Edit tour

Windows Analysis Report
10kmr9d7.dll

Overview

General Information

Sample name:	10kmr9d7.dll renamed because original name is a hash value
Original sample name:	10kmr9d7.mp3
Analysis ID:	1490633
MD5:	7abbf9f2106c2dd1e69110c6c6b8dbc6
SHA1:	05cf0a54c0e62d170b6ff9bb0108b70164a0e681
SHA256:	44f5ebb4facaba45274f08437a1f980bbbdb209cbd016ead76e4ec1afaca4dc2
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

System process connects to network (likely due to code injection or exploit)

Modifies the context of a thread in another process (thread injection)

Sets debug register (to hijack the execution of another thread)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64

loaddll64.exe (PID: 7328 cmdline: loaddll64.exe "C:\Users\user\Desktop\10kmr9d7.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)

conhost.exe (PID: 7336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7380 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

rundll32.exe (PID: 7404 cmdline: rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7388 cmdline: rundll32.exe C:\Users\user\Desktop\10kmr9d7.dll,ActionsShim_CancelAllOperations MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7468 cmdline: rundll32.exe C:\Users\user\Desktop\10kmr9d7.dll,ActionsShim_Create MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7532 cmdline: rundll32.exe C:\Users\user\Desktop\10kmr9d7.dll,ActionsShim_Destroy MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7568 cmdline: rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_CancelAllOperations MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7576 cmdline: rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_Create MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7588 cmdline: rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_Destroy MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7604 cmdline: rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_Threat_GetTxtReplaceData MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7616 cmdline: rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_Threat_GetRegValueReplaceData MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7628 cmdline: rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_Threat_GetRegValueDeleteData MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7636 cmdline: rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_Threat_GetBasicData MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7644 cmdline: rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_Threat_Delete MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7664 cmdline: rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_ShutdownTargetDLL MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7704 cmdline: rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_SetMaxLogLevel MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7712 cmdline: rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_SetLogCallback MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7724 cmdline: rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_ProcessThreatActionsV2 MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7732 cmdline: rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_ProcessThreatActions MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7744 cmdline: rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_ProcessPendingActionsAfterReboot MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7768 cmdline: rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_PrepareUpdate MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7788 cmdline: rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_IsDLLNewlyLoaded MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7800 cmdline: rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_InitTargetDLL MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7816 cmdline: rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_GetMinorAPIVersion MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7836 cmdline: rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_GetMajorAPIVersion MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7844 cmdline: rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_GetDetectedThreatsV2 MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7868 cmdline: rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_GetDetectedThreats MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7876 cmdline: rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_FinishUpdate MD5: EF3179D498793BF4234F708D3BE28633)

cleanup

Binary string: D:\JENKINS\workspace\N_CleanActions\bin\x64\Release\ActionsShim.pdb source: rundll32.exe, 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000008.00000002.3566919339.0000000180154000.00000002.00000001.01000000.00000003.sdmp, 10kmr9d7.dll

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_00000001800143C0 GetLogicalDriveStringsW,QueryDosDeviceW,_invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

5_2_00000001800143C0

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\rundll32.exe

Network Connect: 62.192.173.45 443

Jump to behavior

Source: Joe Sandbox View

ASN Name: HUGESERVER-NETWORKSUS HUGESERVER-NETWORKSUS

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	HTTP traffic detected: POST /flags/api/v2/frontend/experimentValues HTTP/1.1Accept: /Content-Type: application/jsonX-Client-Name: feature-gate-js-clientX-Client-Version: 4.8.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: weblineinfo.comContent-Length: 733Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /flags/api/v2/frontend/experimentValues HTTP/1.1Accept: /Content-Type: application/jsonX-Client-Name: feature-gate-js-clientX-Client-Version: 4.8.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: weblineinfo.comContent-Length: 335Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /flags/api/v2/frontend/experimentValues HTTP/1.1Accept: /Content-Type: application/jsonX-Client-Name: feature-gate-js-clientX-Client-Version: 4.8.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: weblineinfo.comContent-Length: 733Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /flags/api/v2/frontend/experimentValues HTTP/1.1Accept: /Content-Type: application/jsonX-Client-Name: feature-gate-js-clientX-Client-Version: 4.8.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: weblineinfo.comContent-Length: 335Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /flags/api/v2/frontend/experimentValues HTTP/1.1Accept: /Content-Type: application/jsonX-Client-Name: feature-gate-js-clientX-Client-Version: 4.8.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: weblineinfo.comContent-Length: 335Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /flags/api/v2/frontend/experimentValues HTTP/1.1Accept: /Content-Type: application/jsonX-Client-Name: feature-gate-js-clientX-Client-Version: 4.8.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: weblineinfo.comContent-Length: 335Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /flags/api/v2/frontend/experimentValues HTTP/1.1Accept: /Content-Type: application/jsonX-Client-Name: feature-gate-js-clientX-Client-Version: 4.8.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: weblineinfo.comContent-Length: 335Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /flags/api/v2/frontend/experimentValues HTTP/1.1Accept: /Content-Type: application/jsonX-Client-Name: feature-gate-js-clientX-Client-Version: 4.8.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: weblineinfo.comContent-Length: 335Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /flags/api/v2/frontend/experimentValues HTTP/1.1Accept: /Content-Type: application/jsonX-Client-Name: feature-gate-js-clientX-Client-Version: 4.8.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: weblineinfo.comContent-Length: 335Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /flags/api/v2/frontend/experimentValues HTTP/1.1Accept: /Content-Type: application/jsonX-Client-Name: feature-gate-js-clientX-Client-Version: 4.8.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: weblineinfo.comContent-Length: 335Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /flags/api/v2/frontend/experimentValues HTTP/1.1Accept: /Content-Type: application/jsonX-Client-Name: feature-gate-js-clientX-Client-Version: 4.8.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: weblineinfo.comContent-Length: 335Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /flags/api/v2/frontend/experimentValues HTTP/1.1Accept: /Content-Type: application/jsonX-Client-Name: feature-gate-js-clientX-Client-Version: 4.8.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: weblineinfo.comContent-Length: 335Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /flags/api/v2/frontend/experimentValues HTTP/1.1Accept: /Content-Type: application/jsonX-Client-Name: feature-gate-js-clientX-Client-Version: 4.8.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: weblineinfo.comContent-Length: 335Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /flags/api/v2/frontend/experimentValues HTTP/1.1Accept: /Content-Type: application/jsonX-Client-Name: feature-gate-js-clientX-Client-Version: 4.8.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: weblineinfo.comContent-Length: 335Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /flags/api/v2/frontend/experimentValues HTTP/1.1Accept: /Content-Type: application/jsonX-Client-Name: feature-gate-js-clientX-Client-Version: 4.8.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: weblineinfo.comContent-Length: 335Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /flags/api/v2/frontend/experimentValues HTTP/1.1Accept: /Content-Type: application/jsonX-Client-Name: feature-gate-js-clientX-Client-Version: 4.8.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: weblineinfo.comContent-Length: 335Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /flags/api/v2/frontend/experimentValues HTTP/1.1Accept: /Content-Type: application/jsonX-Client-Name: feature-gate-js-clientX-Client-Version: 4.8.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: weblineinfo.comContent-Length: 335Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /flags/api/v2/frontend/experimentValues HTTP/1.1Accept: /Content-Type: application/jsonX-Client-Name: feature-gate-js-clientX-Client-Version: 4.8.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: weblineinfo.comContent-Length: 335Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /flags/api/v2/frontend/experimentValues HTTP/1.1Accept: /Content-Type: application/jsonX-Client-Name: feature-gate-js-clientX-Client-Version: 4.8.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: weblineinfo.comContent-Length: 335Connection: Keep-AliveCache-Control: no-cache

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: weblineinfo.com

Source: unknown

HTTP traffic detected: POST /flags/api/v2/frontend/experimentValues HTTP/1.1Accept: */*Content-Type: application/jsonX-Client-Name: feature-gate-js-clientX-Client-Version: 4.8.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36Host: weblineinfo.comContent-Length: 733Connection: Keep-AliveCache-Control: no-cache

Source: rundll32.exe, 00000008.00000003.2463373720.00000251C54CD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2268720540.00000251C54CD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2046428804.00000251C54CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft.c
Source: rundll32.exe, 00000005.00000002.3567765146.000001D5616C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2771469730.000001D5616C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3230690493.000001D5616C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2771390805.000001D5616FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3419555198.000001D5616FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3230405674.000001D5616FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2254376394.000001D5616FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3567979777.000001D5616FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1768162677.000001D5616C8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2254447572.000001D5616C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2771548444.000001D5616C6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2048112069.00000251C5469000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.3567840753.00000251C5463000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1835197651.00000251C546A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2463373720.00000251C54CD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2268841806.00000251C546E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/
Source: rundll32.exe, 00000008.00000003.2268720540.00000251C54CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/D.
Source: rundll32.exe, 00000005.00000003.2771390805.000001D5616FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/KC8
Source: rundll32.exe, 00000008.00000003.2843064279.00000251C54CD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2843064279.00000251C549B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1835197651.00000251C546A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2463373720.00000251C54CD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2268720540.00000251C54CD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2694528807.00000251C549B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2046428804.00000251C54CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValues
Source: rundll32.exe, 00000005.00000003.3230405674.000001D5616FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1835197651.00000251C546A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValues%
Source: rundll32.exe, 00000005.00000003.3419555198.000001D5616FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3567979777.000001D5616FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValues%J
Source: rundll32.exe, 00000008.00000003.1834996963.00000251C54CD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2046428804.00000251C54CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValues&&
Source: rundll32.exe, 00000005.00000003.2771390805.000001D5616FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValues&&B
Source: rundll32.exe, 00000005.00000003.3230405674.000001D5616FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValues(I
Source: rundll32.exe, 00000005.00000003.2254376394.000001D5616FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.3567840753.00000251C5463000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValues)
Source: rundll32.exe, 00000008.00000003.2268720540.00000251C549B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValues)6
Source: rundll32.exe, 00000005.00000003.3419555198.000001D5616FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3567979777.000001D5616FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValues)Bg
Source: rundll32.exe, 00000008.00000003.1834996963.00000251C54CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValues-
Source: rundll32.exe, 00000005.00000003.3419555198.000001D5616FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3567979777.000001D5616FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.3567840753.00000251C54CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValues.com
Source: rundll32.exe, 00000008.00000002.3567840753.00000251C54CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValues.comy&qz
Source: rundll32.exe, 00000008.00000002.3567840753.00000251C54CD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2268720540.00000251C54CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValues1&
Source: rundll32.exe, 00000005.00000003.2771390805.000001D5616FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3419555198.000001D5616FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3567979777.000001D5616FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValues7Bm
Source: rundll32.exe, 00000008.00000003.2694528807.00000251C54CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValues8&
Source: rundll32.exe, 00000005.00000003.2016168138.000001D56172E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2771390805.000001D5616FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3419555198.000001D5616FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3230405674.000001D5616FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2254376394.000001D5616FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3567979777.000001D5616FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValues;J
Source: rundll32.exe, 00000005.00000003.3419555198.000001D5616FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3567979777.000001D5616FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValues?
Source: rundll32.exe, 00000005.00000003.2771390805.000001D5616FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3230405674.000001D5616FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValuesA
Source: rundll32.exe, 00000005.00000003.1768051739.000001D561704000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1768127854.000001D561704000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValuesGz
Source: rundll32.exe, 00000005.00000003.2016168138.000001D56172E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2771390805.000001D5616FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3419555198.000001D5616FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3230405674.000001D5616FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2254376394.000001D5616FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3567979777.000001D5616FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValuesHJhz
Source: rundll32.exe, 00000008.00000002.3567840753.00000251C5463000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValuesIE5f
Source: rundll32.exe, 00000005.00000003.2016168138.000001D56172E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1768051739.000001D561704000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2771390805.000001D5616FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3419555198.000001D5616FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1768127854.000001D561704000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3230405674.000001D5616FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2254376394.000001D5616FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3567979777.000001D5616FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValuesOID
Source: rundll32.exe, 00000008.00000003.2268720540.00000251C549B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1834996963.00000251C54A3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2463373720.00000251C549B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2843064279.00000251C549B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2694528807.00000251C549B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2046428804.00000251C549B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValuesOIDInfo
Source: rundll32.exe, 00000008.00000003.1834996963.00000251C54CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValuesOIDr
Source: rundll32.exe, 00000005.00000003.1768051739.000001D561704000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1768127854.000001D561704000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValuesSIs
Source: rundll32.exe, 00000008.00000003.1834996963.00000251C54CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValuesT
Source: rundll32.exe, 00000008.00000002.3567840753.00000251C54CD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2843064279.00000251C54CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValuesU&Uz
Source: rundll32.exe, 00000005.00000003.3419555198.000001D5616FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3567979777.000001D5616FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValuescom
Source: rundll32.exe, 00000005.00000003.2254376394.000001D5616FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValuesdJLz0
Source: rundll32.exe, 00000008.00000003.2694528807.00000251C54CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValuesg&Gz
Source: rundll32.exe, 00000008.00000003.2694528807.00000251C54CD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.3567840753.00000251C54CD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2843064279.00000251C54CD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2463373720.00000251C54CD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2268720540.00000251C54CD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2046428804.00000251C54CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValuesll
Source: rundll32.exe, 00000008.00000003.2694528807.00000251C54CD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.3567840753.00000251C54CD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2463373720.00000251C54CD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2268720540.00000251C54CD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2046428804.00000251C54CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValuesn&xz
Source: rundll32.exe, 00000005.00000003.1768051739.000001D561704000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3419555198.000001D5616FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1768127854.000001D561704000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3567979777.000001D5616FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValuesoIW
Source: rundll32.exe, 00000005.00000003.3230405674.000001D5616FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValuessJSz/
Source: rundll32.exe, 00000008.00000003.2694528807.00000251C54CD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1834996963.00000251C54CD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2843064279.00000251C54CD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2463373720.00000251C54CD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2268720540.00000251C54CD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2046428804.00000251C54CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://weblineinfo.com/flags/api/v2/frontend/experimentValuesuxs

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 62.192.173.45:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 62.192.173.45:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 62.192.173.45:443 -> 192.168.2.4:49752 version: TLS 1.2

Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180015BF0 BCryptOpenAlgorithmProvider,BCryptImportKeyPair,BCryptVerifySignature,BCryptDestroyKey,BCryptDestroyKey,BCryptCloseAlgorithmProvider,		5_2_0000000180015BF0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180015F90 BCryptOpenAlgorithmProvider,BCryptDestroyKey,BCryptCloseAlgorithmProvider,BCryptImportKeyPair,BCryptVerifySignature,BCryptDestroyKey,		5_2_0000000180015F90

Source: C:\Windows\System32\rundll32.exe	Code function: 5_3_000001D562FCD6CA NtProtectVirtualMemory,	5_3_000001D562FCD6CA
Source: C:\Windows\System32\rundll32.exe	Code function: 5_3_000001D562FCD65A NtAllocateVirtualMemory,	5_3_000001D562FCD65A
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180006560 NtAllocateVirtualMemory,NtProtectVirtualMemory,	5_2_0000000180006560
Source: C:\Windows\System32\rundll32.exe	Code function: 8_3_00000251C56CD65A NtAllocateVirtualMemory,	8_3_00000251C56CD65A
Source: C:\Windows\System32\rundll32.exe	Code function: 8_3_00000251C56CD6CA NtProtectVirtualMemory,	8_3_00000251C56CD6CA

Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000000018012A000	5_2_000000018012A000
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180001D60	5_2_0000000180001D60
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000000018012C804	5_2_000000018012C804
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000001801178AC	5_2_00000001801178AC
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000001800150D0	5_2_00000001800150D0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000001801310C8	5_2_00000001801310C8
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180118A10	5_2_0000000180118A10
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180117290	5_2_0000000180117290
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180117AB0	5_2_0000000180117AB0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000000018012D318	5_2_000000018012D318
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180126B04	5_2_0000000180126B04
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000000018011A3C0	5_2_000000018011A3C0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000001800143C0	5_2_00000001800143C0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000000018012CC98	5_2_000000018012CC98
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000000018000FE05	5_2_000000018000FE05
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180123610	5_2_0000000180123610
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180006560	5_2_0000000180006560
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000001801176A0	5_2_00000001801176A0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180139F04	5_2_0000000180139F04

Source: C:\Windows\System32\rundll32.exe	Code function: String function: 0000000180106AE4 appears 53 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 0000000180107230 appears 65 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 000000018003C440 appears 47 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 0000000180005830 appears 51 times

Source: 10kmr9d7.dll

Binary or memory string: OriginalFilenameActionsShim.dll8 vs 10kmr9d7.dll

Source: 10kmr9d7.dll

Static PE information: Section: .rsrc ZLIB complexity 0.9947324810606061

Source: 10kmr9d7.dll

Binary string: ??\\?\\\.\LPTCOMCONPRNAUXNUL/ntdll.dllchineseczechnorwegianslovakidProcessUtilsD:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\ProcessUtils.cpp :\Device\Mup\\\Device\LanmanRedirector\\\\\.\GlobalrootOpenProcess call with pid [%d] failed with error [%d]. Cannot get the process path!mb::common::system::ProcessUtils::GetProcessPathGetProcessImageFileName for [%d] failed with error [%d]. Cannot get the process path!NtQuerySystemInformationSHA1MD5SHA256SHA384SHA512**** Error 0x%x returned by BCryptOpenAlgorithmProvider - HashMbCommonSigCRYPTUSRD:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\CryptoUser.cppMbHashMemoryObjectLength**** Error 0x%x returned by BCryptGetProperty getting object length**** memory allocation failedHashDigestLength**** Error 0x%x returned by BCryptGetProperty getting hash length**** Invalid hash size: %u, need %u**** Invalid hash buffer: %p**** Error 0x%x returned by BCryptCreateHash**** Error 0x%x returned by BCryptHashData**** Error 0x%x returned by BCryptFinishHashRSAPUBLICBLOBFailed to import the public key - %xImportRsaPublicKeyXRSA**** Error 0x%x returned by BCryptOpenAlgorithmProviderVerifyTrusted****> Failed to import public key - %xKaseya LimitedKaseya certificate is trusted!ConnectWise certificate is trusted!VerifyData**** Failed to import public key - %xVerify signature returns %xGetFileHash32Not A Valid Dos StubNot A Valid PE Executable**** Error getting memoryError calculating rest of data!!GetFileHash64

Source: classification engine

Classification label: mal56.evad.winDLL@56/0@1/1

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_0000000180008770 CreateToolhelp32Snapshot,GetLastError,Sleep,CreateToolhelp32Snapshot,Module32FirstW,CloseHandle,OpenProcess,GetLastError,GetLastError,GetModuleHandleW,GetProcAddress,GetModuleHandleW,LoadLibraryW,GetProcAddress,GetLastError,GetModuleHandleW,CloseHandle,VirtualQueryEx,CloseHandle,GetLastError,CloseHandle,CloseHandle,GetLastError,CloseHandle,

5_2_0000000180008770

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7336:120:WilError_03
Source: C:\Windows\System32\rundll32.exe	Mutant created: NULL

Source: 10kmr9d7.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\10kmr9d7.dll,ActionsShim_CancelAllOperations

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\10kmr9d7.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\10kmr9d7.dll,ActionsShim_CancelAllOperations
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\10kmr9d7.dll,ActionsShim_Create
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\10kmr9d7.dll,ActionsShim_Destroy
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_CancelAllOperations
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_Create
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_Destroy
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_Threat_GetTxtReplaceData
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_Threat_GetRegValueReplaceData
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_Threat_GetRegValueDeleteData
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_Threat_GetBasicData
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_Threat_Delete
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_ShutdownTargetDLL
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_SetMaxLogLevel
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_SetLogCallback
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_ProcessThreatActionsV2
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_ProcessThreatActions
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_ProcessPendingActionsAfterReboot
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_PrepareUpdate
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_IsDLLNewlyLoaded
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_InitTargetDLL
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_GetMinorAPIVersion
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_GetMajorAPIVersion
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_GetDetectedThreatsV2
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_GetDetectedThreats
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_FinishUpdate
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\10kmr9d7.dll,ActionsShim_CancelAllOperations	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\10kmr9d7.dll,ActionsShim_Create	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\10kmr9d7.dll,ActionsShim_Destroy	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_CancelAllOperations	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_Create	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_Destroy	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_Threat_GetTxtReplaceData	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_Threat_GetRegValueReplaceData	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_Threat_GetRegValueDeleteData	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_Threat_GetBasicData	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_Threat_Delete	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_ShutdownTargetDLL	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_SetMaxLogLevel	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_SetLogCallback	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_ProcessThreatActionsV2	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_ProcessThreatActions	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_ProcessPendingActionsAfterReboot	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_PrepareUpdate	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_IsDLLNewlyLoaded	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_InitTargetDLL	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_GetMinorAPIVersion	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_GetMajorAPIVersion	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_GetDetectedThreatsV2	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_GetDetectedThreats	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_FinishUpdate	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: 10kmr9d7.dll

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: 10kmr9d7.dll

Static PE information: Image base 0x180000000 > 0x60000000

Source: 10kmr9d7.dll

Static file information: File size 2449408 > 1048576

Source: 10kmr9d7.dll

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x143800

Source: 10kmr9d7.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 10kmr9d7.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 10kmr9d7.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 10kmr9d7.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 10kmr9d7.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 10kmr9d7.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 10kmr9d7.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Source: 10kmr9d7.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 10kmr9d7.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 10kmr9d7.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 10kmr9d7.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 10kmr9d7.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\System32\rundll32.exe

5_2_0000000180008770

Source: 10kmr9d7.dll

Static PE information: real checksum: 0x227cd1 should be: 0x25c48f

Source: 10kmr9d7.dll

Static PE information: section name: _RDATA

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\rundll32.exe

API coverage: 2.6 %

Source: C:\Windows\System32\loaddll64.exe TID: 7332

Thread sleep time: -120000s >= -30000s

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\rundll32.exe

5_2_00000001800143C0

Source: C:\Windows\System32\loaddll64.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: rundll32.exe, 00000005.00000002.3567765146.000001D561668000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`Foa
Source: rundll32.exe, 00000006.00000002.1753744971.0000022AA39D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlloo@{P
Source: rundll32.exe, 0000000B.00000002.1792038899.00000295225E8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000002.1791605637.0000026086208000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll-
Source: rundll32.exe, 0000000F.00000002.1787647780.000001B7BECD8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllRR1sP
Source: rundll32.exe, 0000001A.00000002.1796375133.000001F677D98000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllQQh
Source: rundll32.exe, 00000008.00000002.3567840753.00000251C5408000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: rundll32.exe, 00000005.00000003.3230690493.000001D5616EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3567765146.000001D5616EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2254447572.000001D5616EE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2771548444.000001D5616EF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1768162677.000001D5616F0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2048112069.00000251C5469000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.3567840753.00000251C5463000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1835197651.00000251C546A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2268841806.00000251C546E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000018.00000002.1796182452.000002E26C5E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllRRp
Source: rundll32.exe, 0000000A.00000002.1795383594.000002359B098000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllOOIdP
Source: rundll32.exe, 0000001B.00000002.1795592817.00000235962C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllRRr
Source: rundll32.exe, 00000010.00000002.1795949257.0000027E3E418000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllRR6
Source: rundll32.exe, 0000000E.00000002.1792035376.000001EFD54B8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllTT<
Source: loaddll64.exe, 00000000.00000002.2992880785.0000021E94C2D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.1693344485.00000188A97F9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.1787575832.000001EF1AAE8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.1791447808.00000192B5108000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1795963479.000002A6721A8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.1795901134.00000162A0968000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000014.00000002.1796234407.000001BAD9608000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000016.00000002.1796502483.0000015F23A48000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.1795112649.000001FFE41C8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000019.00000002.1795768931.000001F96ABA8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000001C.00000002.1795491690.00000297BE728000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: rundll32.exe, 00000004.00000002.1693602387.0000024133CF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllss
Source: rundll32.exe, 00000009.00000002.1788817676.0000025C64808000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllDD
Source: rundll32.exe, 00000012.00000002.1791652895.000001B025988000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllOO
Source: rundll32.exe, 00000015.00000002.1795224140.00000235868B8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllTT

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_0000000180107848 GetLastError,IsDebuggerPresent,OutputDebugStringW,

5_2_0000000180107848

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_0000000180107848 GetLastError,IsDebuggerPresent,OutputDebugStringW,

5_2_0000000180107848

Source: C:\Windows\System32\rundll32.exe

5_2_0000000180008770

Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180115DC0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		5_2_0000000180115DC0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180106F64 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		5_2_0000000180106F64

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\rundll32.exe

Network Connect: 62.192.173.45 443

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: 7404	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: 7404	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: 7468	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: 7468	Jump to behavior

Sets debug register (to hijack the execution of another thread)

Source: C:\Windows\System32\rundll32.exe

Thread register set: 7404 1

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",#1

Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Code function: GetLocaleInfoW,		5_2_0000000180130228
Source: C:\Windows\System32\rundll32.exe	Code function: EnumSystemLocalesW,		5_2_000000018012FDA8

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_0000000180107684 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

5_2_0000000180107684

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	311 Process Injection	11 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	311 Process Injection	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	13 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
https://weblineinfo.com/	0%	Avira URL Cloud	safe
https://weblineinfo.com/D.	0%	Avira URL Cloud	safe
http://crl.microsoft.c	0%	Avira URL Cloud	safe
https://weblineinfo.com/KC8	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
weblineinfo.com	62.192.173.45	true	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.microsoft.c	rundll32.exe, 00000008.00000003.2463373720.00000251C54CD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2268720540.00000251C54CD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2046428804.00000251C54CD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://weblineinfo.com/KC8	rundll32.exe, 00000005.00000003.2771390805.000001D5616FD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://weblineinfo.com/	rundll32.exe, 00000005.00000002.3567765146.000001D5616C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2771469730.000001D5616C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3230690493.000001D5616C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2771390805.000001D5616FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3419555198.000001D5616FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.3230405674.000001D5616FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2254376394.000001D5616FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3567979777.000001D5616FD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1768162677.000001D5616C8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2254447572.000001D5616C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2771548444.000001D5616C6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2048112069.00000251C5469000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.3567840753.00000251C5463000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1835197651.00000251C546A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2463373720.00000251C54CD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.2268841806.00000251C546E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://weblineinfo.com/D.	rundll32.exe, 00000008.00000003.2268720540.00000251C54CD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
62.192.173.45	weblineinfo.com	Lithuania		25780	HUGESERVER-NETWORKSUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1490633
Start date and time:	2024-08-09 16:23:04 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	34
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	10kmr9d7.dll renamed because original name is a hash value
Original Sample Name:	10kmr9d7.mp3
Detection:	MAL
Classification:	mal56.evad.winDLL@56/0@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 72% Number of executed functions: 13 Number of non-executed functions: 66
Cookbook Comments:	Found application associated with file extension: .dll Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target rundll32.exe, PID 7576 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HUGESERVER-NETWORKSUS	mirai.spc.elf	Get hash	malicious	Mirai	Browse	171.22.79.159
	ClientAny.exe	Get hash	malicious	AsyncRAT, VenomRAT	Browse	2.58.84.229
	https://denizfirsatgsmtektikbuo.xyz/	Get hash	malicious	HTMLPhisher	Browse	2.58.85.5
	x86.elf	Get hash	malicious	Mirai, Moobot	Browse	107.161.53.91
	lKXAJFq3ih.exe	Get hash	malicious	AsyncRAT	Browse	2.58.85.145
	peign94sXb.elf	Get hash	malicious	Unknown	Browse	171.22.79.111
	jSlv5GLHad.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, SmokeLoader, Socks5Systemz, Stealc	Browse	185.133.35.50
	hajime-like-20231028-0250.elf	Get hash	malicious	Gafgyt, Mirai	Browse	62.192.173.7
	HDyd3HGFG9.elf	Get hash	malicious	Mirai	Browse	62.192.173.7

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	PDFixers (1).exe	Get hash	malicious	Unknown	Browse	62.192.173.45
	file.exe	Get hash	malicious	Vidar	Browse	62.192.173.45
	file.exe	Get hash	malicious	Babuk, Djvu	Browse	62.192.173.45
	file.exe	Get hash	malicious	Vidar	Browse	62.192.173.45
	file.exe	Get hash	malicious	Vidar	Browse	62.192.173.45
	Ordine 403012.docx.doc	Get hash	malicious	Unknown	Browse	62.192.173.45
	SecuriteInfo.com.Trojan.Crypt.23519.13317.exe	Get hash	malicious	Unknown	Browse	62.192.173.45
	SecuriteInfo.com.Trojan.Crypt.23519.13317.exe	Get hash	malicious	Unknown	Browse	62.192.173.45
	verify-captcha-987.b-cdn.net.ps1	Get hash	malicious	Clipboard Hijacker	Browse	62.192.173.45

File type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit):	6.748659647863066
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	10kmr9d7.dll
File size:	2'449'408 bytes
MD5:	7abbf9f2106c2dd1e69110c6c6b8dbc6
SHA1:	05cf0a54c0e62d170b6ff9bb0108b70164a0e681
SHA256:	44f5ebb4facaba45274f08437a1f980bbbdb209cbd016ead76e4ec1afaca4dc2
SHA512:	b577338b86d082f4f87e58342c54d5c2c80e17aa9bc983e558904aaaf8a23a6c780c5627e935c39bcabe63e3776310529f3066b06776a0f7869eff721a8bd3fd
SSDEEP:	49152:tR3rKKPT0xXxBg7KNvBtFXTM6utS1vdPUGu5hOAxNMQwR:fLeFDMb8F2Gu/fzwR
TLSH:	79B5AE17E3DA41F9DDB7C2388953C51BD7B2B8191370ABCF06A452681EA37E1127EB18
File Content Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$............~...~...~.......~......z~...~...~.......~.......~.......~.......~.......\|.......~...~..3........~.......~.......~....M..~.

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x180106e54
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x180000000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics:	HIGH_ENTROPY_VA
Time Stamp:	0x662BC869 [Fri Apr 26 15:29:45 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	7654de49588e8164879719d356bd8735

Entrypoint Preview

Instruction
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], esi
push edi
dec eax
sub esp, 20h
dec ecx
mov edi, eax
mov ebx, edx
dec eax
mov esi, ecx
cmp edx, 01h
jne 00007FF160D2FF27h
call 00007FF160D30734h
dec esp
mov eax, edi
mov edx, ebx
dec eax
mov ecx, esi
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
mov esi, dword ptr [esp+38h]
dec eax
add esp, 20h
pop edi
jmp 00007FF160D2FDB4h
int3
int3
int3
dec eax
mov eax, esp
dec esp
mov dword ptr [eax+20h], ecx
dec esp
mov dword ptr [eax+18h], eax
dec eax
mov dword ptr [eax+10h], edx
push ebx
push esi
push edi
inc ecx
push esi
dec eax
sub esp, 38h
dec ebp
mov esi, ecx
dec ecx
mov ebx, eax
dec eax
mov esi, edx
mov byte ptr [eax-38h], 00000000h
dec eax
mov edi, edx
dec ecx
imul edi, eax
dec eax
add edi, ecx
dec eax
mov dword ptr [eax+08h], edi
dec eax
mov eax, ebx
dec eax
dec ebx
dec eax
mov dword ptr [esp+70h], ebx
dec eax
test eax, eax
je 00007FF160D2FF3Bh
dec eax
sub edi, esi
dec eax
mov dword ptr [esp+60h], edi
dec eax
mov ecx, edi
dec ecx
mov eax, esi
dec eax
mov edx, dword ptr [0003E71Ch]
call edx
jmp 00007FF160D2FEF9h
mov byte ptr [esp+20h], 00000001h
dec eax
add esp, 38h
inc ecx
pop esi
pop edi
pop esi
pop ebx
ret
int3
dec eax
mov dword ptr [esp+10h], ebx
dec eax
mov dword ptr [esp+18h], esi
dec eax
mov dword ptr [esp+08h], ecx
push edi
inc ecx
push esi
inc ecx
push edi
dec eax
sub esp, 50h
dec ebp
mov esi, ecx

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x1fca90	0x3bc	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1fce4c	0xc8	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x21b000	0x3dc80	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x209000	0x10650	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x259000	0x5a28	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1e83e0	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x1e8600	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1e82a0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x145000	0x5f8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x14379c	0x143800	3d0b6dc5a907120acd2a7b48d00b2e83	False	0.4948032385046368	data	6.492820105687993	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x145000	0xb92fc	0xb9400	bb96591fd85a5ed81095b5e982a81a6b	False	0.3853955802968961	data	5.754560167815736	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1ff000	0x9ed4	0x4c00	e5e06104c62e8c75c19b858e3ee1cbeb	False	0.21145148026315788	data	3.619053235111025	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x209000	0x10650	0x10800	d56b95ed2378ce9c949567aa2dc594c0	False	0.4711322206439394	data	6.104938474417208	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA	0x21a000	0x1f4	0x200	65c1f4817abba73158ce681a35785c62	False	0.5078125	data	4.176173183361914	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x21b000	0x3dc80	0x3de00	c84d88d4f874815287125f69ada14e47	False	0.9947324810606061	data	7.998012535592944	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x259000	0x5a28	0x5c00	02ba99b3c0d3324a1bdaf65569abc896	False	0.2720788043478261	data	5.4317179166648275	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x21b0e8	0x2cc	data	English	United States	0.4790502793296089
RT_ANICURSOR	0x21b3b4	0x3d74a	data			0.9982480673123525
RT_MANIFEST	0x258b00	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
CRYPT32.dll	CertDuplicateCertificateContext, CertFindCertificateInStore, CertFreeCertificateContext, CertOpenStore, CertCloseStore, CertGetCertificateContextProperty, CertEnumCertificatesInStore
KERNEL32.dll	GetFileAttributesW, SetLastError, GetCurrentThreadId, SetEndOfFile, GetStdHandle, FindNextFileW, FindClose, GetModuleHandleA, GetCurrentDirectoryW, SetEvent, ResetEvent, ReleaseMutex, CreateMutexW, CreateEventW, WaitForMultipleObjects, InitializeCriticalSectionAndSpinCount, TerminateProcess, GetStartupInfoW, GetSystemTimeAsFileTime, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetEnvironmentVariableW, SetEnvironmentVariableW, GetFileType, DeleteFiber, QueryPerformanceCounter, ConvertFiberToThread, GetConsoleMode, SetConsoleMode, ReadConsoleA, ReadConsoleW, WriteConsoleW, HeapSize, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, GetTimeZoneInformation, SystemTimeToTzSpecificLocalTime, GetLocalTime, GetTickCount, GetFileSize, HeapAlloc, GetProcessHeap, WaitForSingleObject, QueryDosDeviceW, GetLogicalDriveStringsW, FindFirstFileW, HeapFree, GetFileInformationByHandle, WriteFile, ReadFile, GetFileSizeEx, FlushFileBuffers, CreateFileW, GetWindowsDirectoryW, GetCurrentProcess, GetModuleFileNameW, FileTimeToSystemTime, MultiByteToWideChar, WideCharToMultiByte, LocalFree, FormatMessageW, DeleteCriticalSection, DecodePointer, InitializeCriticalSectionEx, VirtualQueryEx, GetModuleHandleW, Module32FirstW, CreateToolhelp32Snapshot, OpenProcess, GetCurrentProcessId, GetLastError, CloseHandle, GetProcAddress, FreeLibrary, LoadLibraryW, GetACP, IsValidCodePage, FindFirstFileExW, GetFullPathNameW, HeapReAlloc, SetStdHandle, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, LCMapStringW, CompareStringW, FlsFree, FlsSetValue, FlsGetValue, FlsAlloc, SetFilePointerEx, GetConsoleOutputCP, PeekNamedPipe, GetDriveTypeW, SetConsoleCtrlHandler, ExitProcess, GetModuleHandleExW, EnterCriticalSection, LoadLibraryExW, RtlPcToFileHeader, InterlockedFlushSList, InterlockedPushEntrySList, RtlUnwindEx, RaiseException, OutputDebugStringW, IsDebuggerPresent, InitializeSListHead, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, SleepConditionVariableSRW, WakeAllConditionVariable, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, GetCPInfo, LCMapStringEx, EncodePointer, GetStringTypeW, Sleep, SwitchToThread, LeaveCriticalSection
USER32.dll	GetProcessWindowStation, MessageBoxW, GetUserObjectInformationW
ADVAPI32.dll	RegOpenKeyExW, RegQueryValueExW, RegCloseKey, RegEnumKeyExW, CryptAcquireContextW, CryptCreateHash, CryptReleaseContext, CryptDestroyHash, CryptEnumProvidersW, CryptSignHashW, CryptDecrypt, CryptExportKey, CryptGetUserKey, CryptGetProvParam, CryptSetHashParam, CryptDestroyKey, ReportEventW, RegisterEventSourceW, DeregisterEventSource
OLEAUT32.dll	VariantClear
PSAPI.DLL	GetProcessImageFileNameW
bcrypt.dll	BCryptImportKeyPair, BCryptHashData, BCryptDestroyHash, BCryptGenRandom, BCryptCreateHash, BCryptCloseAlgorithmProvider, BCryptFinishHash, BCryptOpenAlgorithmProvider, BCryptVerifySignature, BCryptGetProperty, BCryptDestroyKey
VERSION.dll	VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW
WS2_32.dll	recv, WSAGetLastError, WSAStartup, WSACleanup, send, closesocket, WSASetLastError

Exports

Name	Ordinal	Address
ActionsShim_CancelAllOperations	1	0x180007790
ActionsShim_Create	2	0x180006560
ActionsShim_Destroy	3	0x180006650
ActionsShim_FinishUpdate	4	0x180006b70
ActionsShim_GetDetectedThreats	5	0x180006d40
ActionsShim_GetDetectedThreatsV2	6	0x180006e40
ActionsShim_GetMajorAPIVersion	7	0x180006540
ActionsShim_GetMinorAPIVersion	8	0x180006540
ActionsShim_InitTargetDLL	9	0x180006820
ActionsShim_IsDLLNewlyLoaded	10	0x180006550
ActionsShim_PrepareUpdate	11	0x180006a50
ActionsShim_ProcessPendingActionsAfterReboot	12	0x180007690
ActionsShim_ProcessThreatActions	13	0x180007490
ActionsShim_ProcessThreatActionsV2	14	0x180007590
ActionsShim_SetLogCallback	15	0x1800066b0
ActionsShim_SetMaxLogLevel	16	0x180006710
ActionsShim_ShutdownTargetDLL	17	0x180006950
ActionsShim_Threat_Delete	18	0x1800073a0
ActionsShim_Threat_GetBasicData	19	0x180006f40
ActionsShim_Threat_GetRegValueDeleteData	20	0x180007090
ActionsShim_Threat_GetRegValueReplaceData	21	0x180007190
ActionsShim_Threat_GetTxtReplaceData	22	0x1800072a0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 9, 2024 16:24:03.922116041 CEST	49730	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:03.922202110 CEST	443	49730	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:03.922326088 CEST	49730	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:03.936258078 CEST	49730	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:03.936292887 CEST	443	49730	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:04.492029905 CEST	443	49730	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:04.492139101 CEST	49730	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:04.543076038 CEST	49730	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:04.543144941 CEST	443	49730	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:04.544083118 CEST	443	49730	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:04.544154882 CEST	49730	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:04.546281099 CEST	49730	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:04.546282053 CEST	49730	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:04.546320915 CEST	443	49730	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:04.797925949 CEST	443	49730	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:04.798125029 CEST	443	49730	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:04.798135996 CEST	49730	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:04.798194885 CEST	49730	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:04.798384905 CEST	49730	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:04.798425913 CEST	443	49730	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:04.815084934 CEST	49731	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:04.815161943 CEST	443	49731	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:04.815258980 CEST	49731	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:04.815716028 CEST	49731	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:04.815749884 CEST	443	49731	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:05.337445021 CEST	443	49731	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:05.341603994 CEST	49731	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:05.371284962 CEST	49731	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:05.371304035 CEST	443	49731	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:05.372461081 CEST	49731	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:05.372473955 CEST	443	49731	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:05.770363092 CEST	443	49731	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:05.770514965 CEST	443	49731	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:05.770699978 CEST	49731	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:05.770700932 CEST	49731	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:05.771100044 CEST	49731	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:05.771126032 CEST	443	49731	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:10.805861950 CEST	49732	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:10.805918932 CEST	443	49732	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:10.806039095 CEST	49732	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:10.813563108 CEST	49732	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:10.813601971 CEST	443	49732	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:11.326992035 CEST	443	49732	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:11.327126980 CEST	49732	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:11.394947052 CEST	49732	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:11.394993067 CEST	443	49732	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:11.395838022 CEST	443	49732	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:11.395895958 CEST	49732	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:11.397484064 CEST	49732	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:11.397506952 CEST	49732	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:11.397520065 CEST	443	49732	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:11.655251026 CEST	443	49732	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:11.655369043 CEST	49732	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:11.655389071 CEST	443	49732	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:11.655462980 CEST	49732	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:11.655644894 CEST	49732	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:11.655668974 CEST	443	49732	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:11.677625895 CEST	49733	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:11.677711964 CEST	443	49733	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:11.677814007 CEST	49733	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:11.678021908 CEST	49733	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:11.678046942 CEST	443	49733	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:12.212924004 CEST	443	49733	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:12.213047028 CEST	49733	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:12.213556051 CEST	49733	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:12.213586092 CEST	443	49733	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:12.214766979 CEST	49733	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:12.214778900 CEST	443	49733	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:12.465231895 CEST	443	49733	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:12.465332031 CEST	49733	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:12.465364933 CEST	443	49733	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:12.465388060 CEST	443	49733	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:12.465415001 CEST	49733	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:12.465439081 CEST	49733	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:12.465501070 CEST	49733	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:12.465517998 CEST	443	49733	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:29.825124979 CEST	49740	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:29.825231075 CEST	443	49740	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:29.825325966 CEST	49740	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:29.825740099 CEST	49740	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:29.825778008 CEST	443	49740	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:30.335266113 CEST	443	49740	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:30.335381031 CEST	49740	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:30.335932970 CEST	49740	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:30.335959911 CEST	443	49740	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:30.347806931 CEST	49740	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:30.347867012 CEST	443	49740	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:30.580506086 CEST	443	49740	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:30.580599070 CEST	443	49740	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:30.580596924 CEST	49740	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:30.580660105 CEST	49740	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:30.580837011 CEST	49740	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:30.580876112 CEST	443	49740	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:32.530944109 CEST	49741	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:32.531042099 CEST	443	49741	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:32.531163931 CEST	49741	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:32.531512022 CEST	49741	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:32.531549931 CEST	443	49741	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:33.351177931 CEST	443	49741	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:33.351392984 CEST	49741	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:33.351919889 CEST	49741	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:33.351947069 CEST	443	49741	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:33.363816977 CEST	49741	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:33.363831043 CEST	443	49741	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:33.601562023 CEST	443	49741	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:33.601659060 CEST	443	49741	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:33.601722956 CEST	49741	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:33.601722956 CEST	49741	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:33.604288101 CEST	49741	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:33.604336023 CEST	443	49741	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:53.629453897 CEST	49742	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:53.629539013 CEST	443	49742	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:53.629630089 CEST	49742	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:53.629930973 CEST	49742	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:53.629966021 CEST	443	49742	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:54.160311937 CEST	443	49742	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:54.160386086 CEST	49742	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:54.161169052 CEST	49742	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:54.161187887 CEST	443	49742	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:54.173180103 CEST	49742	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:54.173193932 CEST	443	49742	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:54.403084040 CEST	443	49742	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:54.403155088 CEST	49742	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:54.403177977 CEST	443	49742	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:54.403224945 CEST	49742	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:54.403264046 CEST	443	49742	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:54.403315067 CEST	49742	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:54.403398991 CEST	49742	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:54.403415918 CEST	443	49742	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:54.930675030 CEST	49744	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:54.930718899 CEST	443	49744	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:54.930789948 CEST	49744	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:54.931139946 CEST	49744	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:54.931160927 CEST	443	49744	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:55.592783928 CEST	443	49744	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:55.592901945 CEST	49744	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:55.593482018 CEST	49744	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:55.593509912 CEST	443	49744	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:55.595280886 CEST	49744	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:55.595293999 CEST	443	49744	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:55.837378025 CEST	443	49744	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:55.837457895 CEST	49744	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:55.837474108 CEST	443	49744	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:55.837521076 CEST	49744	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:55.837544918 CEST	443	49744	62.192.173.45	192.168.2.4
Aug 9, 2024 16:24:55.837603092 CEST	49744	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:55.837891102 CEST	49744	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:24:55.837903023 CEST	443	49744	62.192.173.45	192.168.2.4
Aug 9, 2024 16:25:12.449069023 CEST	49745	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:25:12.449150085 CEST	443	49745	62.192.173.45	192.168.2.4
Aug 9, 2024 16:25:12.449263096 CEST	49745	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:25:12.449783087 CEST	49745	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:25:12.449821949 CEST	443	49745	62.192.173.45	192.168.2.4
Aug 9, 2024 16:25:13.019397974 CEST	443	49745	62.192.173.45	192.168.2.4
Aug 9, 2024 16:25:13.019491911 CEST	49745	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:25:13.020029068 CEST	49745	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:25:13.020046949 CEST	443	49745	62.192.173.45	192.168.2.4
Aug 9, 2024 16:25:13.022020102 CEST	49745	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:25:13.022032976 CEST	443	49745	62.192.173.45	192.168.2.4
Aug 9, 2024 16:25:13.268074989 CEST	443	49745	62.192.173.45	192.168.2.4
Aug 9, 2024 16:25:13.268156052 CEST	443	49745	62.192.173.45	192.168.2.4
Aug 9, 2024 16:25:13.268276930 CEST	49745	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:25:13.268277884 CEST	49745	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:25:13.268512011 CEST	49745	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:25:13.268549919 CEST	443	49745	62.192.173.45	192.168.2.4
Aug 9, 2024 16:25:13.886428118 CEST	49746	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:25:13.886492014 CEST	443	49746	62.192.173.45	192.168.2.4
Aug 9, 2024 16:25:13.886593103 CEST	49746	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:25:13.887018919 CEST	49746	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:25:13.887041092 CEST	443	49746	62.192.173.45	192.168.2.4
Aug 9, 2024 16:25:15.029779911 CEST	443	49746	62.192.173.45	192.168.2.4
Aug 9, 2024 16:25:15.029944897 CEST	49746	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:25:15.031110048 CEST	49746	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:25:15.031141996 CEST	443	49746	62.192.173.45	192.168.2.4
Aug 9, 2024 16:25:15.035043955 CEST	49746	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:25:15.035058975 CEST	443	49746	62.192.173.45	192.168.2.4
Aug 9, 2024 16:25:15.301609039 CEST	443	49746	62.192.173.45	192.168.2.4
Aug 9, 2024 16:25:15.301764011 CEST	49746	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:25:15.301774025 CEST	443	49746	62.192.173.45	192.168.2.4
Aug 9, 2024 16:25:15.301866055 CEST	49746	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:25:15.302308083 CEST	49746	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:25:15.302328110 CEST	443	49746	62.192.173.45	192.168.2.4
Aug 9, 2024 16:25:37.404977083 CEST	49747	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:25:37.405069113 CEST	443	49747	62.192.173.45	192.168.2.4
Aug 9, 2024 16:25:37.405167103 CEST	49747	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:25:37.405414104 CEST	49747	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:25:37.405455112 CEST	443	49747	62.192.173.45	192.168.2.4
Aug 9, 2024 16:25:37.914118052 CEST	443	49747	62.192.173.45	192.168.2.4
Aug 9, 2024 16:25:37.914258957 CEST	49747	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:25:37.914726019 CEST	49747	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:25:37.914753914 CEST	443	49747	62.192.173.45	192.168.2.4
Aug 9, 2024 16:25:37.916152954 CEST	49747	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:25:37.916167021 CEST	443	49747	62.192.173.45	192.168.2.4
Aug 9, 2024 16:25:38.417464018 CEST	443	49747	62.192.173.45	192.168.2.4
Aug 9, 2024 16:25:38.417629004 CEST	443	49747	62.192.173.45	192.168.2.4
Aug 9, 2024 16:25:38.417722940 CEST	49747	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:25:38.417722940 CEST	49747	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:25:38.418076992 CEST	49747	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:25:38.418119907 CEST	443	49747	62.192.173.45	192.168.2.4
Aug 9, 2024 16:25:45.323740959 CEST	49748	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:25:45.323829889 CEST	443	49748	62.192.173.45	192.168.2.4
Aug 9, 2024 16:25:45.324157000 CEST	49748	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:25:45.324534893 CEST	49748	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:25:45.324588060 CEST	443	49748	62.192.173.45	192.168.2.4
Aug 9, 2024 16:25:45.866206884 CEST	443	49748	62.192.173.45	192.168.2.4
Aug 9, 2024 16:25:45.866307020 CEST	49748	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:25:45.866861105 CEST	49748	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:25:45.866883039 CEST	443	49748	62.192.173.45	192.168.2.4
Aug 9, 2024 16:25:45.868627071 CEST	49748	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:25:45.868642092 CEST	443	49748	62.192.173.45	192.168.2.4
Aug 9, 2024 16:25:46.104569912 CEST	443	49748	62.192.173.45	192.168.2.4
Aug 9, 2024 16:25:46.104641914 CEST	443	49748	62.192.173.45	192.168.2.4
Aug 9, 2024 16:25:46.104783058 CEST	49748	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:25:46.104783058 CEST	49748	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:25:46.105034113 CEST	49748	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:25:46.105055094 CEST	443	49748	62.192.173.45	192.168.2.4
Aug 9, 2024 16:25:52.483527899 CEST	49749	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:25:52.483572960 CEST	443	49749	62.192.173.45	192.168.2.4
Aug 9, 2024 16:25:52.483674049 CEST	49749	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:25:52.484015942 CEST	49749	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:25:52.484036922 CEST	443	49749	62.192.173.45	192.168.2.4
Aug 9, 2024 16:25:53.028017998 CEST	443	49749	62.192.173.45	192.168.2.4
Aug 9, 2024 16:25:53.028112888 CEST	49749	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:25:53.030002117 CEST	49749	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:25:53.030019999 CEST	443	49749	62.192.173.45	192.168.2.4
Aug 9, 2024 16:25:53.032059908 CEST	49749	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:25:53.032071114 CEST	443	49749	62.192.173.45	192.168.2.4
Aug 9, 2024 16:25:53.271513939 CEST	443	49749	62.192.173.45	192.168.2.4
Aug 9, 2024 16:25:53.271611929 CEST	443	49749	62.192.173.45	192.168.2.4
Aug 9, 2024 16:25:53.271658897 CEST	49749	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:25:53.271686077 CEST	49749	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:25:53.271929026 CEST	49749	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:25:53.271949053 CEST	443	49749	62.192.173.45	192.168.2.4
Aug 9, 2024 16:26:08.172034025 CEST	49750	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:26:08.172113895 CEST	443	49750	62.192.173.45	192.168.2.4
Aug 9, 2024 16:26:08.172202110 CEST	49750	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:26:08.172832012 CEST	49750	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:26:08.172869921 CEST	443	49750	62.192.173.45	192.168.2.4
Aug 9, 2024 16:26:08.357520103 CEST	49751	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:26:08.357574940 CEST	443	49751	62.192.173.45	192.168.2.4
Aug 9, 2024 16:26:08.357649088 CEST	49751	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:26:08.357889891 CEST	49751	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:26:08.357917070 CEST	443	49751	62.192.173.45	192.168.2.4
Aug 9, 2024 16:26:08.711682081 CEST	443	49750	62.192.173.45	192.168.2.4
Aug 9, 2024 16:26:08.712057114 CEST	49750	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:26:08.742474079 CEST	49750	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:26:08.742527008 CEST	443	49750	62.192.173.45	192.168.2.4
Aug 9, 2024 16:26:08.743863106 CEST	49750	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:26:08.743916988 CEST	443	49750	62.192.173.45	192.168.2.4
Aug 9, 2024 16:26:08.987991095 CEST	443	49751	62.192.173.45	192.168.2.4
Aug 9, 2024 16:26:08.988339901 CEST	49751	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:26:08.989135981 CEST	49751	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:26:08.989166975 CEST	443	49751	62.192.173.45	192.168.2.4
Aug 9, 2024 16:26:08.993000984 CEST	49751	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:26:08.993055105 CEST	443	49751	62.192.173.45	192.168.2.4
Aug 9, 2024 16:26:09.019243956 CEST	443	49750	62.192.173.45	192.168.2.4
Aug 9, 2024 16:26:09.019447088 CEST	443	49750	62.192.173.45	192.168.2.4
Aug 9, 2024 16:26:09.019769907 CEST	49750	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:26:09.019857883 CEST	49750	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:26:09.019897938 CEST	443	49750	62.192.173.45	192.168.2.4
Aug 9, 2024 16:26:09.438656092 CEST	443	49751	62.192.173.45	192.168.2.4
Aug 9, 2024 16:26:09.438741922 CEST	49751	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:26:09.438807964 CEST	443	49751	62.192.173.45	192.168.2.4
Aug 9, 2024 16:26:09.438904047 CEST	49751	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:26:09.438968897 CEST	49751	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:26:09.439054966 CEST	443	49751	62.192.173.45	192.168.2.4
Aug 9, 2024 16:26:09.439121008 CEST	49751	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:26:27.488775969 CEST	49752	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:26:27.488862038 CEST	443	49752	62.192.173.45	192.168.2.4
Aug 9, 2024 16:26:27.489034891 CEST	49752	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:26:27.489391088 CEST	49752	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:26:27.489428997 CEST	443	49752	62.192.173.45	192.168.2.4
Aug 9, 2024 16:26:28.018111944 CEST	443	49752	62.192.173.45	192.168.2.4
Aug 9, 2024 16:26:28.018223047 CEST	49752	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:26:28.022644043 CEST	49752	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:26:28.022667885 CEST	443	49752	62.192.173.45	192.168.2.4
Aug 9, 2024 16:26:28.023113012 CEST	443	49752	62.192.173.45	192.168.2.4
Aug 9, 2024 16:26:28.023191929 CEST	49752	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:26:28.023705006 CEST	49752	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:26:28.068506002 CEST	443	49752	62.192.173.45	192.168.2.4
Aug 9, 2024 16:26:28.263897896 CEST	443	49752	62.192.173.45	192.168.2.4
Aug 9, 2024 16:26:28.263998032 CEST	443	49752	62.192.173.45	192.168.2.4
Aug 9, 2024 16:26:28.264074087 CEST	49752	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:26:28.264075041 CEST	49752	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:26:28.264249086 CEST	49752	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:26:28.264275074 CEST	443	49752	62.192.173.45	192.168.2.4
Aug 9, 2024 16:26:31.068523884 CEST	49753	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:26:31.068552017 CEST	443	49753	62.192.173.45	192.168.2.4
Aug 9, 2024 16:26:31.068710089 CEST	49753	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:26:31.069464922 CEST	49753	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:26:31.069483042 CEST	443	49753	62.192.173.45	192.168.2.4
Aug 9, 2024 16:26:31.631675959 CEST	443	49753	62.192.173.45	192.168.2.4
Aug 9, 2024 16:26:31.631777048 CEST	49753	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:26:31.742119074 CEST	49753	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:26:31.742126942 CEST	443	49753	62.192.173.45	192.168.2.4
Aug 9, 2024 16:26:31.743350983 CEST	49753	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:26:31.743355989 CEST	443	49753	62.192.173.45	192.168.2.4
Aug 9, 2024 16:26:31.989223957 CEST	443	49753	62.192.173.45	192.168.2.4
Aug 9, 2024 16:26:31.989289045 CEST	49753	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:26:31.989299059 CEST	443	49753	62.192.173.45	192.168.2.4
Aug 9, 2024 16:26:31.989314079 CEST	443	49753	62.192.173.45	192.168.2.4
Aug 9, 2024 16:26:31.989350080 CEST	49753	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:26:31.989370108 CEST	49753	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:26:31.999552965 CEST	49753	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:26:31.999566078 CEST	443	49753	62.192.173.45	192.168.2.4
Aug 9, 2024 16:26:46.341609001 CEST	49754	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:26:46.341648102 CEST	443	49754	62.192.173.45	192.168.2.4
Aug 9, 2024 16:26:46.341723919 CEST	49754	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:26:46.341932058 CEST	49754	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:26:46.341944933 CEST	443	49754	62.192.173.45	192.168.2.4
Aug 9, 2024 16:26:46.863352060 CEST	443	49754	62.192.173.45	192.168.2.4
Aug 9, 2024 16:26:46.863437891 CEST	49754	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:26:46.864414930 CEST	49754	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:26:46.864427090 CEST	443	49754	62.192.173.45	192.168.2.4
Aug 9, 2024 16:26:46.865609884 CEST	49754	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:26:46.865616083 CEST	443	49754	62.192.173.45	192.168.2.4
Aug 9, 2024 16:26:47.116389990 CEST	443	49754	62.192.173.45	192.168.2.4
Aug 9, 2024 16:26:47.116573095 CEST	49754	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:26:47.116586924 CEST	443	49754	62.192.173.45	192.168.2.4
Aug 9, 2024 16:26:47.116609097 CEST	443	49754	62.192.173.45	192.168.2.4
Aug 9, 2024 16:26:47.116698980 CEST	49754	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:26:47.116714001 CEST	49754	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:26:47.117038965 CEST	49754	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:26:47.117053032 CEST	443	49754	62.192.173.45	192.168.2.4
Aug 9, 2024 16:26:50.118880987 CEST	49755	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:26:50.118976116 CEST	443	49755	62.192.173.45	192.168.2.4
Aug 9, 2024 16:26:50.119088888 CEST	49755	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:26:50.119316101 CEST	49755	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:26:50.119357109 CEST	443	49755	62.192.173.45	192.168.2.4
Aug 9, 2024 16:26:50.639082909 CEST	443	49755	62.192.173.45	192.168.2.4
Aug 9, 2024 16:26:50.639375925 CEST	49755	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:26:50.640700102 CEST	49755	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:26:50.640710115 CEST	443	49755	62.192.173.45	192.168.2.4
Aug 9, 2024 16:26:50.644547939 CEST	49755	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:26:50.644556046 CEST	443	49755	62.192.173.45	192.168.2.4
Aug 9, 2024 16:26:50.886969090 CEST	443	49755	62.192.173.45	192.168.2.4
Aug 9, 2024 16:26:50.887140036 CEST	443	49755	62.192.173.45	192.168.2.4
Aug 9, 2024 16:26:50.887303114 CEST	49755	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:26:50.887304068 CEST	49755	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:26:50.921688080 CEST	49755	443	192.168.2.4	62.192.173.45
Aug 9, 2024 16:26:50.921755075 CEST	443	49755	62.192.173.45	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 9, 2024 16:24:03.902522087 CEST	53973	53	192.168.2.4	1.1.1.1
Aug 9, 2024 16:24:03.916788101 CEST	53	53973	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 9, 2024 16:24:03.902522087 CEST	192.168.2.4	1.1.1.1	0xbada	Standard query (0)	weblineinfo.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 9, 2024 16:24:03.916788101 CEST	1.1.1.1	192.168.2.4	0xbada	No error (0)	weblineinfo.com		62.192.173.45	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

weblineinfo.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	62.192.173.45	443	7468	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-09 14:24:04 UTC	387	OUT	POST /flags/api/v2/frontend/experimentValues HTTP/1.1 Accept: / Content-Type: application/json X-Client-Name: feature-gate-js-client X-Client-Version: 4.8.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Host: weblineinfo.com Content-Length: 733 Connection: Keep-Alive Cache-Control: no-cache
2024-08-09 14:24:04 UTC	733	OUT	Data Raw: 7b 22 69 64 65 6e 74 69 66 69 65 72 73 22 3a 7b 22 74 72 65 6c 6c 6f 55 73 65 72 49 64 22 3a 22 30 36 65 66 31 39 64 35 37 63 22 2c 22 61 74 6c 61 73 73 69 61 6e 41 63 63 6f 75 6e 74 49 64 22 3a 22 35 32 33 32 33 31 3a 36 66 35 64 66 35 34 35 2d 64 35 34 64 2d 34 36 64 33 2d 38 65 31 34 2d 32 65 31 63 33 34 31 35 32 39 65 31 22 7d 2c 22 63 75 73 74 6f 6d 41 74 74 72 69 62 75 74 65 73 22 3a 7b 22 6c 6f 63 61 6c 65 22 3a 22 65 6e 22 2c 22 64 65 76 22 3a 22 31 31 64 35 34 35 61 37 65 30 39 66 34 37 35 37 63 63 65 32 31 62 62 66 35 39 63 36 32 35 38 66 61 32 38 63 32 33 39 32 66 61 35 65 35 65 39 66 35 61 30 31 38 36 36 65 31 64 65 36 32 38 66 34 36 37 62 35 39 38 33 31 63 32 30 62 36 61 30 37 31 32 65 39 37 31 64 63 32 37 63 31 64 31 62 61 62 62 66 64 66 34 Data Ascii: {"identifiers":{"trelloUserId":"06ef19d57c","atlassianAccountId":"523231:6f5df545-d54d-46d3-8e14-2e1c341529e1"},"customAttributes":{"locale":"en","dev":"11d545a7e09f4757cce21bbf59c6258fa28c2392fa5e5e9f5a01866e1de628f467b59831c20b6a0712e971dc27c1d1babbfdf4
2024-08-09 14:24:04 UTC	303	IN	HTTP/1.1 200 OK Atl-Traceid: bd5dc8037c884e41b347a3eb314810ca Content-Length: 519 Content-Type: application/json Date: Fri, 09 Aug 2024 14:24:04 GMT Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"} Server: AtlassianEdge Connection: close
2024-08-09 14:24:04 UTC	519	IN	Data Raw: 7b 22 65 78 70 65 72 69 6d 65 6e 74 56 61 6c 75 65 73 22 3a 7b 22 66 65 61 74 75 72 65 5f 67 61 74 65 73 22 3a 7b 22 33 38 36 38 37 38 33 33 38 34 22 3a 7b 22 6e 61 6d 65 22 3a 22 37 34 39 32 37 37 35 32 33 33 39 32 22 2c 22 76 61 6c 75 65 22 3a 74 72 75 65 2c 22 72 75 6c 65 5f 69 64 22 3a 22 70 6d 4a 7a 68 7a 77 70 4b 4c 37 48 64 4c 52 6f 63 61 71 4d 77 55 3a 31 30 30 2e 30 30 3a 33 22 2c 22 73 65 63 6f 6e 64 61 72 79 5f 65 78 70 6f 73 75 72 65 73 22 3a 5b 5d 7d 7d 2c 22 64 79 6e 61 6d 69 63 5f 63 6f 6e 66 69 67 73 22 3a 7b 22 34 32 30 30 33 32 38 38 31 30 22 3a 7b 22 6e 61 6d 65 22 3a 22 34 32 30 30 33 32 38 38 31 30 22 2c 22 76 61 6c 75 65 22 3a 7b 7d 2c 22 72 75 6c 65 5f 69 64 22 3a 22 70 72 65 73 74 61 72 74 22 2c 22 73 65 63 6f 6e 64 61 72 79 5f 65 Data Ascii: {"experimentValues":{"feature_gates":{"3868783384":{"name":"749277523392","value":true,"rule_id":"pmJzhzwpKL7HdLRocaqMwU:100.00:3","secondary_exposures":[]}},"dynamic_configs":{"4200328810":{"name":"4200328810","value":{},"rule_id":"prestart","secondary_e

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	62.192.173.45	443	7468	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-09 14:24:05 UTC	387	OUT	POST /flags/api/v2/frontend/experimentValues HTTP/1.1 Accept: / Content-Type: application/json X-Client-Name: feature-gate-js-client X-Client-Version: 4.8.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Host: weblineinfo.com Content-Length: 335 Connection: Keep-Alive Cache-Control: no-cache
2024-08-09 14:24:05 UTC	335	OUT	Data Raw: 7b 22 69 64 65 6e 74 69 66 69 65 72 73 22 3a 7b 22 74 72 65 6c 6c 6f 55 73 65 72 49 64 22 3a 22 30 36 65 66 31 39 64 35 37 63 22 2c 22 61 74 6c 61 73 73 69 61 6e 41 63 63 6f 75 6e 74 49 64 22 3a 22 35 32 33 32 33 31 3a 36 66 35 64 66 35 34 35 2d 64 35 34 64 2d 34 36 64 33 2d 38 65 31 34 2d 32 65 31 63 33 34 31 35 32 39 65 31 22 7d 2c 22 63 75 73 74 6f 6d 41 74 74 72 69 62 75 74 65 73 22 3a 7b 22 6c 6f 63 61 6c 65 22 3a 22 65 6e 22 2c 22 64 65 76 22 3a 22 31 31 64 35 34 35 61 37 65 30 39 66 34 37 35 37 63 63 65 32 31 62 62 66 35 39 63 36 32 35 38 66 38 61 64 37 37 38 39 35 39 32 34 32 37 63 64 61 32 63 35 30 65 36 36 63 32 32 39 61 34 63 38 37 31 64 63 31 65 64 35 36 65 33 34 34 35 66 36 62 33 61 38 64 36 32 38 32 31 66 66 37 66 37 61 61 62 34 64 30 38 37 Data Ascii: {"identifiers":{"trelloUserId":"06ef19d57c","atlassianAccountId":"523231:6f5df545-d54d-46d3-8e14-2e1c341529e1"},"customAttributes":{"locale":"en","dev":"11d545a7e09f4757cce21bbf59c6258f8ad7789592427cda2c50e66c229a4c871dc1ed56e3445f6b3a8d62821ff7f7aab4d087
2024-08-09 14:24:05 UTC	302	IN	HTTP/1.1 200 OK Atl-Traceid: bd5dc8037c884e41b347a3eb314810ca Content-Length: 41 Content-Type: application/json Date: Fri, 09 Aug 2024 14:24:05 GMT Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"} Server: AtlassianEdge Connection: close
2024-08-09 14:24:05 UTC	41	IN	Data Raw: 7b 22 73 75 63 63 65 73 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 22 3a 22 75 73 65 72 5f 6e 6f 74 5f 66 6f 75 6e 64 22 7d Data Ascii: {"succes":false,"error":"user_not_found"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	62.192.173.45	443	7576	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-09 14:24:11 UTC	387	OUT	POST /flags/api/v2/frontend/experimentValues HTTP/1.1 Accept: / Content-Type: application/json X-Client-Name: feature-gate-js-client X-Client-Version: 4.8.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Host: weblineinfo.com Content-Length: 733 Connection: Keep-Alive Cache-Control: no-cache
2024-08-09 14:24:11 UTC	733	OUT	Data Raw: 7b 22 69 64 65 6e 74 69 66 69 65 72 73 22 3a 7b 22 74 72 65 6c 6c 6f 55 73 65 72 49 64 22 3a 22 30 36 65 66 31 39 64 35 37 63 22 2c 22 61 74 6c 61 73 73 69 61 6e 41 63 63 6f 75 6e 74 49 64 22 3a 22 35 32 33 32 33 31 3a 36 66 35 64 66 35 34 35 2d 64 35 34 64 2d 34 36 64 33 2d 38 65 31 34 2d 32 65 31 63 33 34 31 35 32 39 65 31 22 7d 2c 22 63 75 73 74 6f 6d 41 74 74 72 69 62 75 74 65 73 22 3a 7b 22 6c 6f 63 61 6c 65 22 3a 22 65 6e 22 2c 22 64 65 76 22 3a 22 31 31 64 35 34 35 61 37 65 30 39 66 34 37 35 37 63 63 65 32 31 62 62 66 35 39 63 36 32 35 38 66 61 32 38 63 32 33 39 32 66 61 35 65 35 65 39 66 35 61 30 31 38 36 36 65 31 64 65 36 32 38 66 34 36 37 62 35 39 38 33 31 63 32 30 62 36 61 30 37 31 32 65 39 37 31 64 63 32 37 63 31 64 31 62 61 62 62 66 64 66 34 Data Ascii: {"identifiers":{"trelloUserId":"06ef19d57c","atlassianAccountId":"523231:6f5df545-d54d-46d3-8e14-2e1c341529e1"},"customAttributes":{"locale":"en","dev":"11d545a7e09f4757cce21bbf59c6258fa28c2392fa5e5e9f5a01866e1de628f467b59831c20b6a0712e971dc27c1d1babbfdf4
2024-08-09 14:24:11 UTC	303	IN	HTTP/1.1 200 OK Atl-Traceid: bd5dc8037c884e41b347a3eb314810ca Content-Length: 519 Content-Type: application/json Date: Fri, 09 Aug 2024 14:24:11 GMT Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"} Server: AtlassianEdge Connection: close
2024-08-09 14:24:11 UTC	519	IN	Data Raw: 7b 22 65 78 70 65 72 69 6d 65 6e 74 56 61 6c 75 65 73 22 3a 7b 22 66 65 61 74 75 72 65 5f 67 61 74 65 73 22 3a 7b 22 33 38 36 38 37 38 33 33 38 34 22 3a 7b 22 6e 61 6d 65 22 3a 22 37 34 39 32 37 37 35 32 33 33 39 32 22 2c 22 76 61 6c 75 65 22 3a 74 72 75 65 2c 22 72 75 6c 65 5f 69 64 22 3a 22 70 6d 4a 7a 68 7a 77 70 4b 4c 37 48 64 4c 52 6f 63 61 71 4d 77 55 3a 31 30 30 2e 30 30 3a 33 22 2c 22 73 65 63 6f 6e 64 61 72 79 5f 65 78 70 6f 73 75 72 65 73 22 3a 5b 5d 7d 7d 2c 22 64 79 6e 61 6d 69 63 5f 63 6f 6e 66 69 67 73 22 3a 7b 22 34 32 30 30 33 32 38 38 31 30 22 3a 7b 22 6e 61 6d 65 22 3a 22 34 32 30 30 33 32 38 38 31 30 22 2c 22 76 61 6c 75 65 22 3a 7b 7d 2c 22 72 75 6c 65 5f 69 64 22 3a 22 70 72 65 73 74 61 72 74 22 2c 22 73 65 63 6f 6e 64 61 72 79 5f 65 Data Ascii: {"experimentValues":{"feature_gates":{"3868783384":{"name":"749277523392","value":true,"rule_id":"pmJzhzwpKL7HdLRocaqMwU:100.00:3","secondary_exposures":[]}},"dynamic_configs":{"4200328810":{"name":"4200328810","value":{},"rule_id":"prestart","secondary_e

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49733	62.192.173.45	443	7576	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-09 14:24:12 UTC	387	OUT	POST /flags/api/v2/frontend/experimentValues HTTP/1.1 Accept: / Content-Type: application/json X-Client-Name: feature-gate-js-client X-Client-Version: 4.8.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Host: weblineinfo.com Content-Length: 335 Connection: Keep-Alive Cache-Control: no-cache
2024-08-09 14:24:12 UTC	335	OUT	Data Raw: 7b 22 69 64 65 6e 74 69 66 69 65 72 73 22 3a 7b 22 74 72 65 6c 6c 6f 55 73 65 72 49 64 22 3a 22 30 36 65 66 31 39 64 35 37 63 22 2c 22 61 74 6c 61 73 73 69 61 6e 41 63 63 6f 75 6e 74 49 64 22 3a 22 35 32 33 32 33 31 3a 36 66 35 64 66 35 34 35 2d 64 35 34 64 2d 34 36 64 33 2d 38 65 31 34 2d 32 65 31 63 33 34 31 35 32 39 65 31 22 7d 2c 22 63 75 73 74 6f 6d 41 74 74 72 69 62 75 74 65 73 22 3a 7b 22 6c 6f 63 61 6c 65 22 3a 22 65 6e 22 2c 22 64 65 76 22 3a 22 31 31 64 35 34 35 61 37 65 30 39 66 34 37 35 37 63 63 65 32 31 62 62 66 35 39 63 36 32 35 38 66 38 61 64 37 37 38 39 36 39 32 34 32 37 31 62 64 33 31 33 34 39 36 30 34 32 35 39 33 32 66 39 32 31 31 62 66 39 61 32 32 65 34 33 35 35 65 36 66 35 64 39 34 30 32 66 36 30 35 65 31 66 35 61 39 62 35 62 35 39 35 Data Ascii: {"identifiers":{"trelloUserId":"06ef19d57c","atlassianAccountId":"523231:6f5df545-d54d-46d3-8e14-2e1c341529e1"},"customAttributes":{"locale":"en","dev":"11d545a7e09f4757cce21bbf59c6258f8ad77896924271bd3134960425932f9211bf9a22e4355e6f5d9402f605e1f5a9b5b595
2024-08-09 14:24:12 UTC	302	IN	HTTP/1.1 200 OK Atl-Traceid: bd5dc8037c884e41b347a3eb314810ca Content-Length: 41 Content-Type: application/json Date: Fri, 09 Aug 2024 14:24:12 GMT Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"} Server: AtlassianEdge Connection: close
2024-08-09 14:24:12 UTC	41	IN	Data Raw: 7b 22 73 75 63 63 65 73 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 22 3a 22 75 73 65 72 5f 6e 6f 74 5f 66 6f 75 6e 64 22 7d Data Ascii: {"succes":false,"error":"user_not_found"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49740	62.192.173.45	443	7468	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-09 14:24:30 UTC	387	OUT	POST /flags/api/v2/frontend/experimentValues HTTP/1.1 Accept: / Content-Type: application/json X-Client-Name: feature-gate-js-client X-Client-Version: 4.8.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Host: weblineinfo.com Content-Length: 335 Connection: Keep-Alive Cache-Control: no-cache
2024-08-09 14:24:30 UTC	335	OUT	Data Raw: 7b 22 69 64 65 6e 74 69 66 69 65 72 73 22 3a 7b 22 74 72 65 6c 6c 6f 55 73 65 72 49 64 22 3a 22 30 36 65 66 31 39 64 35 37 63 22 2c 22 61 74 6c 61 73 73 69 61 6e 41 63 63 6f 75 6e 74 49 64 22 3a 22 35 32 33 32 33 31 3a 36 66 35 64 66 35 34 35 2d 64 35 34 64 2d 34 36 64 33 2d 38 65 31 34 2d 32 65 31 63 33 34 31 35 32 39 65 31 22 7d 2c 22 63 75 73 74 6f 6d 41 74 74 72 69 62 75 74 65 73 22 3a 7b 22 6c 6f 63 61 6c 65 22 3a 22 65 6e 22 2c 22 64 65 76 22 3a 22 31 31 64 35 34 35 61 37 65 30 39 66 34 37 35 37 63 63 65 32 31 62 62 66 35 39 63 36 32 35 38 66 38 61 64 37 37 38 39 35 39 32 34 32 37 63 64 61 32 63 35 30 65 36 36 63 32 32 39 61 34 63 38 37 31 64 63 31 65 64 35 36 65 33 34 34 35 66 36 62 33 61 38 64 36 32 38 32 31 66 66 37 66 37 61 61 62 34 64 30 38 37 Data Ascii: {"identifiers":{"trelloUserId":"06ef19d57c","atlassianAccountId":"523231:6f5df545-d54d-46d3-8e14-2e1c341529e1"},"customAttributes":{"locale":"en","dev":"11d545a7e09f4757cce21bbf59c6258f8ad7789592427cda2c50e66c229a4c871dc1ed56e3445f6b3a8d62821ff7f7aab4d087
2024-08-09 14:24:30 UTC	302	IN	HTTP/1.1 200 OK Atl-Traceid: bd5dc8037c884e41b347a3eb314810ca Content-Length: 41 Content-Type: application/json Date: Fri, 09 Aug 2024 14:24:30 GMT Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"} Server: AtlassianEdge Connection: close
2024-08-09 14:24:30 UTC	41	IN	Data Raw: 7b 22 73 75 63 63 65 73 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 22 3a 22 75 73 65 72 5f 6e 6f 74 5f 66 6f 75 6e 64 22 7d Data Ascii: {"succes":false,"error":"user_not_found"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49741	62.192.173.45	443	7576	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-09 14:24:33 UTC	387	OUT	POST /flags/api/v2/frontend/experimentValues HTTP/1.1 Accept: / Content-Type: application/json X-Client-Name: feature-gate-js-client X-Client-Version: 4.8.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Host: weblineinfo.com Content-Length: 335 Connection: Keep-Alive Cache-Control: no-cache
2024-08-09 14:24:33 UTC	335	OUT	Data Raw: 7b 22 69 64 65 6e 74 69 66 69 65 72 73 22 3a 7b 22 74 72 65 6c 6c 6f 55 73 65 72 49 64 22 3a 22 30 36 65 66 31 39 64 35 37 63 22 2c 22 61 74 6c 61 73 73 69 61 6e 41 63 63 6f 75 6e 74 49 64 22 3a 22 35 32 33 32 33 31 3a 36 66 35 64 66 35 34 35 2d 64 35 34 64 2d 34 36 64 33 2d 38 65 31 34 2d 32 65 31 63 33 34 31 35 32 39 65 31 22 7d 2c 22 63 75 73 74 6f 6d 41 74 74 72 69 62 75 74 65 73 22 3a 7b 22 6c 6f 63 61 6c 65 22 3a 22 65 6e 22 2c 22 64 65 76 22 3a 22 31 31 64 35 34 35 61 37 65 30 39 66 34 37 35 37 63 63 65 32 31 62 62 66 35 39 63 36 32 35 38 66 38 61 64 37 37 38 39 36 39 32 34 32 37 31 62 64 33 31 33 34 39 36 30 34 32 35 39 33 32 66 39 32 31 31 62 66 39 61 32 32 65 34 33 35 35 65 36 66 35 64 39 34 30 32 66 36 30 35 65 31 66 35 61 39 62 35 62 35 39 35 Data Ascii: {"identifiers":{"trelloUserId":"06ef19d57c","atlassianAccountId":"523231:6f5df545-d54d-46d3-8e14-2e1c341529e1"},"customAttributes":{"locale":"en","dev":"11d545a7e09f4757cce21bbf59c6258f8ad77896924271bd3134960425932f9211bf9a22e4355e6f5d9402f605e1f5a9b5b595
2024-08-09 14:24:33 UTC	302	IN	HTTP/1.1 200 OK Atl-Traceid: bd5dc8037c884e41b347a3eb314810ca Content-Length: 41 Content-Type: application/json Date: Fri, 09 Aug 2024 14:24:33 GMT Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"} Server: AtlassianEdge Connection: close
2024-08-09 14:24:33 UTC	41	IN	Data Raw: 7b 22 73 75 63 63 65 73 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 22 3a 22 75 73 65 72 5f 6e 6f 74 5f 66 6f 75 6e 64 22 7d Data Ascii: {"succes":false,"error":"user_not_found"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49742	62.192.173.45	443	7468	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-09 14:24:54 UTC	387	OUT	POST /flags/api/v2/frontend/experimentValues HTTP/1.1 Accept: / Content-Type: application/json X-Client-Name: feature-gate-js-client X-Client-Version: 4.8.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Host: weblineinfo.com Content-Length: 335 Connection: Keep-Alive Cache-Control: no-cache
2024-08-09 14:24:54 UTC	335	OUT	Data Raw: 7b 22 69 64 65 6e 74 69 66 69 65 72 73 22 3a 7b 22 74 72 65 6c 6c 6f 55 73 65 72 49 64 22 3a 22 30 36 65 66 31 39 64 35 37 63 22 2c 22 61 74 6c 61 73 73 69 61 6e 41 63 63 6f 75 6e 74 49 64 22 3a 22 35 32 33 32 33 31 3a 36 66 35 64 66 35 34 35 2d 64 35 34 64 2d 34 36 64 33 2d 38 65 31 34 2d 32 65 31 63 33 34 31 35 32 39 65 31 22 7d 2c 22 63 75 73 74 6f 6d 41 74 74 72 69 62 75 74 65 73 22 3a 7b 22 6c 6f 63 61 6c 65 22 3a 22 65 6e 22 2c 22 64 65 76 22 3a 22 31 31 64 35 34 35 61 37 65 30 39 66 34 37 35 37 63 63 65 32 31 62 62 66 35 39 63 36 32 35 38 66 38 61 64 37 37 38 39 35 39 32 34 32 37 63 64 61 32 63 35 30 65 36 36 63 32 32 39 61 34 63 38 37 31 64 63 31 65 64 35 36 65 33 34 34 35 66 36 62 33 61 38 64 36 32 38 32 31 66 66 37 66 37 61 61 62 34 64 30 38 37 Data Ascii: {"identifiers":{"trelloUserId":"06ef19d57c","atlassianAccountId":"523231:6f5df545-d54d-46d3-8e14-2e1c341529e1"},"customAttributes":{"locale":"en","dev":"11d545a7e09f4757cce21bbf59c6258f8ad7789592427cda2c50e66c229a4c871dc1ed56e3445f6b3a8d62821ff7f7aab4d087
2024-08-09 14:24:54 UTC	302	IN	HTTP/1.1 200 OK Atl-Traceid: bd5dc8037c884e41b347a3eb314810ca Content-Length: 41 Content-Type: application/json Date: Fri, 09 Aug 2024 14:24:54 GMT Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"} Server: AtlassianEdge Connection: close
2024-08-09 14:24:54 UTC	41	IN	Data Raw: 7b 22 73 75 63 63 65 73 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 22 3a 22 75 73 65 72 5f 6e 6f 74 5f 66 6f 75 6e 64 22 7d Data Ascii: {"succes":false,"error":"user_not_found"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49744	62.192.173.45	443	7576	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-09 14:24:55 UTC	387	OUT	POST /flags/api/v2/frontend/experimentValues HTTP/1.1 Accept: / Content-Type: application/json X-Client-Name: feature-gate-js-client X-Client-Version: 4.8.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Host: weblineinfo.com Content-Length: 335 Connection: Keep-Alive Cache-Control: no-cache
2024-08-09 14:24:55 UTC	335	OUT	Data Raw: 7b 22 69 64 65 6e 74 69 66 69 65 72 73 22 3a 7b 22 74 72 65 6c 6c 6f 55 73 65 72 49 64 22 3a 22 30 36 65 66 31 39 64 35 37 63 22 2c 22 61 74 6c 61 73 73 69 61 6e 41 63 63 6f 75 6e 74 49 64 22 3a 22 35 32 33 32 33 31 3a 36 66 35 64 66 35 34 35 2d 64 35 34 64 2d 34 36 64 33 2d 38 65 31 34 2d 32 65 31 63 33 34 31 35 32 39 65 31 22 7d 2c 22 63 75 73 74 6f 6d 41 74 74 72 69 62 75 74 65 73 22 3a 7b 22 6c 6f 63 61 6c 65 22 3a 22 65 6e 22 2c 22 64 65 76 22 3a 22 31 31 64 35 34 35 61 37 65 30 39 66 34 37 35 37 63 63 65 32 31 62 62 66 35 39 63 36 32 35 38 66 38 61 64 37 37 38 39 36 39 32 34 32 37 31 62 64 33 31 33 34 39 36 30 34 32 35 39 33 32 66 39 32 31 31 62 66 39 61 32 32 65 34 33 35 35 65 36 66 35 64 39 34 30 32 66 36 30 35 65 31 66 35 61 39 62 35 62 35 39 35 Data Ascii: {"identifiers":{"trelloUserId":"06ef19d57c","atlassianAccountId":"523231:6f5df545-d54d-46d3-8e14-2e1c341529e1"},"customAttributes":{"locale":"en","dev":"11d545a7e09f4757cce21bbf59c6258f8ad77896924271bd3134960425932f9211bf9a22e4355e6f5d9402f605e1f5a9b5b595
2024-08-09 14:24:55 UTC	302	IN	HTTP/1.1 200 OK Atl-Traceid: bd5dc8037c884e41b347a3eb314810ca Content-Length: 41 Content-Type: application/json Date: Fri, 09 Aug 2024 14:24:55 GMT Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"} Server: AtlassianEdge Connection: close
2024-08-09 14:24:55 UTC	41	IN	Data Raw: 7b 22 73 75 63 63 65 73 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 22 3a 22 75 73 65 72 5f 6e 6f 74 5f 66 6f 75 6e 64 22 7d Data Ascii: {"succes":false,"error":"user_not_found"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49745	62.192.173.45	443	7468	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-09 14:25:13 UTC	387	OUT	POST /flags/api/v2/frontend/experimentValues HTTP/1.1 Accept: / Content-Type: application/json X-Client-Name: feature-gate-js-client X-Client-Version: 4.8.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Host: weblineinfo.com Content-Length: 335 Connection: Keep-Alive Cache-Control: no-cache
2024-08-09 14:25:13 UTC	335	OUT	Data Raw: 7b 22 69 64 65 6e 74 69 66 69 65 72 73 22 3a 7b 22 74 72 65 6c 6c 6f 55 73 65 72 49 64 22 3a 22 30 36 65 66 31 39 64 35 37 63 22 2c 22 61 74 6c 61 73 73 69 61 6e 41 63 63 6f 75 6e 74 49 64 22 3a 22 35 32 33 32 33 31 3a 36 66 35 64 66 35 34 35 2d 64 35 34 64 2d 34 36 64 33 2d 38 65 31 34 2d 32 65 31 63 33 34 31 35 32 39 65 31 22 7d 2c 22 63 75 73 74 6f 6d 41 74 74 72 69 62 75 74 65 73 22 3a 7b 22 6c 6f 63 61 6c 65 22 3a 22 65 6e 22 2c 22 64 65 76 22 3a 22 31 31 64 35 34 35 61 37 65 30 39 66 34 37 35 37 63 63 65 32 31 62 62 66 35 39 63 36 32 35 38 66 38 61 64 37 37 38 39 35 39 32 34 32 37 63 64 61 32 63 35 30 65 36 36 63 32 32 39 61 34 63 38 37 31 64 63 31 65 64 35 36 65 33 34 34 35 66 36 62 33 61 38 64 36 32 38 32 31 66 66 37 66 37 61 61 62 34 64 30 38 37 Data Ascii: {"identifiers":{"trelloUserId":"06ef19d57c","atlassianAccountId":"523231:6f5df545-d54d-46d3-8e14-2e1c341529e1"},"customAttributes":{"locale":"en","dev":"11d545a7e09f4757cce21bbf59c6258f8ad7789592427cda2c50e66c229a4c871dc1ed56e3445f6b3a8d62821ff7f7aab4d087
2024-08-09 14:25:13 UTC	136	IN	HTTP/1.1 200 OK Content-Length: 14 Content-Type: text/plain; charset=utf-8 Date: Fri, 09 Aug 2024 14:25:13 GMT Connection: close
2024-08-09 14:25:13 UTC	14	IN	Data Raw: 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: Page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49746	62.192.173.45	443	7576	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-09 14:25:15 UTC	387	OUT	POST /flags/api/v2/frontend/experimentValues HTTP/1.1 Accept: / Content-Type: application/json X-Client-Name: feature-gate-js-client X-Client-Version: 4.8.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Host: weblineinfo.com Content-Length: 335 Connection: Keep-Alive Cache-Control: no-cache
2024-08-09 14:25:15 UTC	335	OUT	Data Raw: 7b 22 69 64 65 6e 74 69 66 69 65 72 73 22 3a 7b 22 74 72 65 6c 6c 6f 55 73 65 72 49 64 22 3a 22 30 36 65 66 31 39 64 35 37 63 22 2c 22 61 74 6c 61 73 73 69 61 6e 41 63 63 6f 75 6e 74 49 64 22 3a 22 35 32 33 32 33 31 3a 36 66 35 64 66 35 34 35 2d 64 35 34 64 2d 34 36 64 33 2d 38 65 31 34 2d 32 65 31 63 33 34 31 35 32 39 65 31 22 7d 2c 22 63 75 73 74 6f 6d 41 74 74 72 69 62 75 74 65 73 22 3a 7b 22 6c 6f 63 61 6c 65 22 3a 22 65 6e 22 2c 22 64 65 76 22 3a 22 31 31 64 35 34 35 61 37 65 30 39 66 34 37 35 37 63 63 65 32 31 62 62 66 35 39 63 36 32 35 38 66 38 61 64 37 37 38 39 36 39 32 34 32 37 31 62 64 33 31 33 34 39 36 30 34 32 35 39 33 32 66 39 32 31 31 62 66 39 61 32 32 65 34 33 35 35 65 36 66 35 64 39 34 30 32 66 36 30 35 65 31 66 35 61 39 62 35 62 35 39 35 Data Ascii: {"identifiers":{"trelloUserId":"06ef19d57c","atlassianAccountId":"523231:6f5df545-d54d-46d3-8e14-2e1c341529e1"},"customAttributes":{"locale":"en","dev":"11d545a7e09f4757cce21bbf59c6258f8ad77896924271bd3134960425932f9211bf9a22e4355e6f5d9402f605e1f5a9b5b595
2024-08-09 14:25:15 UTC	136	IN	HTTP/1.1 200 OK Content-Length: 14 Content-Type: text/plain; charset=utf-8 Date: Fri, 09 Aug 2024 14:25:15 GMT Connection: close
2024-08-09 14:25:15 UTC	14	IN	Data Raw: 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: Page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49747	62.192.173.45	443	7576	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-09 14:25:37 UTC	387	OUT	POST /flags/api/v2/frontend/experimentValues HTTP/1.1 Accept: / Content-Type: application/json X-Client-Name: feature-gate-js-client X-Client-Version: 4.8.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Host: weblineinfo.com Content-Length: 335 Connection: Keep-Alive Cache-Control: no-cache
2024-08-09 14:25:37 UTC	335	OUT	Data Raw: 7b 22 69 64 65 6e 74 69 66 69 65 72 73 22 3a 7b 22 74 72 65 6c 6c 6f 55 73 65 72 49 64 22 3a 22 30 36 65 66 31 39 64 35 37 63 22 2c 22 61 74 6c 61 73 73 69 61 6e 41 63 63 6f 75 6e 74 49 64 22 3a 22 35 32 33 32 33 31 3a 36 66 35 64 66 35 34 35 2d 64 35 34 64 2d 34 36 64 33 2d 38 65 31 34 2d 32 65 31 63 33 34 31 35 32 39 65 31 22 7d 2c 22 63 75 73 74 6f 6d 41 74 74 72 69 62 75 74 65 73 22 3a 7b 22 6c 6f 63 61 6c 65 22 3a 22 65 6e 22 2c 22 64 65 76 22 3a 22 31 31 64 35 34 35 61 37 65 30 39 66 34 37 35 37 63 63 65 32 31 62 62 66 35 39 63 36 32 35 38 66 38 61 64 37 37 38 39 36 39 32 34 32 37 31 62 64 33 31 33 34 39 36 30 34 32 35 39 33 32 66 39 32 31 31 62 66 39 61 32 32 65 34 33 35 35 65 36 66 35 64 39 34 30 32 66 36 30 35 65 31 66 35 61 39 62 35 62 35 39 35 Data Ascii: {"identifiers":{"trelloUserId":"06ef19d57c","atlassianAccountId":"523231:6f5df545-d54d-46d3-8e14-2e1c341529e1"},"customAttributes":{"locale":"en","dev":"11d545a7e09f4757cce21bbf59c6258f8ad77896924271bd3134960425932f9211bf9a22e4355e6f5d9402f605e1f5a9b5b595
2024-08-09 14:25:38 UTC	136	IN	HTTP/1.1 200 OK Content-Length: 14 Content-Type: text/plain; charset=utf-8 Date: Fri, 09 Aug 2024 14:25:38 GMT Connection: close
2024-08-09 14:25:38 UTC	14	IN	Data Raw: 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: Page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49748	62.192.173.45	443	7468	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-09 14:25:45 UTC	387	OUT	POST /flags/api/v2/frontend/experimentValues HTTP/1.1 Accept: / Content-Type: application/json X-Client-Name: feature-gate-js-client X-Client-Version: 4.8.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Host: weblineinfo.com Content-Length: 335 Connection: Keep-Alive Cache-Control: no-cache
2024-08-09 14:25:45 UTC	335	OUT	Data Raw: 7b 22 69 64 65 6e 74 69 66 69 65 72 73 22 3a 7b 22 74 72 65 6c 6c 6f 55 73 65 72 49 64 22 3a 22 30 36 65 66 31 39 64 35 37 63 22 2c 22 61 74 6c 61 73 73 69 61 6e 41 63 63 6f 75 6e 74 49 64 22 3a 22 35 32 33 32 33 31 3a 36 66 35 64 66 35 34 35 2d 64 35 34 64 2d 34 36 64 33 2d 38 65 31 34 2d 32 65 31 63 33 34 31 35 32 39 65 31 22 7d 2c 22 63 75 73 74 6f 6d 41 74 74 72 69 62 75 74 65 73 22 3a 7b 22 6c 6f 63 61 6c 65 22 3a 22 65 6e 22 2c 22 64 65 76 22 3a 22 31 31 64 35 34 35 61 37 65 30 39 66 34 37 35 37 63 63 65 32 31 62 62 66 35 39 63 36 32 35 38 66 38 61 64 37 37 38 39 35 39 32 34 32 37 63 64 61 32 63 35 30 65 36 36 63 32 32 39 61 34 63 38 37 31 64 63 31 65 64 35 36 65 33 34 34 35 66 36 62 33 61 38 64 36 32 38 32 31 66 66 37 66 37 61 61 62 34 64 30 38 37 Data Ascii: {"identifiers":{"trelloUserId":"06ef19d57c","atlassianAccountId":"523231:6f5df545-d54d-46d3-8e14-2e1c341529e1"},"customAttributes":{"locale":"en","dev":"11d545a7e09f4757cce21bbf59c6258f8ad7789592427cda2c50e66c229a4c871dc1ed56e3445f6b3a8d62821ff7f7aab4d087
2024-08-09 14:25:46 UTC	136	IN	HTTP/1.1 200 OK Content-Length: 14 Content-Type: text/plain; charset=utf-8 Date: Fri, 09 Aug 2024 14:25:45 GMT Connection: close
2024-08-09 14:25:46 UTC	14	IN	Data Raw: 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: Page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49749	62.192.173.45	443	7576	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-09 14:25:53 UTC	387	OUT	POST /flags/api/v2/frontend/experimentValues HTTP/1.1 Accept: / Content-Type: application/json X-Client-Name: feature-gate-js-client X-Client-Version: 4.8.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Host: weblineinfo.com Content-Length: 335 Connection: Keep-Alive Cache-Control: no-cache
2024-08-09 14:25:53 UTC	335	OUT	Data Raw: 7b 22 69 64 65 6e 74 69 66 69 65 72 73 22 3a 7b 22 74 72 65 6c 6c 6f 55 73 65 72 49 64 22 3a 22 30 36 65 66 31 39 64 35 37 63 22 2c 22 61 74 6c 61 73 73 69 61 6e 41 63 63 6f 75 6e 74 49 64 22 3a 22 35 32 33 32 33 31 3a 36 66 35 64 66 35 34 35 2d 64 35 34 64 2d 34 36 64 33 2d 38 65 31 34 2d 32 65 31 63 33 34 31 35 32 39 65 31 22 7d 2c 22 63 75 73 74 6f 6d 41 74 74 72 69 62 75 74 65 73 22 3a 7b 22 6c 6f 63 61 6c 65 22 3a 22 65 6e 22 2c 22 64 65 76 22 3a 22 31 31 64 35 34 35 61 37 65 30 39 66 34 37 35 37 63 63 65 32 31 62 62 66 35 39 63 36 32 35 38 66 38 61 64 37 37 38 39 36 39 32 34 32 37 31 62 64 33 31 33 34 39 36 30 34 32 35 39 33 32 66 39 32 31 31 62 66 39 61 32 32 65 34 33 35 35 65 36 66 35 64 39 34 30 32 66 36 30 35 65 31 66 35 61 39 62 35 62 35 39 35 Data Ascii: {"identifiers":{"trelloUserId":"06ef19d57c","atlassianAccountId":"523231:6f5df545-d54d-46d3-8e14-2e1c341529e1"},"customAttributes":{"locale":"en","dev":"11d545a7e09f4757cce21bbf59c6258f8ad77896924271bd3134960425932f9211bf9a22e4355e6f5d9402f605e1f5a9b5b595
2024-08-09 14:25:53 UTC	136	IN	HTTP/1.1 200 OK Content-Length: 14 Content-Type: text/plain; charset=utf-8 Date: Fri, 09 Aug 2024 14:25:53 GMT Connection: close
2024-08-09 14:25:53 UTC	14	IN	Data Raw: 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: Page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49750	62.192.173.45	443	7468	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-09 14:26:08 UTC	387	OUT	POST /flags/api/v2/frontend/experimentValues HTTP/1.1 Accept: / Content-Type: application/json X-Client-Name: feature-gate-js-client X-Client-Version: 4.8.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Host: weblineinfo.com Content-Length: 335 Connection: Keep-Alive Cache-Control: no-cache
2024-08-09 14:26:08 UTC	335	OUT	Data Raw: 7b 22 69 64 65 6e 74 69 66 69 65 72 73 22 3a 7b 22 74 72 65 6c 6c 6f 55 73 65 72 49 64 22 3a 22 30 36 65 66 31 39 64 35 37 63 22 2c 22 61 74 6c 61 73 73 69 61 6e 41 63 63 6f 75 6e 74 49 64 22 3a 22 35 32 33 32 33 31 3a 36 66 35 64 66 35 34 35 2d 64 35 34 64 2d 34 36 64 33 2d 38 65 31 34 2d 32 65 31 63 33 34 31 35 32 39 65 31 22 7d 2c 22 63 75 73 74 6f 6d 41 74 74 72 69 62 75 74 65 73 22 3a 7b 22 6c 6f 63 61 6c 65 22 3a 22 65 6e 22 2c 22 64 65 76 22 3a 22 31 31 64 35 34 35 61 37 65 30 39 66 34 37 35 37 63 63 65 32 31 62 62 66 35 39 63 36 32 35 38 66 38 61 64 37 37 38 39 35 39 32 34 32 37 63 64 61 32 63 35 30 65 36 36 63 32 32 39 61 34 63 38 37 31 64 63 31 65 64 35 36 65 33 34 34 35 66 36 62 33 61 38 64 36 32 38 32 31 66 66 37 66 37 61 61 62 34 64 30 38 37 Data Ascii: {"identifiers":{"trelloUserId":"06ef19d57c","atlassianAccountId":"523231:6f5df545-d54d-46d3-8e14-2e1c341529e1"},"customAttributes":{"locale":"en","dev":"11d545a7e09f4757cce21bbf59c6258f8ad7789592427cda2c50e66c229a4c871dc1ed56e3445f6b3a8d62821ff7f7aab4d087
2024-08-09 14:26:09 UTC	136	IN	HTTP/1.1 200 OK Content-Length: 14 Content-Type: text/plain; charset=utf-8 Date: Fri, 09 Aug 2024 14:26:08 GMT Connection: close
2024-08-09 14:26:09 UTC	14	IN	Data Raw: 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: Page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49751	62.192.173.45	443	7576	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-09 14:26:08 UTC	387	OUT	POST /flags/api/v2/frontend/experimentValues HTTP/1.1 Accept: / Content-Type: application/json X-Client-Name: feature-gate-js-client X-Client-Version: 4.8.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Host: weblineinfo.com Content-Length: 335 Connection: Keep-Alive Cache-Control: no-cache
2024-08-09 14:26:08 UTC	335	OUT	Data Raw: 7b 22 69 64 65 6e 74 69 66 69 65 72 73 22 3a 7b 22 74 72 65 6c 6c 6f 55 73 65 72 49 64 22 3a 22 30 36 65 66 31 39 64 35 37 63 22 2c 22 61 74 6c 61 73 73 69 61 6e 41 63 63 6f 75 6e 74 49 64 22 3a 22 35 32 33 32 33 31 3a 36 66 35 64 66 35 34 35 2d 64 35 34 64 2d 34 36 64 33 2d 38 65 31 34 2d 32 65 31 63 33 34 31 35 32 39 65 31 22 7d 2c 22 63 75 73 74 6f 6d 41 74 74 72 69 62 75 74 65 73 22 3a 7b 22 6c 6f 63 61 6c 65 22 3a 22 65 6e 22 2c 22 64 65 76 22 3a 22 31 31 64 35 34 35 61 37 65 30 39 66 34 37 35 37 63 63 65 32 31 62 62 66 35 39 63 36 32 35 38 66 38 61 64 37 37 38 39 36 39 32 34 32 37 31 62 64 33 31 33 34 39 36 30 34 32 35 39 33 32 66 39 32 31 31 62 66 39 61 32 32 65 34 33 35 35 65 36 66 35 64 39 34 30 32 66 36 30 35 65 31 66 35 61 39 62 35 62 35 39 35 Data Ascii: {"identifiers":{"trelloUserId":"06ef19d57c","atlassianAccountId":"523231:6f5df545-d54d-46d3-8e14-2e1c341529e1"},"customAttributes":{"locale":"en","dev":"11d545a7e09f4757cce21bbf59c6258f8ad77896924271bd3134960425932f9211bf9a22e4355e6f5d9402f605e1f5a9b5b595
2024-08-09 14:26:09 UTC	136	IN	HTTP/1.1 200 OK Content-Length: 14 Content-Type: text/plain; charset=utf-8 Date: Fri, 09 Aug 2024 14:26:09 GMT Connection: close
2024-08-09 14:26:09 UTC	14	IN	Data Raw: 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: Page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49752	62.192.173.45	443	7576	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-09 14:26:28 UTC	387	OUT	POST /flags/api/v2/frontend/experimentValues HTTP/1.1 Accept: / Content-Type: application/json X-Client-Name: feature-gate-js-client X-Client-Version: 4.8.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Host: weblineinfo.com Content-Length: 335 Connection: Keep-Alive Cache-Control: no-cache
2024-08-09 14:26:28 UTC	335	OUT	Data Raw: 7b 22 69 64 65 6e 74 69 66 69 65 72 73 22 3a 7b 22 74 72 65 6c 6c 6f 55 73 65 72 49 64 22 3a 22 30 36 65 66 31 39 64 35 37 63 22 2c 22 61 74 6c 61 73 73 69 61 6e 41 63 63 6f 75 6e 74 49 64 22 3a 22 35 32 33 32 33 31 3a 36 66 35 64 66 35 34 35 2d 64 35 34 64 2d 34 36 64 33 2d 38 65 31 34 2d 32 65 31 63 33 34 31 35 32 39 65 31 22 7d 2c 22 63 75 73 74 6f 6d 41 74 74 72 69 62 75 74 65 73 22 3a 7b 22 6c 6f 63 61 6c 65 22 3a 22 65 6e 22 2c 22 64 65 76 22 3a 22 31 31 64 35 34 35 61 37 65 30 39 66 34 37 35 37 63 63 65 32 31 62 62 66 35 39 63 36 32 35 38 66 38 61 64 37 37 38 39 36 39 32 34 32 37 31 62 64 33 31 33 34 39 36 30 34 32 35 39 33 32 66 39 32 31 31 62 66 39 61 32 32 65 34 33 35 35 65 36 66 35 64 39 34 30 32 66 36 30 35 65 31 66 35 61 39 62 35 62 35 39 35 Data Ascii: {"identifiers":{"trelloUserId":"06ef19d57c","atlassianAccountId":"523231:6f5df545-d54d-46d3-8e14-2e1c341529e1"},"customAttributes":{"locale":"en","dev":"11d545a7e09f4757cce21bbf59c6258f8ad77896924271bd3134960425932f9211bf9a22e4355e6f5d9402f605e1f5a9b5b595
2024-08-09 14:26:28 UTC	136	IN	HTTP/1.1 200 OK Content-Length: 14 Content-Type: text/plain; charset=utf-8 Date: Fri, 09 Aug 2024 14:26:28 GMT Connection: close
2024-08-09 14:26:28 UTC	14	IN	Data Raw: 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: Page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49753	62.192.173.45	443	7468	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-09 14:26:31 UTC	387	OUT	POST /flags/api/v2/frontend/experimentValues HTTP/1.1 Accept: / Content-Type: application/json X-Client-Name: feature-gate-js-client X-Client-Version: 4.8.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Host: weblineinfo.com Content-Length: 335 Connection: Keep-Alive Cache-Control: no-cache
2024-08-09 14:26:31 UTC	335	OUT	Data Raw: 7b 22 69 64 65 6e 74 69 66 69 65 72 73 22 3a 7b 22 74 72 65 6c 6c 6f 55 73 65 72 49 64 22 3a 22 30 36 65 66 31 39 64 35 37 63 22 2c 22 61 74 6c 61 73 73 69 61 6e 41 63 63 6f 75 6e 74 49 64 22 3a 22 35 32 33 32 33 31 3a 36 66 35 64 66 35 34 35 2d 64 35 34 64 2d 34 36 64 33 2d 38 65 31 34 2d 32 65 31 63 33 34 31 35 32 39 65 31 22 7d 2c 22 63 75 73 74 6f 6d 41 74 74 72 69 62 75 74 65 73 22 3a 7b 22 6c 6f 63 61 6c 65 22 3a 22 65 6e 22 2c 22 64 65 76 22 3a 22 31 31 64 35 34 35 61 37 65 30 39 66 34 37 35 37 63 63 65 32 31 62 62 66 35 39 63 36 32 35 38 66 38 61 64 37 37 38 39 35 39 32 34 32 37 63 64 61 32 63 35 30 65 36 36 63 32 32 39 61 34 63 38 37 31 64 63 31 65 64 35 36 65 33 34 34 35 66 36 62 33 61 38 64 36 32 38 32 31 66 66 37 66 37 61 61 62 34 64 30 38 37 Data Ascii: {"identifiers":{"trelloUserId":"06ef19d57c","atlassianAccountId":"523231:6f5df545-d54d-46d3-8e14-2e1c341529e1"},"customAttributes":{"locale":"en","dev":"11d545a7e09f4757cce21bbf59c6258f8ad7789592427cda2c50e66c229a4c871dc1ed56e3445f6b3a8d62821ff7f7aab4d087
2024-08-09 14:26:31 UTC	136	IN	HTTP/1.1 200 OK Content-Length: 14 Content-Type: text/plain; charset=utf-8 Date: Fri, 09 Aug 2024 14:26:31 GMT Connection: close
2024-08-09 14:26:31 UTC	14	IN	Data Raw: 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: Page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49754	62.192.173.45	443	7576	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-09 14:26:46 UTC	387	OUT	POST /flags/api/v2/frontend/experimentValues HTTP/1.1 Accept: / Content-Type: application/json X-Client-Name: feature-gate-js-client X-Client-Version: 4.8.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Host: weblineinfo.com Content-Length: 335 Connection: Keep-Alive Cache-Control: no-cache
2024-08-09 14:26:46 UTC	335	OUT	Data Raw: 7b 22 69 64 65 6e 74 69 66 69 65 72 73 22 3a 7b 22 74 72 65 6c 6c 6f 55 73 65 72 49 64 22 3a 22 30 36 65 66 31 39 64 35 37 63 22 2c 22 61 74 6c 61 73 73 69 61 6e 41 63 63 6f 75 6e 74 49 64 22 3a 22 35 32 33 32 33 31 3a 36 66 35 64 66 35 34 35 2d 64 35 34 64 2d 34 36 64 33 2d 38 65 31 34 2d 32 65 31 63 33 34 31 35 32 39 65 31 22 7d 2c 22 63 75 73 74 6f 6d 41 74 74 72 69 62 75 74 65 73 22 3a 7b 22 6c 6f 63 61 6c 65 22 3a 22 65 6e 22 2c 22 64 65 76 22 3a 22 31 31 64 35 34 35 61 37 65 30 39 66 34 37 35 37 63 63 65 32 31 62 62 66 35 39 63 36 32 35 38 66 38 61 64 37 37 38 39 36 39 32 34 32 37 31 62 64 33 31 33 34 39 36 30 34 32 35 39 33 32 66 39 32 31 31 62 66 39 61 32 32 65 34 33 35 35 65 36 66 35 64 39 34 30 32 66 36 30 35 65 31 66 35 61 39 62 35 62 35 39 35 Data Ascii: {"identifiers":{"trelloUserId":"06ef19d57c","atlassianAccountId":"523231:6f5df545-d54d-46d3-8e14-2e1c341529e1"},"customAttributes":{"locale":"en","dev":"11d545a7e09f4757cce21bbf59c6258f8ad77896924271bd3134960425932f9211bf9a22e4355e6f5d9402f605e1f5a9b5b595
2024-08-09 14:26:47 UTC	136	IN	HTTP/1.1 200 OK Content-Length: 14 Content-Type: text/plain; charset=utf-8 Date: Fri, 09 Aug 2024 14:26:47 GMT Connection: close
2024-08-09 14:26:47 UTC	14	IN	Data Raw: 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: Page not found

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49755	62.192.173.45	443	7468	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-08-09 14:26:50 UTC	387	OUT	POST /flags/api/v2/frontend/experimentValues HTTP/1.1 Accept: / Content-Type: application/json X-Client-Name: feature-gate-js-client X-Client-Version: 4.8.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Host: weblineinfo.com Content-Length: 335 Connection: Keep-Alive Cache-Control: no-cache
2024-08-09 14:26:50 UTC	335	OUT	Data Raw: 7b 22 69 64 65 6e 74 69 66 69 65 72 73 22 3a 7b 22 74 72 65 6c 6c 6f 55 73 65 72 49 64 22 3a 22 30 36 65 66 31 39 64 35 37 63 22 2c 22 61 74 6c 61 73 73 69 61 6e 41 63 63 6f 75 6e 74 49 64 22 3a 22 35 32 33 32 33 31 3a 36 66 35 64 66 35 34 35 2d 64 35 34 64 2d 34 36 64 33 2d 38 65 31 34 2d 32 65 31 63 33 34 31 35 32 39 65 31 22 7d 2c 22 63 75 73 74 6f 6d 41 74 74 72 69 62 75 74 65 73 22 3a 7b 22 6c 6f 63 61 6c 65 22 3a 22 65 6e 22 2c 22 64 65 76 22 3a 22 31 31 64 35 34 35 61 37 65 30 39 66 34 37 35 37 63 63 65 32 31 62 62 66 35 39 63 36 32 35 38 66 38 61 64 37 37 38 39 35 39 32 34 32 37 63 64 61 32 63 35 30 65 36 36 63 32 32 39 61 34 63 38 37 31 64 63 31 65 64 35 36 65 33 34 34 35 66 36 62 33 61 38 64 36 32 38 32 31 66 66 37 66 37 61 61 62 34 64 30 38 37 Data Ascii: {"identifiers":{"trelloUserId":"06ef19d57c","atlassianAccountId":"523231:6f5df545-d54d-46d3-8e14-2e1c341529e1"},"customAttributes":{"locale":"en","dev":"11d545a7e09f4757cce21bbf59c6258f8ad7789592427cda2c50e66c229a4c871dc1ed56e3445f6b3a8d62821ff7f7aab4d087
2024-08-09 14:26:50 UTC	136	IN	HTTP/1.1 200 OK Content-Length: 14 Content-Type: text/plain; charset=utf-8 Date: Fri, 09 Aug 2024 14:26:50 GMT Connection: close
2024-08-09 14:26:50 UTC	14	IN	Data Raw: 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 Data Ascii: Page not found

Target ID:	0
Start time:	10:23:57
Start date:	09/08/2024
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe "C:\Users\user\Desktop\10kmr9d7.dll"
Imagebase:	0x7ff6ce1b0000
File size:	165'888 bytes
MD5 hash:	763455F9DCB24DFEECC2B9D9F8D46D52
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	10:23:57
Start date:	09/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:23:57
Start date:	09/08/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",#1
Imagebase:	0x7ff798fd0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:23:57
Start date:	09/08/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\10kmr9d7.dll,ActionsShim_CancelAllOperations
Imagebase:	0x7ff668170000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:23:57
Start date:	09/08/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",#1
Imagebase:	0x7ff668170000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	10:24:00
Start date:	09/08/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\10kmr9d7.dll,ActionsShim_Create
Imagebase:	0x7ff668170000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	10:24:03
Start date:	09/08/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\10kmr9d7.dll,ActionsShim_Destroy
Imagebase:	0x7ff668170000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	10:24:06
Start date:	09/08/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_CancelAllOperations
Imagebase:	0x7ff668170000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	10:24:06
Start date:	09/08/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_Create
Imagebase:	0x7ff668170000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	10:24:06
Start date:	09/08/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_Destroy
Imagebase:	0x7ff668170000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	10:24:06
Start date:	09/08/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_Threat_GetTxtReplaceData
Imagebase:	0x7ff668170000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	10:24:06
Start date:	09/08/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_Threat_GetRegValueReplaceData
Imagebase:	0x7ff668170000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	10:24:06
Start date:	09/08/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_Threat_GetRegValueDeleteData
Imagebase:	0x7ff668170000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	10:24:06
Start date:	09/08/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_Threat_GetBasicData
Imagebase:	0x7ff668170000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	10:24:06
Start date:	09/08/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_Threat_Delete
Imagebase:	0x7ff668170000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	10:24:06
Start date:	09/08/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_ShutdownTargetDLL
Imagebase:	0x7ff668170000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	10:24:07
Start date:	09/08/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_SetMaxLogLevel
Imagebase:	0x7ff668170000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	10:24:07
Start date:	09/08/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_SetLogCallback
Imagebase:	0x7ff668170000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	10:24:07
Start date:	09/08/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_ProcessThreatActionsV2
Imagebase:	0x7ff668170000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	10:24:07
Start date:	09/08/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_ProcessThreatActions
Imagebase:	0x7ff668170000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	10:24:07
Start date:	09/08/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_ProcessPendingActionsAfterReboot
Imagebase:	0x7ff668170000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	10:24:07
Start date:	09/08/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_PrepareUpdate
Imagebase:	0x7ff668170000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	10:24:07
Start date:	09/08/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_IsDLLNewlyLoaded
Imagebase:	0x7ff668170000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	10:24:07
Start date:	09/08/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_InitTargetDLL
Imagebase:	0x7ff668170000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	10:24:07
Start date:	09/08/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_GetMinorAPIVersion
Imagebase:	0x7ff668170000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	10:24:07
Start date:	09/08/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_GetMajorAPIVersion
Imagebase:	0x7ff668170000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	10:24:07
Start date:	09/08/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_GetDetectedThreatsV2
Imagebase:	0x7ff668170000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	10:24:07
Start date:	09/08/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_GetDetectedThreats
Imagebase:	0x7ff668170000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	10:24:07
Start date:	09/08/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\10kmr9d7.dll",ActionsShim_FinishUpdate
Imagebase:	0x7ff668170000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.2%
Total number of Nodes:	948
Total number of Limit Nodes:	17

Executed Functions

Function 0000000180001D60 Relevance: 54.8, APIs: 10, Strings: 21, Instructions: 528
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000180008370: Concurrency::cancel_current_task.LIBCPMT ref: 00000001800083D7
Part of subcall function 0000000180008370: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800083DD

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000265B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180002661
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000266D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180002673
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180002679
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000267F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180002685
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000268B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180002691
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180002697

Part of subcall function 0000000180106664: Concurrency::cancel_current_task.LIBCPMT ref: 0000000180106694
Part of subcall function 0000000180106664: Concurrency::cancel_current_task.LIBCPMT ref: 000000018010669A

Strings

-TES, xrefs: 00000001800021DA
4(P^, xrefs: 0000000180002193
X5O!, xrefs: 0000000180002217
H+H*, xrefs: 00000001800021EF
LE!$, xrefs: 00000001800021E8
L, xrefs: 000000018000208E
P%@A, xrefs: 000000018000217B
RD-A, xrefs: 00000001800021C3
T-FI, xrefs: 00000001800021E1
EICA, xrefs: 00000001800021AB
)7}$, xrefs: 00000001800021A3
Rar!, xrefs: 0000000180001E92
P[4\, xrefs: 0000000180002183
NTIV, xrefs: 00000001800021CB
Rar!Rar!, xrefs: 000000018000212F
PZX5, xrefs: 000000018000218B
IRUS, xrefs: 00000001800021D3
ANDA, xrefs: 00000001800021BB
MSCF, xrefs: 0000000180002028
)7CC, xrefs: 000000018000219B
R-ST, xrefs: 00000001800021B3

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task
String ID: )7CC$)7}$$-TES$4(P^$ANDA$EICA$H+H*$IRUS$L$LE!$$MSCF$NTIV$P%@A$PZX5$P[4\$R-ST$RD-A$Rar!$Rar!Rar!$T-FI$X5O!
API String ID: 3936042273-42239843
Opcode ID: 1a2d1d1cae48639a1bf825e4c12e92b31543beafbb8b1ed0150fcf9411e74a73
Instruction ID: f65e32fc1529cad7a00d9ef93ac9e0bce8ed8251db96144b5fa9cecdc263a2d9
Opcode Fuzzy Hash: 1a2d1d1cae48639a1bf825e4c12e92b31543beafbb8b1ed0150fcf9411e74a73
Instruction Fuzzy Hash: 41424973A11BC489EB61CF75E8843DD33A5F7887A8F208715EA981AB99DF74C284C740

Function 0000000180006560 Relevance: 31.6, APIs: 2, Strings: 16, Instructions: 125
nativememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL ref: 0000000180025760
NtProtectVirtualMemory.NTDLL ref: 0000000180025787

Strings

H, xrefs: 0000000180025680
v, xrefs: 000000018002566C
y, xrefs: 0000000180025651
g, xrefs: 000000018002567B
e, xrefs: 0000000180025662
i, xrefs: 0000000180025676
+, xrefs: 0000000180025685
k, xrefs: 00000001800256A3
M, xrefs: 000000018002565D
D, xrefs: 000000018002568A
%, xrefs: 000000018002568F
4, xrefs: 000000018002569E
U, xrefs: 0000000180025699
+, xrefs: 0000000180025671
z, xrefs: 0000000180025667
y, xrefs: 0000000180025694

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: MemoryVirtual$AllocateProtect
String ID: %$+$+$4$D$H$M$U$e$g$i$k$v$y$y$z
API String ID: 2931642484-2653694703
Opcode ID: 29ae91233c9e2a0f6e91985882b77d90a3ef669daaed8ef0da2c19573c3da0e6
Instruction ID: 65144e74e28f08dbd9014b17249a5266b53b2c5cc9101eb6481addb504c11909
Opcode Fuzzy Hash: 29ae91233c9e2a0f6e91985882b77d90a3ef669daaed8ef0da2c19573c3da0e6
Instruction Fuzzy Hash: C351D37220DBC486E7529764B40478AAB91E3897E8F544225F7D90BBC9DFBDC10DCB14

Function 000000018012A000 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: e1f295aa13e5ef76a22ddaed4986782ce05a382e3253e5ee7e8977a23b813279
Instruction ID: 944969eb6665ad90594a193c0f285eaebd773b5436d63678d6c4f0510345ffff
Opcode Fuzzy Hash: e1f295aa13e5ef76a22ddaed4986782ce05a382e3253e5ee7e8977a23b813279
Instruction Fuzzy Hash: 64419272310A5886EF85CF2AD91839973A2B74CFE0F49D026EE0D87B54EE7CC5498304

Function 000001D562FCD65A Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000003.1746111540.000001D562F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D562F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_1d562f90000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7e753f29fc521fa2d0b6c7a6994e588844e22f1070003091da851a212630d82
Instruction ID: c9e1defc526e0ee5ddaea0710439a88126e59a88e9852f827e13684eaa32a9ec
Opcode Fuzzy Hash: d7e753f29fc521fa2d0b6c7a6994e588844e22f1070003091da851a212630d82
Instruction Fuzzy Hash: 93F081B0628B408BE7449F2984CA676B7E1FBD8755F64452EE889C7361CB319842CB43

Function 000001D562FCD6CA Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000003.1746111540.000001D562F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D562F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_1d562f90000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c03d8a45eb9b0d3ccc835ff03553e770b46152858ebd01b16508ffef1a6f20c3
Instruction ID: 28d33e63a436d60fa468d90c65c192bcef93cb1386ed433a6c4c0ee212165df7
Opcode Fuzzy Hash: c03d8a45eb9b0d3ccc835ff03553e770b46152858ebd01b16508ffef1a6f20c3
Instruction Fuzzy Hash: 82F05470B24F448BD704AF2C888A67677D2FBE8745F94452EE848C7361DB35E5428B43

Function 0000000180002B60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TlsAlloc.KERNEL32 ref: 0000000180002B67
std::bad_exception::bad_exception.LIBCMT ref: 0000000180002BAA

Strings

cannot allocate thread context key, xrefs: 0000000180002B8B

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Allocstd::bad_exception::bad_exception
String ID: cannot allocate thread context key
API String ID: 287486779-1710566765
Opcode ID: 70f5ec321c4b3483aab5bc5a2522a323dc813696c1eb10960a0e64ce664ba700
Instruction ID: 3eb9b5f93a8efaf96118b30193394a4e6d026d19488291b2ffbd53e73d27dd25
Opcode Fuzzy Hash: 70f5ec321c4b3483aab5bc5a2522a323dc813696c1eb10960a0e64ce664ba700
Instruction Fuzzy Hash: 6A014F7172090DD1E692FB34E89A3D87365BB9D368FD08112D14D825F6DE28C75EC700

Function 000000018001FE80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 000000018001FE94
std::bad_exception::bad_exception.LIBCMT ref: 000000018001FEC5

Strings

Failed to initialize network subsystem, xrefs: 000000018001FEA6

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Startupstd::bad_exception::bad_exception
String ID: Failed to initialize network subsystem
API String ID: 36264510-1820565237
Opcode ID: 352e269cbea8bc61e3b80d515c178517ace928a2895d31e5eb89a4d4d5db4166
Instruction ID: 2ad56a504399f77fca66a98e9298a4838375de0c8b08391d47cfbd9bbf6bfd2d
Opcode Fuzzy Hash: 352e269cbea8bc61e3b80d515c178517ace928a2895d31e5eb89a4d4d5db4166
Instruction Fuzzy Hash: B1F03772214D4DD1EBA1EB14E8893E96363F799354FC09025A28D478BBEE6CC70DCB00

Function 000001D562FCC24A Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

, xrefs: 000001D562FCC4B4

Memory Dump Source

Source File: 00000005.00000003.1746111540.000001D562F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D562F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_1d562f90000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: e1b5f217ab961a454b36722efd1ce63e8d0791c74eab14a614d4f9e3fc2a9a33
Instruction ID: a0ddde8c974665b230d9b5568c670cdb52e63849f105c27492e28f2a9abe3987
Opcode Fuzzy Hash: e1b5f217ab961a454b36722efd1ce63e8d0791c74eab14a614d4f9e3fc2a9a33
Instruction Fuzzy Hash: 81B1833121CE088FDB54EF1CD885BAAB7E1FB98350F51456AE44EC7295DB34E845CB82

Function 000001D562FCCE0A Relevance: 1.6, APIs: 1, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 000001D562FCCE47

Memory Dump Source

Source File: 00000005.00000003.1746111540.000001D562F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D562F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_1d562f90000_rundll32.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: dda5bd23e4ac47bd42f6dd929fb15fd9a0e68714a6453c9134859c40f5c4eed3
Instruction ID: 4a9eb1ea1dcbface17b67bfab37fa50aaa580aaf209ac93b0438faf4b05f3f00
Opcode Fuzzy Hash: dda5bd23e4ac47bd42f6dd929fb15fd9a0e68714a6453c9134859c40f5c4eed3
Instruction Fuzzy Hash: 48012D30729D2A4BE7D9A779A8D1BE3B6C2F795350F944056D80EC72C6D925CCC14380

Function 000000018013400C Relevance: 1.5, APIs: 1, Instructions: 38
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000000018012C6CC: HeapAlloc.KERNEL32(?,?,00000000,0000000180126ECB), ref: 000000018012C70A

RtlReAllocateHeap.NTDLL(?,?,00000000,000000018012A65B,?,?,?,000000018012A0B7,?,?,?,0000000180129FAD,?,?,?,000000018012A38E), ref: 0000000180134079

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Heap$AllocAllocate
String ID:
API String ID: 2177240990-0
Opcode ID: cbf9e1bcc966571a6f1044025fffae21e333bb6e3deebf2d98a299e414a4521b
Instruction ID: f695400d6f30680e5f9617c48cc471e8a6d1151c8eb51c0e9e368cd19eb7ef02
Opcode Fuzzy Hash: cbf9e1bcc966571a6f1044025fffae21e333bb6e3deebf2d98a299e414a4521b
Instruction Fuzzy Hash: 7E016D7230060942FEDAAB6165893EA13915B8C7F0F1AD221BB25462D6DE2CD6084700

Function 000000018012EB94 Relevance: 1.5, APIs: 1, Instructions: 36
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,?,00000000,000000018012AC8A,?,?,8000000000000000,0000000180124C05,?,?,?,?,000000018012C6C4), ref: 000000018012EBE9

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1bbd031e9b40aaa3df7e7cfd2382faa7c78f8fa622478c522076619262ec1d53
Instruction ID: 2f222e57a63ab880ed9cbf42d716b4e0d6c647b669ae0dc4a7462a43906732ee
Opcode Fuzzy Hash: 1bbd031e9b40aaa3df7e7cfd2382faa7c78f8fa622478c522076619262ec1d53
Instruction Fuzzy Hash: 16F01DB530260946FEE7D6A999593D513D55B4EBA0F0CD4309D0F863D6EE5DC6884310

Non-executed Functions

Function 0000000180008770 Relevance: 72.1, APIs: 24, Strings: 17, Instructions: 308libraryprocessloaderCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00000001800087A5
GetLastError.KERNEL32 ref: 00000001800087C0
Sleep.KERNEL32 ref: 00000001800087E1
CreateToolhelp32Snapshot.KERNEL32 ref: 00000001800087EE
Module32FirstW.KERNEL32 ref: 0000000180008813
CloseHandle.KERNEL32 ref: 000000018000882C
OpenProcess.KERNEL32 ref: 0000000180008844
GetLastError.KERNEL32 ref: 0000000180008865
GetLastError.KERNEL32 ref: 00000001800088EA
GetModuleHandleW.KERNEL32 ref: 000000018000893E
GetProcAddress.KERNEL32 ref: 000000018000894E
GetModuleHandleW.KERNEL32 ref: 00000001800089E4
LoadLibraryW.KERNEL32 ref: 00000001800089F6
GetProcAddress.KERNEL32 ref: 0000000180008A0E
GetLastError.KERNEL32 ref: 0000000180008A72
GetModuleHandleW.KERNEL32 ref: 0000000180008AB0
CloseHandle.KERNEL32 ref: 0000000180008B28
VirtualQueryEx.KERNEL32 ref: 0000000180008B42
CloseHandle.KERNEL32 ref: 0000000180008C3C
GetLastError.KERNEL32 ref: 0000000180008C59
CloseHandle.KERNEL32 ref: 0000000180008C9D
CloseHandle.KERNEL32 ref: 0000000180008CAD

Strings

ImageNotify: Image has unusual memory protection!! %u - %s, xrefs: 0000000180008B98
mb::common::crypto::VerifyImage, xrefs: 000000018000888F, 0000000180008910, 0000000180008982, 00000001800089C3, 0000000180008A42, 0000000180008A98, 0000000180008B01, 0000000180008BA4, 0000000180008BFE, 0000000180008C6F, 0000000180008CF0
psapi.dll, xrefs: 00000001800089EF
Failed to load psapi.dll = %u, xrefs: 0000000180008A8C
GetModuleInformation = %p, xrefs: 00000001800089AB, 0000000180008A2A
kernel32.dll, xrefs: 0000000180008937
D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\Crypto.cpp, xrefs: 0000000180008879, 00000001800088FA, 0000000180008976, 00000001800089B7, 0000000180008A36, 0000000180008A82, 0000000180008AF5, 0000000180008B8D, 0000000180008BF2, 0000000180008C64, 0000000180008CDA
K32GetModuleInformation, xrefs: 0000000180008947
VerifyImage failed to get module handle - %u, xrefs: 0000000180008904
ImageNotify: Image has unusual memory protection!! (%zu) (%u) PID = %u - %s, xrefs: 0000000180008C13
VerifyImage Failed to open the process %u- %u, xrefs: 0000000180008880
K32GetModuleInformation = %p, xrefs: 000000018000896A
GetModuleInformation, xrefs: 0000000180008A04
VerifyImage failed to get module information - %u, xrefs: 0000000180008CE4
Crypto, xrefs: 00000001800087AB
VerifyImage got base address from module handle %p, xrefs: 0000000180008AE9
VerifyImage failed to get base address from module handle %u (GetModInfo = %p), xrefs: 0000000180008C76

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Handle$CloseErrorLast$Module$AddressCreateProcSnapshotToolhelp32$FirstLibraryLoadModule32OpenProcessQuerySleepVirtual
String ID: Crypto$D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\Crypto.cpp$Failed to load psapi.dll = %u$GetModuleInformation$GetModuleInformation = %p$ImageNotify: Image has unusual memory protection!! %u - %s$ImageNotify: Image has unusual memory protection!! (%zu) (%u) PID = %u - %s$K32GetModuleInformation$K32GetModuleInformation = %p$VerifyImage Failed to open the process %u- %u$VerifyImage failed to get base address from module handle %u (GetModInfo = %p)$VerifyImage failed to get module handle - %u$VerifyImage failed to get module information - %u$VerifyImage got base address from module handle %p$kernel32.dll$mb::common::crypto::VerifyImage$psapi.dll
API String ID: 1552750388-2544890722
Opcode ID: cbc42031f762b81ed146b49916ee564eac4c9e52cfbada4c05aeaa6be7a08a72
Instruction ID: 788443a6203ae7b63ad1ef169ede3e5baaab21628117a0fbacbdca54153a5daf
Opcode Fuzzy Hash: cbc42031f762b81ed146b49916ee564eac4c9e52cfbada4c05aeaa6be7a08a72
Instruction Fuzzy Hash: B4E12876204B4882E7A2CF11F8887D977A5F78CBA5F448116EA8E477A5DF38C60DCB04

Function 0000000180015BF0 Relevance: 52.7, APIs: 6, Strings: 24, Instructions: 222COMMON

Download Yara Rule

APIs

BCryptOpenAlgorithmProvider.BCRYPT ref: 0000000180015C6E
BCryptDestroyKey.BCRYPT ref: 0000000180015F4A
BCryptCloseAlgorithmProvider.BCRYPT ref: 0000000180015F64

Strings

RSAPUBLICBLOB, xrefs: 0000000180015CC9
ise, Inc, xrefs: 0000000180015E97
SHA256, xrefs: 0000000180015D60
SHA384, xrefs: 0000000180015D57
SHA1, xrefs: 0000000180015D69
ConnectW, xrefs: 0000000180015E88
**** Error 0x%x returned by BCryptOpenAlgorithmProvider, xrefs: 0000000180015C7F
SHA512, xrefs: 0000000180015D4E
VerifyTrusted, xrefs: 0000000180015ECF, 0000000180015F20
MD5, xrefs: 0000000180015D72
****> Failed to import public key - %x, xrefs: 0000000180015F05
, xrefs: 0000000180015D3F
Kaseya Limited, xrefs: 0000000180015E43
Malwareb, xrefs: 0000000180015E03
Failed to import the public key - %x, xrefs: 0000000180015CF6
Kaseya certificate is trusted!, xrefs: 0000000180015E58
0, xrefs: 0000000180015D44
D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\CryptoUser.cpp, xrefs: 0000000180015D02, 0000000180015EC3, 0000000180015F15
ImportRsaPublicKeyX, xrefs: 0000000180015D0E
ConnectWise certificate is trusted!, xrefs: 0000000180015EB3
ytes, xrefs: 0000000180015E12
@, xrefs: 0000000180015D49
MbCommonSigCRYPTUSR, xrefs: 0000000180015C8C, 0000000180015CA1
RSA, xrefs: 0000000180015C54

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Crypt$AlgorithmProvider$CloseDestroyOpen
String ID: $**** Error 0x%x returned by BCryptOpenAlgorithmProvider$****> Failed to import public key - %x$0$@$ConnectW$ConnectWise certificate is trusted!$D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\CryptoUser.cpp$Failed to import the public key - %x$ImportRsaPublicKeyX$Kaseya Limited$Kaseya certificate is trusted!$MD5$Malwareb$MbCommonSigCRYPTUSR$RSA$RSAPUBLICBLOB$SHA1$SHA256$SHA384$SHA512$VerifyTrusted$ise, Inc$ytes
API String ID: 2054559242-2717880233
Opcode ID: cc0a3cb7e0da9c7ff66ae0a5c9362b601b2ca27709e9a57ede8521292f8f2120
Instruction ID: 91263c3910ef83fdbdd24a69e8ba3a9f61853925db0fc0cbaca4464654ca9d14
Opcode Fuzzy Hash: cc0a3cb7e0da9c7ff66ae0a5c9362b601b2ca27709e9a57ede8521292f8f2120
Instruction Fuzzy Hash: 3DA16B76604F88C5EBA68B05E4483E977A5F78CBD5F858016EA894B7A4DF38CA4DC700

Function 0000000180015700 Relevance: 51.1, APIs: 10, Strings: 19, Instructions: 322COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0000000180015848
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180015854
BCryptOpenAlgorithmProvider.BCRYPT ref: 0000000180015907
BCryptGetProperty.BCRYPT ref: 000000018001594F
BCryptGetProperty.BCRYPT ref: 00000001800159EE
BCryptCloseAlgorithmProvider.BCRYPT ref: 0000000180015B86
BCryptDestroyHash.BCRYPT ref: 0000000180015B96

Strings

HashDigestLength, xrefs: 00000001800159E7
**** Invalid hash size: %u, need %u, xrefs: 0000000180015A4A
**** Invalid hash buffer: %p, xrefs: 0000000180015A85
SHA256, xrefs: 00000001800158E3
SHA384, xrefs: 00000001800158DA
SHA1, xrefs: 00000001800158F5
ObjectLength, xrefs: 0000000180015948
**** Error 0x%x returned by BCryptHashData, xrefs: 0000000180015BCF
**** Error 0x%x returned by BCryptCreateHash, xrefs: 0000000180015ACF
SHA512, xrefs: 00000001800158D1
MD5, xrefs: 00000001800158EC
**** Error 0x%x returned by BCryptOpenAlgorithmProvider - Hash, xrefs: 0000000180015918
MbHashMemory, xrefs: 00000001800159AE, 0000000180015A33, 0000000180015B58
D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\CryptoUser.cpp, xrefs: 00000001800159A2, 0000000180015A28, 0000000180015B4C
**** Error 0x%x returned by BCryptFinishHash, xrefs: 0000000180015B38
**** memory allocation failed, xrefs: 0000000180015988
MbCommonSigCRYPTUSR, xrefs: 0000000180015998, 0000000180015A56, 0000000180015B5F
**** Error 0x%x returned by BCryptGetProperty getting object length, xrefs: 0000000180015960
**** Error 0x%x returned by BCryptGetProperty getting hash length, xrefs: 00000001800159FF

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Crypt$AlgorithmPropertyProvider$CloseConcurrency::cancel_current_taskDestroyHashOpen_invalid_parameter_noinfo_noreturn
String ID: **** Error 0x%x returned by BCryptCreateHash$**** Error 0x%x returned by BCryptFinishHash$**** Error 0x%x returned by BCryptGetProperty getting hash length$**** Error 0x%x returned by BCryptGetProperty getting object length$**** Error 0x%x returned by BCryptHashData$**** Error 0x%x returned by BCryptOpenAlgorithmProvider - Hash$**** Invalid hash buffer: %p$**** Invalid hash size: %u, need %u$**** memory allocation failed$D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\CryptoUser.cpp$HashDigestLength$MD5$MbCommonSigCRYPTUSR$MbHashMemory$ObjectLength$SHA1$SHA256$SHA384$SHA512
API String ID: 860087726-4021669043
Opcode ID: 5c1f8620c86830096c7b504056d06b58c2052937ddca11c143a02181f65b63d5
Instruction ID: 9e2ce5262259e5bcabe6f94ea6a9927640127448378a215be27b5a32b5f0547c
Opcode Fuzzy Hash: 5c1f8620c86830096c7b504056d06b58c2052937ddca11c143a02181f65b63d5
Instruction Fuzzy Hash: 30D16F72204B48C5EBA2CB55F4847EDB7A1F78C7E5F808116EA894BBA5DF78C649C700

Function 0000000180015F90 Relevance: 36.9, APIs: 6, Strings: 15, Instructions: 151COMMON

Download Yara Rule

APIs

BCryptOpenAlgorithmProvider.BCRYPT ref: 0000000180015FEA
BCryptDestroyKey.BCRYPT ref: 000000018001604B
BCryptCloseAlgorithmProvider.BCRYPT ref: 000000018001605D
BCryptImportKeyPair.BCRYPT ref: 00000001800160BB
BCryptVerifySignature.BCRYPT ref: 00000001800161AD
BCryptDestroyKey.BCRYPT ref: 00000001800161FA

Strings

RSAPUBLICBLOB, xrefs: 00000001800160A9
**** Failed to import public key - %x, xrefs: 0000000180016117
SHA256, xrefs: 0000000180016163
SHA384, xrefs: 0000000180016155
SHA1, xrefs: 000000018001617F
Verify signature returns %x, xrefs: 00000001800161BE
**** Error 0x%x returned by BCryptOpenAlgorithmProvider, xrefs: 0000000180015FFF
SHA512, xrefs: 0000000180016149
MD5, xrefs: 0000000180016171
Failed to import the public key - %x, xrefs: 00000001800160D7
VerifyData, xrefs: 0000000180016021, 00000001800161D6
D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\CryptoUser.cpp, xrefs: 0000000180016016, 00000001800160E3, 00000001800161CA
ImportRsaPublicKeyX, xrefs: 00000001800160EF
MbCommonSigCRYPTUSR, xrefs: 000000018001600C, 00000001800160C1
RSA, xrefs: 0000000180015FD7

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Crypt$AlgorithmDestroyProvider$CloseImportOpenPairSignatureVerify
String ID: **** Error 0x%x returned by BCryptOpenAlgorithmProvider$**** Failed to import public key - %x$D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\CryptoUser.cpp$Failed to import the public key - %x$ImportRsaPublicKeyX$MD5$MbCommonSigCRYPTUSR$RSA$RSAPUBLICBLOB$SHA1$SHA256$SHA384$SHA512$Verify signature returns %x$VerifyData
API String ID: 2019841491-4080738847
Opcode ID: fa68690fadab714d053d2eb5b514d88ae2da970e409a4c86a8b986e7abd24159
Instruction ID: ed980101c0dda834f3209737b7ad7eaa71b32689e90ce2458d719ec637e924eb
Opcode Fuzzy Hash: fa68690fadab714d053d2eb5b514d88ae2da970e409a4c86a8b986e7abd24159
Instruction Fuzzy Hash: F361AC76204B4892E7A2CF11F8947DA77A5F78C7A4F948116EA8E43B65DF38C64DCB00

Function 00000001800150D0 Relevance: 28.2, APIs: 11, Strings: 5, Instructions: 238COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 000000018001510C
OpenProcess.KERNEL32 ref: 000000018001512C
GetLastError.KERNEL32 ref: 000000018001513E
GetProcessImageFileNameW.PSAPI ref: 00000001800151F7
GetLastError.KERNEL32 ref: 0000000180015205
GetProcessImageFileNameW.PSAPI ref: 0000000180015298
GetLastError.KERNEL32 ref: 0000000180015375
CloseHandle.KERNEL32 ref: 000000018001542C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018001545C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180015462
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180015468

Strings

D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\ProcessUtils.cpp, xrefs: 0000000180015193, 00000001800153C2
GetProcessImageFileName for [%d] failed with error [%d]. Cannot get the process path!, xrefs: 000000018001539C
ProcessUtils, xrefs: 0000000180015179, 00000001800153A8
OpenProcess call with pid [%d] failed with error [%d]. Cannot get the process path!, xrefs: 000000018001516D
mb::common::system::ProcessUtils::GetProcessPath, xrefs: 000000018001519A, 00000001800153C9

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Process$ErrorLast_invalid_parameter_noinfo_noreturn$FileImageNameOpen$CloseHandle
String ID: D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\ProcessUtils.cpp$GetProcessImageFileName for [%d] failed with error [%d]. Cannot get the process path!$OpenProcess call with pid [%d] failed with error [%d]. Cannot get the process path!$ProcessUtils$mb::common::system::ProcessUtils::GetProcessPath
API String ID: 1575040863-3696580403
Opcode ID: 29f233a9cbda2f60c6aaac86fea4f902b3204e52b0f38eaf970a43707461ded7
Instruction ID: e96932dfd46c146b027ab0e3fe9f41d0e7c323a40ef06e91f34071805e990d49
Opcode Fuzzy Hash: 29f233a9cbda2f60c6aaac86fea4f902b3204e52b0f38eaf970a43707461ded7
Instruction Fuzzy Hash: EFA1AD72711F48C5EB92CF65E4883DD23A1E78DBE5F408621EA9D1BB99DE78C649C300

Function 0000000180139F04 Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 0000000180139F52
_invalid_parameter_noinfo.LIBCMT ref: 000000018013A5BE
_invalid_parameter_noinfo.LIBCMT ref: 000000018013A734
_invalid_parameter_noinfo.LIBCMT ref: 000000018013A9F2
_invalid_parameter_noinfo.LIBCMT ref: 000000018013AC12
_invalid_parameter_noinfo.LIBCMT ref: 000000018013AE4F
memcpy_s.LIBCPMT ref: 000000018013AF2A
memcpy_s.LIBCPMT ref: 000000018013AFD5
memcpy_s.LIBCPMT ref: 000000018013B0A4

Strings

1#SNAN, xrefs: 000000018013A062
1#QNAN, xrefs: 000000018013A06B
1#IND, xrefs: 000000018013A03F
1#INF, xrefs: 000000018013A07B

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: 155f8ec017a0ba7ffc1716aa04d01c066c65c88c059d2bce09e4d6e3f582fb89
Instruction ID: e64712b9f006329b85b2faee8822a5d2b8dc3ae68b58e218b1303014f36bdc9b
Opcode Fuzzy Hash: 155f8ec017a0ba7ffc1716aa04d01c066c65c88c059d2bce09e4d6e3f582fb89
Instruction Fuzzy Hash: 0AB2E3727142888BF7A6CF64D8487ED77A1F3583A8F919115DA0A57E88DF39DB08CB40

Function 000000018000FE05 Relevance: 23.0, APIs: 3, Strings: 10, Instructions: 277COMMON

Download Yara Rule

Strings

ERROR, xrefs: 000000018001012F
TRACE, xrefs: 0000000180010196
INFO, xrefs: 0000000180010161
NONE, xrefs: 0000000180010113
O), xrefs: 000000018001023C
Date{0}Time{0}Tick Count{0}Process ID{0}Thread ID{0}Log Level{0}Context Tag{0}Function Name{0}File Name{0}Line Number{0}Message, xrefs: 00000001800101A6
DEBUG, xrefs: 000000018001017A
WARNING, xrefs: 0000000180010148
UNKNOWN, xrefs: 0000000180010018
{0}, xrefs: 000000018001021B

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID:
String ID: DEBUG$Date{0}Time{0}Tick Count{0}Process ID{0}Thread ID{0}Log Level{0}Context Tag{0}Function Name{0}File Name{0}Line Number{0}Message$ERROR$INFO$NONE$TRACE$UNKNOWN$WARNING${0}$O)
API String ID: 0-1175394839
Opcode ID: 3ec266ce1dfb9ad681a2d774538e3080bea715b79c42faf1737142f89fa23282
Instruction ID: e728865471310377dd45c6c8a3a48b35043e9632576cc2786ca7e8ba21f050cb
Opcode Fuzzy Hash: 3ec266ce1dfb9ad681a2d774538e3080bea715b79c42faf1737142f89fa23282
Instruction Fuzzy Hash: 55B1CF72610B8881EB52DF25E4943DD7361F78DBD8FA1D212EAAC076A5DF78C689C340

Function 00000001800143C0 Relevance: 16.9, APIs: 11, Instructions: 419COMMON

Download Yara Rule

APIs

GetLogicalDriveStringsW.KERNEL32 ref: 00000001800144A6
QueryDosDeviceW.KERNEL32 ref: 0000000180014588

Part of subcall function 0000000180106750: AcquireSRWLockExclusive.KERNEL32(?,?,?,00000001800244B1,?,?,?,0000000180002C19), ref: 0000000180106760

Part of subcall function 00000001801066E4: AcquireSRWLockExclusive.KERNEL32(?,?,?,00000001800244DB,?,?,?,0000000180002C19), ref: 00000001801066F4
Part of subcall function 00000001801066E4: ReleaseSRWLockExclusive.KERNEL32(?,?,?,00000001800244DB,?,?,?,0000000180002C19), ref: 0000000180106734

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018001496A
Concurrency::cancel_current_task.LIBCPMT ref: 0000000180014976
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018001497C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180014988
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018001498E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180014994
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018001499A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800149A0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800149A6

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ExclusiveLock$Acquire$Concurrency::cancel_current_taskDeviceDriveLogicalQueryReleaseStrings
String ID:
API String ID: 4260757983-0
Opcode ID: d557855fa708ce906f49ab260f81f0c610c0e0c19cfdf631ec2296b3be148232
Instruction ID: db5d558c1e9556029db17fd4af993c84ea7a7e714190a018784b6b6843ff1089
Opcode Fuzzy Hash: d557855fa708ce906f49ab260f81f0c610c0e0c19cfdf631ec2296b3be148232
Instruction Fuzzy Hash: 19025172B10F8985FB42DB65E4453ED2362A78D7E8F509311EAA8166E9DF78C688C300

Function 0000000180115DC0 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 0000000180115E39
RtlLookupFunctionEntry.KERNEL32 ref: 0000000180115E51
RtlVirtualUnwind.KERNEL32 ref: 0000000180115E8C
IsDebuggerPresent.KERNEL32 ref: 0000000180115EC5
SetUnhandledExceptionFilter.KERNEL32 ref: 0000000180115ECF
UnhandledExceptionFilter.KERNEL32 ref: 0000000180115EDA

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 8b76dab4a3857abd9779c3005433230d7221e9e5bf1173b1d060ab8efcc8499b
Instruction ID: 6fbe0a5ab35caa0a7a8088efd5404cf088294dffa798bee2e61c09e7e7bb2285
Opcode Fuzzy Hash: 8b76dab4a3857abd9779c3005433230d7221e9e5bf1173b1d060ab8efcc8499b
Instruction Fuzzy Hash: 04319236214F8486DBA1CF25E8843DE73A0F78C768F544116EA9D47BA5EF38C649CB00

Function 0000000180107848 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00000001801078A9
IsDebuggerPresent.KERNEL32 ref: 00000001801078C1
OutputDebugStringW.KERNEL32 ref: 00000001801078D2

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00000001801078CB

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: DebugDebuggerErrorLastOutputPresentString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 389471666-631824599
Opcode ID: ac4f2ae6db917f4f87e37bddf6db85f629462927a0db851ef5fe58545d8aa7dc
Instruction ID: c62aa922f7e8e0fdb41f07d84f43fcc2a9736de30d8fad2d158327afe1407b89
Opcode Fuzzy Hash: ac4f2ae6db917f4f87e37bddf6db85f629462927a0db851ef5fe58545d8aa7dc
Instruction Fuzzy Hash: 13115E32310B88A7F786DB22E6583E933A1FB4C365F44C025CB5942A61EF78D6B8C710

Function 0000000180107684 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00000001801076B0
GetCurrentThreadId.KERNEL32 ref: 00000001801076BE
GetCurrentProcessId.KERNEL32 ref: 00000001801076CA
QueryPerformanceCounter.KERNEL32 ref: 00000001801076DA

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 8cb0d471114c2351560cf57080cdf1a54f3117c3f47b117ae357acb3e1abe895
Instruction ID: eb508fc792b5aef0349723997834eec7494c9d46332be5394ead55717787b15d
Opcode Fuzzy Hash: 8cb0d471114c2351560cf57080cdf1a54f3117c3f47b117ae357acb3e1abe895
Instruction Fuzzy Hash: 22110C36711F048AEB81CF64E8593E833A5F75DB68F441E25EE6D86BA4DF78C2588340

Function 0000000180123610 Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 0000000180123676
memcpy_s.LIBCPMT ref: 00000001801236A1

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: 58c5b441fcc557dde308f798edace5a3fe026a1be206aa60db9152cb5b0e9c63
Instruction ID: dea16717a6459461c981bc694ef17a16d0c3dd845920b794801fa674b0c0ca1a
Opcode Fuzzy Hash: 58c5b441fcc557dde308f798edace5a3fe026a1be206aa60db9152cb5b0e9c63
Instruction Fuzzy Hash: F9C139B271428987EB75CF19E04D79AB7A1F388B94F40C225DB8A57784DB39DA09CB40

Function 0000000180126B04 Relevance: 4.8, APIs: 3, Instructions: 308COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000000180126BE8
SetConsoleCtrlHandler.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,0000000180125818), ref: 0000000180126E04
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,0000000180125818), ref: 0000000180126E17

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: ConsoleCtrlErrorHandlerLast_invalid_parameter_noinfo
String ID:
API String ID: 2654339681-0
Opcode ID: b03e703916e1046b10f3869a232b6324562162d81a8b82174c66de663d7c94bc
Instruction ID: 0cad5d6a7708ec7627c2b370556e12f9c2e07c11c99113340310ae9708483d7b
Opcode Fuzzy Hash: b03e703916e1046b10f3869a232b6324562162d81a8b82174c66de663d7c94bc
Instruction Fuzzy Hash: F6C1BEB260164C86FAE7DB28D45C3EA27A1E79C7A2F55C425DA4A077F5DE38CB4D8300

Function 0000000180130228 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,?,?,?,?,000000018012B806), ref: 000000018013029C

Strings

GetLocaleInfoEx, xrefs: 0000000180130244, 0000000180130255

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: c58fa79b402e6919386ef5694a0162a6e22420b1c41b766446516c9eeb2e969a
Instruction ID: 8364a61e272f7459822ab890d2611de5c775059b9af069b8d611d1f8da2e32a8
Opcode Fuzzy Hash: c58fa79b402e6919386ef5694a0162a6e22420b1c41b766446516c9eeb2e969a
Instruction Fuzzy Hash: D601A734700A448AE7C29B86B4483DBB7A1BB9CFE0F95C0259E4913B66CE38CA498340

Function 00000001801310C8 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 0000000180131317
RaiseException.KERNEL32 ref: 0000000180131328

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 351bdbe885c120d7f1782725b4111b1a2e01d45fdac977c756f5949d11557b11
Instruction ID: a5246351395ead6ace41139514bdf3c781a7c67c369d30a528861335f28cd911
Opcode Fuzzy Hash: 351bdbe885c120d7f1782725b4111b1a2e01d45fdac977c756f5949d11557b11
Instruction Fuzzy Hash: DDB11F77600B888FEB56CF29C88A39D7BA0F348B68F16C915DB5987BA4CB39C555C700

Function 000000018011A3C0 Relevance: 2.8, Strings: 2, Instructions: 350COMMON

Download Yara Rule

Strings

, xrefs: 000000018011A770
, xrefs: 000000018011A52E

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: f37e5461d795ae9f8fc3c5a30e3aa09c1da45a80f3de5b0be8a66d2bc7a72cad
Instruction ID: 49e058d1f621dd75d3ae7e20055d9f1bf5ae8eb1af5a11b8716a30c85fa3d411
Opcode Fuzzy Hash: f37e5461d795ae9f8fc3c5a30e3aa09c1da45a80f3de5b0be8a66d2bc7a72cad
Instruction Fuzzy Hash: 44E1D732204E4886FBEE8E2981583AD3BA1F74DB68F98E215DA46077D4DF35CA59C700

Function 000000018012CC98 Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

gfff, xrefs: 000000018012CE22
e+000, xrefs: 000000018012CDA5

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID:
String ID: e+000$gfff
API String ID: 0-3030954782
Opcode ID: a0b4a98d576a10a6e3a0da15dd5e8e4746293ad3541659e3aa334c552677f52b
Instruction ID: f6e58dc7970a1d26dd0adf9c08be4621f1eb0c8160bce8016cb9768a45f6ae82
Opcode Fuzzy Hash: a0b4a98d576a10a6e3a0da15dd5e8e4746293ad3541659e3aa334c552677f52b
Instruction Fuzzy Hash: D6517AB27146CC46E7A6CE35A808799BB91E35CBA4F49D221CBA44BAC5CF39C649C700

Function 000000018012D318 Relevance: 1.6, APIs: 1, Instructions: 324COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000000018012D75E

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 32ae0cb38b3b69d83d12af6681f0a3ce2392bd4ef5a70b5fea58a58a172fff2d
Instruction ID: ecb3a429b116fcf64368373afd7e3ac527559c729b42e18b68529803189b8f9e
Opcode Fuzzy Hash: 32ae0cb38b3b69d83d12af6681f0a3ce2392bd4ef5a70b5fea58a58a172fff2d
Instruction Fuzzy Hash: 1DD1C3B260478886E7F6DF25E0483A97B90F78D7A4F54C225DB8947B95DF7CC6488B00

Function 000000018012FDA8 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(?,?,00000000,00000001801301F7,?,?,?,?,?,?,?,?,00000000,0000000180138A00), ref: 000000018012FDF7

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 7a83e8bc964b767d18a3dccc9881b21e24547f6a8c854c59aa3a223554baed0a
Instruction ID: 02696fc78f1fcaa263e9141234fab4a06aa5e1d6719a252db0625d7baa23e7be
Opcode Fuzzy Hash: 7a83e8bc964b767d18a3dccc9881b21e24547f6a8c854c59aa3a223554baed0a
Instruction Fuzzy Hash: B4F03CB2300B4887E785DB29E8983DA7367F79CBC0F94D029EA4983765DE78C6598300

Function 000000018012C804 Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 000000018012CB46

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID:
String ID: gfffffff
API String ID: 0-1523873471
Opcode ID: 3c05b74dc7d3b59526d61f6f1df35647b34b7f0f29bb2ff571977b3eaa776d9e
Instruction ID: 0ad7334c65485f9f62971b9ca8978406d82dbfa592b7c05e8838b2e1b4e3bdfb
Opcode Fuzzy Hash: 3c05b74dc7d3b59526d61f6f1df35647b34b7f0f29bb2ff571977b3eaa776d9e
Instruction Fuzzy Hash: 39A145B37057CC86EBA6CB29A4147EA7B90E359BE4F05C122DF8947795EA3DC609C700

Function 0000000180118A10 Relevance: 1.5, Strings: 1, Instructions: 247COMMON

Download Yara Rule

Strings

, xrefs: 0000000180118BEC

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 8e8e8880b988a86fe12b3d04fec3431f0dcfae1117074ff7f9f921cd0f14eac8
Instruction ID: 92ca1c19978f7e98e1dc79a382196f8d49c5b8aae83ff91a3c9d075087d87231
Opcode Fuzzy Hash: 8e8e8880b988a86fe12b3d04fec3431f0dcfae1117074ff7f9f921cd0f14eac8
Instruction Fuzzy Hash: 7AB1A172105F5886EBAA8F29C0983EC3BA0F74DB68F28E116CB4A47395CF31C659C755

Function 0000000180117290 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction ID: b266238800c3099d4c7d16965a207078b382afbec0b3959330b3dbe103fe048b
Opcode Fuzzy Hash: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction Fuzzy Hash: D2518236320E5882E7AA8B29C04839C37B1F74DB78F24A111DE5917B98CB36DA57D740

Function 0000000180117AB0 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction ID: 03f34c0eb881ddf5f502b3628062a6a47f64f1b8239020765bd4c6c594425803
Opcode Fuzzy Hash: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction Fuzzy Hash: 37518076314E5886E7AA8F29D04839D37B1E74CF78F24A111CE4917BA8DB36DA47C780

Function 00000001801176A0 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction ID: c90048feb344b5a07ce75a192268b1176897b3dbb599d5942664696d53f56c25
Opcode Fuzzy Hash: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction Fuzzy Hash: 77517F36710E5886E7AA8B29D04C39837B1E34DB78F24A111CE4917BE8CB36DA47C780

Function 00000001801178AC Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf36178eee3e05a9df7ae4174492d72a955a1e5a924f83978aff5b384c443cef
Instruction ID: cc2829d54de1894aea31ff42c54a9275b60a420315146979c47b57ee77199df6
Opcode Fuzzy Hash: bf36178eee3e05a9df7ae4174492d72a955a1e5a924f83978aff5b384c443cef
Instruction Fuzzy Hash: FA517F36320E5886E7AA8B29D05839C77B0E74CB7CF28E111CE4917B95DB36CA5BC740

Function 0000000180017460 Relevance: 31.7, APIs: 9, Strings: 9, Instructions: 176fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 0000000180017512
GetLastError.KERNEL32 ref: 0000000180017521

Strings

VerifyFile attempting to open %ws, xrefs: 00000001800174AD
File Not Found - %x, xrefs: 0000000180017532
Read file Error, xrefs: 00000001800176FF
Error allocating memory for file data, xrefs: 0000000180017606
%ws verification status - %x - IsMbam = %u, xrefs: 00000001800176A9
D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\FileVerify.cpp, xrefs: 00000001800174C5, 000000018001753E, 000000018001759B, 0000000180017618, 00000001800176B4, 0000000180017711
File Size Error, xrefs: 0000000180017589
MbCommonSigVerify, xrefs: 00000001800174B9
VerifyFile, xrefs: 00000001800174CF, 000000018001754A, 00000001800175A7, 0000000180017624, 00000001800176C0, 000000018001771D

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: CreateErrorFileLast
String ID: %ws verification status - %x - IsMbam = %u$D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\FileVerify.cpp$Error allocating memory for file data$File Not Found - %x$File Size Error$MbCommonSigVerify$Read file Error$VerifyFile$VerifyFile attempting to open %ws
API String ID: 1214770103-1110068639
Opcode ID: 307ac1770580ba3d592c58be44ea0f0f5cd9a0c4409d3336b534dacfa44d8c4d
Instruction ID: 11652f6c9eee8c16f10a3420f6e9143ef996b92be0c75af00192d30ce4594539
Opcode Fuzzy Hash: 307ac1770580ba3d592c58be44ea0f0f5cd9a0c4409d3336b534dacfa44d8c4d
Instruction Fuzzy Hash: 7B815C76204B8886E7A1CB11E84479E77A4F78DBE4F408115EA9D47BA6DF3CC608CB00

Function 0000000180014F29 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180015072
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180015078
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018001507E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180015084
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180015090
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180015096
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018001509C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800150A2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800150AE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800150B4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800150BA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800150C0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800150C6

Strings

\\.\Globalroot, xrefs: 0000000180014F37

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: \\.\Globalroot
API String ID: 3668304517-3084389310
Opcode ID: c1c51882aed7f50c725de7d56c11ff9d4f12b11390d09ca5d81619b85898036f
Instruction ID: 63d7ba85a87c813fe84413dbf665f9926105d667c37b972e7311ef1f595220e1
Opcode Fuzzy Hash: c1c51882aed7f50c725de7d56c11ff9d4f12b11390d09ca5d81619b85898036f
Instruction Fuzzy Hash: BD418472B11E4985FF47EB78D0493ED12229B8D7F4F40AB01BA6816AEADE65C249C340

Function 0000000180007980 Relevance: 21.3, APIs: 7, Strings: 5, Instructions: 295libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000180022EE0: WaitForMultipleObjects.KERNEL32 ref: 0000000180022F17
Part of subcall function 0000000180022EE0: ResetEvent.KERNEL32 ref: 0000000180022F33
Part of subcall function 0000000180022EE0: ResetEvent.KERNEL32 ref: 0000000180022F3D
Part of subcall function 0000000180022EE0: ReleaseMutex.KERNEL32 ref: 0000000180022F46

LoadLibraryW.KERNEL32 ref: 00000001800079E3
GetFileVersionInfoSizeW.VERSION ref: 0000000180007B43
GetFileVersionInfoW.VERSION ref: 0000000180007B9B
VerQueryValueW.VERSION ref: 0000000180007BC4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180007DA2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180007DA8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180007DAE

Strings

D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\DynamicLibrary.cpp, xrefs: 0000000180007B23, 0000000180007C59, 0000000180007D12
File version %u.%u.%u.%u for '%s', xrefs: 0000000180007C3A
Failed to load function ptrs for '%s', xrefs: 0000000180007B04
mb::common::system::DynamicLibrary::Load, xrefs: 0000000180007B2A, 0000000180007C60, 0000000180007D19
Failed to load '%s', %s, xrefs: 0000000180007CF3

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$EventFileInfoResetVersion$LibraryLoadMultipleMutexObjectsQueryReleaseSizeValueWait
String ID: D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\DynamicLibrary.cpp$Failed to load '%s', %s$Failed to load function ptrs for '%s'$File version %u.%u.%u.%u for '%s'$mb::common::system::DynamicLibrary::Load
API String ID: 4026781392-3082813674
Opcode ID: b1015c23e17ff9f6e18201f766be76b5944456af77c8d30d255385afce82add6
Instruction ID: cbabf07e28f1668f3db32a59947f7a559444b3bbfa617106ad4ec1bbbac74f0c
Opcode Fuzzy Hash: b1015c23e17ff9f6e18201f766be76b5944456af77c8d30d255385afce82add6
Instruction Fuzzy Hash: 14D1CD72B10B4895EB91DF65E4843EC33B1F798BD8F008616EA5D17AA9DF38C699C340

Function 0000000180014D63 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800150AE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800150B4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800150BA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800150C0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800150C6

Strings

\\?\, xrefs: 0000000180014DB4

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: \\?\
API String ID: 3668304517-4282027825
Opcode ID: c153c970744e3ff2ac1a733991df761227dc1e397997b5b26c4c23c3766a7f33
Instruction ID: 63a2ac9ff495613dcd4add744bea60c538b8f00e60c4357e3b1501531ff59648
Opcode Fuzzy Hash: c153c970744e3ff2ac1a733991df761227dc1e397997b5b26c4c23c3766a7f33
Instruction Fuzzy Hash: 3951B672B11F4985FF46DB78D0493EC23629B8D7F4F40D701AA6C16AEADE65C289C380

Function 0000000180014A5A Relevance: 18.2, APIs: 12, Instructions: 170COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180015084
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180015090
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180015096
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018001509C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800150A2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800150AE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800150B4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800150BA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800150C0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800150C6

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 1aceb5f987f3b3742d416ac2d6fb94983d95fa97e2ad7047d90991908b41cd68
Instruction ID: 37caab9f01e1003b77e7c8090618f661dfee8657723bdb68d57d04bec796e96a
Opcode Fuzzy Hash: 1aceb5f987f3b3742d416ac2d6fb94983d95fa97e2ad7047d90991908b41cd68
Instruction Fuzzy Hash: 08618272B11E4985FF46DB78C0493ED13229B8D7F8F409B01BA6C1A6EADE65C289C340

Function 000000018012AAB0 Relevance: 18.1, APIs: 12, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000000018012AABF
FlsGetValue.KERNEL32 ref: 000000018012AAD4
FlsSetValue.KERNEL32 ref: 000000018012AAF5
FlsSetValue.KERNEL32 ref: 000000018012AB22
FlsSetValue.KERNEL32 ref: 000000018012AB33
FlsSetValue.KERNEL32 ref: 000000018012AB44
SetLastError.KERNEL32 ref: 000000018012AB5F
FlsGetValue.KERNEL32 ref: 000000018012AB95
FlsSetValue.KERNEL32 ref: 000000018012ABB4

Part of subcall function 000000018012EB94: RtlAllocateHeap.NTDLL(?,?,00000000,000000018012AC8A,?,?,8000000000000000,0000000180124C05,?,?,?,?,000000018012C6C4), ref: 000000018012EBE9

FlsSetValue.KERNEL32 ref: 000000018012ABDC

Part of subcall function 000000018012C690: HeapFree.KERNEL32 ref: 000000018012C6A6
Part of subcall function 000000018012C690: GetLastError.KERNEL32 ref: 000000018012C6B0

FlsSetValue.KERNEL32 ref: 000000018012ABED
FlsSetValue.KERNEL32 ref: 000000018012ABFE

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Value$ErrorLast$Heap$AllocateFree
String ID:
API String ID: 3174826731-0
Opcode ID: d27ea102324cb3148a835abbd1a234bb90ff1a8b5c084474f55cc09aa745f896
Instruction ID: 525182d9fe85fdeaa0cb1f2338849a7f9d30ddb055702e12c3b71842699ac447
Opcode Fuzzy Hash: d27ea102324cb3148a835abbd1a234bb90ff1a8b5c084474f55cc09aa745f896
Instruction Fuzzy Hash: 3D41537030120C47FAEBE7B1699D3EA63835B4C7B0F94D724A9364B6D6ED68D6498300

Function 0000000180007E30 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 232libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 0000000180007EBC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000817D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180008183
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180008189
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000818F

Strings

Could not load '%s' function ptr from DLL, %s, xrefs: 0000000180007FF0
D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\DynamicLibrary.cpp, xrefs: 000000018000800F, 0000000180008104
Could not load '%s' function ptr from DLL because DLL is not loaded, xrefs: 00000001800080E5
mb::common::system::DynamicLibrary::GetFunctionAddress, xrefs: 0000000180008016, 000000018000810B

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$AddressProc
String ID: Could not load '%s' function ptr from DLL because DLL is not loaded$Could not load '%s' function ptr from DLL, %s$D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\DynamicLibrary.cpp$mb::common::system::DynamicLibrary::GetFunctionAddress
API String ID: 1230731272-560569770
Opcode ID: 1fef4f74c05ee2d78553d6c1d76f499fa895c5e38613afa3b0117b4ca4a0fd19
Instruction ID: 2d62702eddbb558de309e16dbec1e386c5a102024c7951b4589988eaaaf8c99c
Opcode Fuzzy Hash: 1fef4f74c05ee2d78553d6c1d76f499fa895c5e38613afa3b0117b4ca4a0fd19
Instruction Fuzzy Hash: 24A17F72B11B4895EB91DB69D4543ED33A1FB487E8F40D612EAAC07A99DF39C689C300

Function 0000000180116914 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000000180116954
_invalid_parameter_noinfo.LIBCMT ref: 0000000180116D1C
_invalid_parameter_noinfo.LIBCMT ref: 0000000180116FBB

Strings

f, xrefs: 00000001801169EC
f, xrefs: 0000000180116A56
f, xrefs: 0000000180116BA1
p, xrefs: 0000000180116A5E
p, xrefs: 00000001801169F9

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: 60cc5941032d4e73c70e6236033a5792d810f6054c6545baca1d3859597e7a10
Instruction ID: 1da7f3d17b81cf6398a85a4ad5d22cd62852d82a194764ff71d46eb388f96ab5
Opcode Fuzzy Hash: 60cc5941032d4e73c70e6236033a5792d810f6054c6545baca1d3859597e7a10
Instruction Fuzzy Hash: 6E12F67270494A86FBAB9B14F15C3F97261F348770F84D015E6C547AE8DF3ACA898B50

Function 0000000180009CD0 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 319COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180009E4B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180009E51
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180009F62
Concurrency::cancel_current_task.LIBCPMT ref: 0000000180009F68
__std_exception_copy.LIBVCRUNTIME ref: 000000018000A048
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000A11C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000A122

Strings

ios_base::failbit set, xrefs: 0000000180009F80

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task__std_exception_copy
String ID: ios_base::failbit set
API String ID: 3630682930-3924258884
Opcode ID: c009e20e0163d43c03b6c8245f5196e59524e9394bb8ed14474b75b32bd38d0c
Instruction ID: b92572973f6f056b71fb1a3a17d0bce48dbe57363f560e11b7e88f697490d759
Opcode Fuzzy Hash: c009e20e0163d43c03b6c8245f5196e59524e9394bb8ed14474b75b32bd38d0c
Instruction Fuzzy Hash: 0EC1D032615B8881EB92DB25E4453ED7361E78DBE4F10D221EAAC067E6DF78C699C300

Function 00000001800136F0 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800139E1

Strings

NUL, xrefs: 0000000180013965
LPT, xrefs: 00000001800137FB
PRN, xrefs: 00000001800138FC
AUX, xrefs: 000000018001392E
\\.\, xrefs: 00000001800137A6
CON, xrefs: 00000001800138C7
COM, xrefs: 0000000180013837

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: AUX$COM$CON$LPT$NUL$PRN$\\.\
API String ID: 3668304517-431953350
Opcode ID: 50c9fd94dec52d2418c9c4644ecb9a1058296973547e3872325ecbe4daeaa39f
Instruction ID: 38d949412858d7621a5721e595f2d056ef18627934969283c6c0347f1df82c58
Opcode Fuzzy Hash: 50c9fd94dec52d2418c9c4644ecb9a1058296973547e3872325ecbe4daeaa39f
Instruction Fuzzy Hash: 747194B3714A88D1EFA28B25D0153E9B3A1F369BD4F94C112FA8D47694DE69CF4AC700

Function 0000000180008580 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 122COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000018000300F), ref: 00000001800085B9

Part of subcall function 00000001800150D0: OpenProcess.KERNEL32 ref: 000000018001510C
Part of subcall function 00000001800150D0: OpenProcess.KERNEL32 ref: 000000018001512C
Part of subcall function 00000001800150D0: GetLastError.KERNEL32 ref: 000000018001513E
Part of subcall function 00000001800150D0: CloseHandle.KERNEL32 ref: 000000018001542C

Part of subcall function 0000000180015470: GetModuleHandleW.KERNEL32 ref: 00000001800154DA
Part of subcall function 0000000180015470: GetProcAddress.KERNEL32 ref: 00000001800154EA

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180008760

Strings

mb::common::crypto::VerifyProcessEx, xrefs: 0000000180008620, 00000001800086F2
Process did not verify - %x - %u, xrefs: 00000001800086C5
Crypto, xrefs: 00000001800085FF, 00000001800086D7
Process in-memory image did not verify - %u - %s, xrefs: 0000000180008699
D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\Crypto.cpp, xrefs: 0000000180008619, 00000001800086EB
VerifyProcess failed to get process path - %u, xrefs: 00000001800085F3

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Process$HandleOpen$AddressCloseCurrentErrorLastModuleProc_invalid_parameter_noinfo_noreturn
String ID: Crypto$D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\Crypto.cpp$Process did not verify - %x - %u$Process in-memory image did not verify - %u - %s$VerifyProcess failed to get process path - %u$mb::common::crypto::VerifyProcessEx
API String ID: 3975211933-3964609968
Opcode ID: 8d988610b517b66eb06978deedab6b2115b64aa6f0835ac1fc9e9ed062743cc5
Instruction ID: 002036f762da34ff8db0a22a3868040925bfe3c3438f5634a40e792c62256954
Opcode Fuzzy Hash: 8d988610b517b66eb06978deedab6b2115b64aa6f0835ac1fc9e9ed062743cc5
Instruction Fuzzy Hash: F1511F76608B8982EB51CB54F49439AB7A1F78C7E4F508116FACD47699DF78C648CB00

Function 0000000180015470 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 169libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000180106750: AcquireSRWLockExclusive.KERNEL32(?,?,?,00000001800244B1,?,?,?,0000000180002C19), ref: 0000000180106760

GetModuleHandleW.KERNEL32 ref: 00000001800154DA
GetProcAddress.KERNEL32 ref: 00000001800154EA

Part of subcall function 00000001801066E4: AcquireSRWLockExclusive.KERNEL32(?,?,?,00000001800244DB,?,?,?,0000000180002C19), ref: 00000001801066F4
Part of subcall function 00000001801066E4: ReleaseSRWLockExclusive.KERNEL32(?,?,?,00000001800244DB,?,?,?,0000000180002C19), ref: 0000000180106734

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800156EC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800156F2

Strings

ntdll.dll, xrefs: 00000001800154D3
NtQuerySystemInformation, xrefs: 00000001800154E3

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: ExclusiveLock$Acquire_invalid_parameter_noinfo_noreturn$AddressHandleModuleProcRelease
String ID: NtQuerySystemInformation$ntdll.dll
API String ID: 2734340950-3774135904
Opcode ID: 7b008e91cb76bd202fba05ef95906712dc144a287f15d9e36831c7d287c40dcb
Instruction ID: a10bd6991d194b5c177b67f4aac7a101da8466237153ef4756e3699e838ac3bb
Opcode Fuzzy Hash: 7b008e91cb76bd202fba05ef95906712dc144a287f15d9e36831c7d287c40dcb
Instruction Fuzzy Hash: 0561A272711F48D9FB52DB75D8483DD33A2AB4C7E8F50C225AA980B6E9DE74C689C340

Function 000000018012FE24 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,0000000180130618,?,?,?,?,00000001801288C5,?,?,?,?,000000018010594C,?,?,00000000), ref: 000000018012FFA0
GetProcAddress.KERNEL32(?,?,0000000180130618,?,?,?,?,00000001801288C5,?,?,?,?,000000018010594C,?,?,00000000), ref: 000000018012FFAC

Strings

api-ms-, xrefs: 000000018012FEEA
ext-ms-, xrefs: 000000018012FEFD

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 7198340eb933fcddaf87aa1fa73f54ae1c1aa156182e913faa117afdfadb1161
Instruction ID: 03516c87bbbf3b13ccd75a7c17be7f6a40f8331a520ceada4aaaef6bbc0e6d97
Opcode Fuzzy Hash: 7198340eb933fcddaf87aa1fa73f54ae1c1aa156182e913faa117afdfadb1161
Instruction Fuzzy Hash: 4641D472321B1985FBA7DB1699087E62392B74DBF0F49C129ED0987799EE38C60D8700

Function 000000018000EC10 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 178COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000EC9B
std::_Lockit::~_Lockit.LIBCPMT ref: 000000018000EE88
Concurrency::cancel_current_task.LIBCPMT ref: 000000018000EEB7

Strings

true, xrefs: 000000018000ED86
bad locale name, xrefs: 000000018000EEBD
false, xrefs: 000000018000ED70

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Lockitstd::_$Concurrency::cancel_current_taskLockit::_Lockit::~_
String ID: bad locale name$false$true
API String ID: 2115809835-1062449267
Opcode ID: 3eb764857571638ea639fc852bc58915e2b5e0f2f3e3f844ef9de042b42a80e1
Instruction ID: 0a47188049085c96de077126a6a7bc261e24a0e280c1158c0fa2977b959a987f
Opcode Fuzzy Hash: 3eb764857571638ea639fc852bc58915e2b5e0f2f3e3f844ef9de042b42a80e1
Instruction Fuzzy Hash: 0E819032205BC886EB56CF30E8843DE77A4FB98798F549115FA8817B69DF38C699C740

Function 0000000180022EE0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 56synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000180022CB0: WaitForSingleObject.KERNEL32 ref: 0000000180022CC4
Part of subcall function 0000000180022CB0: ResetEvent.KERNEL32 ref: 0000000180022CDB

WaitForMultipleObjects.KERNEL32 ref: 0000000180022F17
ResetEvent.KERNEL32 ref: 0000000180022F33
ResetEvent.KERNEL32 ref: 0000000180022F3D
ReleaseMutex.KERNEL32 ref: 0000000180022F46
std::bad_exception::bad_exception.LIBCMT ref: 0000000180022F7C

Strings

cannot lock reader/writer lock, xrefs: 0000000180022F5D

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: EventReset$Wait$MultipleMutexObjectObjectsReleaseSinglestd::bad_exception::bad_exception
String ID: cannot lock reader/writer lock
API String ID: 2438275785-3465051855
Opcode ID: da3257100d4325e52a0612eeb12e31ec67f956241cd1235f159f0b4ad8865caf
Instruction ID: 928cd7e5a2a3c19c91096689682fe9f00081523089b4839ba0cf6de9e0aa202b
Opcode Fuzzy Hash: da3257100d4325e52a0612eeb12e31ec67f956241cd1235f159f0b4ad8865caf
Instruction Fuzzy Hash: D0115172220A0D92EB92DF20E8947D97371F798F98F808021EA5D436AADF38C64DC740

Function 000000018010627C Relevance: 9.2, APIs: 6, Instructions: 200COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00000001801062EE
MultiByteToWideChar.KERNEL32 ref: 0000000180106396
LCMapStringEx.KERNEL32 ref: 00000001801063CD
LCMapStringEx.KERNEL32 ref: 0000000180106426
LCMapStringEx.KERNEL32 ref: 00000001801064D3
WideCharToMultiByte.KERNEL32 ref: 0000000180106515

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: ByteCharMultiStringWide
String ID:
API String ID: 2829165498-0
Opcode ID: 2059b5de93772b6589164b545c0d660cdabe6dbd7163e6b83504d15557ee1706
Instruction ID: a9fb6d0c5e32a15882cdf7d6f766ac3614fca2e62d703d427023a8a9716f6c71
Opcode Fuzzy Hash: 2059b5de93772b6589164b545c0d660cdabe6dbd7163e6b83504d15557ee1706
Instruction Fuzzy Hash: B681C572300B4886EBA1CF11E4583A977E1F788BF8F548215EA9957BE8DF7CC6098700

Function 000000018000E930 Relevance: 9.1, APIs: 6, Instructions: 90COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000E95B
std::_Lockit::_Lockit.LIBCPMT ref: 000000018000E980
std::_Lockit::~_Lockit.LIBCPMT ref: 000000018000E9AA
std::_Facet_Register.LIBCPMT ref: 000000018000EA21
std::_Lockit::~_Lockit.LIBCPMT ref: 000000018000EA3B
Concurrency::cancel_current_task.LIBCPMT ref: 000000018000EA63

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: e74defd6e44153776dcf575d9a0119c280fa8a440b153087fd78519c6dbb8ca4
Instruction ID: a17a6a9c76327ac1197ff84e204077398036305ebdd83819081fcd8ba0eb649b
Opcode Fuzzy Hash: e74defd6e44153776dcf575d9a0119c280fa8a440b153087fd78519c6dbb8ca4
Instruction Fuzzy Hash: 7F315432305B4885EBA6DF15E8443DA73A2F79DBE4F488221EA8D577A5DF38C649C700

Function 000000018000E7F5 Relevance: 9.1, APIs: 6, Instructions: 89COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000E81B
std::_Lockit::_Lockit.LIBCPMT ref: 000000018000E840
std::_Lockit::~_Lockit.LIBCPMT ref: 000000018000E86A
std::_Facet_Register.LIBCPMT ref: 000000018000E8E1
std::_Lockit::~_Lockit.LIBCPMT ref: 000000018000E8FB
Concurrency::cancel_current_task.LIBCPMT ref: 000000018000E923

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 2742c7814c3d9141867964d29c3211bf07c947db12c32302beb503fc19865477
Instruction ID: c59888543ef58e5a734107e20c96db3b83024bccbeb0ae9d9f276c0960d4cf20
Opcode Fuzzy Hash: 2742c7814c3d9141867964d29c3211bf07c947db12c32302beb503fc19865477
Instruction Fuzzy Hash: 7E317E32200B4884EBA6DB15E4443DA73A2F74DBE4F58C621EA9D173A6DE78C649C300

Function 000000018012AC28 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,8000000000000000,0000000180124C05,?,?,?,?,000000018012C6C4), ref: 000000018012AC37
FlsSetValue.KERNEL32(?,?,8000000000000000,0000000180124C05,?,?,?,?,000000018012C6C4), ref: 000000018012AC6D
FlsSetValue.KERNEL32(?,?,8000000000000000,0000000180124C05,?,?,?,?,000000018012C6C4), ref: 000000018012AC9A
FlsSetValue.KERNEL32(?,?,8000000000000000,0000000180124C05,?,?,?,?,000000018012C6C4), ref: 000000018012ACAB
FlsSetValue.KERNEL32(?,?,8000000000000000,0000000180124C05,?,?,?,?,000000018012C6C4), ref: 000000018012ACBC
SetLastError.KERNEL32(?,?,8000000000000000,0000000180124C05,?,?,?,?,000000018012C6C4), ref: 000000018012ACD7

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 82dcef6f6a0cd53a4586de6cfa2a6e90bb4c4849da3c8449c30497d264cdbb86
Instruction ID: d213d25cf1d276d5630f7abeba5ae812c027ebe3f7d0956fbb059bd98219fbf6
Opcode Fuzzy Hash: 82dcef6f6a0cd53a4586de6cfa2a6e90bb4c4849da3c8449c30497d264cdbb86
Instruction Fuzzy Hash: 66116D7020164C47FADBE7A1699D3EA63825B8CBF0F94C724A937477D6EE28C6194300

Function 0000000180005510 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180005548
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800055AB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000560E
Concurrency::cancel_current_task.LIBCPMT ref: 0000000180005614

Strings

string too long, xrefs: 00000001800055C4

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task
String ID: string too long
API String ID: 3936042273-2556327735
Opcode ID: a2f15db28bc96a0d3fe94e1749557d9fb73bed376aeb445b49e40e8c97343fc8
Instruction ID: f6307991c770a111e731ac363c3614bd6e4c1c5c81b05f7b3cc911774e9de69b
Opcode Fuzzy Hash: a2f15db28bc96a0d3fe94e1749557d9fb73bed376aeb445b49e40e8c97343fc8
Instruction Fuzzy Hash: 1721C6B1711A4881EE8AE725D4493ED32929B4CBF5F90CA11E66D077D1DE29C6998300

Function 0000000180022D30 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46synchronizationCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32 ref: 0000000180022D62
ResetEvent.KERNEL32 ref: 0000000180022D78
ReleaseMutex.KERNEL32 ref: 0000000180022D81
std::bad_exception::bad_exception.LIBCMT ref: 0000000180022DAF

Strings

cannot lock reader/writer lock, xrefs: 0000000180022D90

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: EventMultipleMutexObjectsReleaseResetWaitstd::bad_exception::bad_exception
String ID: cannot lock reader/writer lock
API String ID: 2739960895-3465051855
Opcode ID: 1af4f7dfb9ebc9c0bdea181eb432d002f952579437f4c92c9cbce27466e656b0
Instruction ID: 10f920412d7c47fb8d58a7fe2a1a522ce3c77fd6108f22b1ef94d16f7f12780f
Opcode Fuzzy Hash: 1af4f7dfb9ebc9c0bdea181eb432d002f952579437f4c92c9cbce27466e656b0
Instruction Fuzzy Hash: 64015272324E4D92EBA1DF14E8947D96361F798BA8F908111EA9D436A9DF68C74CC700

Function 0000000180022E50 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 0000000180022E64
SetEvent.KERNEL32 ref: 0000000180022E7A
SetEvent.KERNEL32 ref: 0000000180022E8A
std::bad_exception::bad_exception.LIBCMT ref: 0000000180022EC1

Strings

cannot unlock reader/writer lock, xrefs: 0000000180022EA2

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Event$ObjectSingleWaitstd::bad_exception::bad_exception
String ID: cannot unlock reader/writer lock
API String ID: 3180635873-371100150
Opcode ID: 8c42cc83d1dc5662322d6a4df776fd4029acb352a784f7d713df5e6f3d36fb27
Instruction ID: d7938ff99a365b3d87c448e0d198d97c5280b858174ccc0be31b4ddeb6fe8eec
Opcode Fuzzy Hash: 8c42cc83d1dc5662322d6a4df776fd4029acb352a784f7d713df5e6f3d36fb27
Instruction Fuzzy Hash: 53017172210A0D92EB92DF34D8943D92361F798BA8F508221A69D471B6DF38CB4DC740

Function 0000000180001D20 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 0000000180001D2D
GetProcAddress.KERNEL32 ref: 0000000180001D40

Strings

FindFirstStreamW, xrefs: 0000000180001D36
kernel32.dll, xrefs: 0000000180001D26
FindNextStreamW, xrefs: 0000000180001D46

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: FindFirstStreamW$FindNextStreamW$kernel32.dll
API String ID: 1646373207-4044117955
Opcode ID: 89e552c4e88594f4528d331deacfdfd5774308e9a2a5faa3174df9f7c776611f
Instruction ID: 82d929f7dce70f2d4cc30c438cf3b185241df2672d86fdfca1400b9e468a4217
Opcode Fuzzy Hash: 89e552c4e88594f4528d331deacfdfd5774308e9a2a5faa3174df9f7c776611f
Instruction Fuzzy Hash: A8D0E274610E09D0EB868B11E8983D86322AB1DBA0F858021891906231AE78C78EC300

Function 0000000180130DAC Relevance: 7.7, APIs: 5, Instructions: 196COMMON

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 0000000180130DEB
_set_statfp.LIBCMT ref: 0000000180130E09
_set_statfp.LIBCMT ref: 0000000180130E32
_set_statfp.LIBCMT ref: 000000018013106E

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 4c0fcecc25532a6bca2445fc70d44c848c979418bf5aad8969812cd20ace7fdb
Instruction ID: bf21a2e4e3eed7cd890d8279d15e8f828ffcafd917cef997570f9cfaa1a5c951
Opcode Fuzzy Hash: 4c0fcecc25532a6bca2445fc70d44c848c979418bf5aad8969812cd20ace7fdb
Instruction Fuzzy Hash: 7481F732204A8C89F6F78B74A4583EAA790AB5D7B4F06C711FE56265A4DF3CC7898700

Function 000000018013319C Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00000001801331C4
_set_statfp.LIBCMT ref: 00000001801331DF
_set_statfp.LIBCMT ref: 00000001801331FB
_set_statfp.LIBCMT ref: 0000000180133237

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 875aa39bdbfff885f1eaa1d50411e9c2b76fb06a4bc3d51bafdc59c774b2410f
Instruction ID: 12bd030bb14459057d4e795199f88650652e390fad2f0e14d604fef560c65bce
Opcode Fuzzy Hash: 875aa39bdbfff885f1eaa1d50411e9c2b76fb06a4bc3d51bafdc59c774b2410f
Instruction Fuzzy Hash: 6B11A932A14A0D09F7E61168F84F3E653426B5C370F1BC63CEA764A2DA8F1CCB494318

Function 000000018012ACF0 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,0000000180115D4F,?,?,00000000,0000000180115FEA,?,?,?,?,8000000000000000,0000000180115F76), ref: 000000018012AD0F
FlsSetValue.KERNEL32(?,?,?,0000000180115D4F,?,?,00000000,0000000180115FEA,?,?,?,?,8000000000000000,0000000180115F76), ref: 000000018012AD2E
FlsSetValue.KERNEL32(?,?,?,0000000180115D4F,?,?,00000000,0000000180115FEA,?,?,?,?,8000000000000000,0000000180115F76), ref: 000000018012AD56
FlsSetValue.KERNEL32(?,?,?,0000000180115D4F,?,?,00000000,0000000180115FEA,?,?,?,?,8000000000000000,0000000180115F76), ref: 000000018012AD67
FlsSetValue.KERNEL32(?,?,?,0000000180115D4F,?,?,00000000,0000000180115FEA,?,?,?,?,8000000000000000,0000000180115F76), ref: 000000018012AD78

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 4393a27b5c4b3db8017f8f650ba8dda9aa2dc6ef0d4ad1d395ec6791fb07ea56
Instruction ID: 5395f719372555535939784c7be95c2335b10427f043919dc8125f3aba7b9476
Opcode Fuzzy Hash: 4393a27b5c4b3db8017f8f650ba8dda9aa2dc6ef0d4ad1d395ec6791fb07ea56
Instruction Fuzzy Hash: D41166B070060C42FADBD7A5699D3E963825B4C7F1F84C724A93A46BD6ED28D6094300

Function 0000000180010A10 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 340COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180010F4F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180010F55

Strings

NULL, xrefs: 0000000180010C28
UNKNOWN, xrefs: 0000000180010BF3

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: NULL$UNKNOWN
API String ID: 3668304517-1702702805
Opcode ID: 5a53d26a1a5bbb904569064fe1efa1fe02fcc7a8f52a4aaa2ae3858da6874c8a
Instruction ID: 72e003983931457cbed81e393341778105e41611213a4bd58213932db65429f8
Opcode Fuzzy Hash: 5a53d26a1a5bbb904569064fe1efa1fe02fcc7a8f52a4aaa2ae3858da6874c8a
Instruction Fuzzy Hash: 52E1DBB2700A4886EB45DF65D4843DE73A2F389BD8F408112EE5C47BA9DF78C699C780

Function 00000001800106E0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 216timeCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800108C0
GetLocalTime.KERNEL32 ref: 000000018001091F
GetTickCount.KERNEL32 ref: 000000018001098F

Strings

NULL, xrefs: 0000000180010710

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: CountLocalTickTime_invalid_parameter_noinfo_noreturn
String ID: NULL
API String ID: 2617042107-324932091
Opcode ID: a28921490d57aeb845739df719c729e3a787046ccc08f6e18cbdcb93d3b3afc5
Instruction ID: 0302fca370165518a614849ae6957893dbb9724cfd82eb150d4bd385d77409e6
Opcode Fuzzy Hash: a28921490d57aeb845739df719c729e3a787046ccc08f6e18cbdcb93d3b3afc5
Instruction Fuzzy Hash: DF819272618B8885D751DF66A4443AAB7A1F7C9BE0F508215FED843B99DF7CC189CB00

Function 0000000180013440 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800136D3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800136DF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800136E5

Strings

\\?\, xrefs: 0000000180013682

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: \\?\
API String ID: 3668304517-4282027825
Opcode ID: 7474011f91476d4f1f395424f9e6538de8aded65c8bbec649ce6fef0c6d9fbb7
Instruction ID: e3da2e98e83031a46e163e82dd4a2df939d91234efc63fa8098c881fd51fdd5e
Opcode Fuzzy Hash: 7474011f91476d4f1f395424f9e6538de8aded65c8bbec649ce6fef0c6d9fbb7
Instruction Fuzzy Hash: 5571B172F10B8895FB42DBB4D4053EC2362A7997E8F40D712AE5C26ADADE74D299C340

Function 0000000180007E40 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 159libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 0000000180007EBC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000817D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180008183
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180008189
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000818F

Strings

Could not load '%s' function ptr from DLL, %s, xrefs: 0000000180007FF0
D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\DynamicLibrary.cpp, xrefs: 000000018000800F
mb::common::system::DynamicLibrary::GetFunctionAddress, xrefs: 0000000180008016

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$AddressProc
String ID: Could not load '%s' function ptr from DLL, %s$D:\Jenkins\workspace\N_MBCommon-vs2022\src\mbcommon\DynamicLibrary.cpp$mb::common::system::DynamicLibrary::GetFunctionAddress
API String ID: 1230731272-4139386056
Opcode ID: b34e889fd022bbeee9e1fa76f47b9e9ad2bafbb3a5cc8b6230be30ab7d054667
Instruction ID: 8f446e428537b61bb469f5dc6ffa7d697688d599811667f0c1dc1d600c907061
Opcode Fuzzy Hash: b34e889fd022bbeee9e1fa76f47b9e9ad2bafbb3a5cc8b6230be30ab7d054667
Instruction Fuzzy Hash: EF617C72B11B8495EB91CB69D4543ED33A1FB487E8F40D611EEAC17AA9DF39C689C300

Function 000000018000F960 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 153COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000F9CA
_Getctype.LIBCPMT ref: 000000018000FA2A
std::_Lockit::~_Lockit.LIBCPMT ref: 000000018000FAE2

Strings

bad locale name, xrefs: 000000018000FB05

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Lockitstd::_$GetctypeLockit::_Lockit::~_
String ID: bad locale name
API String ID: 4031452535-1405518554
Opcode ID: 478bf454d2c5dc8698a69319a5ae243412ac62571b83a77d00aeeb4afc9df37b
Instruction ID: e46e7240f11e8861bd97b3fc796cf63e4a9d5239baa8a6bc634fefc30cdde4d8
Opcode Fuzzy Hash: 478bf454d2c5dc8698a69319a5ae243412ac62571b83a77d00aeeb4afc9df37b
Instruction Fuzzy Hash: A751AD32705B888AFB92DB70D4903ED33B0FB48798F448125EE8927A56DF34C25AD740

Function 0000000180005370 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800053C8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800054BA
Concurrency::cancel_current_task.LIBCPMT ref: 00000001800054C0

Strings

D:\Jenkins\workspace\N_Poco-VS2022\poco-1.12.4\Foundation\src\UUID.cpp, xrefs: 00000001800053D3

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task
String ID: D:\Jenkins\workspace\N_Poco-VS2022\poco-1.12.4\Foundation\src\UUID.cpp
API String ID: 3936042273-2945662684
Opcode ID: 5e185dececa9ffba5f991f3b2136fd39395a2c4a35c5d19d9c8cad2849e43297
Instruction ID: 184b889ee7b8437c24e17c986fc0991f08bc74d679e07afdf23ead7db32f2553
Opcode Fuzzy Hash: 5e185dececa9ffba5f991f3b2136fd39395a2c4a35c5d19d9c8cad2849e43297
Instruction Fuzzy Hash: 6B41F77270174C85FA56DB25A4043ED3291970DBEAF648720EEAD077D2EF79C6D98340

Function 0000000180022CB0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 0000000180022CC4
ResetEvent.KERNEL32 ref: 0000000180022CDB
std::bad_exception::bad_exception.LIBCMT ref: 0000000180022D12

Strings

cannot lock reader/writer lock, xrefs: 0000000180022CF3

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: EventObjectResetSingleWaitstd::bad_exception::bad_exception
String ID: cannot lock reader/writer lock
API String ID: 2155282129-3465051855
Opcode ID: 04afe7aeb50be484474440e41a6ba2e6a53ef334bd5f62e7df4d7ad6249427b5
Instruction ID: 957882a243363fd6d7becb3249b184c5a90b221fcb011ca086b4eca50b7a50e4
Opcode Fuzzy Hash: 04afe7aeb50be484474440e41a6ba2e6a53ef334bd5f62e7df4d7ad6249427b5
Instruction Fuzzy Hash: F001447221094DD1EB92DF24E8947D96372F798B98F508111EA5D475B6DE2CCB4DC700

Function 0000000180022DD0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 0000000180022DE4
SetEvent.KERNEL32 ref: 0000000180022DFD
std::bad_exception::bad_exception.LIBCMT ref: 0000000180022E34

Strings

cannot lock reader/writer lock, xrefs: 0000000180022E15

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: EventObjectSingleWaitstd::bad_exception::bad_exception
String ID: cannot lock reader/writer lock
API String ID: 2550396280-3465051855
Opcode ID: 8668b01ef895fa9c907ac601cdbf758bfc3ef4e0a08812f0761a6ab266ec204c
Instruction ID: 81ac2efecde3d820960b4444860f485e3e67599f3676025276b3880028ebf80e
Opcode Fuzzy Hash: 8668b01ef895fa9c907ac601cdbf758bfc3ef4e0a08812f0761a6ab266ec204c
Instruction Fuzzy Hash: BE01867221494D92EFA2DF34E8543D92361F79CBA8F508211AA5D461E5DF78CB4DC700

Function 0000000180004EF0 Relevance: 6.3, APIs: 4, Instructions: 293COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180004F73
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180004FBB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180005031
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800052DB

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: b2c45699f4e96eed30ae793f53bffa8189e6b1516e1df3511c241bc08676e161
Instruction ID: d3ca66fb5dc8ef5d60f2ba4e6a04f48cd7171f11350cc8f66b5cc806ebf3fdaf
Opcode Fuzzy Hash: b2c45699f4e96eed30ae793f53bffa8189e6b1516e1df3511c241bc08676e161
Instruction Fuzzy Hash: B7B181B2311A8881EF85CF25D4983ED3366F749FD8F548122EA9D0BB99DF79C5998300

Function 000000018000592A Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 223COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180005A3F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180005C8F

Strings

ActionsShim, xrefs: 0000000180005AC7

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: ActionsShim
API String ID: 3668304517-3444104735
Opcode ID: 15ef7686102915452db76d5188d50b71f09ce339104a48d757c6c0837b23a0f3
Instruction ID: 3e157ecc3d4080ae9d86b064c881996505c3036df48e40823568e20f45b0052f
Opcode Fuzzy Hash: 15ef7686102915452db76d5188d50b71f09ce339104a48d757c6c0837b23a0f3
Instruction Fuzzy Hash: DE916B32210B8482EB85DF25E48439D73A5F789B94F54C125EB9D07BA9DF38C599D340

Function 0000000180005830 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 136COMMON

Download Yara Rule

Strings

ActionsShim, xrefs: 0000000180005AC7
cannot create reader/writer lock, xrefs: 0000000180005832

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID:
String ID: ActionsShim$cannot create reader/writer lock
API String ID: 0-3821395182
Opcode ID: 90af42576f8b9e88bc76497404a4c90f79e3ff7b36981b2cb9481b3ad311e525
Instruction ID: 5362194995dedf51be220ecf943bbbeff3c2103531289cc3d0a6ebdf7eb1c8fc
Opcode Fuzzy Hash: 90af42576f8b9e88bc76497404a4c90f79e3ff7b36981b2cb9481b3ad311e525
Instruction Fuzzy Hash: 23414B32210B8881E795DB26E48439E7365F789BD4F54C125EE9D07BA5DF39CA99C300

Function 000000018000EED0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000EF3A
std::_Lockit::~_Lockit.LIBCPMT ref: 000000018000F012

Strings

bad locale name, xrefs: 000000018000F035

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID: bad locale name
API String ID: 593203224-1405518554
Opcode ID: 0a75c369d1590a7b9cdad47024db5ca3613b4c240e337ec2adf62f0efd43d4b2
Instruction ID: 3bfe555c786686dd313cd11618e8808d576bb14b31471c45e6f1dc0ab111c233
Opcode Fuzzy Hash: 0a75c369d1590a7b9cdad47024db5ca3613b4c240e337ec2adf62f0efd43d4b2
Instruction Fuzzy Hash: 8F413D32702B88C9FB96DFB0D4947ED33A4EB48758F448425EE4927A5ACF34C62AD344

Function 0000000180023E30 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180023EC5

Strings

uuid, xrefs: 0000000180023ED8
D:\Jenkins\workspace\N_Poco-VS2022\poco-1.12.4\Foundation\src\UUID.cpp, xrefs: 0000000180023ED1

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: D:\Jenkins\workspace\N_Poco-VS2022\poco-1.12.4\Foundation\src\UUID.cpp$uuid
API String ID: 3668304517-2288208422
Opcode ID: 25911d32c636301b8ceb874fa757822df2c01a8879f203403be8eb1c072caf74
Instruction ID: 3d5646af06f48f4ead0dfc35d341a1075a49795fa3766d4bc0825e9f98b57a39
Opcode Fuzzy Hash: 25911d32c636301b8ceb874fa757822df2c01a8879f203403be8eb1c072caf74
Instruction Fuzzy Hash: 8111E5B1A10A8C41EE93D72594463ED5322BB9D7F4F51E311F9BD026E69F68C38D8300

Function 00000001800083F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 55COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180008461

Strings

ios_base::failbit set, xrefs: 0000000180008410
vector too long, xrefs: 00000001800083F4

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: ios_base::failbit set$vector too long
API String ID: 3668304517-3964744372
Opcode ID: 81fac164eb8069a64abdcd1d1755faf9489d3efc6c2a7fce3fddaad9cab7cb75
Instruction ID: 5d250b1aaa5fc9c5f3c4f56a8d0ffd0adc0d6c55e903586678183011968d96e5
Opcode Fuzzy Hash: 81fac164eb8069a64abdcd1d1755faf9489d3efc6c2a7fce3fddaad9cab7cb75
Instruction Fuzzy Hash: FFF0B471312A4885EF8ADF75D4583ED3291AB0CF94F548421EA8C46645DF28C6A88300

Function 0000000180108FA8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,7FFFFFFFFFFFFFFF,00000001801052A2), ref: 0000000180108FF8
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,7FFFFFFFFFFFFFFF,00000001801052A2), ref: 0000000180109039

Strings

csm, xrefs: 0000000180109026

Memory Dump Source

Source File: 00000005.00000002.3566694341.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.3566630542.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180145000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3566880652.0000000180154000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567044026.00000001801FF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567069829.0000000180200000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567110173.0000000180201000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567151440.0000000180202000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567190203.0000000180203000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567220153.0000000180207000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000005.00000002.3567261790.0000000180209000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 8ec78f723e8811bbb8f7cc3519f6b9e5d1aa5e1655d1be73bc864709e2988a38
Instruction ID: f49007e085962bb718d790a48bb9d5fc839186ba87080fc6a7ab3081cfab14e1
Opcode Fuzzy Hash: 8ec78f723e8811bbb8f7cc3519f6b9e5d1aa5e1655d1be73bc864709e2988a38
Instruction Fuzzy Hash: A311FB32215B8482EBA2CB25E44439977E5FB8CBA4F598225EACD07769DF38C655CB00

Analysis Process: rundll32.exePID: 7576, Parent PID: 7328COMMON

Executed Functions

Function 00000251C56CC24A Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

, xrefs: 00000251C56CC4B4

Memory Dump Source

Source File: 00000008.00000003.1815330223.00000251C5690000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000251C5690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_3_251c5690000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: e1b5f217ab961a454b36722efd1ce63e8d0791c74eab14a614d4f9e3fc2a9a33
Instruction ID: 13c3180c763b1284b0e3b388b0d4893b9b949bbd0f4c76241e1b29e0b271a505
Opcode Fuzzy Hash: e1b5f217ab961a454b36722efd1ce63e8d0791c74eab14a614d4f9e3fc2a9a33
Instruction Fuzzy Hash: 88B1953161CE088FEB54EF1CD889BAAB7E1FB98311F41466EE459C7251DB34E845CB82

Function 00000251C56CCE0A Relevance: 1.6, APIs: 1, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL ref: 00000251C56CCE47

Memory Dump Source

Source File: 00000008.00000003.1815330223.00000251C5690000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000251C5690000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_3_251c5690000_rundll32.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: dda5bd23e4ac47bd42f6dd929fb15fd9a0e68714a6453c9134859c40f5c4eed3
Instruction ID: 79dee09011304809d3e763a52382fb4d6bf9b74cd0b0d3c14a430d117e8b08f5
Opcode Fuzzy Hash: dda5bd23e4ac47bd42f6dd929fb15fd9a0e68714a6453c9134859c40f5c4eed3
Instruction Fuzzy Hash: DF017D30A89D3A0BF7D8A76D6CC8B6276C1F7AA306F554056D80AC7246C836DCD1C381

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Modification, Command: Command Execution, File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 10kmr9d7.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Cryptography

Compliance

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
10kmr9d7.dll