014B7C8C0450
GetNativeSystemInfo.KERNELBASE ref: 0000014B7C8C0539
VirtualAlloc.KERNELBASE ref: 0000014B7C8C0580
VirtualProtect.KERNELBASE ref: 0000014B7C8C09E9
RtlAddFunctionTable.KERNEL32 ref: 0000014B7C8C0A79

Strings

Libr, xrefs: 0000014B7C8C00D0
Flus, xrefs: 0000014B7C8C0113
ualP, xrefs: 0000014B7C8C00FF
lloc, xrefs: 0000014B7C8C00F0
urce, xrefs: 0000014B7C8C0304
Reso, xrefs: 0000014B7C8C02DB
ualA, xrefs: 0000014B7C8C00E8
ncti, xrefs: 0000014B7C8C016A
hIns, xrefs: 0000014B7C8C011A
Find, xrefs: 0000014B7C8C02D0
urce, xrefs: 0000014B7C8C02E7
truc, xrefs: 0000014B7C8C0121
aryA, xrefs: 0000014B7C8C00D8
Lock, xrefs: 0000014B7C8C0330
Cach, xrefs: 0000014B7C8C012F
Reso, xrefs: 0000014B7C8C0355
rote, xrefs: 0000014B7C8C0106
Load, xrefs: 0000014B7C8C00C8
urce, xrefs: 0000014B7C8C035D
eSys, xrefs: 0000014B7C8C0144
GetN, xrefs: 0000014B7C8C0136
Virt, xrefs: 0000014B7C8C00F8
Size, xrefs: 0000014B7C8C0311
temI, xrefs: 0000014B7C8C014B
ativ, xrefs: 0000014B7C8C013D
ddFu, xrefs: 0000014B7C8C0163
ofRe, xrefs: 0000014B7C8C0318
onTa, xrefs: 0000014B7C8C0171
Reso, xrefs: 0000014B7C8C02FC
RtlA, xrefs: 0000014B7C8C015C
tion, xrefs: 0000014B7C8C0128
Virt, xrefs: 0000014B7C8C00E0
Slee, xrefs: 0000014B7C8C00B7
Reso, xrefs: 0000014B7C8C0338
Free, xrefs: 0000014B7C8C034D
urce, xrefs: 0000014B7C8C0340
Load, xrefs: 0000014B7C8C02F4
sour, xrefs: 0000014B7C8C031F

Memory Dump Source

Source File: 00000004.00000002.301305892.0000014B7C8C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000014B7C8C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_14b7c8c0000_rundll32.jbxd

Similarity

API ID: Virtual$Alloc$FunctionInfoNativeProtectSystemTable
String ID: Cach$Find$Flus$Free$GetN$Libr$Load$Load$Lock$Reso$Reso$Reso$Reso$RtlA$Size$Slee$Virt$Virt$aryA$ativ$ddFu$eSys$hIns$lloc$ncti$ofRe$onTa$rote$sour$temI$tion$truc$ualA$ualP$urce$urce$urce$urce
API String ID: 394283112-2517549848
Opcode ID: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
Instruction ID: 005e6d8d16ad489a23e7962067767fa5418c5df92595d27fbc64fd970f429393
Opcode Fuzzy Hash: 590c178917582490f2a8474f3428d2fdec128c188f960b73743dba758a98ecc8
Instruction Fuzzy Hash: 6672B230518A488BEB69DF18C8857F9B7F1FB94305F10466DE89AC32D2DB38D946CB85

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2727640 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 290
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoW.KERNEL32 ref: 00007FFFE272764C
_calloc_dbg.LIBCMTD ref: 00007FFFE2727671

Part of subcall function 00007FFFE2724980: _calloc_dbg_impl.LIBCMTD ref: 00007FFFE27249C6

_calloc_dbg.LIBCMTD ref: 00007FFFE2727858

Strings

f:\dd\vctools\crt_bld\self_64_amd64\crt\src\ioinit.c, xrefs: 00007FFFE272765A, 00007FFFE2727841

Memory Dump Source

Source File: 00000004.00000002.301341298.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000004.00000002.301336178.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.301363130.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.301371092.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.301376068.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7fffe2720000_rundll32.jbxd

Similarity

API ID: _calloc_dbg$InfoStartup_calloc_dbg_impl
String ID: f:\dd\vctools\crt_bld\self_64_amd64\crt\src\ioinit.c
API String ID: 1930727954-3864165772
Opcode ID: 53ed6c7dc9c3017b6de27dce3b9aec11c1bcaebc47f482f4e33ed4626b187432
Instruction ID: d6e809d0e17665c93a1afa646f4531d29c58fdb4308dd3ae8e513038fc5272e7
Opcode Fuzzy Hash: 53ed6c7dc9c3017b6de27dce3b9aec11c1bcaebc47f482f4e33ed4626b187432
Instruction Fuzzy Hash: 9BF10D72A09BC5C5E7708B19E88076AB7A0F7C6764F104225CA9D877E4EF7CD455CB02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2727DE0 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__initmbctable.LIBCMT ref: 00007FFFE2727DED
_calloc_dbg.LIBCMTD ref: 00007FFFE2727E7B
_calloc_dbg.LIBCMTD ref: 00007FFFE2727F1B

Part of subcall function 00007FFFE272D490: _invalid_parameter.LIBCMTD ref: 00007FFFE272D541

_invoke_watson_if_error.LIBCMTD ref: 00007FFFE2727F9B

Strings

~, xrefs: 00007FFFE2727EFE
strcpy_s(*env, cchars, p), xrefs: 00007FFFE2727F92
_setenvp, xrefs: 00007FFFE2727F8B
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\stdenvp.c, xrefs: 00007FFFE2727F84
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\stdenvp.c, xrefs: 00007FFFE2727E66, 00007FFFE2727F06

Memory Dump Source

Source File: 00000004.00000002.301341298.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000004.00000002.301336178.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.301363130.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.301371092.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.301376068.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7fffe2720000_rundll32.jbxd

Similarity

API ID: _calloc_dbg$__initmbctable_invalid_parameter_invoke_watson_if_error
String ID: _setenvp$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\stdenvp.c$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\stdenvp.c$strcpy_s(*env, cchars, p)$~
API String ID: 1648969265-681193798
Opcode ID: f93d43cf3bb1813beee52146895ee3ce0099543f481cf7d004c716eae911393f
Instruction ID: dcacedbb14248261a71aad5f40c7e516b17f287a46e835536c7136326d2e1fa8
Opcode Fuzzy Hash: f93d43cf3bb1813beee52146895ee3ce0099543f481cf7d004c716eae911393f
Instruction Fuzzy Hash: EF514B62E1DA8282E750CB14E48073A77E0FBC6754F501135EA8EC77A9EFBDE4518B42

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2728670 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 79
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentStringsW.KERNELBASE ref: 00007FFFE272867D
WideCharToMultiByte.KERNEL32 ref: 00007FFFE2728722
FreeEnvironmentStringsW.KERNEL32 ref: 00007FFFE2728764

Strings

f:\dd\vctools\crt_bld\self_64_amd64\crt\src\a_env.c, xrefs: 00007FFFE272873E

Memory Dump Source

Source File: 00000004.00000002.301341298.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000004.00000002.301336178.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.301363130.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.301371092.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.301376068.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7fffe2720000_rundll32.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide
String ID: f:\dd\vctools\crt_bld\self_64_amd64\crt\src\a_env.c
API String ID: 1823725401-2473407871
Opcode ID: 12bd68ef287a579055a6545109484f2ffc82b1f6f13cfb147b3cff23ff6676d3
Instruction ID: 38b1515921b4bf5abae006a82e11a76b3b0837f62e1b287472205ee78a072174
Opcode Fuzzy Hash: 12bd68ef287a579055a6545109484f2ffc82b1f6f13cfb147b3cff23ff6676d3
Instruction Fuzzy Hash: 7A41DB72A18B8986E7508B56F44432BB7E0F7C5794F100435EACD87B68EFBDD4648B11

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2723D30 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFFE2727540: _initp_misc_winsig.LIBCMTD ref: 00007FFFE272757B
Part of subcall function 00007FFFE2727540: _initp_eh_hooks.LIBCMTD ref: 00007FFFE2727585

Part of subcall function 00007FFFE2728FE0: InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFFE272906F

FlsAlloc.KERNEL32 ref: 00007FFFE2723D55

Part of subcall function 00007FFFE2723E00: FlsFree.KERNEL32 ref: 00007FFFE2723E13
Part of subcall function 00007FFFE2723E00: _mtdeletelocks.LIBCMTD ref: 00007FFFE2723E23

Strings

f:\dd\vctools\crt_bld\self_64_amd64\crt\src\tidtable.c, xrefs: 00007FFFE2723D7B

Memory Dump Source

Source File: 00000004.00000002.301341298.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000004.00000002.301336178.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.301363130.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.301371092.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.301376068.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7fffe2720000_rundll32.jbxd

Similarity

API ID: AllocCountCriticalFreeInitializeSectionSpin_initp_eh_hooks_initp_misc_winsig_mtdeletelocks
String ID: f:\dd\vctools\crt_bld\self_64_amd64\crt\src\tidtable.c
API String ID: 3828364660-3898981997
Opcode ID: 57cc27a1817b354a41c90cd4e830bede4952610ad4d5e9ce9ee4939fd8329ad8
Instruction ID: 9b921ddf588745f1dff84b07792f31616c70ff992d00bca1a10dd692cdbdbcd2
Opcode Fuzzy Hash: 57cc27a1817b354a41c90cd4e830bede4952610ad4d5e9ce9ee4939fd8329ad8
Instruction Fuzzy Hash: F9115EB2E2C64286F350AB25E84577926E1FFC6750F005631E96EC22E5FFBCE4248612

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE272F570 Relevance: 7.6, APIs: 5, Instructions: 83
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 16%

			E00007FFF7FFFE272F570(intOrPtr __edx, long long __rcx, void* __rdx, long long __r8, void* _a8, intOrPtr _a16, long long _a24, intOrPtr _a32, void* _a40, intOrPtr _a48, intOrPtr _a64) {
				long long _v24;
				intOrPtr _v32;
				long long _v40;
				signed int _v48;
				int _v52;
				int _v56;
				signed int _v64;
				long long _v72;
				void* _t53;
				long long _t82;

				_a32 = r9d;
				_a24 = __r8;
				_a16 = __edx;
				_a8 = __rcx;
				_v56 = 0;
				if (_a48 != 0) goto 0xe272f5ab;
				_a48 =  *((intOrPtr*)( *_a8 + 4));
				if (_a64 == 0) goto 0xe272f5bf;
				_v32 = 9;
				goto 0xe272f5c7;
				_v32 = 1;
				_v64 = 0;
				_v72 = 0;
				r9d = _a32;
				_v48 = MultiByteToWideChar(??, ??, ??, ??, ??, ??);
				if (_v48 != 0) goto 0xe272f60b;
				goto 0xe272f6f8;
				if (0 != 0) goto 0xe272f652;
				if (_v48 <= 0) goto 0xe272f652;
				if (_v48 - 0xfffffff0 > 0) goto 0xe272f652;
				_t82 = _v48 + _v48 + 0x10;
				_t53 = malloc(??); // executed
				E00007FFF7FFFE272F3B0(_t53, 0xdddd, _t82);
				_v24 = _t82;
				goto 0xe272f65b;
				_v24 = 0;
				_v40 = _v24;
				if (_v40 != 0) goto 0xe272f674;
				goto 0xe272f6f8;
				E00007FFF7FFFE27232B0(0, _a48, 0, _v40, __rdx, _v48 << 1);
				_v64 = _v48;
				_v72 = _v40;
				r9d = _a32;
				_v52 = MultiByteToWideChar(??, ??, ??, ??, ??, ??);
				if (_v52 == 0) goto 0xe272f6ea;
				r8d = _v52;
				_v56 = GetStringTypeW(??, ??, ??, ??);
				E00007FFF7FFFE272F3E0(_v40);
				return _v56;
			}

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FFFE272F5F3
malloc.LIBCMTD ref: 00007FFFE272F639
_MarkAllocaS.LIBCMTD ref: 00007FFFE272F646
MultiByteToWideChar.KERNEL32 ref: 00007FFFE272F6B9
GetStringTypeW.KERNEL32 ref: 00007FFFE272F6E0

Memory Dump Source

Source File: 00000004.00000002.301341298.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000004.00000002.301336178.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.301363130.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.301371092.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.301376068.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7fffe2720000_rundll32.jbxd

Similarity

API ID: ByteCharMultiWide$AllocaMarkStringTypemalloc
String ID:
API String ID: 2618398691-0
Opcode ID: 05827e3f81ca9d4f9e036e9cc38fe06689f9ef4e573a4afec1c92632646a1a95
Instruction ID: 4a7f984997382a94e8b666fde504fac4200be57e4b2825777eac7ff93877540b
Opcode Fuzzy Hash: 05827e3f81ca9d4f9e036e9cc38fe06689f9ef4e573a4afec1c92632646a1a95
Instruction Fuzzy Hash: 2D41C972A18781CAD7609B15E08476AB7E0F7C6794F104135EA9E83BA9EFBCD494CF01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2728040 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__initmbctable.LIBCMT ref: 00007FFFE2728056
GetModuleFileNameA.KERNEL32 ref: 00007FFFE2728071

Strings

C:\Windows\system32\rundll32.exe, xrefs: 00007FFFE2728068, 00007FFFE2728077, 00007FFFE27280A9
f:\dd\vctools\crt_bld\self_64_amd64\crt\src\stdargv.c, xrefs: 00007FFFE272813C

Memory Dump Source

Source File: 00000004.00000002.301341298.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000004.00000002.301336178.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.301363130.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.301371092.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.301376068.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7fffe2720000_rundll32.jbxd

Similarity

API ID: FileModuleName__initmbctable
String ID: C:\Windows\system32\rundll32.exe$f:\dd\vctools\crt_bld\self_64_amd64\crt\src\stdargv.c
API String ID: 3548084100-3042134252
Opcode ID: d38f4fd9cb9ecdd73cd32345429acc70b773e7a180fa8c1b1693dc69edd9f2e5
Instruction ID: d7a432a20c16e5a675df41514b393c4b8a9c7c084268069e4116af50100cbff1
Opcode Fuzzy Hash: d38f4fd9cb9ecdd73cd32345429acc70b773e7a180fa8c1b1693dc69edd9f2e5
Instruction Fuzzy Hash: 13414262E18A4681EA10CB54E48036A73E0FBC67A4F500236E6AE867E4EFBDD050C701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE272A5E0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 198
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 23%

			E00007FFF7FFFE272A5E0(long long __rcx, void* _a8) {
				signed int _v24;
				char _v42;
				void* _v48;
				signed int _v56;
				char _v312;
				signed char* _v328;
				char _v584;
				char _v840;
				char _v1352;
				char _v1384;
				char _v1392;
				intOrPtr _v1400;
				long long _v1408;
				long long _v1416;
				signed long long _t206;
				signed char* _t214;
				signed long long _t223;
				intOrPtr _t225;
				intOrPtr _t226;
				signed long long _t233;

				_t224 = __rcx;
				_a8 = __rcx;
				_t206 =  *0xe274b018; // 0x6e18f8a98be8
				_v24 = _t206 ^ _t233;
				if (GetCPInfo(??, ??) == 0) goto 0xe272a906;
				_v56 = 0;
				goto 0xe272a63c;
				_v56 = _v56 + 1;
				if (_v56 - 0x100 >= 0) goto 0xe272a661;
				 *((char*)(_t233 + _a8 + 0x470)) = _v56 & 0x000000ff;
				goto 0xe272a62c;
				_v312 = 0x20;
				_v328 =  &_v42;
				goto 0xe272a68f;
				_v328 =  &(_v328[2]);
				if (( *_v328 & 0x000000ff) == 0) goto 0xe272a6ea;
				_v56 =  *_v328 & 0x000000ff;
				goto 0xe272a6c2;
				_v56 = _v56 + 1;
				_t214 = _v328;
				if (_v56 - ( *(_t214 + 1) & 0x000000ff) > 0) goto 0xe272a6e8;
				 *((char*)(_t233 + _t214 + 0x470)) = 0x20;
				goto 0xe272a6b2;
				goto 0xe272a67b;
				_v1392 = 0;
				_v1400 =  *((intOrPtr*)(_a8 + 0xc));
				_v1408 =  *((intOrPtr*)(_a8 + 4));
				_v1416 =  &_v1352;
				r9d = 0x100;
				E00007FFF7FFFE272F4D0(1,  &_v1352, __rcx,  &_v312); // executed
				_v1384 = 0;
				_v1392 =  *((intOrPtr*)(_a8 + 4));
				_v1400 = 0x100;
				_v1408 =  &_v840;
				_v1416 = 0x100;
				r8d = 0x100;
				E00007FFF7FFFE272EF00( *((intOrPtr*)(_a8 + 0xc)), _a8, _t224,  &_v312);
				_v1384 = 0;
				_v1392 =  *((intOrPtr*)(_a8 + 4));
				_v1400 = 0x100;
				_v1408 =  &_v584;
				_v1416 = 0x100;
				r8d = 0x200;
				_t223 = _a8;
				E00007FFF7FFFE272EF00( *((intOrPtr*)(_t223 + 0xc)), _t223, _t224,  &_v312);
				_v56 = 0;
				_v56 = _v56 + 1;
				if (_v56 - 0x100 >= 0) goto 0xe272a901;
				if (( *(_t233 + 0x60 + _t223 * 2) & 1) == 0) goto 0xe272a879;
				_t225 = _a8;
				 *((char*)(_a8 + _t225 + 0x1c)) =  *(_t225 + _t223 + 0x1c) & 0x000000ff | 0x00000010;
				 *((char*)(_a8 + _t225 + 0x11d)) =  *(_t233 + _t223 + 0x260) & 0x000000ff;
				goto 0xe272a8fc;
				if (( *(_t233 + 0x60 + _t223 * 2) & 2) == 0) goto 0xe272a8e5;
				_t226 = _a8;
				 *((char*)(_a8 + _t226 + 0x1c)) =  *(_t226 + _t223 + 0x1c) & 0x000000ff | 0x00000020;
				 *((char*)(_a8 + _t226 + 0x11d)) =  *(_t233 + _t223 + 0x360) & 0x000000ff;
				goto 0xe272a8fc;
				 *((char*)(_a8 + _t223 + 0x11d)) = 0;
				goto L1;
				goto 0xe272aa20;
				_v56 = 0;
				_v56 = _v56 + 1;
				_v56 = _v56 + 1;
				if (_v56 - 0x100 >= 0) goto 0xe272aa20;
				if (_v56 - 0x41 < 0) goto 0xe272a99c;
				if (_v56 - 0x5a > 0) goto 0xe272a99c;
				_v56 = _v56 + 1;
				__rcx = _a8;
				 *(__rcx + __rax + 0x1c) & 0x000000ff =  *(__rcx + __rax + 0x1c) & 0x000000ff | 0x00000010;
				_v56 = _v56 + 1;
				__rdx = _a8;
				 *((char*)(_a8 + __rcx + 0x1c)) = __al;
				_v56 = _v56 + 0x20;
				__ecx = _v56;
				__rdx = _a8;
				 *((char*)(_a8 + __rcx + 0x11d)) = __al;
				goto 0xe272aa1b;
				if (_v56 - 0x61 < 0) goto 0xe272aa04;
				if (_v56 - 0x7a > 0) goto 0xe272aa04;
				_v56 = _v56 + 1;
				__rcx = _a8;
				 *(__rcx + __rax + 0x1c) & 0x000000ff =  *(__rcx + __rax + 0x1c) & 0x000000ff | 0x00000020;
				_v56 = _v56 + 1;
				__rdx = _a8;
				 *((char*)(_a8 + __rcx + 0x1c)) = __al;
				_v56 = _v56 - 0x20;
				__ecx = _v56;
				__rdx = _a8;
				 *((char*)(__rdx + __rcx + 0x11d)) = __al;
				goto 0xe272aa1b;
				__eax = _v56;
				__rcx = _a8;
				 *((char*)(_a8 + __rax + 0x11d)) = 0;
				goto L2;
				__rcx = _v24;
				__rcx = _v24 ^ __rsp;
				return E00007FFF7FFFE2723280(_v56, _v56, __edx, _v24 ^ __rsp, __rdx, __r8);
			}

APIs

GetCPInfo.KERNEL32 ref: 00007FFFE272A611

Strings

, xrefs: 00007FFFE272A6DE
z, xrefs: 00007FFFE272A9A6

Memory Dump Source

Source File: 00000004.00000002.301341298.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000004.00000002.301336178.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.301363130.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.301371092.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.301376068.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7fffe2720000_rundll32.jbxd

Similarity

API ID: Info
String ID: $z
API String ID: 1807457897-2251613814
Opcode ID: 939841bcdfd8ad812f8c29de7d09562b703ae5a82c5ff0fab969d8d2fb6d5a5e
Instruction ID: 1fbd8f3d8b5c10613b8ef723a11aa059206e8282af59f0f222de6bd149daab00
Opcode Fuzzy Hash: 939841bcdfd8ad812f8c29de7d09562b703ae5a82c5ff0fab969d8d2fb6d5a5e
Instruction Fuzzy Hash: 36B1D772A1CAC0CAD7758B29E4807ABB7E0F789785F045125DACDC3B88EB6CD4529F01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2729C10 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 168
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__updatetmbcinfo.LIBCMTD ref: 00007FFFE2729C2F

Part of subcall function 00007FFFE2729B10: _unlock.LIBCMTD ref: 00007FFFE2729BD9

Part of subcall function 00007FFFE2729F20: GetOEMCP.KERNEL32 ref: 00007FFFE2729F65
Part of subcall function 00007FFFE2729F20: _LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE2729F74

_unlock.LIBCMTD ref: 00007FFFE2729EC8

Strings

f:\dd\vctools\crt_bld\self_64_amd64\crt\src\mbctype.c, xrefs: 00007FFFE2729C73

Memory Dump Source

Source File: 00000004.00000002.301341298.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000004.00000002.301336178.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.301363130.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.301371092.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.301376068.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7fffe2720000_rundll32.jbxd

Similarity

API ID: Locale_unlock$UpdateUpdate::~___updatetmbcinfo
String ID: f:\dd\vctools\crt_bld\self_64_amd64\crt\src\mbctype.c
API String ID: 4112623284-4095683531
Opcode ID: 114b502a02101202ab178c15c35a0eec3101ed15409dbefe0a439e46951f247b
Instruction ID: 59020e312baa57f6ca63761d647ac0075c74efbff70c18a6818c61b0eeea136e
Opcode Fuzzy Hash: 114b502a02101202ab178c15c35a0eec3101ed15409dbefe0a439e46951f247b
Instruction Fuzzy Hash: 0D914E73E08A85C6E7608B15E48036A7BE0FBC9794F544535EA8E837A8EF7CD950CB01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2727AE3 Relevance: 4.6, APIs: 3, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32 ref: 00007FFFE2727B9C
GetFileType.KERNELBASE ref: 00007FFFE2727BD0
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FFFE2727C6A
SetHandleCount.KERNEL32 ref: 00007FFFE2727CE6

Memory Dump Source

Source File: 00000004.00000002.301341298.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000004.00000002.301336178.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.301363130.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.301371092.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.301376068.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7fffe2720000_rundll32.jbxd

Similarity

API ID: CountHandle$CriticalFileInitializeSectionSpinType
String ID:
API String ID: 649110484-0
Opcode ID: ed119dbcfe117d5e0bd09ef46c48439c608c9051694c3bf3c45030c641dfada2
Instruction ID: 1a9a7e1e701af1b31328ea09ca7fb0f545e30462280234c3cb4c3bd6212ed8cd
Opcode Fuzzy Hash: ed119dbcfe117d5e0bd09ef46c48439c608c9051694c3bf3c45030c641dfada2
Instruction Fuzzy Hash: E931A862A09BC185E6708B28E98436A62A4EBC6760F144735C6AD876E4EF7CD495CB02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2728860 Relevance: 4.5, APIs: 3, Instructions: 25
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00007FFFE27233C2), ref: 00007FFFE2728876
GetVersion.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FFFE27233C2), ref: 00007FFFE2728891
HeapSetInformation.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FFFE27233C2), ref: 00007FFFE27288BB

Memory Dump Source

Source File: 00000004.00000002.301341298.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000004.00000002.301336178.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.301363130.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.301371092.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.301376068.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7fffe2720000_rundll32.jbxd

Similarity

API ID: Heap$CreateInformationVersion
String ID:
API String ID: 3563531100-0
Opcode ID: 48cf33cfee9be34a63005782b3e03b00dcbae59413766f72d2946869900c76f4
Instruction ID: a4b7a6bdda38610a550ad5372ec37e07a09351380a1bab0d157ecdf67a4dbb95
Opcode Fuzzy Hash: 48cf33cfee9be34a63005782b3e03b00dcbae59413766f72d2946869900c76f4
Instruction Fuzzy Hash: BBF08275E18A4282F7109751E80A77923D0FF8A344F814434D58DC27A4FFBDD5A9C602

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE272461B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 133
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 50%

			E00007FFF7FFFE272461B(void* __rdx, void* __r8, long long _a32, long long _a40, intOrPtr _a64, long long _a72, void* _a80, intOrPtr _a88, long long _a96, long long _a128, signed int _a136, long long _a144, intOrPtr _a152, void* _a160) {
				signed int _t64;
				intOrPtr _t66;
				void* _t73;
				void* _t92;
				long long _t98;
				long long _t113;
				long long _t114;
				long long _t115;
				long long _t130;
				intOrPtr _t132;
				long long _t135;

				if (_a136 == 1) goto 0xe2724672;
				_t64 = _a136 & 0x0000ffff;
				if (_t64 == 2) goto 0xe2724672;
				if (_a136 == 3) goto 0xe2724672;
				_a40 = "Error: memory allocation: bad memory block type.\n";
				_a32 = "%s";
				r9d = 0;
				r8d = 0;
				0xe272ad00();
				if (_t64 != 1) goto 0xe2724672;
				asm("int3");
				_t98 = _a128 + 0x34;
				_a96 = _t98;
				0xe272ac90(); // executed
				_a80 = _t98;
				if (_a80 != 0) goto 0xe27246b8;
				if (_a160 == 0) goto 0xe27246b3;
				 *_a160 = 0xc;
				goto 0xe27248b4;
				_t66 =  *0xe274b03c; // 0x34
				 *0xe274b03c = _t66 + 1;
				if (_a64 == 0) goto 0xe272472d;
				 *_a80 = 0;
				 *((long long*)(_a80 + 8)) = 0;
				 *((long long*)(_a80 + 0x10)) = 0;
				 *((intOrPtr*)(_a80 + 0x18)) = 0xfedcbabc;
				 *((long long*)(_a80 + 0x20)) = _a128;
				 *(_a80 + 0x1c) = 3;
				 *((intOrPtr*)(_a80 + 0x28)) = 0;
				goto 0xe2724844;
				if (0xffffffff -  *0xe274c960 - _a128 <= 0) goto 0xe2724763;
				_t130 =  *0xe274c960; // 0x38e6
				 *0xe274c960 = _t130 + _a128;
				goto 0xe272476e;
				 *0xe274c960 = 0xffffffff;
				_t132 =  *0xe274c990; // 0x2870
				 *0xe274c990 = _t132 + _a128;
				_t113 =  *0xe274c978; // 0x2870
				_t92 =  *0xe274c990 - _t113; // 0x2870
				if (_t92 <= 0) goto 0xe27247a8;
				_t114 =  *0xe274c990; // 0x2870
				 *0xe274c978 = _t114;
				if ( *0xe274c980 == 0) goto 0xe27247c4;
				_t115 =  *0xe274c980; // 0x14b7c8e3170
				 *((long long*)(_t115 + 8)) = _a80;
				goto 0xe27247d0;
				 *0xe274c968 = _a80;
				_t135 =  *0xe274c980; // 0x14b7c8e3170
				 *_a80 = _t135;
				 *((long long*)(_a80 + 8)) = 0;
				 *((long long*)(_a80 + 0x10)) = _a144;
				 *((intOrPtr*)(_a80 + 0x18)) = _a152;
				 *((long long*)(_a80 + 0x20)) = _a128;
				 *(_a80 + 0x1c) = _a136;
				_t78 = _a88;
				 *((intOrPtr*)(_a80 + 0x28)) = _a88;
				 *0xe274c980 = _a80;
				r8d = 4;
				E00007FFF7FFFE27232B0( *0xe274b04c & 0x000000ff, _a88,  *0xe274b04c & 0x000000ff, _a80 + 0x2c, __rdx, __r8);
				_t145 = _a128;
				r8d = 4;
				E00007FFF7FFFE27232B0( *0xe274b04c & 0x000000ff, _a88,  *0xe274b04c & 0x000000ff, _a80 + _a128 + 0x30, _a128, __r8);
				_t73 = E00007FFF7FFFE27232B0( *0xe274b04f & 0x000000ff, _t78,  *0xe274b04f & 0x000000ff, _a80 + 0x30, _t145, _a128);
				_a72 = _a80 + 0x30;
				return E00007FFF7FFFE2729360(_t73, 4);
			}

APIs

_unlock.LIBCMTD ref: 00007FFFE27248B9

Strings

Error: memory allocation: bad memory block type., xrefs: 00007FFFE2724640

Memory Dump Source

Source File: 00000004.00000002.301341298.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000004.00000002.301336178.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.301363130.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.301371092.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.301376068.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7fffe2720000_rundll32.jbxd

Similarity

API ID: _unlock
String ID: Error: memory allocation: bad memory block type.
API String ID: 2480363372-1537269110
Opcode ID: 0e27953d906dd6213389af50a7459ab3260dce137a7056963e47b3559a26f049
Instruction ID: 4e3fc19a311f9ae9cbf456d18570ae5ee5886bde306668ad62606ba350f85556
Opcode Fuzzy Hash: 0e27953d906dd6213389af50a7459ab3260dce137a7056963e47b3559a26f049
Instruction Fuzzy Hash: F371E876E09B85C6EB208B55E49032AB7E0FBCAB50F004535DA9D837A4EFBCD464CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2726FF2 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 17
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFFE272CA00: RtlEncodePointer.NTDLL ref: 00007FFFE272CA33

_initterm_e.LIBCMTD ref: 00007FFFE272701F

Strings

Y, xrefs: 00007FFFE272700C

Memory Dump Source

Source File: 00000004.00000002.301341298.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000004.00000002.301336178.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.301363130.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.301371092.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.301376068.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7fffe2720000_rundll32.jbxd

Similarity

API ID: EncodePointer_initterm_e
String ID: Y
API String ID: 1618838664-1754117475
Opcode ID: 24d3616295d43623420cef2980f0f4d1896d7dbbaf9113ec39dfe7d3f9684184
Instruction ID: 09d4764d2440139dab7535088fed78ae9481a30272dabaae75cf35c0d90944c2
Opcode Fuzzy Hash: 24d3616295d43623420cef2980f0f4d1896d7dbbaf9113ec39dfe7d3f9684184
Instruction Fuzzy Hash: 72E0A5A2D0804297F621AB20E9417BA63E0FFD2354F400231E64DC24A5FFACE928CA12

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE272A000 Relevance: 3.3, APIs: 2, Instructions: 256
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 47%

			E00007FFF7FFFE272A000(signed short __ecx, void* __rcx, long long __rdx, signed int _a8, void* _a16) {
				signed int _v24;
				signed char* _v32;
				char _v50;
				char _v56;
				signed int _v72;
				signed char* _v80;
				signed int _v84;
				signed int _v88;
				signed long long _t204;
				signed long long _t205;
				signed long long _t206;
				signed char* _t215;
				signed long long _t218;
				signed long long _t233;
				signed long long _t234;

				_a16 = __rdx;
				_a8 = __ecx;
				_t204 =  *0xe274b018; // 0x6e18f8a98be8
				_t205 = _t204 ^ _t234;
				_v24 = _t205;
				_a8 = E00007FFF7FFFE2729F20(_a8, _t205);
				if (_a8 != 0) goto 0xe272a04d;
				E00007FFF7FFFE272A4E0(_a16);
				goto 0xe272a463;
				_v84 = 0;
				_v84 = _v84 + 1;
				if (_t205 - 5 >= 0) goto 0xe272a239;
				_t206 = _t205 * 0x30;
				if ( *((intOrPtr*)(0xe274bb70 + _t206)) != _a8) goto 0xe272a234;
				_v72 = 0;
				goto 0xe272a0a2;
				_v72 = _v72 + 1;
				if (_v72 - 0x101 >= 0) goto 0xe272a0bf;
				 *((char*)(_a16 + _t206 + 0x1c)) = 0;
				goto 0xe272a098;
				_v88 = 0;
				goto 0xe272a0d3;
				_v88 = _v88 + 1;
				if (_v88 - 4 >= 0) goto 0xe272a197;
				_v80 = 0x47ffef61a9700;
				goto 0xe272a111;
				_v80 =  &(_v80[2]);
				if (( *_v80 & 0x000000ff) == 0) goto 0xe272a192;
				if ((_v80[1] & 0x000000ff) == 0) goto 0xe272a192;
				_v72 =  *_v80 & 0x000000ff;
				goto 0xe272a142;
				_v72 = _v72 + 1;
				_t215 = _v80;
				if (_v72 - ( *(_t215 + 1) & 0x000000ff) > 0) goto 0xe272a18d;
				_t233 = _a16;
				 *((char*)(_t233 + 0xe274bb70 + _t206 * 0x30 + 0x1c)) =  *(_a16 + _t215 + 0x1c) & 0x000000ff |  *0xFFFFC4E976D8;
				goto 0xe272a138;
				goto 0xe272a103;
				goto 0xe272a0c9;
				 *(_a16 + 4) = _a8;
				 *((intOrPtr*)(_a16 + 8)) = 1;
				_t218 = _a16;
				 *(_a16 + 0xc) = E00007FFF7FFFE272A480( *((intOrPtr*)(_t218 + 4)));
				_v88 = 0;
				goto 0xe272a1e7;
				_v88 = _v88 + 1;
				if (_v88 - 6 >= 0) goto 0xe272a220;
				_t205 = 0xe274bb70;
				 *((short*)(_a16 + 0x10 + _t233 * 2)) =  *(0xe274bb70 + 4 + (0xe274bb70 + _t218 * 0x30) * 2) & 0x0000ffff;
				goto 0xe272a1dd;
				E00007FFF7FFFE272A5E0(_a16);
				goto 0xe272a463;
				goto L1;
				if (_a8 == 0) goto 0xe272a271;
				if (_a8 == 0xfde8) goto 0xe272a271;
				if (_a8 == 0xfde9) goto 0xe272a271;
				__eax = _a8 & 0x0000ffff;
				__ecx = _a8 & 0x0000ffff;
				if (IsValidCodePage(??) != 0) goto 0xe272a27b;
				__eax = 0xffffffff;
				goto 0xe272a463;
				__rdx =  &_v56;
				__ecx = _a8;
				if (GetCPInfo(??, ??) == 0) goto 0xe272a444;
				_v72 = 0;
				goto 0xe272a2a9;
				_v72 = _v72 + 1;
				_v72 = _v72 + 1;
				if (_v72 - 0x101 >= 0) goto 0xe272a2c6;
				__eax = _v72;
				__rcx = _a16;
				 *((char*)(_a16 + __rax + 0x1c)) = 0;
				goto 0xe272a29f;
				__rax = _a16;
				__ecx = _a8;
				 *(_a16 + 4) = _a8;
				__rax = _a16;
				 *(_a16 + 0xc) = 0;
				if (_v56 - 1 <= 0) goto 0xe272a3f4;
				__rax =  &_v50;
				_v32 =  &_v50;
				goto 0xe272a30c;
				_v32 =  &(_v32[2]);
				_v32 =  &(_v32[2]);
				__rax = _v32;
				__eax =  *_v32 & 0x000000ff;
				if (( *_v32 & 0x000000ff) == 0) goto 0xe272a37c;
				__rax = _v32;
				__eax =  *(__rax + 1) & 0x000000ff;
				if (( *(__rax + 1) & 0x000000ff) == 0) goto 0xe272a37c;
				__rax = _v32;
				__eax =  *_v32 & 0x000000ff;
				_v72 =  *_v32 & 0x000000ff;
				goto 0xe272a33d;
				_v72 = _v72 + 1;
				_v72 = _v72 + 1;
				__rax = _v32;
				__eax =  *(__rax + 1) & 0x000000ff;
				if (_v72 - ( *(__rax + 1) & 0x000000ff) > 0) goto 0xe272a37a;
				_v72 = _v72 + 1;
				__rcx = _a16;
				 *(__rcx + __rax + 0x1c) & 0x000000ff =  *(__rcx + __rax + 0x1c) & 0x000000ff | 0x00000004;
				_v72 = _v72 + 1;
				__rdx = _a16;
				 *((char*)(_a16 + __rcx + 0x1c)) = __al;
				goto 0xe272a333;
				goto 0xe272a2fe;
				_v72 = 1;
				goto 0xe272a390;
				_v72 = _v72 + 1;
				_v72 = _v72 + 1;
				if (_v72 - 0xff >= 0) goto 0xe272a3c8;
				_v72 = _v72 + 1;
				__rcx = _a16;
				 *(__rcx + __rax + 0x1c) & 0x000000ff =  *(__rcx + __rax + 0x1c) & 0x000000ff | 0x00000008;
				_v72 = _v72 + 1;
				__rdx = _a16;
				 *((char*)(_a16 + __rcx + 0x1c)) = __al;
				goto 0xe272a386;
				__rax = _a16;
				__ecx =  *(_a16 + 4);
				__eax = E00007FFF7FFFE272A480( *(_a16 + 4));
				__rcx = _a16;
				 *(_a16 + 0xc) = __eax;
				__rax = _a16;
				 *((intOrPtr*)(_a16 + 8)) = 1;
				goto 0xe272a403;
				__rax = _a16;
				 *(__rax + 8) = 0;
				_v88 = 0;
				goto 0xe272a417;
				_v88 = _v88 + 1;
				_v88 = _v88 + 1;
				if (_v88 - 6 >= 0) goto 0xe272a433;
				__eax = _v88;
				__ecx = 0;
				__rdx = _a16;
				 *((short*)(_a16 + 0x10 + __rax * 2)) = __cx;
				goto 0xe272a40d;
				__rcx = _a16;
				__eax = E00007FFF7FFFE272A5E0(_a16); // executed
				__eax = 0;
				goto 0xe272a463;
				if ( *0xe274cd68 == 0) goto 0xe272a45e;
				__rcx = _a16;
				E00007FFF7FFFE272A4E0(_a16) = 0;
				goto 0xe272a463;
				__eax = 0xffffffff;
				__rcx = _v24;
				__rcx = _v24 ^ __rsp;
				return E00007FFF7FFFE2723280(0xffffffff, __ecx, __edx, _v24 ^ __rsp, __rdx, __r8);
			}

Memory Dump Source

Source File: 00000004.00000002.301341298.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000004.00000002.301336178.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.301363130.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.301371092.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.301376068.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7fffe2720000_rundll32.jbxd

Similarity

API ID: Locale$UpdateUpdate::~_
String ID:
API String ID: 1901436342-0
Opcode ID: bd1aa9bb27f65b33b611181b282d42369fc0b805d559ad423015dd3100174c74
Instruction ID: 96b686e8ed65f2cf32d166d806b8576c290be12e6ee1a8d969cc91955e330c3d
Opcode Fuzzy Hash: bd1aa9bb27f65b33b611181b282d42369fc0b805d559ad423015dd3100174c74
Instruction Fuzzy Hash: A2D1F672A1C6818AD7A48B19E48472AB7E0F7C9754F108136EACEC3798EF7CE5558F01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2727540 Relevance: 3.0, APIs: 2, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00007FFF7FFFE2727540(long long __rax) {
				long long _v24;
				void* _t8;
				void* _t9;

				_t16 = __rax;
				_t9 = E00007FFF7FFFE2723D00(_t8); // executed
				_v24 = __rax;
				return E00007FFF7FFFE272CF20(E00007FFF7FFFE272CFB0(E00007FFF7FFFE272D450(E00007FFF7FFFE272D470(E00007FFF7FFFE272BD50(E00007FFF7FFFE272AB90(_t9, _v24), _v24), _v24), _v24), _v24), _t16, _v24);
			}

0x7fffe2727540
0x7fffe2727544
0x7fffe2727549
0x7fffe272758e

APIs

Part of subcall function 00007FFFE2723D00: RtlEncodePointer.NTDLL ref: 00007FFFE2723D06

_initp_misc_winsig.LIBCMTD ref: 00007FFFE272757B
_initp_eh_hooks.LIBCMTD ref: 00007FFFE2727585

Part of subcall function 00007FFFE272CF20: EncodePointer.KERNEL32(?,?,?,?,00007FFFE272758A,?,?,?,?,?,?,00007FFFE2723D39), ref: 00007FFFE272CF30

Memory Dump Source

Source File: 00000004.00000002.301341298.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000004.00000002.301336178.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.301363130.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.301371092.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.301376068.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7fffe2720000_rundll32.jbxd

Similarity

API ID: EncodePointer$_initp_eh_hooks_initp_misc_winsig
String ID:
API String ID: 2678799220-0
Opcode ID: abe4bcf42024140c0e82e0fb2c3eff25659a698c9099ae3cd415aa6bcc21eafa
Instruction ID: 1b8e37825d707b5a65da6cf856aedc1f5953466c2328f97bba91035b22e155ca
Opcode Fuzzy Hash: abe4bcf42024140c0e82e0fb2c3eff25659a698c9099ae3cd415aa6bcc21eafa
Instruction Fuzzy Hash: A1E0E9A7D1848182D520FB11E85226B57B0FBDA748F500135FACD86A7BEF5CE6208B82

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE272ACA8 Relevance: 3.0, APIs: 2, Instructions: 15memoryCOMMON

Download Yara Rule

APIs

__crtExitProcess.LIBCMTD ref: 00007FFFE272ACB7

Part of subcall function 00007FFFE27274E0: ExitProcess.KERNEL32 ref: 00007FFFE27274F5

RtlAllocateHeap.NTDLL ref: 00007FFFE272ACE7

Memory Dump Source

Source File: 00000004.00000002.301341298.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000004.00000002.301336178.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.301363130.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.301371092.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.301376068.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7fffe2720000_rundll32.jbxd

Similarity

API ID: ExitProcess$AllocateHeap__crt
String ID:
API String ID: 4215626177-0
Opcode ID: 77cc9cc60f8eca6ccffa51c036cc335ce9466cc401fd995fa093edd43c12ab32
Instruction ID: 87e0c3e73545775cf33cb1e620ed437e57b76fd1e2b0dcf9bb2360588bc6ef95
Opcode Fuzzy Hash: 77cc9cc60f8eca6ccffa51c036cc335ce9466cc401fd995fa093edd43c12ab32
Instruction Fuzzy Hash: 39E08662D0C98683F7249716E40037962E0FFC6348F400035D78E826A5EFBDD4A0D602

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2724399 Relevance: 1.5, APIs: 1, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00007FFF7FFFE2724399(long long __rax, long long _a48, intOrPtr _a80, intOrPtr _a88, void* _a120) {

				_a48 = __rax;
				if (_a48 == 0) goto 0xe27243ad;
				goto 0xe27243f5;
				if (_a88 != 0) goto 0xe27243ce;
				if (_a120 == 0) goto 0xe27243c7;
				 *_a120 = 0xc;
				goto 0xe27243f5;
				if (E00007FFF7FFFE272ABB0(_a48, _a80) != 0) goto 0xe27243f3;
				if (_a120 == 0) goto 0xe27243ef;
				 *_a120 = 0xc;
				goto 0xe27243f5;
				goto 0xe2724377;
				return 0;
			}

0x7fffe2724399
0x7fffe27243a4
0x7fffe27243ab
0x7fffe27243b2
0x7fffe27243ba
0x7fffe27243c1
0x7fffe27243cc
0x7fffe27243da
0x7fffe27243e2
0x7fffe27243e9
0x7fffe27243f1
0x7fffe27243f3
0x7fffe27243f9

Memory Dump Source

Source File: 00000004.00000002.301341298.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000004.00000002.301336178.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.301363130.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.301371092.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.301376068.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7fffe2720000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ac0a5da81333129a8f229358abc3f3628bfe7ae3225332448e9bf5308d83ad5
Instruction ID: f9500e763cc488584e92fce48ddd41780e2f09c25a59bc9845547f93983ae433
Opcode Fuzzy Hash: 1ac0a5da81333129a8f229358abc3f3628bfe7ae3225332448e9bf5308d83ad5
Instruction Fuzzy Hash: 6801B76391CB41C6FB608A15F55472AA7E0F7C6794F101131EA8D92BA9EFBCE490CA01

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE272F4D0 Relevance: 1.5, APIs: 1, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFFE272F570: MultiByteToWideChar.KERNEL32 ref: 00007FFFE272F5F3

_LocaleUpdate::~_LocaleUpdate.LIBCMTD ref: 00007FFFE272F559

Memory Dump Source

Source File: 00000004.00000002.301341298.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000004.00000002.301336178.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.301363130.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.301371092.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.301376068.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7fffe2720000_rundll32.jbxd

Similarity

API ID: Locale$ByteCharMultiUpdateUpdate::~_Wide
String ID:
API String ID: 2569699860-0
Opcode ID: 0c57b3b436687e78039d68963cfd06a068c3edb785e51800680b91c9a9ce0a07
Instruction ID: 004c41a3f691551796ce53ee6b6f74ad1d37b64c650b821bc08f8634895cf6d0
Opcode Fuzzy Hash: 0c57b3b436687e78039d68963cfd06a068c3edb785e51800680b91c9a9ce0a07
Instruction Fuzzy Hash: D901BCB2A1C6C08AC760DF11F08169ABBA1F7CA384F60412AEACD83B59DB38D514CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2723433 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

_ioterm.LIBCMTD ref: 00007FFFE2723437

Part of subcall function 00007FFFE2727D00: DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FFFE272343C), ref: 00007FFFE2727D93

Part of subcall function 00007FFFE2723E00: FlsFree.KERNEL32 ref: 00007FFFE2723E13
Part of subcall function 00007FFFE2723E00: _mtdeletelocks.LIBCMTD ref: 00007FFFE2723E23

Part of subcall function 00007FFFE27288D0: HeapDestroy.KERNEL32 ref: 00007FFFE27288DB

Memory Dump Source

Source File: 00000004.00000002.301341298.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000004.00000002.301336178.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.301363130.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.301371092.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.301376068.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7fffe2720000_rundll32.jbxd

Similarity

API ID: CriticalDeleteDestroyFreeHeapSection_ioterm_mtdeletelocks
String ID:
API String ID: 1508997487-0
Opcode ID: 8f8406f5a5b9feed6255c52f4e6aa9aa0153dd1bc57843c66d7c8198eef2426a
Instruction ID: d395bc0d8413e9f429c85debab940b19ae38d57a6e554c1269b4d17c8a82e960
Opcode Fuzzy Hash: 8f8406f5a5b9feed6255c52f4e6aa9aa0153dd1bc57843c66d7c8198eef2426a
Instruction Fuzzy Hash: 82E042E2E0C0039AF651677559423B911D4AF87786F400435E91EC52D6FFDDA9314663

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFFE2723D00 Relevance: 1.5, APIs: 1, Instructions: 5COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEncodePointer.NTDLL ref: 00007FFFE2723D06

Memory Dump Source

Source File: 00000004.00000002.301341298.00007FFFE2721000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FFFE2720000, based on PE: true

Associated: 00000004.00000002.301336178.00007FFFE2720000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.301363130.00007FFFE2742000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.301371092.00007FFFE274B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.301376068.00007FFFE274F000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7fffe2720000_rundll32.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 486166b47cec33101184f167bfa082c8d21519f5c79393c344b51e77eb7d9bd4
Instruction ID: fde711d44ec06023455536852507d21a0d07da86bae1cafde684db35130635f6
Opcode Fuzzy Hash: 486166b47cec33101184f167bfa082c8d21519f5c79393c344b51e77eb7d9bd4
Instruction Fuzzy Hash: 3FA02220F02080C2CAAC33320C8303C00A02F28308FE00838C30F80220CC2CA2FE8B00

Uniqueness

Uniqueness Score: -1.00%

Source: qJhkILqiEA.dll	Virustotal: Detection: 38%			Perma Link
Source: qJhkILqiEA.dll	ReversingLabs: Detection: 58%

Source: https://173.82.82.196:8080/tem	Avira URL Cloud: Label: malware
Source: https://173.82.82.196:8080/4	Avira URL Cloud: Label: malware
Source: https://173.82.82.196/	URL Reputation: Label: malware
Source: https://173.82.82.196:8080/	URL Reputation: Label: malware
Source: https://173.82.82.196:8080/X	Avira URL Cloud: Label: malware

Source: unknown	TCP traffic detected without corresponding DNS query: 173.82.82.196
Source: unknown	TCP traffic detected without corresponding DNS query: 173.82.82.196
Source: unknown	TCP traffic detected without corresponding DNS query: 173.82.82.196
Source: unknown	TCP traffic detected without corresponding DNS query: 173.82.82.196
Source: unknown	TCP traffic detected without corresponding DNS query: 173.82.82.196
Source: unknown	TCP traffic detected without corresponding DNS query: 173.82.82.196
Source: unknown	TCP traffic detected without corresponding DNS query: 173.82.82.196
Source: unknown	TCP traffic detected without corresponding DNS query: 173.82.82.196
Source: unknown	TCP traffic detected without corresponding DNS query: 173.82.82.196
Source: unknown	TCP traffic detected without corresponding DNS query: 173.82.82.196
Source: unknown	TCP traffic detected without corresponding DNS query: 173.82.82.196

Source: svchost.exe, 00000026.00000003.602679362.000002450776F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG", equals www.facebook.com (Facebook)
Source: svchost.exe, 00000026.00000003.602679362.000002450776F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG", equals www.twitter.com (Twitter)
Source: svchost.exe, 00000026.00000003.602679362.000002450776F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.602717062.0000024507780000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-05-13T10:00:01.2192622Z\|\|.\|\|8adb3f26-c14b-4fc0-afb3-91b3c6daaa3f\|\|1152921505694830749\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab
Source: svchost.exe, 00000026.00000003.602679362.000002450776F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.602717062.0000024507780000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2022-05-13T10:00:01.2192622Z\|\|.\|\|8adb3f26-c14b-4fc0-afb3-91b3c6daaa3f\|\|1152921505694830749\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailab

Source: regsvr32.exe, 00000009.00000003.572877262.0000000000C00000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.779869873.0000000000C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.667132701.00000233A6462000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000002.645256392.0000024507700000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000015.00000002.667067807.00000233A6413000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: regsvr32.exe, 00000009.00000002.779704007.0000000000BCC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.574209878.0000000000BCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: regsvr32.exe, 00000009.00000003.573783150.0000000000C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.345372968.0000000002D61000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.779982091.0000000000C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.345995503.0000000002DA2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.346476340.0000000002DC4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.780319248.0000000002DC4000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.9.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 00000009.00000003.573783150.0000000000C2A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.779982091.0000000000C2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab7A
Source: regsvr32.exe, 00000009.00000003.573487527.0000000000C57000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.780054708.0000000000C57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?1e21e31cb5a00
Source: svchost.exe, 00000026.00000003.620962483.00000245077AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 00000010.00000002.326155574.000001EEBD413000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000000E.00000002.779831348.000001E2D8843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000E.00000002.779831348.000001E2D8843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: regsvr32.exe, 00000009.00000002.779518435.0000000000BA2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.573842211.0000000000BA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://173.82.82.196/
Source: regsvr32.exe, 00000009.00000002.779518435.0000000000BA2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.573842211.0000000000BA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://173.82.82.196:8080/
Source: regsvr32.exe, 00000009.00000002.779518435.0000000000BA2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.573842211.0000000000BA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://173.82.82.196:8080/4
Source: regsvr32.exe, 00000009.00000002.779344665.0000000000B68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://173.82.82.196:8080/X
Source: regsvr32.exe, 00000009.00000002.779518435.0000000000BA2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.573842211.0000000000BA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://173.82.82.196:8080/tem
Source: svchost.exe, 0000000E.00000002.779831348.000001E2D8843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000010.00000003.325811178.000001EEBD461000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000E.00000002.779831348.000001E2D8843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000E.00000002.779831348.000001E2D8843000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000010.00000003.325834208.000001EEBD449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000010.00000003.325811178.000001EEBD461000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000010.00000002.326446385.000001EEBD43D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000010.00000002.326502045.000001EEBD469000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.325786484.000001EEBD467000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 00000010.00000003.325811178.000001EEBD461000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000010.00000002.326477827.000001EEBD456000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.325925433.000001EEBD450000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.325821699.000001EEBD44D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000010.00000003.303858019.000001EEBD430000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000010.00000003.325811178.000001EEBD461000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000010.00000002.326446385.000001EEBD43D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000010.00000003.325811178.000001EEBD461000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000010.00000003.325811178.000001EEBD461000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000010.00000003.325811178.000001EEBD461000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000010.00000003.303858019.000001EEBD430000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000010.00000002.326457641.000001EEBD442000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.325856156.000001EEBD440000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.325882596.000001EEBD441000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000010.00000002.326457641.000001EEBD442000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.325856156.000001EEBD440000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.325882596.000001EEBD441000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000010.00000003.325811178.000001EEBD461000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000010.00000003.325856156.000001EEBD440000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.326463887.000001EEBD44B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.325834208.000001EEBD449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000026.00000003.620962483.00000245077AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000010.00000003.325834208.000001EEBD449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000010.00000002.326463887.000001EEBD44B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.325834208.000001EEBD449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000010.00000002.326463887.000001EEBD44B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.325834208.000001EEBD449000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000010.00000003.325821699.000001EEBD44D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000010.00000003.325811178.000001EEBD461000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000010.00000003.303858019.000001EEBD430000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.326446385.000001EEBD43D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000010.00000003.303858019.000001EEBD430000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000026.00000003.616553473.00000245077AA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.616691918.0000024507787000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.616612672.00000245077B4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.616639931.0000024507C02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.616586218.0000024507798000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.616569796.0000024507787000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.hotspotshield.com/
Source: svchost.exe, 00000010.00000002.326446385.000001EEBD43D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000010.00000002.326155574.000001EEBD413000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.326446385.000001EEBD43D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000010.00000003.325856156.000001EEBD440000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.325877149.000001EEBD445000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000010.00000003.325856156.000001EEBD440000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.325877149.000001EEBD445000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000010.00000003.303858019.000001EEBD430000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000010.00000003.303858019.000001EEBD430000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.326347509.000001EEBD439000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000010.00000002.326477827.000001EEBD456000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.325925433.000001EEBD450000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.325821699.000001EEBD44D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: svchost.exe, 00000026.00000003.620962483.00000245077AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000026.00000003.620962483.00000245077AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000026.00000003.616553473.00000245077AA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.616691918.0000024507787000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.616612672.00000245077B4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.616639931.0000024507C02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.616586218.0000024507798000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.616569796.0000024507787000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.hotspotshield.com/terms/
Source: svchost.exe, 00000026.00000003.616553473.00000245077AA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.616691918.0000024507787000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.616612672.00000245077B4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.616639931.0000024507C02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.616586218.0000024507798000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.616569796.0000024507787000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.pango.co/privacy
Source: svchost.exe, 00000026.00000003.624893055.0000024507789000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.tiktok.com/legal/report
Source: svchost.exe, 00000026.00000003.624813083.00000245077B0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.624938666.0000024507C02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.624922280.000002450779A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.624893055.0000024507789000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.624832618.00000245077B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.tiktok.com/legal/report/feedback

Source: C:\Windows\System32\rundll32.exe	Code function: String function: 00007FFFE2727FF0 appears 31 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 00007FFFE272B3B0 appears 148 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 00007FFFE272BD70 appears 113 times
Source: C:\Windows\System32\regsvr32.exe	Code function: String function: 00007FFFE2727FF0 appears 31 times
Source: C:\Windows\System32\regsvr32.exe	Code function: String function: 00007FFFE272B3B0 appears 148 times
Source: C:\Windows\System32\regsvr32.exe	Code function: String function: 00007FFFE272BD70 appears 113 times

Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll	Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\qJhkILqiEA.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\qJhkILqiEA.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\qJhkILqiEA.dll
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\qJhkILqiEA.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\qJhkILqiEA.dll,AddIn_FileTime
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\qJhkILqiEA.dll,AddIn_SystemTime
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\JTkGafd\eTKTE.dll"
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2960 -s 352
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6236 -s 328
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\qJhkILqiEA.dll,DllRegisterServer
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\qJhkILqiEA.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\qJhkILqiEA.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\qJhkILqiEA.dll,AddIn_FileTime	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\qJhkILqiEA.dll,AddIn_SystemTime	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\qJhkILqiEA.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\qJhkILqiEA.dll",#1	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\JTkGafd\eTKTE.dll"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable	Jump to behavior

Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6236
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2960
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5772:120:WilError_01

Source: C:\Windows\System32\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK

Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018000C892 push ebp; retf	3_2_000000018000C895
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018000D095 push B3B8007Eh; iretd	3_2_000000018000D09A
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018000D0F3 push ebp; iretd	3_2_000000018000D0F4
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180013551 push ebx; retf	3_2_0000000180013559
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018000D15D push ebx; retn 0068h	3_2_000000018000D15E
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018000CDA8 push ebp; iretd	3_2_000000018000CDA9
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018000CE36 push 458B0086h; iretd	3_2_000000018000CE3B
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_0000000180013551 push ebx; retf	9_2_0000000180013559

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report qJhkILqiEA

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.chk

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_qJh_4c633c907b4a85acdb7918fc966c22f420621b1_e567d4a7_19e8067e\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_qJh_4c633c907b4a85acdb7918fc966c22f420621b1_e567d4a7_19f80630\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE25C.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE625.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE9CF.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREEF0.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFD1A.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFEFE.tmp.xml

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log

Static File Info

Windows Analysis Report
qJhkILqiEA

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre