Edit tour

Windows Analysis Report
PhysXCooking64.dll.dll

Overview

General Information

Sample name:	PhysXCooking64.dll.dll renamed because original name is a hash value
Original sample name:	PhysXCooking64.dll.exe
Analysis ID:	1547885
MD5:	877c8b214d984656143d7576f832d935
SHA1:	26bedae9e05afbff75ede2efc7777a376e362b6a
SHA256:	28f5e949ecad3606c430cea5a34d0f3e7218f239bcfa758a834dceb649e78abc
Tags:	exeLUNARSPIDERuser-JAMESWT_MHT
Infos:

Detection

Bazar Loader

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected Bazar Loader

Contains functionality to inject threads in other processes

Modifies the context of a thread in another process (thread injection)

Sets debug register (to hijack the execution of another thread)

Uses known network protocols on non-standard ports

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found large amount of non-executed APIs

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains an invalid checksum

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Classification

Process Tree

System is w10x64

loaddll64.exe (PID: 7252 cmdline: loaddll64.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)

conhost.exe (PID: 7260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7304 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

rundll32.exe (PID: 7328 cmdline: rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7312 cmdline: rundll32.exe C:\Users\user\Desktop\PhysXCooking64.dll.dll,NxCloseCooking MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7388 cmdline: rundll32.exe C:\Users\user\Desktop\PhysXCooking64.dll.dll,NxCookClothMesh MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7424 cmdline: rundll32.exe C:\Users\user\Desktop\PhysXCooking64.dll.dll,NxCookConvexMesh MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7452 cmdline: rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",NxCloseCooking MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7460 cmdline: rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",NxCookClothMesh MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7476 cmdline: rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",NxCookConvexMesh MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7492 cmdline: rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",DetDeepDVCState MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7500 cmdline: rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",DetDeepDVCState MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7520 cmdline: rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",NxReportCooking MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7540 cmdline: rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",NxReleasePMap MD5: EF3179D498793BF4234F708D3BE28633)

WerFault.exe (PID: 7784 cmdline: C:\Windows\system32\WerFault.exe -u -p 7540 -s 332 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

rundll32.exe (PID: 7548 cmdline: rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",DetDeepDVCState MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7556 cmdline: rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",NxInitCooking MD5: EF3179D498793BF4234F708D3BE28633)

WerFault.exe (PID: 7776 cmdline: C:\Windows\system32\WerFault.exe -u -p 7556 -s 332 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

rundll32.exe (PID: 7564 cmdline: rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",GetDeepDVCState MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7576 cmdline: rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",DetDeepDVCState MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7584 cmdline: rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",NxCreatePMap MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7604 cmdline: rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",NxCookTriangleMesh MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7620 cmdline: rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",NxCookSoftBodyMesh MD5: EF3179D498793BF4234F708D3BE28633)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000010.00000002.3522388941.000002C0CF990000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Bazar_2	Yara detected Bazar Loader	Joe Security
00000010.00000002.3522296850.000002C0CE150000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Bazar_2	Yara detected Bazar Loader	Joe Security
00000010.00000003.1767044867.000002C0CFC17000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: rundll32.exe PID: 7564	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security

Unpacked PEs

Source	Rule	Description	Author
16.2.rundll32.exe.2c0ce150000.3.raw.unpack	JoeSecurity_Bazar_2	Yara detected Bazar Loader	Joe Security
16.2.rundll32.exe.2c0cf990000.5.raw.unpack	JoeSecurity_Bazar_2	Yara detected Bazar Loader	Joe Security
16.2.rundll32.exe.2c0cf990000.5.unpack	JoeSecurity_Bazar_2	Yara detected Bazar Loader	Joe Security

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-03T10:13:59.598872+0100	2022930	1	A Network Trojan was detected	4.175.87.197	443	192.168.2.4	49792	TCP

Code function: 13_2_0000000180046A88 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

13_2_0000000180046A88

Source: PhysXCooking64.dll.dll

Static PE information: real checksum: 0x6c167 should be: 0xb2c0a

Source: PhysXCooking64.dll.dll

Static PE information: section name: text

Source: C:\Windows\System32\rundll32.exe

Code function: 16_3_000002C0CF9E00D8 push cs; retf

16_3_000002C0CF9E00FD

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49878
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 49905
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 50016
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 50027
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 50033
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 50055
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 50057
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 50063
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 50064
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 50069
Source: unknown	Network traffic detected: HTTP traffic on port 8041 -> 50070

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\rundll32.exe	API coverage: 0.7 %
Source: C:\Windows\System32\rundll32.exe	API coverage: 0.7 %

Source: C:\Windows\System32\loaddll64.exe TID: 7256	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 7568	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 7568	Thread sleep time: -60000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll64.exe	Thread delayed: delay time: 120000	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread delayed: delay time: 60000	Jump to behavior

Source: Amcache.hve.24.dr	Binary or memory string: VMware
Source: Amcache.hve.24.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.24.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.24.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.24.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.24.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.24.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.24.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: rundll32.exe, 00000010.00000002.3522214794.000002C0CDEC8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.3522485761.000002C0CFB3C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.24.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.24.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.24.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.24.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.24.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.24.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.24.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.24.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.24.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: rundll32.exe, 00000010.00000003.1767044867.000002C0CFC17000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DisableGuestVmNetworkConnectivity
Source: Amcache.hve.24.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.24.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.24.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.24.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.24.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.24.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.24.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.24.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.24.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.24.dr	Binary or memory string: VMware Virtual RAM
Source: rundll32.exe, 00000010.00000003.1767044867.000002C0CFC17000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EnableGuestVmNetworkConnectivity
Source: Amcache.hve.24.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.24.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\System32\rundll32.exe

API call chain: ExitProcess graph end node

graph_16-2470

Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Code function: 13_2_000000018003E5C0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

13_2_000000018003E5C0

Source: C:\Windows\System32\rundll32.exe

13_2_0000000180046A88

Source: C:\Windows\System32\rundll32.exe

Code function: 13_2_000000018004CB30 GetProcessHeap,HeapAlloc,_errno,_errno,__doserrno,_errno,GetProcessHeap,HeapFree,SetEndOfFile,_errno,__doserrno,GetLastError,

13_2_000000018004CB30

Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_000000018003E5C0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	13_2_000000018003E5C0
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_0000000180042698 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	13_2_0000000180042698
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000000018003E5C0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	15_2_000000018003E5C0
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_0000000180042698 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_0000000180042698

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\rundll32.exe	Network Connect: 82.115.223.39 8041			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Network Connect: 80.78.24.30 8041			Jump to behavior

Contains functionality to inject threads in other processes

Source: C:\Windows\System32\rundll32.exe

Code function: 16_2_0000000273F41380 Sleep,SleepEx,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,

16_2_0000000273F41380

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: 7328			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: 7328			Jump to behavior

Sets debug register (to hijack the execution of another thread)

Source: C:\Windows\System32\rundll32.exe

Thread register set: 7328 1

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",#1

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Code function: 13_2_000000018004634C GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

13_2_000000018004634C

Source: C:\Windows\System32\rundll32.exe

Code function: 13_2_0000000180040824 HeapCreate,GetVersion,HeapSetInformation,

13_2_0000000180040824

Source: Amcache.hve.24.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.24.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.24.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.24.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Bazar Loader

Source: Yara match	File source: 16.2.rundll32.exe.2c0ce150000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.2c0cf990000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.2c0cf990000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.3522388941.000002C0CF990000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3522296850.000002C0CE150000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Bazar Loader

Source: Yara match	File source: 16.2.rundll32.exe.2c0ce150000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.2c0cf990000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.2c0cf990000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.3522388941.000002C0CF990000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3522296850.000002C0CE150000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	411 Process Injection	21 Virtualization/Sandbox Evasion	21 Input Capture	1 System Time Discovery	Remote Services	21 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	411 Process Injection	LSASS Memory	41 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	11 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Rundll32	NTDS	3 System Information Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
PhysXCooking64.dll.dll	66%	ReversingLabs	Win64.Trojan.Maloder
PhysXCooking64.dll.dll	100%	Avira	TR/AVI.Agent.knniq

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
greshunka.com	82.115.223.39	true	true	unknown
tiguanin.com	80.78.24.30	true	true	unknown
bazarunet.com	80.78.24.30	true	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://greshunka.com:8041/admin.php=	rundll32.exe, 00000010.00000002.3522485761.000002C0CFB11000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://tiguanin.com:8041/admin.php	rundll32.exe, 00000010.00000003.2171584349.000002C0CFB49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2171985521.000002C0CFB49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2160623774.000002C0CFB49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2183097480.000002C0CFB49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2194230464.000002C0CFB49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.3522485761.000002C0CFB3C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://tiguanin.com:8041/admin.phpB	rundll32.exe, 00000010.00000002.3522485761.000002C0CFB3C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://bazarunet.com/	rundll32.exe, 00000010.00000002.3522485761.000002C0CFB11000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://greshunka.com:8041/bazar.phpm	rundll32.exe, 00000010.00000002.3522485761.000002C0CFB11000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://tiguanin.com:8041/	rundll32.exe, 00000010.00000002.3522485761.000002C0CFB11000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://tiguanin.com/	rundll32.exe, 00000010.00000002.3522485761.000002C0CFB11000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://bazarunet.com:8041/IV)	rundll32.exe, 00000010.00000002.3522485761.000002C0CFB11000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://greshunka.com:8041/5V	rundll32.exe, 00000010.00000002.3522485761.000002C0CFB11000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://greshunka.com:8041/bazar.phppf	rundll32.exe, 00000010.00000002.3522485761.000002C0CFB11000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://upx.sf.net	Amcache.hve.24.dr	false	URL Reputation: safe	unknown
https://bazarunet.com:8041/bazar.phpf	rundll32.exe, 00000010.00000002.3522214794.000002C0CDEC8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://tiguanin.com:8041/bazar.php	rundll32.exe, 00000010.00000003.2390010044.000002C0CFB49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2400649688.000002C0CFB49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2515549993.000002C0CFB49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2431560715.000002C0CFB49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2492513786.000002C0CFB49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2504826097.000002C0CFB49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.3522485761.000002C0CFB11000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2545831482.000002C0CFB49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.3522485761.000002C0CFB3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2420826608.000002C0CFB49000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://greshunka.com:8041/%	rundll32.exe, 00000010.00000002.3522485761.000002C0CFB11000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://greshunka.com:8041/bazar.php	rundll32.exe, 00000010.00000002.3522485761.000002C0CFB11000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2128158286.000002C0CFB48000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://tiguanin.com:8041/bazar.phpp	rundll32.exe, 00000010.00000002.3522485761.000002C0CFB3C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://bazarunet.com:8041/bazar.php	rundll32.exe, 00000010.00000002.3522214794.000002C0CDEC8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.3522485761.000002C0CFB11000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.3522485761.000002C0CFB3C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://bazarunet.com:8041/-	rundll32.exe, 00000010.00000002.3522485761.000002C0CFB11000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://bazarunet.com:8041/dmin.php	rundll32.exe, 00000010.00000002.3522485761.000002C0CFB11000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://greshunka.com:8041/U	rundll32.exe, 00000010.00000002.3522485761.000002C0CFB11000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://tiguanin.com:8041/admin.php.	rundll32.exe, 00000010.00000003.2183097480.000002C0CFB49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2194230464.000002C0CFB49000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://greshunka.com:8041/admin.php	rundll32.exe, 00000010.00000002.3522485761.000002C0CFB11000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://bazarunet.com:8041/)V	rundll32.exe, 00000010.00000002.3522485761.000002C0CFB11000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://bazarunet.com:8041/EV%	rundll32.exe, 00000010.00000002.3522485761.000002C0CFB11000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://greshunka.com:8041/	rundll32.exe, 00000010.00000002.3522485761.000002C0CFB11000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://bazarunet.com:8041/	rundll32.exe, 00000010.00000002.3522485761.000002C0CFB11000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://greshunka.com/	rundll32.exe, 00000010.00000002.3522485761.000002C0CFB11000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://bazarunet.com:8041/e	rundll32.exe, 00000010.00000002.3522485761.000002C0CFB11000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://bazarunet.com:8041/admin.php	rundll32.exe, 00000010.00000003.2835381414.000002C0CFB49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2557004600.000002C0CFB49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2802742724.000002C0CFB49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.3083473122.000002C0CFB49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.3060518341.000002C0CFB49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2664944924.000002C0CFB49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2791767449.000002C0CFB49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.3093867812.000002C0CFB49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2741313698.000002C0CFB49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2567784185.000002C0CFB49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.3028538370.000002C0CFB49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.3522485761.000002C0CFB11000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2588014378.000002C0CFB49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.3522485761.000002C0CFB49000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://bazarunet.com/=V	rundll32.exe, 00000010.00000002.3522485761.000002C0CFB11000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://greshunka.com:8041/MV-	rundll32.exe, 00000010.00000002.3522485761.000002C0CFB11000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
82.115.223.39	greshunka.com	Russian Federation		209821	MIDNET-ASTK-TelecomRU	true
80.78.24.30	tiguanin.com	Cyprus		37560	CYBERDYNELR	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1547885
Start date and time:	2024-11-03 10:12:00 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PhysXCooking64.dll.dll renamed because original name is a hash value
Original Sample Name:	PhysXCooking64.dll.exe
Detection:	MAL
Classification:	mal88.troj.evad.winDLL@42/9@3/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 16 Number of non-executed functions: 136
Cookbook Comments:	Found application associated with file extension: .dll Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.20, 52.182.143.212
Excluded domains from analysis (whitelisted): ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: PhysXCooking64.dll.dll

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
82.115.223.39	FW3x3p4eZ5.msi	Get hash	malicious	Bazar Loader, BruteRatel	Browse
	Document-20-18-07.js	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse
	das.msi	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse
	vierm_soft_x64.dll.dll	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse
	Document-18-33-08.js	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse
	Document-19-51-48.js	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse
	vierm_soft_x64.dll.dll	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse
	dsa.msi	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse
	Document-19-27-03.js	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse
80.78.24.30	e664858e8b8ff1ac08f6dd812a68d65d05a704262fa13862538c3c45.vbs	Get hash	malicious	Unknown	Browse	fredlomberhfile.com:2351/lpfdokkq
	s5YgOFFmFK.exe	Get hash	malicious	IcedID	Browse	smockalifatori.com/
	CiMXn78mMb.exe	Get hash	malicious	IcedID	Browse	skayfingertawr.com/
	Scan_06-28_INV__70.exe	Get hash	malicious	IcedID	Browse	hloyagorepa.com/
	Scan_06-28_INV__70.exe	Get hash	malicious	IcedID	Browse	hloyagorepa.com/
	Scan_06-28_INV__10.exe	Get hash	malicious	IcedID	Browse	hloyagorepa.com/
	Scan_06-28_INV__10.exe	Get hash	malicious	IcedID	Browse	hloyagorepa.com/
	05387199.exe	Get hash	malicious	IcedID	Browse	shoterqana.com/
	08778399.exe	Get hash	malicious	IcedID	Browse	shoterqana.com/
	Contract_March_23_INV#305.exe	Get hash	malicious	IcedID	Browse	aoureskindzet.com/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bazarunet.com	FW3x3p4eZ5.msi	Get hash	malicious	Bazar Loader, BruteRatel	Browse	80.78.24.30
	Document-20-18-07.js	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	80.78.24.30
	das.msi	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	80.78.24.30
	vierm_soft_x64.dll.dll	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	80.78.24.30
	Document-18-33-08.js	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	80.78.24.30
	Document-19-51-48.js	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	185.106.92.54
	vierm_soft_x64.dll.dll	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	185.106.92.54
	dsa.msi	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	185.106.92.54
	Document-19-27-03.js	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	185.106.92.54
tiguanin.com	FW3x3p4eZ5.msi	Get hash	malicious	Bazar Loader, BruteRatel	Browse	80.78.24.30
	Document-20-18-07.js	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	80.78.24.30
	das.msi	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	80.78.24.30
	vierm_soft_x64.dll.dll	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	80.78.24.30
	Document-18-33-08.js	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	80.78.24.30
	Document-19-51-48.js	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	82.115.223.40
	vierm_soft_x64.dll.dll	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	82.115.223.40
	dsa.msi	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	82.115.223.40
	Document-19-27-03.js	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	82.115.223.40
greshunka.com	FW3x3p4eZ5.msi	Get hash	malicious	Bazar Loader, BruteRatel	Browse	82.115.223.39
	Document-20-18-07.js	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	82.115.223.39
	das.msi	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	82.115.223.39
	vierm_soft_x64.dll.dll	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	82.115.223.39
	Document-18-33-08.js	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	82.115.223.39
	Document-19-51-48.js	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	82.115.223.39
	vierm_soft_x64.dll.dll	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	82.115.223.39
	dsa.msi	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	82.115.223.39
	Document-19-27-03.js	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	82.115.223.39

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MIDNET-ASTK-TelecomRU	FW3x3p4eZ5.msi	Get hash	malicious	Bazar Loader, BruteRatel	Browse	82.115.223.39
	Document-19-36-27.js	Get hash	malicious	Unknown	Browse	82.115.223.150
	meliwe_gown_x64.dll.dll	Get hash	malicious	Unknown	Browse	82.115.223.150
	Document-19-36-27.js	Get hash	malicious	Unknown	Browse	82.115.223.150
	Document-19-29-20.js	Get hash	malicious	Unknown	Browse	82.115.223.150
	meliwe_gown_x64.dll.dll	Get hash	malicious	Unknown	Browse	82.115.223.150
	BEST.msi	Get hash	malicious	Unknown	Browse	82.115.223.150
	Document-20-18-07.js	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	82.115.223.39
	das.msi	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	82.115.223.39
CYBERDYNELR	FW3x3p4eZ5.msi	Get hash	malicious	Bazar Loader, BruteRatel	Browse	80.78.24.30
	na.elf	Get hash	malicious	Gafgyt, Mirai	Browse	185.193.127.129
	na.elf	Get hash	malicious	Gafgyt, Mirai	Browse	185.193.127.129
	na.elf	Get hash	malicious	Gafgyt, Mirai	Browse	185.193.127.129
	na.elf	Get hash	malicious	Gafgyt, Mirai	Browse	185.193.127.129
	na.elf	Get hash	malicious	Gafgyt, Mirai	Browse	185.193.127.129
	na.elf	Get hash	malicious	Gafgyt, Mirai	Browse	185.193.127.129
	na.elf	Get hash	malicious	Gafgyt, Mirai	Browse	185.193.127.129
	na.elf	Get hash	malicious	Gafgyt, Mirai	Browse	185.193.127.129

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_Phy_7ca7a2b16edcec4f9d89ef5e5b35598cfaa1d9f8_b8a7de85_6b37bfd3-0a7a-485b-b7f0-9c8ae12cdd88\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7785215270383897
Encrypted:	false
SSDEEP:	192:2yFiey67xWSy0hXxiPEj5eCzuiFXZ24lO8f2jY:Pijmx9hXxiPEjVzuiFXY4lO8K
MD5:	639ADCD1C83EEAB4ED3A422979C8B8DA
SHA1:	21F62EB232E4407F88920D63E340F5D431CE6C0A
SHA-256:	CCD3EF02B387E94BE42723F97C930B83896E57E9B5C4E68C492EF1065B8E5245
SHA-512:	30F665511C1EEB03CBDCC5C1FC8D976E5984605B470C1AC5932D8659036224B002F03338939DD7D5C145FF196F2CFAA451AF9567667DD4005F65F32691FA37E1
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.5.0.9.8.7.8.0.7.3.1.5.0.8.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.5.0.9.8.7.8.1.9.5.0.2.5.8.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.b.3.7.b.f.d.3.-.0.a.7.a.-.4.8.5.b.-.b.7.f.0.-.9.c.8.a.e.1.2.c.d.d.8.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.a.8.d.b.2.0.c.-.8.d.4.6.-.4.7.d.e.-.9.b.4.8.-.7.0.2.0.f.c.5.3.4.f.1.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.P.h.y.s.X.C.o.o.k.i.n.g.6.4...d.l.l...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.8.4.-.0.0.0.1.-.0.0.1.4.-.f.f.4.4.-.0.4.9.4.d.0.2.d.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_Phy_c3a79390dd8838633e02848bed15afc3568f0e5_b8a7de85_fcac10d6-a9a7-48ed-b4a5-7f7b4faa505f\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7782951515594955
Encrypted:	false
SSDEEP:	192:3ypFixy6zWS8061DSj5eCzuiFXZ24lO8f2jY:+i0ez61DSjVzuiFXY4lO8K
MD5:	60A21A5318A0EFF168F39E93B40E66AC
SHA1:	0DB8E87417B0FB2D13A12A237EE897E60CA87AED
SHA-256:	BDA87CE84A8EA4B1E36655E36E7C9323463FA909582B14301AC42D943A89BF2A
SHA-512:	4456C4896D9032870EC69EECAE0C5BF6875C1927E085786912EE05C364BE9E1EF3C59E78EACCCF830D865E362FE2230AB1A04AAF58EC4F568494F4D58A8F7E0F
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.5.0.9.8.7.8.0.7.1.5.7.5.0.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.5.0.9.8.7.8.1.9.6.5.6.9.8.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.c.a.c.1.0.d.6.-.a.9.a.7.-.4.8.e.d.-.b.4.a.5.-.7.f.7.b.4.f.a.a.5.0.5.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.f.3.4.b.a.9.5.-.1.e.4.e.-.4.f.6.b.-.8.7.7.8.-.c.3.b.9.1.0.2.c.9.c.9.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.P.h.y.s.X.C.o.o.k.i.n.g.6.4...d.l.l...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.7.4.-.0.0.0.1.-.0.0.1.4.-.d.4.0.c.-.f.f.9.3.d.0.2.d.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERACF9.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sun Nov 3 09:13:01 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	57270
Entropy (8bit):	1.621088240638022
Encrypted:	false
SSDEEP:	192:AwwtYcfnFqHzTOMpn0g1QBswHN4NE6GTCRjh0rn6F4Mtko:ADycfnWzKQ0PVSNcV69
MD5:	6A7EC4DE807691794D5C508E67BB0038
SHA1:	532FD542C3FBF3B7364C4B28E1235CC3ACAF5202
SHA-256:	F0E4125AF95602451128827607AB16241DC0545686CA7F566427A42A07D664A4
SHA-512:	6E0B381380CFAC1C90E2A8C624B3FC589EE31FBDBEEABAFA516ABB3218DAD49C8A53B3D2DB84305AF5C79EB259CAAC9A296E63A9D349A5302049AC2BC5ECBA99
Malicious:	false
Preview:	MDMP..a..... ........>'g.........................................)..........T.......8...........T...............6...........T...........@...............................................................................eJ..............Lw......................T.......t....>'g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAD28.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sun Nov 3 09:13:01 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	55574
Entropy (8bit):	1.6753560949607624
Encrypted:	false
SSDEEP:	192:AwPKYcfnFq1COMpy4wB5dAJ76QSlwKIlPfNknnnQ11Qavkm:AaNcfnYdP4wPCJErIlPfNknnnQsav
MD5:	015D1069A40FC0142EE6112EF1A1EB33
SHA1:	EE6D0095073DC1CAC6DE8CA50C7E5EFEC666320E
SHA-256:	8AE0DE64A3076CD3146AAE5405B03D6CAC88C30BC008CA623A969B8734306EC6
SHA-512:	8C90D0188B99BB019F28717AE96FF1A9BCA5EF7F7C5A247884FF56A044A78A7C2E1822ECE056EFEB8DD1F27C58D58521DAE82A7015AA72B11C69BEA651DA97F0
Malicious:	false
Preview:	MDMP..a..... ........>'g.........................................)..........T.......8...........T...........................T...........@...............................................................................eJ..............Lw......................T............>'g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAF7B.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8806
Entropy (8bit):	3.7024529850411954
Encrypted:	false
SSDEEP:	192:R6l7wVeJjnoqK36YDN1dsbgmf4LMrKmprD89bfGbfVq1m:R6lXJDoqK36Yp1KgmfyMG3fifj
MD5:	B8B3B1F88ACAC54994949CBCC4D0613D
SHA1:	356E3261E9C019991A91D7394465B08BCE22F886
SHA-256:	F391F06EC2353207DEB84540EB68F7A74931117FAA6D285B4B9A2C75CEF9B627
SHA-512:	2A5A175F53493EFD97DEB099DC4A13D5A2B6EAED0B09E4E1EBDB2C1B60CC1F5F20BD44F2E4697DDCA608C1BB5C85950088E09FBE531F427C00C3091FE70C4A00
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.4.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB018.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8806
Entropy (8bit):	3.702786390536748
Encrypted:	false
SSDEEP:	192:R6l7wVeJkqCK16YDs1dsbgmf4LMrQ6prQ89bfHLfJ1m:R6lXJxCK16YI1KgmfyMUSfrfy
MD5:	7E8B81133DFD3BEA9C37150652F40FCC
SHA1:	D4014988ECC8A31FE0EB3F1099F21D284C2A0375
SHA-256:	38D5F43A03564DDBE77668838648004F139EE0A4B5A92BD99370AC102726BCA1
SHA-512:	4BFD2365539D4578F0EC99E3E6B7088E231C32F43F8EF4B2B009F3E621D59A864DC0587B9DDDAC5645506709474D05E2D32D34FADB40216F912331DF108F2D00
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.5.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB095.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4796
Entropy (8bit):	4.506478677422847
Encrypted:	false
SSDEEP:	48:cvIwWl8zsHJg771I9PEWpW8VYUYm8M4JC1ZC1xGUFMjzyq85m1M6xHptSTSzd:uIjfpI7Qd7VQJoOwvjz3M8HpoOzd
MD5:	09B42C9234734DABC4A60E8166D4BB98
SHA1:	2AFD7FC2BDA5738476FCD3D2A34AC64E53041365
SHA-256:	AD7A92B06DFBBAB0C815F26CD9C1CC99342E5E7C1B2A17A8CE178668E10E4C9F
SHA-512:	D22BD01E7A2B6B11783293B13135FFA1258D983EC9B6ED55C3F58D21405259611969F4AE970CCE52E544DB240389C8883584FEE2520AB02FA96EC6952FE97E03
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="571695" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB0B5.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4796
Entropy (8bit):	4.505688127374432
Encrypted:	false
SSDEEP:	48:cvIwWl8zsHJg771I9PEWpW8VYhYm8M4JC1ZC1xGiF1yq85m1M6SptSTSBd:uIjfpI7Qd7VNJoOw63MNpoOBd
MD5:	838D9DBC2FB37E5A0CFD5E39C05A12C2
SHA1:	CC6C55C950D39959A1BAFAF1E4407C4DF237DC41
SHA-256:	7DA49A9207144373F608EEDB8396DAF889589597C2057DFFA5CA61CDC44E0DED
SHA-512:	3374734D8E4AD42972D8B5B0511A2261F240A7ECB49D5CA72970691251A3116DF4F8DCE774CB31A35D96F920B184B302491CE92946485B39B5AF333AF21D1F51
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="571695" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.4663864540877585
Encrypted:	false
SSDEEP:	6144:xIXfpi67eLPU9skLmb0b4zWSPKaJG8nAgejZMMhA2gX4WABl0uNcdwBCswSb9:SXD94zWlLZMM6YFHa+9
MD5:	B2DDD9DE53CAB6F49DEEA330E6236A5E
SHA1:	1F9D2B970BD1A4A5BA7521F839F52407DD6A3CCB
SHA-256:	9BCCEE052BABA4E930038B14622AF95B39330CD1C280A55C2E098FC82987AF38
SHA-512:	D3AD08339ADB8CBC1FB59BD8149ABB05AB6C8F058A1F0F3A9A484DF19E0F177B1C69F5D3E5DE7044DAC13EA857501F92777A82497E9053E742E2AB9835EF7D88
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm^.w..-..............................................................................................................................................................................................................................................................................................................................................(.`.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Entropy (8bit):	7.329646601975181
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	PhysXCooking64.dll.dll
File size:	682'496 bytes
MD5:	877c8b214d984656143d7576f832d935
SHA1:	26bedae9e05afbff75ede2efc7777a376e362b6a
SHA256:	28f5e949ecad3606c430cea5a34d0f3e7218f239bcfa758a834dceb649e78abc
SHA512:	f07ac6795f4d8de38ac7f92a5ae308d2bdc30e29cebdf93b7fdee958c04bb83b1a28c4e6ac4e6a770b6d207af2a886cc93028b26e8850327f55391118f2d621a
SSDEEP:	12288:c91cnMmvhqG3zx+zd/RMzDWrii7x4if+H3fFBI:c91cMmvhHzx+z5qW7qiMFe
TLSH:	5BE4BF02F67684E4F0AB903C996BF157EA71348807318ADF43D19A296F23BD05D7B366
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......W.p..............4.......4..................z....4..e....4.......4.......4......Rich............PE..d......`..........# .......

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x180040170
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x180000000
Subsystem:	windows cui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics:	NX_COMPAT
Time Stamp:	0x60ED99AC [Tue Jul 13 13:48:28 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	fc95d9602c39b01774b1f9a2b19b1e87

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], esi
push edi
dec eax
sub esp, 20h
dec ecx
mov edi, eax
mov ebx, edx
dec eax
mov esi, ecx
cmp edx, 01h
jne 00007F5DCD036927h
call 00007F5DCD03CAE0h
dec esp
mov eax, edi
mov edx, ebx
dec eax
mov ecx, esi
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
mov esi, dword ptr [esp+38h]
dec eax
add esp, 20h
pop edi
jmp 00007F5DCD0367CCh
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
mov ebx, ecx
dec eax
lea ecx, dword ptr [00011159h]
call dword ptr [0000DF13h]
dec eax
test eax, eax
je 00007F5DCD03693Bh
dec eax
lea edx, dword ptr [00011137h]
dec eax
mov ecx, eax
call dword ptr [0000DEF6h]
dec eax
test eax, eax
je 00007F5DCD036926h
mov ecx, ebx
call eax
dec eax
add esp, 20h
pop ebx
ret
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
mov ebx, ecx
call 00007F5DCD0368DCh
mov ecx, ebx
call dword ptr [0000DEDFh]
int3
int3
int3
mov ecx, 00000008h
jmp 00007F5DCD03CD23h
int3
int3
mov ecx, 00000008h
jmp 00007F5DCD03CC17h
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
call 00007F5DCD0398B6h
dec eax
mov ecx, eax
dec eax
mov ebx, eax
call 00007F5DCD03705Fh
dec eax
mov ecx, ebx
call 00007F5DCD038D7Bh

Rich Headers

Programming Language:

[ C ] VS2010 SP1 build 40219
[ASM] VS2010 SP1 build 40219
[IMP] VS2008 SP1 build 30729
[C++] VS2010 SP1 build 40219
[EXP] VS2010 SP1 build 40219
[RES] VS2010 SP1 build 40219
[LNK] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x5b100	0x1bd	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5a8d4	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6a000	0x43a40	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x64000	0x3d20	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x63200	0x2628
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xae000	0x6dc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x4e350	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4e000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4c86e	0x4ca00	d7ab8f103438629baf74067853cc3d8d	False	0.52311569637031	data	6.4781719664552275	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x4e000	0xd2bd	0xd400	79625cdc7bc106d71feb5d0087b62080	False	0.4110038325471698	data	5.331540967968008	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x5c000	0x7ce0	0x2400	a0436247a7799afacd33f358b02702c7	False	0.2552083333333333	data	3.73811941115243	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x64000	0x3d20	0x3e00	4040bbe8492742335a7a9b04eff60006	False	0.47026209677419356	data	5.670603879121688	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
text	0x68000	0xead	0x1000	704fb2da1d8d8b02229fdcc77b3cde79	False	0.48876953125	data	5.534658572431269	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE
data	0x69000	0xb30	0xc00	e67261d4a07a3568d2723c0eabc10fdc	False	0.7652994791666666	data	6.5387327996115445	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x6a000	0x43a40	0x43c00	292043c5c2525c2a553ce7ca87edef87	False	0.9606564229704797	data	7.98451089709104	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xae000	0xc54	0xe00	961a156f322b796ad1c3614cbf30b797	False	0.26869419642857145	data	3.613001948133295	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x6a0a0	0x3a0	data	English	United States	0.4191810344827586
RT_HTML	0x6a440	0x43600	data			0.9642639726345084

Imports

DLL

Import

KERNEL32.dll

InitializeCriticalSection, DeleteCriticalSection, GetCurrentThreadId, EnterCriticalSection, LeaveCriticalSection, CloseHandle, Sleep, QueryPerformanceCounter, CreateFileW, GetProcessHeap, SetEndOfFile, GetStringTypeW, LCMapStringW, WriteConsoleW, CreateFileA, FlushFileBuffers, SetStdHandle, RtlPcToFileHeader, HeapAlloc, GetLastError, HeapFree, HeapReAlloc, DecodePointer, EncodePointer, FlsSetValue, GetCommandLineA, GetProcAddress, GetModuleHandleW, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameW, HeapSetInformation, GetVersion, HeapCreate, HeapDestroy, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, TerminateProcess, GetCurrentProcess, HeapSize, RtlUnwindEx, FlsGetValue, FlsFree, SetLastError, FlsAlloc, InitializeCriticalSectionAndSpinCount, SetHandleCount, GetFileType, GetStartupInfoW, SetFilePointer, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, MultiByteToWideChar, ReadFile, GetModuleFileNameA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, LoadLibraryW, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, RaiseException

WSOCK32.dll

send, WSAGetLastError, recv, htons, gethostbyname, ioctlsocket, gethostbyaddr, socket, connect, closesocket, inet_ntoa, WSAStartup

Exports

Name	Ordinal	Address
NxCloseCooking	1	0x18002f2b0
NxCookClothMesh	2	0x18002f9e0
NxCookConvexMesh	3	0x18002f4c0
NxCookSoftBodyMesh	4	0x18002fb40
NxCookTriangleMesh	5	0x18002f800
NxCreatePMap	6	0x18003d0a0
DetDeepDVCState	7	0x18002f400
GetDeepDVCState	8	0x18002f0d0
NxInitCooking	9	0x18002f1a0
DetDeepDVCState	10	0x18002f0e0
NxReleasePMap	11	0x18003d1a0
NxReportCooking	12	0x18002dd60
DetDeepDVCState	13	0x18002f340
DetDeepDVCState	14	0x18002f080

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-03T10:13:59.598872+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.175.87.197	443	192.168.2.4	49792	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 3, 2024 10:13:06.177438021 CET	49734	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:13:06.182456970 CET	8041	49734	82.115.223.39	192.168.2.4
Nov 3, 2024 10:13:06.182538986 CET	49734	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:13:06.194237947 CET	49734	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:13:06.199224949 CET	8041	49734	82.115.223.39	192.168.2.4
Nov 3, 2024 10:13:13.796787024 CET	8041	49734	82.115.223.39	192.168.2.4
Nov 3, 2024 10:13:13.796878099 CET	49734	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:13:13.824791908 CET	49734	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:13:13.829737902 CET	8041	49734	82.115.223.39	192.168.2.4
Nov 3, 2024 10:13:13.865169048 CET	49745	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:13:13.870212078 CET	8041	49745	82.115.223.39	192.168.2.4
Nov 3, 2024 10:13:13.870305061 CET	49745	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:13:13.872834921 CET	49745	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:13:13.877806902 CET	8041	49745	82.115.223.39	192.168.2.4
Nov 3, 2024 10:13:21.492747068 CET	8041	49745	82.115.223.39	192.168.2.4
Nov 3, 2024 10:13:21.494801998 CET	49745	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:13:21.494802952 CET	49745	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:13:21.496813059 CET	49750	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:13:21.499759912 CET	8041	49745	82.115.223.39	192.168.2.4
Nov 3, 2024 10:13:21.501589060 CET	8041	49750	82.115.223.39	192.168.2.4
Nov 3, 2024 10:13:21.501655102 CET	49750	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:13:21.501729965 CET	49750	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:13:21.507006884 CET	8041	49750	82.115.223.39	192.168.2.4
Nov 3, 2024 10:13:21.507101059 CET	49750	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:13:22.609426975 CET	49751	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:13:22.614440918 CET	8041	49751	82.115.223.39	192.168.2.4
Nov 3, 2024 10:13:22.614552975 CET	49751	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:13:22.618113995 CET	49751	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:13:22.622992992 CET	8041	49751	82.115.223.39	192.168.2.4
Nov 3, 2024 10:13:30.228250027 CET	8041	49751	82.115.223.39	192.168.2.4
Nov 3, 2024 10:13:30.228456974 CET	49751	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:13:30.230146885 CET	49751	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:13:30.232290030 CET	49752	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:13:30.235121965 CET	8041	49751	82.115.223.39	192.168.2.4
Nov 3, 2024 10:13:30.237524033 CET	8041	49752	82.115.223.39	192.168.2.4
Nov 3, 2024 10:13:30.237601042 CET	49752	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:13:30.237864971 CET	49752	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:13:30.243196011 CET	8041	49752	82.115.223.39	192.168.2.4
Nov 3, 2024 10:13:37.843199015 CET	8041	49752	82.115.223.39	192.168.2.4
Nov 3, 2024 10:13:37.843296051 CET	49752	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:13:37.843440056 CET	49752	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:13:37.847145081 CET	49753	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:13:37.848191023 CET	8041	49752	82.115.223.39	192.168.2.4
Nov 3, 2024 10:13:37.852643967 CET	8041	49753	82.115.223.39	192.168.2.4
Nov 3, 2024 10:13:37.852727890 CET	49753	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:13:37.852811098 CET	49753	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:13:37.858063936 CET	8041	49753	82.115.223.39	192.168.2.4
Nov 3, 2024 10:13:37.858124018 CET	49753	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:13:40.017601967 CET	49754	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:13:40.022524118 CET	8041	49754	80.78.24.30	192.168.2.4
Nov 3, 2024 10:13:40.022604942 CET	49754	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:13:40.022906065 CET	49754	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:13:40.028564930 CET	8041	49754	80.78.24.30	192.168.2.4
Nov 3, 2024 10:13:41.084125042 CET	8041	49754	80.78.24.30	192.168.2.4
Nov 3, 2024 10:13:41.084259033 CET	49754	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:13:41.090087891 CET	49754	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:13:41.095284939 CET	8041	49754	80.78.24.30	192.168.2.4
Nov 3, 2024 10:13:41.095340014 CET	49754	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:13:41.096179962 CET	49755	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:13:41.101080894 CET	8041	49755	80.78.24.30	192.168.2.4
Nov 3, 2024 10:13:41.101157904 CET	49755	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:13:41.101490974 CET	49755	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:13:41.106391907 CET	8041	49755	80.78.24.30	192.168.2.4
Nov 3, 2024 10:13:42.185731888 CET	8041	49755	80.78.24.30	192.168.2.4
Nov 3, 2024 10:13:42.185805082 CET	49755	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:13:42.186161041 CET	49755	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:13:42.190494061 CET	49756	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:13:42.191384077 CET	8041	49755	80.78.24.30	192.168.2.4
Nov 3, 2024 10:13:42.191431999 CET	49755	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:13:42.195326090 CET	8041	49756	80.78.24.30	192.168.2.4
Nov 3, 2024 10:13:42.195393085 CET	49756	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:13:42.195518017 CET	49756	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:13:42.200643063 CET	8041	49756	80.78.24.30	192.168.2.4
Nov 3, 2024 10:13:42.200691938 CET	49756	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:13:42.237678051 CET	49757	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:13:42.242542982 CET	8041	49757	80.78.24.30	192.168.2.4
Nov 3, 2024 10:13:42.242614985 CET	49757	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:13:42.242840052 CET	49757	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:13:42.247629881 CET	8041	49757	80.78.24.30	192.168.2.4
Nov 3, 2024 10:13:43.337116957 CET	8041	49757	80.78.24.30	192.168.2.4
Nov 3, 2024 10:13:43.337315083 CET	49757	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:13:43.337349892 CET	49757	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:13:43.342153072 CET	8041	49757	80.78.24.30	192.168.2.4
Nov 3, 2024 10:13:43.347182989 CET	49758	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:13:43.352088928 CET	8041	49758	80.78.24.30	192.168.2.4
Nov 3, 2024 10:13:43.352174997 CET	49758	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:13:43.352437973 CET	49758	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:13:43.357256889 CET	8041	49758	80.78.24.30	192.168.2.4
Nov 3, 2024 10:13:44.415111065 CET	8041	49758	80.78.24.30	192.168.2.4
Nov 3, 2024 10:13:44.415287971 CET	49758	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:13:44.415465117 CET	49758	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:13:44.419318914 CET	49759	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:13:44.420944929 CET	8041	49758	80.78.24.30	192.168.2.4
Nov 3, 2024 10:13:44.420994997 CET	49758	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:13:44.424235106 CET	8041	49759	80.78.24.30	192.168.2.4
Nov 3, 2024 10:13:44.424298048 CET	49759	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:13:44.424423933 CET	49759	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:13:44.429845095 CET	8041	49759	80.78.24.30	192.168.2.4
Nov 3, 2024 10:13:44.429970980 CET	49759	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:13:44.462589979 CET	49760	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:13:44.467505932 CET	8041	49760	82.115.223.39	192.168.2.4
Nov 3, 2024 10:13:44.467581987 CET	49760	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:13:44.467978001 CET	49760	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:13:44.472917080 CET	8041	49760	82.115.223.39	192.168.2.4
Nov 3, 2024 10:13:52.074984074 CET	8041	49760	82.115.223.39	192.168.2.4
Nov 3, 2024 10:13:52.075088024 CET	49760	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:13:52.075196028 CET	49760	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:13:52.079977989 CET	8041	49760	82.115.223.39	192.168.2.4
Nov 3, 2024 10:13:52.080704927 CET	49767	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:13:52.085489035 CET	8041	49767	82.115.223.39	192.168.2.4
Nov 3, 2024 10:13:52.085562944 CET	49767	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:13:52.085807085 CET	49767	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:13:52.090707064 CET	8041	49767	82.115.223.39	192.168.2.4
Nov 3, 2024 10:13:59.691582918 CET	8041	49767	82.115.223.39	192.168.2.4
Nov 3, 2024 10:13:59.691729069 CET	49767	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:13:59.716253996 CET	49767	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:13:59.720233917 CET	49803	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:13:59.721132040 CET	8041	49767	82.115.223.39	192.168.2.4
Nov 3, 2024 10:13:59.725090981 CET	8041	49803	82.115.223.39	192.168.2.4
Nov 3, 2024 10:13:59.725169897 CET	49803	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:13:59.731208086 CET	49803	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:13:59.736205101 CET	8041	49803	82.115.223.39	192.168.2.4
Nov 3, 2024 10:13:59.736258030 CET	49803	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:14:02.965183020 CET	49818	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:02.970150948 CET	8041	49818	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:02.970237970 CET	49818	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:02.979568005 CET	49818	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:02.985485077 CET	8041	49818	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:04.028563976 CET	8041	49818	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:04.028654099 CET	49818	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:04.029043913 CET	49818	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:04.032181978 CET	49824	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:04.034348011 CET	8041	49818	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:04.034405947 CET	49818	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:04.037162066 CET	8041	49824	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:04.037230968 CET	49824	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:04.037458897 CET	49824	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:04.042459965 CET	8041	49824	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:05.092539072 CET	8041	49824	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:05.092614889 CET	49824	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:05.092696905 CET	49824	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:05.096436024 CET	49830	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:05.098416090 CET	8041	49824	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:05.101329088 CET	8041	49830	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:05.101394892 CET	49830	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:05.101567984 CET	49830	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:05.107883930 CET	8041	49830	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:05.107934952 CET	49830	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:07.122895002 CET	49839	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:07.129695892 CET	8041	49839	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:07.129802942 CET	49839	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:07.130137920 CET	49839	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:07.136208057 CET	8041	49839	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:08.183645964 CET	8041	49839	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:08.183707952 CET	49839	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:08.183945894 CET	49839	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:08.189032078 CET	8041	49839	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:08.189070940 CET	49845	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:08.189083099 CET	49839	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:08.193799019 CET	8041	49845	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:08.196820021 CET	49845	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:08.197033882 CET	49845	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:08.201781034 CET	8041	49845	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:09.245697975 CET	8041	49845	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:09.245755911 CET	49845	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:09.245847940 CET	49845	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:09.249546051 CET	49850	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:09.250610113 CET	8041	49845	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:09.254643917 CET	8041	49850	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:09.254707098 CET	49850	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:09.254822969 CET	49850	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:09.260432959 CET	8041	49850	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:09.260844946 CET	8041	49850	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:09.260895014 CET	49850	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:14.377691984 CET	49872	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:14.382519007 CET	8041	49872	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:14.382592916 CET	49872	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:14.386059999 CET	49872	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:14.390873909 CET	8041	49872	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:15.510170937 CET	8041	49872	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:15.510238886 CET	49872	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:15.510334015 CET	49872	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:15.513969898 CET	49878	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:15.515523911 CET	8041	49872	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:15.518835068 CET	8041	49878	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:15.518908978 CET	49878	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:15.519187927 CET	49878	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:15.523988008 CET	8041	49878	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:16.578778028 CET	8041	49878	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:16.582382917 CET	49878	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:16.582689047 CET	49878	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:16.586318970 CET	49884	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:16.588093042 CET	8041	49878	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:16.589854002 CET	49878	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:16.591236115 CET	8041	49884	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:16.591331005 CET	49884	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:16.591444016 CET	49884	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:16.596913099 CET	8041	49884	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:16.596961021 CET	49884	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:19.659164906 CET	49899	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:19.664264917 CET	8041	49899	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:19.664339066 CET	49899	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:19.664586067 CET	49899	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:19.669924021 CET	8041	49899	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:20.728019953 CET	8041	49899	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:20.728224993 CET	49899	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:20.728246927 CET	49899	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:20.733129978 CET	8041	49899	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:20.733678102 CET	49905	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:20.738658905 CET	8041	49905	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:20.738759995 CET	49905	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:20.739063025 CET	49905	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:20.743832111 CET	8041	49905	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:21.805670977 CET	8041	49905	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:21.805804968 CET	49905	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:21.806184053 CET	49905	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:21.810348988 CET	49911	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:21.811378956 CET	8041	49905	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:21.811436892 CET	49905	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:21.815258026 CET	8041	49911	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:21.815345049 CET	49911	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:21.815485001 CET	49911	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:21.820743084 CET	8041	49911	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:21.820799112 CET	49911	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:23.840346098 CET	49922	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:14:23.849472046 CET	8041	49922	82.115.223.39	192.168.2.4
Nov 3, 2024 10:14:23.849539042 CET	49922	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:14:23.849893093 CET	49922	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:14:23.867897034 CET	8041	49922	82.115.223.39	192.168.2.4
Nov 3, 2024 10:14:31.476875067 CET	8041	49922	82.115.223.39	192.168.2.4
Nov 3, 2024 10:14:31.477006912 CET	49922	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:14:31.510984898 CET	49922	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:14:31.517714024 CET	8041	49922	82.115.223.39	192.168.2.4
Nov 3, 2024 10:14:31.533905029 CET	49958	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:14:31.538849115 CET	8041	49958	82.115.223.39	192.168.2.4
Nov 3, 2024 10:14:31.538953066 CET	49958	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:14:31.540831089 CET	49958	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:14:31.545706987 CET	8041	49958	82.115.223.39	192.168.2.4
Nov 3, 2024 10:14:39.157473087 CET	8041	49958	82.115.223.39	192.168.2.4
Nov 3, 2024 10:14:39.159143925 CET	49958	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:14:39.159841061 CET	49958	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:14:39.163196087 CET	49993	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:14:39.168908119 CET	8041	49958	82.115.223.39	192.168.2.4
Nov 3, 2024 10:14:39.173115969 CET	8041	49993	82.115.223.39	192.168.2.4
Nov 3, 2024 10:14:39.173198938 CET	49993	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:14:39.173285007 CET	49993	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:14:39.178527117 CET	8041	49993	82.115.223.39	192.168.2.4
Nov 3, 2024 10:14:39.178586006 CET	49993	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:14:44.216542006 CET	50016	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:44.221476078 CET	8041	50016	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:44.221564054 CET	50016	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:44.221793890 CET	50016	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:44.226897955 CET	8041	50016	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:45.301837921 CET	8041	50016	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:45.301911116 CET	50016	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:45.302155972 CET	50016	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:45.306071997 CET	50022	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:45.307365894 CET	8041	50016	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:45.307425022 CET	50016	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:45.310996056 CET	8041	50022	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:45.311057091 CET	50022	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:45.311256886 CET	50022	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:45.316018105 CET	8041	50022	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:46.366137981 CET	8041	50022	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:46.366193056 CET	50022	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:46.366288900 CET	50022	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:46.369828939 CET	50026	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:46.371063948 CET	8041	50022	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:46.374659061 CET	8041	50026	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:46.374727011 CET	50026	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:46.375026941 CET	50026	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:46.380274057 CET	8041	50026	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:46.380317926 CET	50026	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:46.408535004 CET	50027	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:46.413311005 CET	8041	50027	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:46.413381100 CET	50027	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:46.413619041 CET	50027	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:46.418375969 CET	8041	50027	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:47.482707024 CET	8041	50027	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:47.482919931 CET	50027	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:47.507167101 CET	50027	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:47.511004925 CET	50033	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:47.512417078 CET	8041	50027	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:47.512468100 CET	50027	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:47.515929937 CET	8041	50033	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:47.516009092 CET	50033	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:47.517013073 CET	50033	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:47.521778107 CET	8041	50033	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:48.564397097 CET	8041	50033	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:48.564460993 CET	50033	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:48.565282106 CET	50033	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:48.570008993 CET	50039	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:48.571151018 CET	8041	50033	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:48.571206093 CET	50033	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:48.574978113 CET	8041	50039	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:48.575059891 CET	50039	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:48.575268984 CET	50039	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:48.582062960 CET	8041	50039	80.78.24.30	192.168.2.4
Nov 3, 2024 10:14:48.582110882 CET	50039	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:14:50.627362013 CET	50049	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:14:50.632474899 CET	8041	50049	82.115.223.39	192.168.2.4
Nov 3, 2024 10:14:50.632575989 CET	50049	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:14:50.632925987 CET	50049	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:14:50.637931108 CET	8041	50049	82.115.223.39	192.168.2.4
Nov 3, 2024 10:14:58.244868994 CET	8041	50049	82.115.223.39	192.168.2.4
Nov 3, 2024 10:14:58.245135069 CET	50049	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:14:58.246695995 CET	50049	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:14:58.249159098 CET	50052	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:14:58.251744986 CET	8041	50049	82.115.223.39	192.168.2.4
Nov 3, 2024 10:14:58.253974915 CET	8041	50052	82.115.223.39	192.168.2.4
Nov 3, 2024 10:14:58.254060030 CET	50052	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:14:58.254301071 CET	50052	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:14:58.259392977 CET	8041	50052	82.115.223.39	192.168.2.4
Nov 3, 2024 10:15:05.861362934 CET	8041	50052	82.115.223.39	192.168.2.4
Nov 3, 2024 10:15:05.861632109 CET	50052	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:15:05.861632109 CET	50052	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:15:05.865113020 CET	50053	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:15:05.866666079 CET	8041	50052	82.115.223.39	192.168.2.4
Nov 3, 2024 10:15:05.870064974 CET	8041	50053	82.115.223.39	192.168.2.4
Nov 3, 2024 10:15:05.870132923 CET	50053	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:15:05.870234966 CET	50053	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:15:05.875449896 CET	8041	50053	82.115.223.39	192.168.2.4
Nov 3, 2024 10:15:05.875502110 CET	50053	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:15:07.891912937 CET	50054	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:07.896807909 CET	8041	50054	80.78.24.30	192.168.2.4
Nov 3, 2024 10:15:07.897001028 CET	50054	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:07.897329092 CET	50054	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:07.902090073 CET	8041	50054	80.78.24.30	192.168.2.4
Nov 3, 2024 10:15:08.977179050 CET	8041	50054	80.78.24.30	192.168.2.4
Nov 3, 2024 10:15:08.977379084 CET	50054	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:08.977590084 CET	50054	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:08.981498957 CET	50055	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:08.982414961 CET	8041	50054	80.78.24.30	192.168.2.4
Nov 3, 2024 10:15:08.986385107 CET	8041	50055	80.78.24.30	192.168.2.4
Nov 3, 2024 10:15:08.986450911 CET	50055	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:08.986717939 CET	50055	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:08.991520882 CET	8041	50055	80.78.24.30	192.168.2.4
Nov 3, 2024 10:15:10.046612024 CET	8041	50055	80.78.24.30	192.168.2.4
Nov 3, 2024 10:15:10.046667099 CET	50055	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:10.047238111 CET	50055	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:10.050949097 CET	50056	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:10.052381039 CET	8041	50055	80.78.24.30	192.168.2.4
Nov 3, 2024 10:15:10.052437067 CET	50055	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:10.055752993 CET	8041	50056	80.78.24.30	192.168.2.4
Nov 3, 2024 10:15:10.055820942 CET	50056	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:10.055955887 CET	50056	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:10.061007023 CET	8041	50056	80.78.24.30	192.168.2.4
Nov 3, 2024 10:15:10.061049938 CET	50056	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:11.089602947 CET	50057	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:11.094554901 CET	8041	50057	80.78.24.30	192.168.2.4
Nov 3, 2024 10:15:11.096930981 CET	50057	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:11.097239971 CET	50057	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:11.102024078 CET	8041	50057	80.78.24.30	192.168.2.4
Nov 3, 2024 10:15:12.153237104 CET	8041	50057	80.78.24.30	192.168.2.4
Nov 3, 2024 10:15:12.153316975 CET	50057	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:12.255765915 CET	50057	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:12.261080980 CET	8041	50057	80.78.24.30	192.168.2.4
Nov 3, 2024 10:15:12.261157990 CET	50057	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:12.280498981 CET	50058	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:12.285429955 CET	8041	50058	80.78.24.30	192.168.2.4
Nov 3, 2024 10:15:12.285527945 CET	50058	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:12.285826921 CET	50058	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:12.291033983 CET	8041	50058	80.78.24.30	192.168.2.4
Nov 3, 2024 10:15:13.374806881 CET	8041	50058	80.78.24.30	192.168.2.4
Nov 3, 2024 10:15:13.374923944 CET	50058	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:13.375104904 CET	50058	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:13.379874945 CET	8041	50058	80.78.24.30	192.168.2.4
Nov 3, 2024 10:15:13.381939888 CET	50059	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:13.386744022 CET	8041	50059	80.78.24.30	192.168.2.4
Nov 3, 2024 10:15:13.386867046 CET	50059	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:13.388612986 CET	50059	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:13.393475056 CET	8041	50059	80.78.24.30	192.168.2.4
Nov 3, 2024 10:15:13.393551111 CET	50059	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:14.455168009 CET	50060	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:15:14.461551905 CET	8041	50060	82.115.223.39	192.168.2.4
Nov 3, 2024 10:15:14.461668968 CET	50060	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:15:14.464258909 CET	50060	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:15:14.469219923 CET	8041	50060	82.115.223.39	192.168.2.4
Nov 3, 2024 10:15:22.068722963 CET	8041	50060	82.115.223.39	192.168.2.4
Nov 3, 2024 10:15:22.068898916 CET	50060	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:15:22.068950891 CET	50060	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:15:22.073759079 CET	8041	50060	82.115.223.39	192.168.2.4
Nov 3, 2024 10:15:22.077786922 CET	50061	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:15:22.082567930 CET	8041	50061	82.115.223.39	192.168.2.4
Nov 3, 2024 10:15:22.082660913 CET	50061	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:15:22.082941055 CET	50061	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:15:22.087704897 CET	8041	50061	82.115.223.39	192.168.2.4
Nov 3, 2024 10:15:29.691703081 CET	8041	50061	82.115.223.39	192.168.2.4
Nov 3, 2024 10:15:29.691781044 CET	50061	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:15:29.692218065 CET	50061	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:15:29.697037935 CET	8041	50061	82.115.223.39	192.168.2.4
Nov 3, 2024 10:15:29.707925081 CET	50062	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:15:29.713036060 CET	8041	50062	82.115.223.39	192.168.2.4
Nov 3, 2024 10:15:29.713115931 CET	50062	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:15:29.715198994 CET	50062	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:15:29.720539093 CET	8041	50062	82.115.223.39	192.168.2.4
Nov 3, 2024 10:15:29.720581055 CET	50062	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:15:29.854578972 CET	50063	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:29.859635115 CET	8041	50063	80.78.24.30	192.168.2.4
Nov 3, 2024 10:15:29.859714985 CET	50063	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:29.859987974 CET	50063	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:29.864830971 CET	8041	50063	80.78.24.30	192.168.2.4
Nov 3, 2024 10:15:30.917491913 CET	8041	50063	80.78.24.30	192.168.2.4
Nov 3, 2024 10:15:30.917579889 CET	50063	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:30.917896986 CET	50063	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:30.923012018 CET	8041	50063	80.78.24.30	192.168.2.4
Nov 3, 2024 10:15:30.923069954 CET	50063	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:30.925050974 CET	50064	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:30.929960012 CET	8041	50064	80.78.24.30	192.168.2.4
Nov 3, 2024 10:15:30.930092096 CET	50064	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:30.930646896 CET	50064	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:30.935452938 CET	8041	50064	80.78.24.30	192.168.2.4
Nov 3, 2024 10:15:31.994606972 CET	8041	50064	80.78.24.30	192.168.2.4
Nov 3, 2024 10:15:31.994698048 CET	50064	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:31.995014906 CET	50064	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:32.000528097 CET	8041	50064	80.78.24.30	192.168.2.4
Nov 3, 2024 10:15:32.000579119 CET	50064	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:32.001466990 CET	50065	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:32.006346941 CET	8041	50065	80.78.24.30	192.168.2.4
Nov 3, 2024 10:15:32.006438017 CET	50065	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:32.008614063 CET	50065	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:32.013679028 CET	8041	50065	80.78.24.30	192.168.2.4
Nov 3, 2024 10:15:32.013727903 CET	50065	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:34.047194958 CET	50066	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:15:34.052191973 CET	8041	50066	82.115.223.39	192.168.2.4
Nov 3, 2024 10:15:34.052308083 CET	50066	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:15:34.052835941 CET	50066	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:15:34.057621956 CET	8041	50066	82.115.223.39	192.168.2.4
Nov 3, 2024 10:15:41.846878052 CET	8041	50066	82.115.223.39	192.168.2.4
Nov 3, 2024 10:15:41.846963882 CET	50066	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:15:41.847063065 CET	50066	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:15:41.850825071 CET	50067	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:15:41.851836920 CET	8041	50066	82.115.223.39	192.168.2.4
Nov 3, 2024 10:15:41.855788946 CET	8041	50067	82.115.223.39	192.168.2.4
Nov 3, 2024 10:15:41.855865002 CET	50067	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:15:41.856117010 CET	50067	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:15:41.860907078 CET	8041	50067	82.115.223.39	192.168.2.4
Nov 3, 2024 10:15:49.477014065 CET	8041	50067	82.115.223.39	192.168.2.4
Nov 3, 2024 10:15:49.477102995 CET	50067	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:15:49.477194071 CET	50067	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:15:49.481211901 CET	50068	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:15:49.482009888 CET	8041	50067	82.115.223.39	192.168.2.4
Nov 3, 2024 10:15:49.486102104 CET	8041	50068	82.115.223.39	192.168.2.4
Nov 3, 2024 10:15:49.486175060 CET	50068	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:15:49.486269951 CET	50068	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:15:49.491338968 CET	8041	50068	82.115.223.39	192.168.2.4
Nov 3, 2024 10:15:49.491396904 CET	50068	8041	192.168.2.4	82.115.223.39
Nov 3, 2024 10:15:53.512582064 CET	50069	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:53.517616987 CET	8041	50069	80.78.24.30	192.168.2.4
Nov 3, 2024 10:15:53.517688990 CET	50069	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:53.518038988 CET	50069	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:53.522891998 CET	8041	50069	80.78.24.30	192.168.2.4
Nov 3, 2024 10:15:54.572626114 CET	8041	50069	80.78.24.30	192.168.2.4
Nov 3, 2024 10:15:54.573110104 CET	50069	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:54.573324919 CET	50069	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:54.578763008 CET	8041	50069	80.78.24.30	192.168.2.4
Nov 3, 2024 10:15:54.578824997 CET	50069	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:54.582356930 CET	50070	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:54.587456942 CET	8041	50070	80.78.24.30	192.168.2.4
Nov 3, 2024 10:15:54.589025974 CET	50070	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:54.589498043 CET	50070	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:54.596257925 CET	8041	50070	80.78.24.30	192.168.2.4
Nov 3, 2024 10:15:55.642210960 CET	8041	50070	80.78.24.30	192.168.2.4
Nov 3, 2024 10:15:55.642287016 CET	50070	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:55.642621994 CET	50070	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:55.645991087 CET	50071	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:55.648489952 CET	8041	50070	80.78.24.30	192.168.2.4
Nov 3, 2024 10:15:55.648540974 CET	50070	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:55.650783062 CET	8041	50071	80.78.24.30	192.168.2.4
Nov 3, 2024 10:15:55.650842905 CET	50071	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:55.650938988 CET	50071	8041	192.168.2.4	80.78.24.30
Nov 3, 2024 10:15:55.656101942 CET	8041	50071	80.78.24.30	192.168.2.4
Nov 3, 2024 10:15:55.656171083 CET	50071	8041	192.168.2.4	80.78.24.30

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 3, 2024 10:13:05.691745996 CET	59242	53	192.168.2.4	1.1.1.1
Nov 3, 2024 10:13:06.167999983 CET	53	59242	1.1.1.1	192.168.2.4
Nov 3, 2024 10:13:39.884980917 CET	50218	53	192.168.2.4	1.1.1.1
Nov 3, 2024 10:13:40.016722918 CET	53	50218	1.1.1.1	192.168.2.4
Nov 3, 2024 10:14:19.623254061 CET	49686	53	192.168.2.4	1.1.1.1
Nov 3, 2024 10:14:19.658288002 CET	53	49686	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 3, 2024 10:13:05.691745996 CET	192.168.2.4	1.1.1.1	0xaa36	Standard query (0)	greshunka.com	A (IP address)	IN (0x0001)	false
Nov 3, 2024 10:13:39.884980917 CET	192.168.2.4	1.1.1.1	0x474c	Standard query (0)	tiguanin.com	A (IP address)	IN (0x0001)	false
Nov 3, 2024 10:14:19.623254061 CET	192.168.2.4	1.1.1.1	0x8cb9	Standard query (0)	bazarunet.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 3, 2024 10:13:06.167999983 CET	1.1.1.1	192.168.2.4	0xaa36	No error (0)	greshunka.com	82.115.223.39	A (IP address)	IN (0x0001)	false
Nov 3, 2024 10:13:40.016722918 CET	1.1.1.1	192.168.2.4	0x474c	No error (0)	tiguanin.com	80.78.24.30	A (IP address)	IN (0x0001)	false
Nov 3, 2024 10:14:19.658288002 CET	1.1.1.1	192.168.2.4	0x8cb9	No error (0)	bazarunet.com	80.78.24.30	A (IP address)	IN (0x0001)	false

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49754	80.78.24.30	8041	7564	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 10:13:41.084125042 CET	103	IN	HTTP/1.1 400 Bad Request Content-Type: text/plain; charset=utf-8 Connection: close Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: 400 Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49755	80.78.24.30	8041	7564	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 10:13:42.185731888 CET	103	IN	HTTP/1.1 400 Bad Request Content-Type: text/plain; charset=utf-8 Connection: close Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: 400 Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49758	80.78.24.30	8041	7564	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 10:13:44.415111065 CET	103	IN	HTTP/1.1 400 Bad Request Content-Type: text/plain; charset=utf-8 Connection: close Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: 400 Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49818	80.78.24.30	8041	7564	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 10:14:04.028563976 CET	103	IN	HTTP/1.1 400 Bad Request Content-Type: text/plain; charset=utf-8 Connection: close Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: 400 Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49839	80.78.24.30	8041	7564	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 10:14:08.183645964 CET	103	IN	HTTP/1.1 400 Bad Request Content-Type: text/plain; charset=utf-8 Connection: close Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: 400 Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49878	80.78.24.30	8041	7564	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 10:14:16.578778028 CET	103	IN	HTTP/1.1 400 Bad Request Content-Type: text/plain; charset=utf-8 Connection: close Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: 400 Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49905	80.78.24.30	8041	7564	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 10:14:21.805670977 CET	103	IN	HTTP/1.1 400 Bad Request Content-Type: text/plain; charset=utf-8 Connection: close Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: 400 Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	50016	80.78.24.30	8041	7564	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 10:14:45.301837921 CET	103	IN	HTTP/1.1 400 Bad Request Content-Type: text/plain; charset=utf-8 Connection: close Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: 400 Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	50027	80.78.24.30	8041	7564	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 10:14:47.482707024 CET	103	IN	HTTP/1.1 400 Bad Request Content-Type: text/plain; charset=utf-8 Connection: close Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: 400 Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	50033	80.78.24.30	8041	7564	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 10:14:48.564397097 CET	103	IN	HTTP/1.1 400 Bad Request Content-Type: text/plain; charset=utf-8 Connection: close Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: 400 Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	50055	80.78.24.30	8041	7564	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 10:15:10.046612024 CET	103	IN	HTTP/1.1 400 Bad Request Content-Type: text/plain; charset=utf-8 Connection: close Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: 400 Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	50057	80.78.24.30	8041	7564	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 10:15:12.153237104 CET	103	IN	HTTP/1.1 400 Bad Request Content-Type: text/plain; charset=utf-8 Connection: close Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: 400 Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	50063	80.78.24.30	8041	7564	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 10:15:30.917491913 CET	103	IN	HTTP/1.1 400 Bad Request Content-Type: text/plain; charset=utf-8 Connection: close Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: 400 Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	50064	80.78.24.30	8041	7564	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 10:15:31.994606972 CET	103	IN	HTTP/1.1 400 Bad Request Content-Type: text/plain; charset=utf-8 Connection: close Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: 400 Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	50069	80.78.24.30	8041	7564	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 10:15:54.572626114 CET	103	IN	HTTP/1.1 400 Bad Request Content-Type: text/plain; charset=utf-8 Connection: close Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: 400 Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	50070	80.78.24.30	8041	7564	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
Nov 3, 2024 10:15:55.642210960 CET	103	IN	HTTP/1.1 400 Bad Request Content-Type: text/plain; charset=utf-8 Connection: close Data Raw: 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 Data Ascii: 400 Bad Request

Target ID:	0
Start time:	04:12:50
Start date:	03/11/2024
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll"
Imagebase:	0x7ff66fd60000
File size:	165'888 bytes
MD5 hash:	763455F9DCB24DFEECC2B9D9F8D46D52
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	04:12:50
Start date:	03/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	04:12:50
Start date:	03/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",#1
Imagebase:	0x7ff7a91d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	04:12:50
Start date:	03/11/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\PhysXCooking64.dll.dll,NxCloseCooking
Imagebase:	0x7ff6b1580000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	04:12:50
Start date:	03/11/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",#1
Imagebase:	0x7ff6b1580000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	04:12:53
Start date:	03/11/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\PhysXCooking64.dll.dll,NxCookClothMesh
Imagebase:	0x7ff6b1580000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	04:12:56
Start date:	03/11/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\PhysXCooking64.dll.dll,NxCookConvexMesh
Imagebase:	0x7ff6b1580000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	04:12:59
Start date:	03/11/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",NxCloseCooking
Imagebase:	0x7ff6b1580000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	04:12:59
Start date:	03/11/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",NxCookClothMesh
Imagebase:	0x7ff6b1580000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	04:12:59
Start date:	03/11/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",NxCookConvexMesh
Imagebase:	0x7ff6b1580000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	04:12:59
Start date:	03/11/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",DetDeepDVCState
Imagebase:	0x7ff6b1580000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	04:12:59
Start date:	03/11/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",DetDeepDVCState
Imagebase:	0x7ff6b1580000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: rundll32.exePID: 7520, Parent PID: 7252

General

Target ID:	12
Start time:	04:12:59
Start date:	03/11/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",NxReportCooking
Imagebase:	0x7ff6b1580000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	04:12:59
Start date:	03/11/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",NxReleasePMap
Imagebase:	0x7ff6b1580000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	04:12:59
Start date:	03/11/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",DetDeepDVCState
Imagebase:	0x7ff6b1580000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: rundll32.exePID: 7556, Parent PID: 7252

General

Target ID:	15
Start time:	04:12:59
Start date:	03/11/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",NxInitCooking
Imagebase:	0x7ff6b1580000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	04:12:59
Start date:	03/11/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",GetDeepDVCState
Imagebase:	0x7ff6b1580000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Bazar_2, Description: Yara detected Bazar Loader, Source: 00000010.00000002.3522388941.000002C0CF990000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Bazar_2, Description: Yara detected Bazar Loader, Source: 00000010.00000002.3522296850.000002C0CE150000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000010.00000003.1767044867.000002C0CFC17000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	04:12:59
Start date:	03/11/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",DetDeepDVCState
Imagebase:	0x7ff6b1580000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: rundll32.exePID: 7584, Parent PID: 7252

General

Target ID:	18
Start time:	04:12:59
Start date:	03/11/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",NxCreatePMap
Imagebase:	0x7ff6b1580000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	04:12:59
Start date:	03/11/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",NxCookTriangleMesh
Imagebase:	0x7ff6b1580000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	04:12:59
Start date:	03/11/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",NxCookSoftBodyMesh
Imagebase:	0x7ff6b1580000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	04:13:00
Start date:	03/11/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7556 -s 332
Imagebase:	0x7ff760930000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	04:13:00
Start date:	03/11/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7540 -s 332
Imagebase:	0x7ff760930000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.7%
Total number of Nodes:	87
Total number of Limit Nodes:	1

Executed Functions

Function 0000000180040824 Relevance: 4.5, APIs: 3, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE ref: 000000018004083A
GetVersion.KERNEL32 ref: 000000018004084C
HeapSetInformation.KERNEL32 ref: 000000018004086A

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID: Heap$CreateInformationVersion
String ID:
API String ID: 3563531100-0
Opcode ID: e32ab0bd0fee94bccc68f32d9a077722b0d5913c979a1ba73cc683a210d046bc
Instruction ID: 988e22e6e5946a36f70c9e45e8ed652961c4ed90b6ce8b9843ec7a251a3b24ee
Opcode Fuzzy Hash: e32ab0bd0fee94bccc68f32d9a077722b0d5913c979a1ba73cc683a210d046bc
Instruction Fuzzy Hash: 70E09274611F8882F7C69710AC897D52261B79C3C8FA18418F94A42B64DF3CC2CD8708

Function 000000018003FF00 Relevance: 10.6, APIs: 7, Instructions: 93
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000180040824: HeapCreate.KERNELBASE ref: 000000018004083A
Part of subcall function 0000000180040824: GetVersion.KERNEL32 ref: 000000018004084C
Part of subcall function 0000000180040824: HeapSetInformation.KERNEL32 ref: 000000018004086A

_RTC_Initialize.LIBCMT ref: 000000018003FF32
GetCommandLineA.KERNEL32 ref: 000000018003FF37

Part of subcall function 0000000180045FFC: GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,000000018003FF49), ref: 0000000180046015
Part of subcall function 0000000180045FFC: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,000000018003FF49), ref: 000000018004606C
Part of subcall function 0000000180045FFC: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,000000018003FF49), ref: 00000001800460A7
Part of subcall function 0000000180045FFC: free.LIBCMT ref: 00000001800460B4
Part of subcall function 0000000180045FFC: FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,000000018003FF49), ref: 00000001800460BF

Part of subcall function 00000001800442B4: GetStartupInfoW.KERNEL32 ref: 00000001800442D5

__setargv.LIBCMT ref: 000000018003FF60
_cinit.LIBCMT ref: 000000018003FF74

Part of subcall function 00000001800431C8: FlsFree.KERNEL32(?,?,?,?,000000018003FFDE), ref: 00000001800431D7
Part of subcall function 00000001800431C8: DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000018003FFDE), ref: 00000001800464B7
Part of subcall function 00000001800431C8: free.LIBCMT ref: 00000001800464C0
Part of subcall function 00000001800431C8: DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000018003FFDE), ref: 00000001800464E7

Part of subcall function 0000000180044588: free.LIBCMT ref: 00000001800445D9

Part of subcall function 0000000180042A74: Sleep.KERNEL32(?,?,?,00000001800432DB,?,?,?,00000001800408ED,?,?,?,?,000000018003E245), ref: 0000000180042AB9

FlsSetValue.KERNEL32 ref: 000000018004000E
GetCurrentThreadId.KERNEL32 ref: 0000000180040022
free.LIBCMT ref: 0000000180040031

Part of subcall function 000000018003E220: HeapFree.KERNEL32(?,?,?,000000018000110D), ref: 000000018003E236
Part of subcall function 000000018003E220: _errno.LIBCMT ref: 000000018003E240

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID: free$FreeHeap$ByteCharCriticalDeleteEnvironmentMultiSectionStringsWide$CommandCreateCurrentInfoInformationInitializeLineSleepStartupThreadValueVersion__setargv_cinit_errno
String ID:
API String ID: 2481119767-0
Opcode ID: 61b5e00b11298625462c404e981e4dbee0cdad509bc41096663f8cfabbcd0743
Instruction ID: aa315cb78357cfe07c34d30648f785c9cd846825b8d2e9133f4b691ac97a99c6
Opcode Fuzzy Hash: 61b5e00b11298625462c404e981e4dbee0cdad509bc41096663f8cfabbcd0743
Instruction Fuzzy Hash: C3314C30200A0D89FAF7777059827FA12959F5D3D8F37D534B919852D3EE29874C836A

Non-executed Functions

Function 0000000180044774 Relevance: 44.2, APIs: 24, Strings: 1, Instructions: 465
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__doserrno.LIBCMT ref: 00000001800447CA
_errno.LIBCMT ref: 00000001800447D1
_invalid_parameter_noinfo.LIBCMT ref: 00000001800447DC

Strings

U, xrefs: 0000000180044D58

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID: __doserrno_errno_invalid_parameter_noinfo
String ID: U
API String ID: 3902385426-4171548499
Opcode ID: 2d5ce46ed2b1d32d86571561728c0a6fb84dd56a645abb6e696f7c4412cbdee7
Instruction ID: a924f4dc1a727bc392aaaba263266b47709fba0b4cecbfed23009677402f7412
Opcode Fuzzy Hash: 2d5ce46ed2b1d32d86571561728c0a6fb84dd56a645abb6e696f7c4412cbdee7
Instruction Fuzzy Hash: 3312F633204E4986EBA28F25D4C43EA67A1F38CBC8F568115FA494BA95DF7DC64DC708

Function 0000000180049280 Relevance: 39.6, APIs: 26, Instructions: 574fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00000001800492DD
__doserrno.LIBCMT ref: 0000000180049323
_errno.LIBCMT ref: 000000018004932D
_invalid_parameter_noinfo.LIBCMT ref: 0000000180049339
__doserrno.LIBCMT ref: 0000000180049487
_errno.LIBCMT ref: 0000000180049491
_errno.LIBCMT ref: 000000018004949C
CreateFileA.KERNEL32 ref: 00000001800494D2
CreateFileA.KERNEL32 ref: 0000000180049527
GetLastError.KERNEL32 ref: 0000000180049558
_errno.LIBCMT ref: 0000000180049565
GetFileType.KERNEL32 ref: 0000000180049574
GetLastError.KERNEL32 ref: 000000018004959F
CloseHandle.KERNEL32 ref: 00000001800495B2
_errno.LIBCMT ref: 00000001800495BC
_lseek_nolock.LIBCMT ref: 0000000180049650
__doserrno.LIBCMT ref: 000000018004965D
_lseek_nolock.LIBCMT ref: 00000001800496AC
_errno.LIBCMT ref: 0000000180049824
_lseek_nolock.LIBCMT ref: 0000000180049846
CloseHandle.KERNEL32 ref: 0000000180049983
CreateFileA.KERNEL32 ref: 00000001800499B1
GetLastError.KERNEL32 ref: 00000001800499BD
_errno.LIBCMT ref: 0000000180049A48
_invalid_parameter_noinfo.LIBCMT ref: 0000000180049A54

Part of subcall function 0000000180043878: CloseHandle.KERNEL32(?,?,00000000,0000000180049671), ref: 00000001800438D7
Part of subcall function 0000000180043878: GetLastError.KERNEL32(?,?,00000000,0000000180049671), ref: 00000001800438E1

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID: _errno$ErrorFileLast$CloseCreateHandle__doserrno_lseek_nolock$_invalid_parameter_noinfo$Type_get_daylight
String ID:
API String ID: 6860575-0
Opcode ID: cdf4a62fadb900c8fb597438bd4298d4d6d6881069ad471e16903e41b3fc6d7c
Instruction ID: 757729e4fa89dfb54d60e17dd18de7796d29db1e7fda55289fd633ba8cc53d94
Opcode Fuzzy Hash: cdf4a62fadb900c8fb597438bd4298d4d6d6881069ad471e16903e41b3fc6d7c
Instruction Fuzzy Hash: 46324A32711E5845FBA6CBB8D4C07EC26A0A3497DCF16C229FA16A77D5CE38CA49C704

Function 0000000180046A88 Relevance: 38.6, APIs: 16, Strings: 6, Instructions: 136
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(?,000000018003E245,?,?,?,000000018000110D), ref: 0000000180046ACD
GetProcAddress.KERNEL32(?,000000018003E245,?,?,?,000000018000110D), ref: 0000000180046AE9
EncodePointer.KERNEL32(?,000000018003E245,?,?,?,000000018000110D), ref: 0000000180046AFB
GetProcAddress.KERNEL32(?,000000018003E245,?,?,?,000000018000110D), ref: 0000000180046B12
EncodePointer.KERNEL32(?,000000018003E245,?,?,?,000000018000110D), ref: 0000000180046B1B
GetProcAddress.KERNEL32(?,000000018003E245,?,?,?,000000018000110D), ref: 0000000180046B32
EncodePointer.KERNEL32(?,000000018003E245,?,?,?,000000018000110D), ref: 0000000180046B3B
GetProcAddress.KERNEL32(?,000000018003E245,?,?,?,000000018000110D), ref: 0000000180046B52
EncodePointer.KERNEL32(?,000000018003E245,?,?,?,000000018000110D), ref: 0000000180046B5B
GetProcAddress.KERNEL32(?,000000018003E245,?,?,?,000000018000110D), ref: 0000000180046B7A
EncodePointer.KERNEL32(?,000000018003E245,?,?,?,000000018000110D), ref: 0000000180046B83
DecodePointer.KERNEL32(?,000000018003E245,?,?,?,000000018000110D), ref: 0000000180046BB6
DecodePointer.KERNEL32(?,000000018003E245,?,?,?,000000018000110D), ref: 0000000180046BC6
DecodePointer.KERNEL32(?,000000018003E245,?,?,?,000000018000110D), ref: 0000000180046C1C
DecodePointer.KERNEL32(?,000000018003E245,?,?,?,000000018000110D), ref: 0000000180046C3D
DecodePointer.KERNEL32(?,000000018003E245,?,?,?,000000018000110D), ref: 0000000180046C57

Strings

USER32.DLL, xrefs: 0000000180046AC6
GetUserObjectInformationW, xrefs: 0000000180046B41
GetLastActivePopup, xrefs: 0000000180046B21
GetActiveWindow, xrefs: 0000000180046B01
GetProcessWindowStation, xrefs: 0000000180046B70
MessageBoxW, xrefs: 0000000180046ADF

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationW$MessageBoxW$USER32.DLL
API String ID: 2643518689-564504941
Opcode ID: 1824d7e647174aac9ba8a228052728ff37a26939126cb63fc2dd71cb4fdc05b6
Instruction ID: df7a2586361332801e439d358c24d371d3d75d19ea64f50f1298fa16b69f6015
Opcode Fuzzy Hash: 1824d7e647174aac9ba8a228052728ff37a26939126cb63fc2dd71cb4fdc05b6
Instruction Fuzzy Hash: A6514A30602F5980FED7DB51BC943E523A1BB8EBC8F068424BC5E433A0EE38968D8315

Function 0000000180041BE4 Relevance: 34.0, APIs: 17, Strings: 2, Instructions: 723COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000000180040AE0: _getptd.LIBCMT ref: 0000000180040AF2

_errno.LIBCMT ref: 0000000180041C4F
_errno.LIBCMT ref: 0000000180041C60
_invalid_parameter_noinfo.LIBCMT ref: 0000000180041C6B
_fileno.LIBCMT ref: 0000000180041CA4
_errno.LIBCMT ref: 0000000180041D17
_invalid_parameter_noinfo.LIBCMT ref: 0000000180041D22
write_multi_char.LIBCMT ref: 00000001800422FB
write_multi_char.LIBCMT ref: 0000000180042336
write_multi_char.LIBCMT ref: 00000001800423E9
free.LIBCMT ref: 0000000180042401
write_char.LIBCMT ref: 0000000180042542
write_char.LIBCMT ref: 000000018004256D

Strings

@, xrefs: 0000000180041C90
, xrefs: 00000001800422CB

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID: _errnowrite_multi_char$_invalid_parameter_noinfowrite_char$_fileno_getptdfree
String ID: $@
API String ID: 920461082-1077428164
Opcode ID: 9ce62dfc7d1726e45cd4ea0018cda0193fd16e9140b06ccd3c386b2f0c347445
Instruction ID: a73cbf3e3e5a568c21571af9e4bb4affdca5ed3204bfc9730e079ae41a4dd57d
Opcode Fuzzy Hash: 9ce62dfc7d1726e45cd4ea0018cda0193fd16e9140b06ccd3c386b2f0c347445
Instruction Fuzzy Hash: 9B52F172708E8885FBA78B5495803EE6BA1F7897CCFA68015FA45476D5CF38CA49C708

Function 000000018004CB30 Relevance: 18.1, APIs: 12, Instructions: 115
memoryfileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000180048148: _errno.LIBCMT ref: 000000018004816A

_errno.LIBCMT ref: 000000018004CBB8

Part of subcall function 0000000180048148: SetFilePointer.KERNEL32(00000000,00000001,00000001,0000000180044F61,?,00000000,00000000,0000000180041A89,?,?,00000000,0000000180041AE5,?,?,00000200,0000000180042572), ref: 000000018004818A
Part of subcall function 0000000180048148: GetLastError.KERNEL32(?,00000000,00000000,0000000180041A89,?,?,00000000,0000000180041AE5,?,?,00000200,0000000180042572), ref: 0000000180048199

GetProcessHeap.KERNEL32(00000000,?,00000109,00000001800496A0), ref: 000000018004CB8A
HeapAlloc.KERNEL32 ref: 000000018004CB9F
_errno.LIBCMT ref: 000000018004CBAD
__doserrno.LIBCMT ref: 000000018004CC12
_errno.LIBCMT ref: 000000018004CC1C
GetProcessHeap.KERNEL32 ref: 000000018004CC35
HeapFree.KERNEL32 ref: 000000018004CC43
SetEndOfFile.KERNEL32(00000000,?,00000109,00000001800496A0), ref: 000000018004CC6E
_errno.LIBCMT ref: 000000018004CC85
__doserrno.LIBCMT ref: 000000018004CC90
GetLastError.KERNEL32 ref: 000000018004CC98

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID: _errno$Heap$ErrorFileLastProcess__doserrno$AllocFreePointer
String ID:
API String ID: 3112900366-0
Opcode ID: 5c1484790b7029330c56b00ce7b4326b62192608e4fc1df10d09937e4c225644
Instruction ID: fe7456c0442f1bcdb1b8f511e1c750bbd640e26c1f04292c679d1de3200e95df
Opcode Fuzzy Hash: 5c1484790b7029330c56b00ce7b4326b62192608e4fc1df10d09937e4c225644
Instruction Fuzzy Hash: 6741E131300E5841EAD6AB3598857DC2291A74DBF8F56C711F939077D2DF38CA49878A

Function 0000000180040580 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 159
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_set_error_mode.LIBCMT ref: 00000001800405C5
_set_error_mode.LIBCMT ref: 00000001800405D6
GetModuleFileNameW.KERNEL32 ref: 0000000180040638

Part of subcall function 00000001800427E4: GetCurrentProcess.KERNEL32(?,?,?,?,0000000180042886), ref: 00000001800427FC

GetStdHandle.KERNEL32 ref: 000000018004074D
WriteFile.KERNEL32 ref: 00000001800407AA

Strings

<program name unknown>, xrefs: 0000000180040647
Runtime Error!Program: , xrefs: 0000000180040605
Microsoft Visual C++ Runtime Library, xrefs: 00000001800406F1
..., xrefs: 000000018004068A

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID: File_set_error_mode$CurrentHandleModuleNameProcessWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 2183313154-4022980321
Opcode ID: ba61b9740d2fabcbb053f7a8c1a04480db4f8b8fe58e62101f9bba5b1f63e096
Instruction ID: afc2a24109b5524a715c6b2c3ba94efa30044fcd1fda98386a67971cc6d85b1b
Opcode Fuzzy Hash: ba61b9740d2fabcbb053f7a8c1a04480db4f8b8fe58e62101f9bba5b1f63e096
Instruction Fuzzy Hash: 1851F131B04A8845F7E6DB25A8917DA22A1A78D7C8F668112FE5A03B95DF38C30DC709

Function 0000000180041044 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 288
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000180040AE0: _getptd.LIBCMT ref: 0000000180040AF2

_errno.LIBCMT ref: 0000000180041094
_invalid_parameter_noinfo.LIBCMT ref: 000000018004109E
_errno.LIBCMT ref: 00000001800410C0
_invalid_parameter_noinfo.LIBCMT ref: 00000001800410CC
_errno.LIBCMT ref: 00000001800410F4
_cftoe_l.LIBCMT ref: 0000000180041138

Strings

gfffffff, xrefs: 00000001800413C3

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo$_cftoe_l_getptd
String ID: gfffffff
API String ID: 1282097019-1523873471
Opcode ID: 24a95ef78a624545ba7c9d7dc106d39f48c7645bdea6b767835b0edbd9f1c844
Instruction ID: cd9f51b8cdbe88b98d15d95ecd3b9eaa2330d4955cd9fdd12c4ed391452db137
Opcode Fuzzy Hash: 24a95ef78a624545ba7c9d7dc106d39f48c7645bdea6b767835b0edbd9f1c844
Instruction Fuzzy Hash: 3EB17773704BC88AEB92CB25C6803DD6BA5F3197D9F05C621EF59877D5EA388629C304

Function 000000018003E5C0 Relevance: 12.1, APIs: 8, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00000001800428BB
RtlLookupFunctionEntry.KERNEL32 ref: 00000001800428DA
RtlVirtualUnwind.KERNEL32 ref: 0000000180042926
IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001800427CB), ref: 0000000180042998
SetUnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001800427CB), ref: 00000001800429B0
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001800427CB), ref: 00000001800429BD
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001800427CB), ref: 00000001800429D6
TerminateProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001800427CB), ref: 00000001800429E4

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
String ID:
API String ID: 3778485334-0
Opcode ID: c3598976ca1632c357be4ba8301645e2a35c7deb92361203275c35b9385dcc3e
Instruction ID: 868fa4e71887f5911bd689abb344e6afb6984900060eeb71dea75f24283ff6da
Opcode Fuzzy Hash: c3598976ca1632c357be4ba8301645e2a35c7deb92361203275c35b9385dcc3e
Instruction Fuzzy Hash: 6C31F335208F8885EB929B10F8843DA73A1F78D3D8F518126FA9D42BA5DF7CC298C705

Function 0000000180036160 Relevance: 11.2, APIs: 3, Strings: 3, Instructions: 701COMMON

Download Yara Rule

APIs

cosf.LIBCMT ref: 0000000180036223
cosf.LIBCMT ref: 0000000180036362

Strings

VUUU, xrefs: 0000000180036379
Cant normalize ZERO vector, xrefs: 0000000180036518
VUUU, xrefs: 0000000180036393

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID: cosf
String ID: Cant normalize ZERO vector$VUUU$VUUU
API String ID: 3953124788-2926792483
Opcode ID: b92377ace262dadcb44eaa4825634ab27a3adf4bf1b68f1153cd6b28c1d1e0c2
Instruction ID: 8ebbcb85a410bf6a645dd75cc33d335b818cb10fe72586fe260dc28c1af0858f
Opcode Fuzzy Hash: b92377ace262dadcb44eaa4825634ab27a3adf4bf1b68f1153cd6b28c1d1e0c2
Instruction Fuzzy Hash: 8872D432A14A8886D752CF3AD4813AAB7A0FB9D785F19C706EB4963774DF35D189CB00

Function 000000018004AC9C Relevance: 9.1, Strings: 7, Instructions: 337COMMON

Download Yara Rule

Strings

J^1#, xrefs: 000000018004ACC4
do@#, xrefs: 000000018004ACD4
NwEz, xrefs: 000000018004ACEC
Ftt, xrefs: 000000018004ACF4
#8BQ, xrefs: 000000018004AEB5
6cgv, xrefs: 000000018004ACDC
xBO?, xrefs: 000000018004ACCC

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID:
String ID: #8BQ$6cgv$Ftt$J^1#$NwEz$do@#$xBO?
API String ID: 0-2817147213
Opcode ID: 5b77fe72eaddb53b703fe21e6f9f9f3e6d288ab5ce12969816a75deff9559122
Instruction ID: cda52e59a6181bcc1e9931452a8ff373926afa540e7e1d9509708c0067d5f037
Opcode Fuzzy Hash: 5b77fe72eaddb53b703fe21e6f9f9f3e6d288ab5ce12969816a75deff9559122
Instruction Fuzzy Hash: 70D12772705B9886EB6ACF21D0847ED7BA1F709BC8F468025EE0A17B54DF38D649C708

Function 0000000180042698 Relevance: 9.1, APIs: 6, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 0000000180042705
RtlLookupFunctionEntry.KERNEL32 ref: 000000018004271D
RtlVirtualUnwind.KERNEL32 ref: 0000000180042757
IsDebuggerPresent.KERNEL32 ref: 000000018004278D
SetUnhandledExceptionFilter.KERNEL32 ref: 0000000180042797
UnhandledExceptionFilter.KERNEL32 ref: 00000001800427A2

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 687f001dfb37a47157b6f2a046625e947f4851768aa9483d248bdf8ccabb4226
Instruction ID: ce6028df09523790c5ce4c1857c5788db5e4af3653a889637483fba63be9d821
Opcode Fuzzy Hash: 687f001dfb37a47157b6f2a046625e947f4851768aa9483d248bdf8ccabb4226
Instruction Fuzzy Hash: C8319132204F8486EBA1CF25E8807DE77A0F788798F51411AFA9D43B99DF38C649CB00

Function 000000018003E804 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 283COMMON

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000000018003E95B
_set_statfp.LIBCMT ref: 000000018003E990
_set_statfp.LIBCMT ref: 000000018003EAE5

Strings

atan2f, xrefs: 000000018003E8EC
!, xrefs: 000000018003E8FC

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID: _set_statfp
String ID: !$atan2f
API String ID: 1156100317-746904718
Opcode ID: 922dedef4b508459671a67f39f388c8a37360033d7157b9d186a1199daea5b28
Instruction ID: d5c9dca1ae84759df08d4f946077274373d06d771ca18e833c4e4ac63076a48d
Opcode Fuzzy Hash: 922dedef4b508459671a67f39f388c8a37360033d7157b9d186a1199daea5b28
Instruction Fuzzy Hash: 43C1D231624ECC88E6B78B3254103E7E3547F5F7D4F16D312B92A36AD4EF29868A8700

Function 000000018004634C Relevance: 7.5, APIs: 5, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 0000000180046383
GetCurrentProcessId.KERNEL32 ref: 000000018004638E
GetCurrentThreadId.KERNEL32 ref: 000000018004639A
GetTickCount.KERNEL32 ref: 00000001800463A6
QueryPerformanceCounter.KERNEL32 ref: 00000001800463B7

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 92565ea8d5c85b212df12a7ebaa521c2a5878a6861afd3c9b07c384d7c5c1395
Instruction ID: 4acdcd43e76b003da33731daa7b3035c29bec53c6226794cfad176108422307a
Opcode Fuzzy Hash: 92565ea8d5c85b212df12a7ebaa521c2a5878a6861afd3c9b07c384d7c5c1395
Instruction Fuzzy Hash: 3101A131214E4886E792CF21E8847857360F74DBD8F05A520FE6A177A0DF38CAC88305

Function 000000018004C084 Relevance: 5.8, Strings: 4, Instructions: 796COMMONLIBRARYCODE

Download Yara Rule

Strings

1#IND, xrefs: 000000018004C1B3
1#INF, xrefs: 000000018004C1EA
1#QNAN, xrefs: 000000018004C221
1#SNAN, xrefs: 000000018004C16E

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID:
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 0-2761157908
Opcode ID: 15df8c0887e0000742dc0fce623b2a10b3cc1c0418acf83a7d3470be4994e7f8
Instruction ID: b11c022b24f10193ce3ce715ff24ddb663a1b91023c54f09b49952ae2bbc4a46
Opcode Fuzzy Hash: 15df8c0887e0000742dc0fce623b2a10b3cc1c0418acf83a7d3470be4994e7f8
Instruction Fuzzy Hash: C562D276B14A588AF7A6CF75C050FED37B1B75838CF42D019EE0167A84EA348A19C74A

Function 000000018004B820 Relevance: 3.6, APIs: 2, Instructions: 613COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018004B883
_invalid_parameter_noinfo.LIBCMT ref: 000000018004B88E

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID:
API String ID: 2959964966-0
Opcode ID: a3c4391194da57d1acbd5fb50f20acf309594c971f8b73a6be8099d63eea8d17
Instruction ID: 713e426ca326a16ee2fdce1f5640ab90c17c839528a9bd35edfd2c2478f43a67
Opcode Fuzzy Hash: a3c4391194da57d1acbd5fb50f20acf309594c971f8b73a6be8099d63eea8d17
Instruction Fuzzy Hash: CF32C372B04A488AF7A68F65C0D07EC37A6B7183CCF56801AEF45976C5DE358A4EC709

Function 000000018000BDA0 Relevance: 3.2, Strings: 2, Instructions: 706COMMON

Download Yara Rule

Strings

@, xrefs: 000000018000BFA4
@, xrefs: 000000018000BFB3

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: 85c97c0bcd6a7545fcef9045b8cc4f5e6091eb89f87564d17f037fd72c8897f0
Instruction ID: f70c8b40b880a7ab01affacd54e4018a46f696cdd9b649769b2a316347d57481
Opcode Fuzzy Hash: 85c97c0bcd6a7545fcef9045b8cc4f5e6091eb89f87564d17f037fd72c8897f0
Instruction Fuzzy Hash: 0E6285B6300A9886EB95CF26E488B9E77A4F748BC8F15C026EE4D57B64DF34C659C700

Function 000000018000B460 Relevance: 3.0, Strings: 2, Instructions: 519COMMON

Download Yara Rule

Strings

..\..\Core\Common\src\cloth\ClothMesh.cpp, xrefs: 000000018000BA47
Soft body mesh tetrahedron %d has illegal winding order., xrefs: 000000018000BA40

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID:
String ID: ..\..\Core\Common\src\cloth\ClothMesh.cpp$Soft body mesh tetrahedron %d has illegal winding order.
API String ID: 0-2497088621
Opcode ID: 1d50ed93a4618e66e24dcec245453436e13a514052afe5ea02e4ca5acb916706
Instruction ID: a3d31b81d13a8ace292743cbd62ef8cbd031ba2a79883c43894d028611e5d813
Opcode Fuzzy Hash: 1d50ed93a4618e66e24dcec245453436e13a514052afe5ea02e4ca5acb916706
Instruction Fuzzy Hash: E842DF72A14A888AD742CF2AD08479D73A4FB9DB84F25C712EB4963794DF36D588CB00

Function 0000000180012C00 Relevance: .8, Instructions: 806COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbee738133f138012f8b5ef05bc2e31700efd1da7298d87b3813d35018dadd77
Instruction ID: c6f1ca7cfed251379cfc02395260be4996054513fff38885842a45b59efab70e
Opcode Fuzzy Hash: fbee738133f138012f8b5ef05bc2e31700efd1da7298d87b3813d35018dadd77
Instruction Fuzzy Hash: 1672B5B7205AD49BCB96CF3690953EC7BA1F31DB88F488216EF8903B45DA34D268C751

Function 000000018002C4F0 Relevance: .6, Instructions: 634COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffcc582a9050cf982f0d807d56d005ee6358e83d786e71fbaccbf9bfcd0f5797
Instruction ID: ebf9e38626cd392762ad5c2e97b3f51e2c0a9d947e66d2cde2cf2708d2041996
Opcode Fuzzy Hash: ffcc582a9050cf982f0d807d56d005ee6358e83d786e71fbaccbf9bfcd0f5797
Instruction Fuzzy Hash: 79527876605B8886DB92DF2AE04079DBBA1F789FD4F148116EF8A07B58DF38C585CB40

Function 000000018003BEB0 Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eb4c518925a41008fc2166ad5c9599bef2916ff3bd583f28f838cf1dee5d34f
Instruction ID: aa775bea4725cb1641bae394a9020f8cd4f7d9f92af53996f8b7f390fd76fce0
Opcode Fuzzy Hash: 6eb4c518925a41008fc2166ad5c9599bef2916ff3bd583f28f838cf1dee5d34f
Instruction Fuzzy Hash: A4523C76604A84CAD766CF2AD4807DE77B5F78CB88F158216EB8983B68DF35C645CB00

Function 0000000180017880 Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80e7507d674b60108a5ed3db11562a0694abd5f334d3008d851f2509531dd33c
Instruction ID: 74ba95146f3c6d4679feb7debc9c182cb364a069b4fe51ca6d8ab09e0996cc60
Opcode Fuzzy Hash: 80e7507d674b60108a5ed3db11562a0694abd5f334d3008d851f2509531dd33c
Instruction Fuzzy Hash: A932AE33610A488FD756CF7AD04079D7BB2FB89B98F149704EA0927A99EB34D598DF00

Function 0000000180029010 Relevance: .5, Instructions: 453COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f86c5276f871af8caa5f57583e7fd56ea31ebf255445abbf96b92eb17ef30777
Instruction ID: f11bf07547a1c462bdeaa0c6079fa73f50b1e03a4d6c2a5054af169923359f37
Opcode Fuzzy Hash: f86c5276f871af8caa5f57583e7fd56ea31ebf255445abbf96b92eb17ef30777
Instruction Fuzzy Hash: 9422B073A15A888AC752DF77D08069D7BA0FB9D780F5AC712EE48237A1DB35E549CB00

Function 0000000180007E50 Relevance: .4, Instructions: 410COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f33ed337b245025f98dbe79e223858b09af833faf82940d1042a9ff0eacf7cf6
Instruction ID: 18aac2264636b9fa25db152558233bd7852fdd9051005b52d3d8a3e949557afe
Opcode Fuzzy Hash: f33ed337b245025f98dbe79e223858b09af833faf82940d1042a9ff0eacf7cf6
Instruction Fuzzy Hash: DBF1AE32210AA881DB94DBA6D4597FFB399EB99BC0F01C016EE8E537D1CE38D248D350

Function 0000000180038EF0 Relevance: .4, Instructions: 387COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31af57c14ef2b965298ff3f426071afa22a92dbd6a03d660c58aaa3717c62eeb
Instruction ID: b245657265380e4d80289c27db30fa78f0cbd9f72ef22055fe0fd094c9259256
Opcode Fuzzy Hash: 31af57c14ef2b965298ff3f426071afa22a92dbd6a03d660c58aaa3717c62eeb
Instruction Fuzzy Hash: 7EF19E76711A48CAEB92DFA5D0447DE37A1F789FD4F468126EE0A07784DE34CA49C740

Function 000000018001D4D0 Relevance: .4, Instructions: 375COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f40d0ab21d99fccb9fca75bb9d91f321fd5ca23cb4bac666fbe0ae193a08d680
Instruction ID: 203a0c91e28472cdd3cf4a1ebdc3c189530cbf03260d6ef9639e68d47f3d3c12
Opcode Fuzzy Hash: f40d0ab21d99fccb9fca75bb9d91f321fd5ca23cb4bac666fbe0ae193a08d680
Instruction Fuzzy Hash: 0002B132B14B8C8BE352CF7A90417AD73A2EB9D798F198706EE44777A8DB30A555C700

Function 000000018002BF20 Relevance: .4, Instructions: 374COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67ae1094a7218bc64d889032dd45897d5fa4065f8b21b367b7bfc5da67180d22
Instruction ID: 9033d227dc0a814af50fee3b50408a5ad3919072a0ba6c33c4cc67aee827d8e3
Opcode Fuzzy Hash: 67ae1094a7218bc64d889032dd45897d5fa4065f8b21b367b7bfc5da67180d22
Instruction Fuzzy Hash: 1B028B77600A8886DB92DF2AD080B9DB7A0F789FD4F19D212EE4A17764DF35C989C740

Function 000000018002A290 Relevance: .3, Instructions: 348COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 341434670c4e157628bf77708c0d963604194d1386a15dfb54d54d2277b4e294
Instruction ID: d1de30ef56593cdad6fba35603321ce49a64bdbd2aabed9996cf504b2b6c6a06
Opcode Fuzzy Hash: 341434670c4e157628bf77708c0d963604194d1386a15dfb54d54d2277b4e294
Instruction Fuzzy Hash: 7E026A72605A888AEB56DF2BD08039D7770FB8DB84F558202EE4A237A5DF34D59AC700

Function 000000018000A600 Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f123c3bdd6dc4bec3c1bb22c891037d48940db56669e55aa6772d4f87ecbb744
Instruction ID: 89efe48841236b40baaf716c1794e15984c2a8df918ba7c91b5974f176eaa130
Opcode Fuzzy Hash: f123c3bdd6dc4bec3c1bb22c891037d48940db56669e55aa6772d4f87ecbb744
Instruction Fuzzy Hash: A1D199B2B10B8887EA49CB6AD1447D8B3A1F79DBC4F049612EF4D1B794EF35E1568700

Function 000000018003A050 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6873bf1e5c25d4720d09ac23e33e5db5bea021f72466a92713b0ab2d34dd4cfc
Instruction ID: eadffc442b805bed14180cb723d8c7126062f3794b58b805b68d660bafed5dfd
Opcode Fuzzy Hash: 6873bf1e5c25d4720d09ac23e33e5db5bea021f72466a92713b0ab2d34dd4cfc
Instruction Fuzzy Hash: 1BA1A176215A8886EB92DF25D4047DE37A1F78AFC4F448036FE0A0B799DE39C649C710

Function 0000000180017540 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d67c38e72f86aff77d9716bc29b1c9c8598c5684548c08387034fc315ced36a
Instruction ID: 5fa45148af4a89ee130712a850f70836a840fe8340997d07769affefdddec7f9
Opcode Fuzzy Hash: 4d67c38e72f86aff77d9716bc29b1c9c8598c5684548c08387034fc315ced36a
Instruction Fuzzy Hash: 5C815432E24F8C89E363CB7794827E97361BFAE388F19D702BE44315A5DB345595AA00

Function 000000018004D178 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a84a00940841a07d6a4f4d34eb23f93d9f0dcc6fe73abedee6fef420e945d121
Instruction ID: d7382ce042898ec5f61c79f00eda4c3b62ee3afc4a13f3f8e0266efc75b7ad79
Opcode Fuzzy Hash: a84a00940841a07d6a4f4d34eb23f93d9f0dcc6fe73abedee6fef420e945d121
Instruction Fuzzy Hash: 3F51D5B37206BC8BE799CF18E154F5936A9F368384F42D019FA4283F44EA76D954CB04

Function 0000000180043548 Relevance: .2, Instructions: 173COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1621c0e17353819446ef7b6a725b7419b576c8c873dac34281814b8c3079f79e
Instruction ID: d9df9a26f6d54beacce19ced527af61e258992433bf75d622076c3d8202b239e
Opcode Fuzzy Hash: 1621c0e17353819446ef7b6a725b7419b576c8c873dac34281814b8c3079f79e
Instruction Fuzzy Hash: B05136F3724A4842DF15CF15E48A7A9A692E7987C8F01E235EE5E17B88DA3CD648C344

Function 0000000180018550 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c9972286ccc0c398e66616e7ee2097638ec5dfe683b87240fba03bf5371292c
Instruction ID: ce5edfddca3263b888669e862347e95ca466a6a16ca3ec66af239e35ff603e8d
Opcode Fuzzy Hash: 3c9972286ccc0c398e66616e7ee2097638ec5dfe683b87240fba03bf5371292c
Instruction Fuzzy Hash: 6551D876504E0986DBE1CE1DE480B9E7B92F7987E8F509301EB6513BE4CB35CA5ADB00

Function 000000018004A638 Relevance: 107.7, APIs: 86, Instructions: 180
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

free.LIBCMT ref: 000000018004A64D

Part of subcall function 000000018003E220: HeapFree.KERNEL32(?,?,?,000000018000110D), ref: 000000018003E236
Part of subcall function 000000018003E220: _errno.LIBCMT ref: 000000018003E240

free.LIBCMT ref: 000000018004A656
free.LIBCMT ref: 000000018004A65F
free.LIBCMT ref: 000000018004A668
free.LIBCMT ref: 000000018004A671
free.LIBCMT ref: 000000018004A67A
free.LIBCMT ref: 000000018004A682
free.LIBCMT ref: 000000018004A68B
free.LIBCMT ref: 000000018004A694
free.LIBCMT ref: 000000018004A69D
free.LIBCMT ref: 000000018004A6A6
free.LIBCMT ref: 000000018004A6AF
free.LIBCMT ref: 000000018004A6B8
free.LIBCMT ref: 000000018004A6C1
free.LIBCMT ref: 000000018004A6CA
free.LIBCMT ref: 000000018004A6D3
free.LIBCMT ref: 000000018004A6DF
free.LIBCMT ref: 000000018004A6EB
free.LIBCMT ref: 000000018004A6F7
free.LIBCMT ref: 000000018004A703
free.LIBCMT ref: 000000018004A70F
free.LIBCMT ref: 000000018004A71B
free.LIBCMT ref: 000000018004A727
free.LIBCMT ref: 000000018004A733
free.LIBCMT ref: 000000018004A73F
free.LIBCMT ref: 000000018004A74B
free.LIBCMT ref: 000000018004A757
free.LIBCMT ref: 000000018004A763
free.LIBCMT ref: 000000018004A76F
free.LIBCMT ref: 000000018004A77B
free.LIBCMT ref: 000000018004A787
free.LIBCMT ref: 000000018004A793
free.LIBCMT ref: 000000018004A79F
free.LIBCMT ref: 000000018004A7AB
free.LIBCMT ref: 000000018004A7B7
free.LIBCMT ref: 000000018004A7C3
free.LIBCMT ref: 000000018004A7CF
free.LIBCMT ref: 000000018004A7DB
free.LIBCMT ref: 000000018004A7E7
free.LIBCMT ref: 000000018004A7F3
free.LIBCMT ref: 000000018004A7FF
free.LIBCMT ref: 000000018004A80B
free.LIBCMT ref: 000000018004A817
free.LIBCMT ref: 000000018004A823
free.LIBCMT ref: 000000018004A82F
free.LIBCMT ref: 000000018004A83B
free.LIBCMT ref: 000000018004A847
free.LIBCMT ref: 000000018004A853
free.LIBCMT ref: 000000018004A85F
free.LIBCMT ref: 000000018004A86B
free.LIBCMT ref: 000000018004A877
free.LIBCMT ref: 000000018004A883
free.LIBCMT ref: 000000018004A88F
free.LIBCMT ref: 000000018004A89B
free.LIBCMT ref: 000000018004A8A7
free.LIBCMT ref: 000000018004A8B3
free.LIBCMT ref: 000000018004A8BF
free.LIBCMT ref: 000000018004A8CB
free.LIBCMT ref: 000000018004A8D7
free.LIBCMT ref: 000000018004A8E3
free.LIBCMT ref: 000000018004A8EF
free.LIBCMT ref: 000000018004A8FB
free.LIBCMT ref: 000000018004A907
free.LIBCMT ref: 000000018004A913
free.LIBCMT ref: 000000018004A91F
free.LIBCMT ref: 000000018004A92B
free.LIBCMT ref: 000000018004A937
free.LIBCMT ref: 000000018004A943
free.LIBCMT ref: 000000018004A94F
free.LIBCMT ref: 000000018004A95B
free.LIBCMT ref: 000000018004A967
free.LIBCMT ref: 000000018004A973
free.LIBCMT ref: 000000018004A97F
free.LIBCMT ref: 000000018004A98B
free.LIBCMT ref: 000000018004A997
free.LIBCMT ref: 000000018004A9A3
free.LIBCMT ref: 000000018004A9AF
free.LIBCMT ref: 000000018004A9BB
free.LIBCMT ref: 000000018004A9C7
free.LIBCMT ref: 000000018004A9D3
free.LIBCMT ref: 000000018004A9DF
free.LIBCMT ref: 000000018004A9EB
free.LIBCMT ref: 000000018004A9F7
free.LIBCMT ref: 000000018004AA03
free.LIBCMT ref: 000000018004AA0F
free.LIBCMT ref: 000000018004AA1B

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID: free$FreeHeap_errno
String ID:
API String ID: 2737118440-0
Opcode ID: 258e030ea8eef92e677a1f4030c5f0b19a91ecd9a257867854d2aa094b2d70cf
Instruction ID: 4d872ec27d9ca8d6f8751ad299c95db9e4a79eb5509a17a55bae787e74e0c8bc
Opcode Fuzzy Hash: 258e030ea8eef92e677a1f4030c5f0b19a91ecd9a257867854d2aa094b2d70cf
Instruction Fuzzy Hash: 54A1553121158885E6C3BB71F8957DF1325ABCAF84F059E32BB4D4B5E7CE10DA498390

Function 0000000180045108 Relevance: 32.0, APIs: 21, Instructions: 482COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000000180045139
_errno.LIBCMT ref: 0000000180045142
__doserrno.LIBCMT ref: 000000018004519C
_errno.LIBCMT ref: 00000001800451A3
_invalid_parameter_noinfo.LIBCMT ref: 0000000180045812

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID: __doserrno_errno$_invalid_parameter_noinfo
String ID:
API String ID: 2315031519-0
Opcode ID: 27ee3e071bdb6c1f7188517e3c46bf29d4632009371291bd4a31ced4f22275c5
Instruction ID: beaf73869c5ab8301a8de9efe598f3bfa40f1db9310f99e121f6dd647ad85f45
Opcode Fuzzy Hash: 27ee3e071bdb6c1f7188517e3c46bf29d4632009371291bd4a31ced4f22275c5
Instruction Fuzzy Hash: 8322F572205E8886F7A38F64D4C03EC2B91A749BDEF56C115EA96077D3DE78C649C309

Function 00000001800478B4 Relevance: 19.6, APIs: 13, Instructions: 90
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__free_lconv_mon.LIBCMT ref: 000000018004790C

Part of subcall function 000000018004AA94: free.LIBCMT ref: 000000018004AAB2
Part of subcall function 000000018004AA94: free.LIBCMT ref: 000000018004AAC4
Part of subcall function 000000018004AA94: free.LIBCMT ref: 000000018004AAD6
Part of subcall function 000000018004AA94: free.LIBCMT ref: 000000018004AAE8
Part of subcall function 000000018004AA94: free.LIBCMT ref: 000000018004AAFA
Part of subcall function 000000018004AA94: free.LIBCMT ref: 000000018004AB0C
Part of subcall function 000000018004AA94: free.LIBCMT ref: 000000018004AB1E
Part of subcall function 000000018004AA94: free.LIBCMT ref: 000000018004AB30
Part of subcall function 000000018004AA94: free.LIBCMT ref: 000000018004AB42
Part of subcall function 000000018004AA94: free.LIBCMT ref: 000000018004AB54
Part of subcall function 000000018004AA94: free.LIBCMT ref: 000000018004AB69
Part of subcall function 000000018004AA94: free.LIBCMT ref: 000000018004AB7E
Part of subcall function 000000018004AA94: free.LIBCMT ref: 000000018004AB93

free.LIBCMT ref: 0000000180047900

Part of subcall function 000000018003E220: HeapFree.KERNEL32(?,?,?,000000018000110D), ref: 000000018003E236
Part of subcall function 000000018003E220: _errno.LIBCMT ref: 000000018003E240

free.LIBCMT ref: 0000000180047922
__free_lconv_num.LIBCMT ref: 000000018004792E
free.LIBCMT ref: 000000018004793A
free.LIBCMT ref: 0000000180047946
free.LIBCMT ref: 000000018004796A
free.LIBCMT ref: 000000018004797E
free.LIBCMT ref: 000000018004798D
free.LIBCMT ref: 0000000180047999
free.LIBCMT ref: 00000001800479C6
free.LIBCMT ref: 00000001800479EE
free.LIBCMT ref: 0000000180047A08

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID: free$FreeHeap__free_lconv_mon__free_lconv_num_errno
String ID:
API String ID: 2573795696-0
Opcode ID: 5a0bd3a4139776b5973723257e7de0a69dd99bb23b7eab651e3109ceedcb2a20
Instruction ID: 64e24b2416a1ca949d6f303a85acd9c423b1c112d23fea3cbc33af8ea2b513f7
Opcode Fuzzy Hash: 5a0bd3a4139776b5973723257e7de0a69dd99bb23b7eab651e3109ceedcb2a20
Instruction Fuzzy Hash: 6041113230298884FFD79F61D4903EE2354E78DBD8F059931BA4D4A2D6CF28CA99C355

Function 000000018004A0F4 Relevance: 15.2, APIs: 10, Instructions: 206
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32 ref: 000000018004A18E
malloc.LIBCMT ref: 000000018004A1F7
MultiByteToWideChar.KERNEL32 ref: 000000018004A22B
LCMapStringW.KERNEL32 ref: 000000018004A252
LCMapStringW.KERNEL32 ref: 000000018004A29A
malloc.LIBCMT ref: 000000018004A2F7

Part of subcall function 000000018003E168: _FF_MSGBANNER.LIBCMT ref: 000000018003E198
Part of subcall function 000000018003E168: HeapAlloc.KERNEL32(?,?,00000000,0000000180042A24,?,?,?,0000000180046585,?,?,?,000000018004662F), ref: 000000018003E1BD
Part of subcall function 000000018003E168: _callnewh.LIBCMT ref: 000000018003E1D6
Part of subcall function 000000018003E168: _errno.LIBCMT ref: 000000018003E1E1
Part of subcall function 000000018003E168: _errno.LIBCMT ref: 000000018003E1EC

LCMapStringW.KERNEL32 ref: 000000018004A32C
WideCharToMultiByte.KERNEL32 ref: 000000018004A36C
free.LIBCMT ref: 000000018004A380
free.LIBCMT ref: 000000018004A391

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID: ByteCharMultiStringWide$_errnofreemalloc$AllocHeap_callnewh
String ID:
API String ID: 1080698880-0
Opcode ID: 8f87ab9d2ae227485477a57223987bd8726c4cafbcef0a4fabf5341cba31a906
Instruction ID: 746fdc849fb7efc80f96b9087f0f4f5be30642e255885f1a6576107973598593
Opcode Fuzzy Hash: 8f87ab9d2ae227485477a57223987bd8726c4cafbcef0a4fabf5341cba31a906
Instruction Fuzzy Hash: 0381B732208B8886FBA69F2594803DA77D5F74E7E8F158615FA1943BD4EF78C7488308

Function 0000000180048408 Relevance: 15.1, APIs: 10, Instructions: 123
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_errno.LIBCMT ref: 000000018004844F
_invalid_parameter_noinfo.LIBCMT ref: 000000018004845B
_errno.LIBCMT ref: 00000001800484A5
_errno.LIBCMT ref: 00000001800484B0
_errno.LIBCMT ref: 00000001800484E2
_invalid_parameter_noinfo.LIBCMT ref: 00000001800484EC
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000001FE,?,00000001800485DB), ref: 000000018004855E
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000001FE,?,00000001800485DB), ref: 000000018004857B
_errno.LIBCMT ref: 00000001800485A1
_invalid_parameter_noinfo.LIBCMT ref: 00000001800485AD

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo$ByteCharErrorLastMultiWide
String ID:
API String ID: 2295021086-0
Opcode ID: d8226484d9b045e3bf121a32930208bfe2de1e8e9735e94a0eea8d55c1e7fd26
Instruction ID: 9c22cb322589bbaecf03df9c4e1f5db85217bda39a9a5de2319d300efcf44f58
Opcode Fuzzy Hash: d8226484d9b045e3bf121a32930208bfe2de1e8e9735e94a0eea8d55c1e7fd26
Instruction Fuzzy Hash: 2251EA32601E4949FBE79F60C4C03EC26A0BF897ECF56C524FA4916AC5DF3886499748

Function 00000001800442B4 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoW.KERNEL32 ref: 00000001800442D5

Part of subcall function 0000000180042A74: Sleep.KERNEL32(?,?,?,00000001800432DB,?,?,?,00000001800408ED,?,?,?,?,000000018003E245), ref: 0000000180042AB9

GetFileType.KERNEL32 ref: 0000000180044440
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 000000018004447E

Strings

@, xrefs: 0000000180044539

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID: CountCriticalFileInfoInitializeSectionSleepSpinStartupType
String ID: @
API String ID: 3473179607-2766056989
Opcode ID: 731d2ca942fb7059f98ccea79a0825b347f719a010229efa7715c3398953b345
Instruction ID: 7b13a2a208b59659a7ff2164eb285c9a59e6247728ec510e04abe0ab60cf6499
Opcode Fuzzy Hash: 731d2ca942fb7059f98ccea79a0825b347f719a010229efa7715c3398953b345
Instruction Fuzzy Hash: CE81B472200F8986EB968F14D88439937A1F748BB8F59C324EA7A477D1DF78C659C309

Function 000000018004582C Relevance: 13.6, APIs: 9, Instructions: 81
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__doserrno.LIBCMT ref: 0000000180045855
_errno.LIBCMT ref: 000000018004585E
__doserrno.LIBCMT ref: 00000001800458BC
_errno.LIBCMT ref: 00000001800458C3
_invalid_parameter_noinfo.LIBCMT ref: 0000000180045927

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID: __doserrno_errno$_invalid_parameter_noinfo
String ID:
API String ID: 2315031519-0
Opcode ID: c62bc627254f1f1a9acb5995aa69af8956a7e938587757901c016c5564e10ee5
Instruction ID: 7682daf60427842ebd199fa13711cc73cf9a5fbc78c26fb93eb3438255fbe3e8
Opcode Fuzzy Hash: c62bc627254f1f1a9acb5995aa69af8956a7e938587757901c016c5564e10ee5
Instruction Fuzzy Hash: 7D310472310E8C86F7936F6598C13ED2650A7487E8F57C119FAA4177D3CE788A48C708

Function 0000000180043E2C Relevance: 12.5, APIs: 3, Strings: 4, Instructions: 206
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_errno.LIBCMT ref: 0000000180043E7D
_invalid_parameter_noinfo.LIBCMT ref: 0000000180043E88
_wsopen_s.LIBCMT ref: 0000000180044099

Strings

UNICODE, xrefs: 000000018004404B
ccs, xrefs: 0000000180043FC9
UTF-8, xrefs: 0000000180044005
UTF-16LE, xrefs: 0000000180044028

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo_wsopen_s
String ID: UNICODE$UTF-16LE$UTF-8$ccs
API String ID: 2053332431-3573488595
Opcode ID: b0c4c6ed9e8498d35fe9303ea9063a51c90cfbb9c06f99b476d42cc90f5ed235
Instruction ID: 3e9b913e688f760b830cb86a69413b8bce1326bacd42ec6ba54fe81f9aa2ab57
Opcode Fuzzy Hash: b0c4c6ed9e8498d35fe9303ea9063a51c90cfbb9c06f99b476d42cc90f5ed235
Instruction Fuzzy Hash: DD711472E04A0C55FBF75A12A9867EA16E0675D7CCE17E024FE0A029C5DF38CB4C8389

Function 0000000180044FB4 Relevance: 12.1, APIs: 8, Instructions: 95COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000180044FCB
_invalid_parameter_noinfo.LIBCMT ref: 0000000180044FD6

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID:
API String ID: 2959964966-0
Opcode ID: ca76609593e7968924802dd47909a67a3de79fc0893ea02630d952cda44f7c31
Instruction ID: b8706fcba3373454a4b01edf78d16520a1e85cc0d5fe777b1d3ba09b79c1032e
Opcode Fuzzy Hash: ca76609593e7968924802dd47909a67a3de79fc0893ea02630d952cda44f7c31
Instruction Fuzzy Hash: 0C41D936604E4852EBE64B2581C13EC37A0F7097DDF258605FBA5836C2CF74CAA9C784

Function 0000000180044694 Relevance: 12.1, APIs: 8, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 00000001800446B7
_errno.LIBCMT ref: 00000001800446BF
_lseek_nolock.LIBCMT ref: 000000018004471C

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID: __doserrno_errno_lseek_nolock
String ID:
API String ID: 3948042459-0
Opcode ID: 5491721df6ad7ab657e95dd21b0d4c728b4e8247b75b654f02dc873897995978
Instruction ID: bdeca9385717e63bca4346382234fa7d175972a54972681b325d5814d0ceb23a
Opcode Fuzzy Hash: 5491721df6ad7ab657e95dd21b0d4c728b4e8247b75b654f02dc873897995978
Instruction Fuzzy Hash: 43213133200E8842F787AF2599C03EC2511A7887E9F1BC104FA140B2D3CF788A4AC718

Function 0000000180046524 Relevance: 12.1, APIs: 8, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

_FF_MSGBANNER.LIBCMT ref: 000000018004654B

Part of subcall function 00000001800407E0: _set_error_mode.LIBCMT ref: 00000001800407E9
Part of subcall function 00000001800407E0: _set_error_mode.LIBCMT ref: 00000001800407F8

Part of subcall function 0000000180040580: _set_error_mode.LIBCMT ref: 00000001800405C5
Part of subcall function 0000000180040580: _set_error_mode.LIBCMT ref: 00000001800405D6
Part of subcall function 0000000180040580: GetModuleFileNameW.KERNEL32 ref: 0000000180040638

Part of subcall function 00000001800401EC: ExitProcess.KERNEL32 ref: 00000001800401FB

Part of subcall function 00000001800429F4: malloc.LIBCMT ref: 0000000180042A1F
Part of subcall function 00000001800429F4: Sleep.KERNEL32(?,?,?,0000000180046585,?,?,?,000000018004662F), ref: 0000000180042A32

_errno.LIBCMT ref: 000000018004658D
_lock.LIBCMT ref: 00000001800465A1
InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,?,000000018004662F), ref: 00000001800465B7
free.LIBCMT ref: 00000001800465C4
_errno.LIBCMT ref: 00000001800465C9
LeaveCriticalSection.KERNEL32(?,?,?,000000018004662F), ref: 00000001800465EC

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID: _set_error_mode$CriticalSection_errno$CountExitFileInitializeLeaveModuleNameProcessSleepSpin_lockfreemalloc
String ID:
API String ID: 113790786-0
Opcode ID: f6cddf33ec298a8bb8cbf7baaf3bba66f453517a4b756cab4bc748b5810b4bcf
Instruction ID: edbf6d34453fbc39e254c7b3028adf59088a67094ee2582bf57cf3f75258cf43
Opcode Fuzzy Hash: f6cddf33ec298a8bb8cbf7baaf3bba66f453517a4b756cab4bc748b5810b4bcf
Instruction Fuzzy Hash: 9421A471A01E8C81F6E7AB10E5843EE2264E74C7C8F16D425B646576E6DF38CA4CC74A

Function 0000000180040380 Relevance: 10.6, APIs: 7, Instructions: 98COMMONLIBRARYCODE

Download Yara Rule

APIs

_lock.LIBCMT ref: 00000001800403A9

Part of subcall function 000000018004660C: _amsg_exit.LIBCMT ref: 0000000180046636

DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,0000000180040551,?,?,00000000,000000018004663B), ref: 00000001800403DC
DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,0000000180040551,?,?,00000000,000000018004663B), ref: 00000001800403FA
DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,0000000180040551,?,?,00000000,000000018004663B), ref: 000000018004043A
DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,0000000180040551,?,?,00000000,000000018004663B), ref: 0000000180040454
DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,0000000180040551,?,?,00000000,000000018004663B), ref: 0000000180040464
ExitProcess.KERNEL32 ref: 00000001800404F0

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID: DecodePointer$ExitProcess_amsg_exit_lock
String ID:
API String ID: 3411037476-0
Opcode ID: 90629936087b4b343afb6f5e2ea20390e49e002a64f4209c8e454aa55673ad60
Instruction ID: 28dce3b8938bf884f7e9275428b3a2511fbaf5e224c98a8887a53a350d5d9406
Opcode Fuzzy Hash: 90629936087b4b343afb6f5e2ea20390e49e002a64f4209c8e454aa55673ad60
Instruction Fuzzy Hash: 5041BD71212F8885E6C28F11EC8439962A5F78CBCCF25C424FA5E537A5EF78C68D8709

Function 00000001800481E0 Relevance: 10.6, APIs: 7, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000000180048203
_errno.LIBCMT ref: 000000018004820B

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 9c7078870c8113ac2fa39057a7caf9cf7a186e07d7669db40971e880b171e245
Instruction ID: 88e291cd6d8539d56209442e2423bdf494ec1d3842b4b11067e362a5da303880
Opcode Fuzzy Hash: 9c7078870c8113ac2fa39057a7caf9cf7a186e07d7669db40971e880b171e245
Instruction Fuzzy Hash: 4321D032310D4C41FA976F15DA813ED2611AB48BF8F1B8B05FE340B2D3CEB88A45A358

Function 0000000180044ED4 Relevance: 10.6, APIs: 7, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000000180044EF7
_errno.LIBCMT ref: 0000000180044EFF

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: e06bde92bf7a4f08831d8cf039223712935559a8b634ef27faa4aece7a856289
Instruction ID: 3623e0460e9e27de6361ba960c2d9fdc26985ee9637d6ca9ed7da609fcd3abb5
Opcode Fuzzy Hash: e06bde92bf7a4f08831d8cf039223712935559a8b634ef27faa4aece7a856289
Instruction Fuzzy Hash: 64212333210E4C46F697AF25D9C13ED2611AB88BE9F1BC114FA140B2D3CF788A49C758

Function 00000001800490FC Relevance: 10.6, APIs: 7, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000180049115
FlushFileBuffers.KERNEL32(?,?,?,0000000180043B12), ref: 0000000180049178
GetLastError.KERNEL32(?,?,?,0000000180043B12), ref: 0000000180049182
__doserrno.LIBCMT ref: 0000000180049192
_errno.LIBCMT ref: 0000000180049199

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID: _errno$BuffersErrorFileFlushLast__doserrno
String ID:
API String ID: 1845094721-0
Opcode ID: efec3c3d13410bf04e0dd30c0ef053db8f256237de7b4ac0eddf3cca2fd18b4a
Instruction ID: aae8da55411f6dd9c1530ed359ea5e4f4d8b6876908d31b57a3ddde22457d520
Opcode Fuzzy Hash: efec3c3d13410bf04e0dd30c0ef053db8f256237de7b4ac0eddf3cca2fd18b4a
Instruction Fuzzy Hash: 3D21F931701E8D41F6936FA598C83ED2651A7887D8F1BC528B615173E2CE788A8CD358

Function 000000018004757C Relevance: 9.1, APIs: 6, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 000000018004759B

Part of subcall function 000000018004332C: _amsg_exit.LIBCMT ref: 0000000180043342

Part of subcall function 00000001800471B8: _getptd.LIBCMT ref: 00000001800471C2
Part of subcall function 00000001800471B8: _amsg_exit.LIBCMT ref: 000000018004725F

Part of subcall function 0000000180047274: GetOEMCP.KERNEL32(?,?,?,?,?,?,?,00000001800475B6,?,?,?,?,?,0000000180047773), ref: 000000018004729E

Part of subcall function 00000001800429F4: malloc.LIBCMT ref: 0000000180042A1F
Part of subcall function 00000001800429F4: Sleep.KERNEL32(?,?,?,0000000180046585,?,?,?,000000018004662F), ref: 0000000180042A32

free.LIBCMT ref: 0000000180047626

Part of subcall function 000000018003E220: HeapFree.KERNEL32(?,?,?,000000018000110D), ref: 000000018003E236
Part of subcall function 000000018003E220: _errno.LIBCMT ref: 000000018003E240

_lock.LIBCMT ref: 0000000180047656
free.LIBCMT ref: 00000001800476F9
free.LIBCMT ref: 0000000180047725
_errno.LIBCMT ref: 000000018004772A

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID: free$_amsg_exit_errno_getptd$FreeHeapSleep_lockmalloc
String ID:
API String ID: 2578750445-0
Opcode ID: 94a589883ec5155802fd95d7fab442aedf742fc852adba6379efa46134cd3324
Instruction ID: da64bb642503be74eb0f6c14831e4ed13401b41da4aced71e1065a25a4b3c3bf
Opcode Fuzzy Hash: 94a589883ec5155802fd95d7fab442aedf742fc852adba6379efa46134cd3324
Instruction Fuzzy Hash: 9351B132300E8846E7E69B24A4803EA77A1F348BC8F56C116FA4E473E7CE38C649C744

Function 0000000180045FFC Relevance: 9.1, APIs: 6, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,000000018003FF49), ref: 0000000180046015
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,000000018003FF49), ref: 000000018004606C
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,000000018003FF49), ref: 00000001800460A7
free.LIBCMT ref: 00000001800460B4
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,000000018003FF49), ref: 00000001800460BF
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,000000018003FF49), ref: 00000001800460CD

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide$free
String ID:
API String ID: 517548149-0
Opcode ID: 162e3acb479bf9528d8707f072606d60b166762714a5c8eb78a8a61cfab57453
Instruction ID: 28af58077e327febc6153a716ebded174d2046a11fd0603b2a2b94e2c4208846
Opcode Fuzzy Hash: 162e3acb479bf9528d8707f072606d60b166762714a5c8eb78a8a61cfab57453
Instruction Fuzzy Hash: 31219532A04B8485EBA68F11B48039A77E4F78DFC8F498114FE8A07764EF38D695C709

Function 0000000180043934 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 000000018004394D
_errno.LIBCMT ref: 0000000180043955

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 3cad00805c535d9d6a24c2447e46d4ac982fe79615d762552acafacf46815b53
Instruction ID: 94c96575089f4780a32a9ec00bd264dd4655c24e9f54b770cefb0f1c2659e3b0
Opcode Fuzzy Hash: 3cad00805c535d9d6a24c2447e46d4ac982fe79615d762552acafacf46815b53
Instruction Fuzzy Hash: 6B110632A00E8C42F6976F2699C23DC2651A7487E9F27E518B516073D3CEB88E48C758

Function 00000001800432A8 Relevance: 9.0, APIs: 6, Instructions: 37threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00000001800408ED,?,?,?,?,000000018003E245,?,?,?,000000018000110D), ref: 00000001800432B2
FlsGetValue.KERNEL32(?,?,?,00000001800408ED,?,?,?,?,000000018003E245,?,?,?,000000018000110D), ref: 00000001800432C0
SetLastError.KERNEL32(?,?,?,00000001800408ED,?,?,?,?,000000018003E245,?,?,?,000000018000110D), ref: 0000000180043318

Part of subcall function 0000000180042A74: Sleep.KERNEL32(?,?,?,00000001800432DB,?,?,?,00000001800408ED,?,?,?,?,000000018003E245), ref: 0000000180042AB9

FlsSetValue.KERNEL32(?,?,?,00000001800408ED,?,?,?,?,000000018003E245,?,?,?,000000018000110D), ref: 00000001800432EC
free.LIBCMT ref: 000000018004330F

Part of subcall function 00000001800431F0: _lock.LIBCMT ref: 0000000180043244
Part of subcall function 00000001800431F0: _lock.LIBCMT ref: 0000000180043263

GetCurrentThreadId.KERNEL32 ref: 0000000180043300

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID: ErrorLastValue_lock$CurrentSleepThreadfree
String ID:
API String ID: 3106088686-0
Opcode ID: 6c9f45206866909c37ad9c1b1df65dd8d4f15302a450987df3cd1bb5765d3834
Instruction ID: e35cefd1ee5cff6cda42b7689ae65c05deeff37c9490ea75c646b2ce74ee25c0
Opcode Fuzzy Hash: 6c9f45206866909c37ad9c1b1df65dd8d4f15302a450987df3cd1bb5765d3834
Instruction Fuzzy Hash: 4B018830200F8886FFD79F6594C53A86261AB4D7D8F05C624FD25033D1EE38C68C8314

Function 000000018003F8D4 Relevance: 7.7, APIs: 5, Instructions: 170COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018003F913
_invalid_parameter_noinfo.LIBCMT ref: 000000018003F91E
memcpy_s.LIBCMT ref: 000000018003F9E7
_fileno.LIBCMT ref: 000000018003FA5A
_errno.LIBCMT ref: 000000018003FAD9

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID: _errno$_fileno_invalid_parameter_noinfomemcpy_s
String ID:
API String ID: 897514287-0
Opcode ID: 9c77f83cd8700deaabc0fd9fd6977863926e76bbc046ac42a92e242d67ca67a7
Instruction ID: 0586abbaa753a26bf92c3da2f0c0844abfb432f7583a0abf359983cbd5339943
Opcode Fuzzy Hash: 9c77f83cd8700deaabc0fd9fd6977863926e76bbc046ac42a92e242d67ca67a7
Instruction Fuzzy Hash: 4B513431304A4895EAB79E2695007BB6B80B74DBE4F19C7217E6D57BD0CF36C69A8340

Function 0000000180048EF4 Relevance: 7.6, APIs: 5, Instructions: 137COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000000180046524: _FF_MSGBANNER.LIBCMT ref: 000000018004654B

_lock.LIBCMT ref: 0000000180048F2E
_lock.LIBCMT ref: 0000000180048F87
InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,?,?,?,?,00000109,0000000180049480), ref: 0000000180048F9C
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,00000109,0000000180049480), ref: 0000000180048FC7
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,00000109,0000000180049480), ref: 0000000180048FD7

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$_lock$CountEnterInitializeLeaveSpin
String ID:
API String ID: 3451527041-0
Opcode ID: ad7bfc99954593bcf8eda28a1d2ef663cbe48e0c93a53522361127f56cae083a
Instruction ID: 8c218b1dd958de25de949e51088d6abf58d8baf781aaa410045e41d8f4ca076a
Opcode Fuzzy Hash: ad7bfc99954593bcf8eda28a1d2ef663cbe48e0c93a53522361127f56cae083a
Instruction Fuzzy Hash: 9351E672601F4886EBA28B50D4803ADA691F7987ECF068625FE6A033D5DF78C65DC705

Function 0000000180041920 Relevance: 7.6, APIs: 5, Instructions: 115COMMONLIBRARYCODE

Download Yara Rule

APIs

_fileno.LIBCMT ref: 000000018004193D

Part of subcall function 00000001800439F8: _errno.LIBCMT ref: 0000000180043A01
Part of subcall function 00000001800439F8: _invalid_parameter_noinfo.LIBCMT ref: 0000000180043A0C

_errno.LIBCMT ref: 000000018004194D
_errno.LIBCMT ref: 0000000180041969
_isatty.LIBCMT ref: 00000001800419CA
_getbuf.LIBCMT ref: 00000001800419D6

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID: _errno$_fileno_getbuf_invalid_parameter_noinfo_isatty
String ID:
API String ID: 2574049805-0
Opcode ID: 4ff880635ef4d904e09ebc87325dda54b86b1ac69e38fcb8f2c0d3ea48b9a742
Instruction ID: eb1a6f5e6da6c3769f147ceaaaa7fc0fc70cae78f6684998a98c0054d036f7c8
Opcode Fuzzy Hash: 4ff880635ef4d904e09ebc87325dda54b86b1ac69e38fcb8f2c0d3ea48b9a742
Instruction Fuzzy Hash: CD41F472600F4C4AEBD69F29C4913EC36A0F748BD8F168215FA69473D5DE34CA55C788

Function 000000018004A458 Relevance: 7.6, APIs: 5, Instructions: 102COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 000000018004A4B2
malloc.LIBCMT ref: 000000018004A516
MultiByteToWideChar.KERNEL32 ref: 000000018004A55E
GetStringTypeW.KERNEL32 ref: 000000018004A575
free.LIBCMT ref: 000000018004A589

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID: ByteCharMultiWide$StringTypefreemalloc
String ID:
API String ID: 307345228-0
Opcode ID: 93dcc5b94d4ecd0e86884504227929fb1291d854fb79cbca14ab971fb09c5493
Instruction ID: c1e8cdc11ca7ad10a2207395aac586f5b43039c7c9522db95887dc8847b2f22a
Opcode Fuzzy Hash: 93dcc5b94d4ecd0e86884504227929fb1291d854fb79cbca14ab971fb09c5493
Instruction Fuzzy Hash: 1F419432204F8486FB929F25A8407DA6395F78DBECF5A8611BE2D477D4DF38C5098708

Function 0000000180042E78 Relevance: 7.6, APIs: 5, Instructions: 91COMMONLIBRARYCODE

Download Yara Rule

APIs

_ctrlfp.LIBCMT ref: 0000000180042EB9
_exception_enabled.LIBCMT ref: 0000000180042EDB

Part of subcall function 0000000180042DBC: _set_statfp.LIBCMT ref: 0000000180042DE3
Part of subcall function 0000000180042DBC: _set_statfp.LIBCMT ref: 0000000180042E56

_raise_excf.LIBCMT ref: 0000000180042F27
_ctrlfp.LIBCMT ref: 0000000180042F73
_ctrlfp.LIBCMT ref: 0000000180042FA4

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID: _ctrlfp$_set_statfp$_exception_enabled_raise_excf
String ID:
API String ID: 3843346586-0
Opcode ID: 4fed85a8e9323bfe2c854ad3ef067d745824d256f9f05b55b1c983bcfd5a2ff9
Instruction ID: 35ab72a1ed03ce81a25cb5b39f41f12cf8ca01baf8c7fa63cc16a06614d8d2ce
Opcode Fuzzy Hash: 4fed85a8e9323bfe2c854ad3ef067d745824d256f9f05b55b1c983bcfd5a2ff9
Instruction Fuzzy Hash: 5041E432614E888AE752DB26E4813EEB771FBCD3C8F415325FA4956A58DF38D589CB00

Function 000000018003E624 Relevance: 7.6, APIs: 5, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,000000018003E739,?,?,?,?,00000001800129B9), ref: 000000018003E64D
DecodePointer.KERNEL32(?,?,?,000000018003E739,?,?,?,?,00000001800129B9), ref: 000000018003E65D

Part of subcall function 0000000180042B80: _errno.LIBCMT ref: 0000000180042B89
Part of subcall function 0000000180042B80: _invalid_parameter_noinfo.LIBCMT ref: 0000000180042B94

EncodePointer.KERNEL32(?,?,?,000000018003E739,?,?,?,?,00000001800129B9), ref: 000000018003E6DB

Part of subcall function 0000000180042AF8: realloc.LIBCMT ref: 0000000180042B23
Part of subcall function 0000000180042AF8: Sleep.KERNEL32(?,?,00000000,000000018003E6CB,?,?,?,000000018003E739,?,?,?,?,00000001800129B9), ref: 0000000180042B3F

EncodePointer.KERNEL32(?,?,?,000000018003E739,?,?,?,?,00000001800129B9), ref: 000000018003E6EB
EncodePointer.KERNEL32(?,?,?,000000018003E739,?,?,?,?,00000001800129B9), ref: 000000018003E6F8

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID: Pointer$Encode$Decode$Sleep_errno_invalid_parameter_noinforealloc
String ID:
API String ID: 1909145217-0
Opcode ID: ed15b638c86beb6079fb653881b7bedfcb1da94e35fa47f475b2029b95edd674
Instruction ID: fe7b83a0f1e081e7fa5e6d38d200593cd4bdb274e8300509f1d988dc7ce839eb
Opcode Fuzzy Hash: ed15b638c86beb6079fb653881b7bedfcb1da94e35fa47f475b2029b95edd674
Instruction Fuzzy Hash: B521A130302B8881EA939B52E9893CAA352B34EBD4F45C825F91E17394DE78C68D8344

Function 0000000180048DB0 Relevance: 7.5, APIs: 5, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000000180048DB9
_errno.LIBCMT ref: 0000000180048DC1

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 04538ce0f69410465c08cf912922deca18a28768c91d40277fbb7ad585d34a5d
Instruction ID: 3fb9fc9a06773a5ddc4cf9db8930bc32603d4213745492d31301100f49cfba50
Opcode Fuzzy Hash: 04538ce0f69410465c08cf912922deca18a28768c91d40277fbb7ad585d34a5d
Instruction Fuzzy Hash: 730181B2A01E4C41FE976B55C8C13EC22519B98BE9FA7CB05F629063D2CFB846089355

Function 000000018002E3F0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 281COMMON

Download Yara Rule

APIs

powf.LIBCMT ref: 000000018002E76E

Strings

..\..\Cooking\src\ConvexMeshBuilder.cpp, xrefs: 000000018002E912
Failed to rebuild Opcode model., xrefs: 000000018002E940
Failed to refit Opcode model., xrefs: 000000018002E902

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID: powf
String ID: ..\..\Cooking\src\ConvexMeshBuilder.cpp$Failed to rebuild Opcode model.$Failed to refit Opcode model.
API String ID: 3445610689-3682976713
Opcode ID: 216dec962e8dca91ec4070bef38bf642e1f4696c0a72cbfcd53967bfc60aac4b
Instruction ID: c1c056e1c85f343c2078a2337025b71bb37fd292796a6b4142674db4036b91a6
Opcode Fuzzy Hash: 216dec962e8dca91ec4070bef38bf642e1f4696c0a72cbfcd53967bfc60aac4b
Instruction Fuzzy Hash: A5E14233A347C89AD342CB3694853E9B360FF6E789F299716EB04321B5DB2161D5AF10

Function 0000000180041694 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90COMMONLIBRARYCODE

Download Yara Rule

APIs

_fltout2.LIBCMT ref: 00000001800416CF
_errno.LIBCMT ref: 00000001800416D9
_invalid_parameter_noinfo.LIBCMT ref: 00000001800416E0

Strings

-, xrefs: 00000001800416FB

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID: _errno_fltout2_invalid_parameter_noinfo
String ID: -
API String ID: 485257318-2547889144
Opcode ID: 7fdfd41007377c7044378e94245d290bf8d3290ad409f6aff9913dfa4249c632
Instruction ID: d709b449ce76c0cccf1e9d4ca559e2f814d34352179fa1e3acc4947a0398de61
Opcode Fuzzy Hash: 7fdfd41007377c7044378e94245d290bf8d3290ad409f6aff9913dfa4249c632
Instruction Fuzzy Hash: 5831F832308E8849EBA29A21E4807DDB7A0BB49BD9F55C211FF9807BC5DF38C649C704

Function 0000000180047EF0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000180047F09
_invalid_parameter_noinfo.LIBCMT ref: 0000000180047F15
_errno.LIBCMT ref: 0000000180047F3C

Strings

1, xrefs: 0000000180047F8B

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo
String ID: 1
API String ID: 2819658684-2212294583
Opcode ID: acab422b16e29b316407dfade680dd80396a7f151f61521eb08063fae4db2bda
Instruction ID: 3afd2d037a64dffeabbd375ce9f5099401c357d53f3d192c0fa9e8baf7547702
Opcode Fuzzy Hash: acab422b16e29b316407dfade680dd80396a7f151f61521eb08063fae4db2bda
Instruction Fuzzy Hash: 8C21C232719AC895F7979B2484903EC6A9097197C8F9BC071B64D06383DE2ACB4DC719

Function 0000000180043114 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

_callnewh.LIBCMT ref: 0000000180043122
malloc.LIBCMT ref: 000000018004312E

Part of subcall function 000000018003E168: _FF_MSGBANNER.LIBCMT ref: 000000018003E198
Part of subcall function 000000018003E168: HeapAlloc.KERNEL32(?,?,00000000,0000000180042A24,?,?,?,0000000180046585,?,?,?,000000018004662F), ref: 000000018003E1BD
Part of subcall function 000000018003E168: _callnewh.LIBCMT ref: 000000018003E1D6
Part of subcall function 000000018003E168: _errno.LIBCMT ref: 000000018003E1E1
Part of subcall function 000000018003E168: _errno.LIBCMT ref: 000000018003E1EC

std::exception::exception.LIBCMT ref: 000000018004319B

Strings

bad allocation, xrefs: 000000018004316B

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID: _callnewh_errno$AllocHeapmallocstd::exception::exception
String ID: bad allocation
API String ID: 2837191506-2104205924
Opcode ID: 69166dead89ba0001818fcb42f863f8f744a8727467665a40b2d329f3b4ae9c4
Instruction ID: 2638e90aacf5b7bd257e9f3c7290f5987344553ab20e9d5bcdf450cefdde47fc
Opcode Fuzzy Hash: 69166dead89ba0001818fcb42f863f8f744a8727467665a40b2d329f3b4ae9c4
Instruction Fuzzy Hash: FF012971210F4D95FAA2EF10FC913E923A1AB4C3C8F999515B98A466A6EF78C34CC744

Function 00000001800401B0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,000000FF,00000001800401F9,?,?,00000028,000000018003E1B1,?,?,00000000,0000000180042A24,?,?,?,0000000180046585), ref: 00000001800401BF
GetProcAddress.KERNEL32(?,?,000000FF,00000001800401F9,?,?,00000028,000000018003E1B1,?,?,00000000,0000000180042A24,?,?,?,0000000180046585), ref: 00000001800401D4

Strings

mscoree.dll, xrefs: 00000001800401B8
CorExitProcess, xrefs: 00000001800401CA

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 1646373207-1276376045
Opcode ID: ba0dafc19b2472185031fd18bc234a06f9b3256a42d53cff56055289a2376332
Instruction ID: a0660a350e574b67e0b4226d0f2eee7d3bf1d40f10e0bb7c7f0877cdf3d5dc59
Opcode Fuzzy Hash: ba0dafc19b2472185031fd18bc234a06f9b3256a42d53cff56055289a2376332
Instruction Fuzzy Hash: 47E01230701B0841FF9B5B90ACE87E812905B4DB85F49D428A81E163A0DE78C7CDC354

Function 0000000180032FB0 Relevance: 6.2, APIs: 4, Instructions: 194COMMON

Download Yara Rule

APIs

Part of subcall function 0000000180030FB0: wprintf.LIBCMT ref: 00000001800310BC

sinf.LIBCMT ref: 00000001800330CF
cosf.LIBCMT ref: 00000001800330DA
sinf.LIBCMT ref: 00000001800331BF
cosf.LIBCMT ref: 00000001800331CA

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID: cosfsinf$wprintf
String ID:
API String ID: 2107656780-0
Opcode ID: 382b214eebf19062cad19f456cb08a0201fd66ced005d341dfe06ad299dadf82
Instruction ID: 46b4470296fbe892be20eddff3f83e40b80dd16ede03d11ccee520d7224549a9
Opcode Fuzzy Hash: 382b214eebf19062cad19f456cb08a0201fd66ced005d341dfe06ad299dadf82
Instruction Fuzzy Hash: D5819632A24B8C85E253973754823EAB350BF6E3D5F2ED712FE4436672DB3592859700

Function 0000000180012900 Relevance: 6.2, APIs: 4, Instructions: 166COMMON

Download Yara Rule

APIs

cosf.LIBCMT ref: 00000001800129EF
sinf.LIBCMT ref: 00000001800129FB
cosf.LIBCMT ref: 0000000180012A1F
sinf.LIBCMT ref: 0000000180012A33

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID: cosfsinf
String ID:
API String ID: 3160392742-0
Opcode ID: 710fe8378ab7627c6d3ad517a7fb43d291aca31b161ca0839560dead9768729b
Instruction ID: 1cead7b32d2bbf2f5b55d1c3a91411fd1ac8757cce8477ee880dc762cf88697a
Opcode Fuzzy Hash: 710fe8378ab7627c6d3ad517a7fb43d291aca31b161ca0839560dead9768729b
Instruction Fuzzy Hash: B961A332A20BCC89F3539B3598413E9B390FF6D399F59D316F958637A1EB3496968300

Function 00000001800466C4 Relevance: 6.2, APIs: 4, Instructions: 159COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000180046712
_invalid_parameter_noinfo.LIBCMT ref: 000000018004671D
DecodePointer.KERNEL32(?,?,?,?,?,00000001800418D4), ref: 00000001800467CC
_lock.LIBCMT ref: 00000001800467F7

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID: DecodePointer_errno_invalid_parameter_noinfo_lock
String ID:
API String ID: 27599310-0
Opcode ID: 3ba312c050f11dc89975966b9274c87d68241d0575a534c57e7272571b709c94
Instruction ID: 3bc55bf60f611b24502ee0385f2e896cb3150c86a8d65ec0ab32753a95d692e4
Opcode Fuzzy Hash: 3ba312c050f11dc89975966b9274c87d68241d0575a534c57e7272571b709c94
Instruction Fuzzy Hash: BA519931A04F4882F6EB8B1494C43E96791F78D7CCF66C519F95A026A4EF39DA4DC30A

Function 000000018003F378 Relevance: 6.1, APIs: 4, Instructions: 131COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018003F39D
_invalid_parameter_noinfo.LIBCMT ref: 000000018003F3A8
_fileno.LIBCMT ref: 000000018003F3B5

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID: _errno_fileno_invalid_parameter_noinfo
String ID:
API String ID: 3179357039-0
Opcode ID: d41cd86fc7fb8144f4059a54d214e4fa40f97208075d2dc81462a2ea984e8e8f
Instruction ID: d0906d9fb1a41af227b7a35f2f9a52febfb977d410d2cbb6bbfff6933d0bdc86
Opcode Fuzzy Hash: d41cd86fc7fb8144f4059a54d214e4fa40f97208075d2dc81462a2ea984e8e8f
Instruction Fuzzy Hash: 6B51AE32200B8D86EBB79E25C4453AB3791E788BD8F5AC115EE45073D5CE76CA49C340

Function 000000018003F6B8 Relevance: 6.1, APIs: 4, Instructions: 124COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018003F6EF
_invalid_parameter_noinfo.LIBCMT ref: 000000018003F6FA
_flush.LIBCMT ref: 000000018003F7AF
_fileno.LIBCMT ref: 000000018003F7D0

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID: _errno_fileno_flush_invalid_parameter_noinfo
String ID:
API String ID: 329365992-0
Opcode ID: 698076d28cb656be0e290576a6c6d4183abae3acb9cc80cd1dacd601588005bc
Instruction ID: 994570d0ed5c695223296e2820c58eafbc39b0a3d3290f0a7fd1d0bd978d184a
Opcode Fuzzy Hash: 698076d28cb656be0e290576a6c6d4183abae3acb9cc80cd1dacd601588005bc
Instruction Fuzzy Hash: 3041383130864846EEFB8E26A5443FFA781B74CBD4F2AC224BE55477D5DE39C64A8300

Function 0000000180041424 Relevance: 6.1, APIs: 4, Instructions: 115COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000000180040AE0: _getptd.LIBCMT ref: 0000000180040AF2

_errno.LIBCMT ref: 0000000180041462
_invalid_parameter_noinfo.LIBCMT ref: 000000018004146C
_errno.LIBCMT ref: 0000000180041490
_invalid_parameter_noinfo.LIBCMT ref: 000000018004149A

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo$_getptd
String ID:
API String ID: 1297830140-0
Opcode ID: 685b8ff2d911154aa2a8e8b67757949be9fab10ec942415c646d9afbcf8df801
Instruction ID: 7cefe7ca653a2f4658f3ee0a3df96f0f0be2bf27072e95f2b595b8178f122df2
Opcode Fuzzy Hash: 685b8ff2d911154aa2a8e8b67757949be9fab10ec942415c646d9afbcf8df801
Instruction Fuzzy Hash: 2441B132204B888AEB92EF15D5C43DD77A0F788BD5F568121EB8A43B92DF38C559C704

Function 00000001800440E4 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

_lock.LIBCMT ref: 00000001800440F8

Part of subcall function 000000018004660C: _amsg_exit.LIBCMT ref: 0000000180046636

InitializeCriticalSectionAndSpinCount.KERNEL32(00000000,000000018001BA07), ref: 00000001800441B0
free.LIBCMT ref: 00000001800441C5
EnterCriticalSection.KERNEL32 ref: 00000001800441E7

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$CountEnterInitializeSpin_amsg_exit_lockfree
String ID:
API String ID: 3786353176-0
Opcode ID: 2d8fe9b17452f9be50c8f4dde2f5c65ad41ce5bf3704b10e52e00b94b0c4d927
Instruction ID: 77d012aec7b7a8e0eae38a5513b7aa1e5a3cf52bfde04b3ae6aefb7f7a7b0724
Opcode Fuzzy Hash: 2d8fe9b17452f9be50c8f4dde2f5c65ad41ce5bf3704b10e52e00b94b0c4d927
Instruction Fuzzy Hash: BC419132611F8882F7969B15E8803AC7761F758BD8F16C515EA590B2F1DF38CA89C748

Function 000000018003F36C Relevance: 6.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018003F2C3
_invalid_parameter_noinfo.LIBCMT ref: 000000018003F2CE
_errno.LIBCMT ref: 000000018003F300
_errno.LIBCMT ref: 000000018003F312

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo
String ID:
API String ID: 2819658684-0
Opcode ID: 99ea2aa7fa037c728c670b1af3ab4c704a45c8a6972333f03af08050f1a032be
Instruction ID: a8714d15938ca0f6a90d651474b82c1258147739466bb9e11812dd49b4ea1a94
Opcode Fuzzy Hash: 99ea2aa7fa037c728c670b1af3ab4c704a45c8a6972333f03af08050f1a032be
Instruction Fuzzy Hash: B921C335614A8A85FBA3AB21A8013AF6391B74CBC4F06D421BA8987B85DF3DC705C744

Function 00000001800471B8 Relevance: 6.0, APIs: 4, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00000001800471C2

Part of subcall function 000000018004332C: _amsg_exit.LIBCMT ref: 0000000180043342

_lock.LIBCMT ref: 00000001800471F0
free.LIBCMT ref: 0000000180047226
_amsg_exit.LIBCMT ref: 000000018004725F

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID: _amsg_exit$_getptd_lockfree
String ID:
API String ID: 2148533958-0
Opcode ID: 448ee291d70af40f8b290fc170a3ec04642eda76fc7755001fed3b988956531a
Instruction ID: 03751925d89ad7c75a090659d8e6fec9e03ae648af79c615cbbbc49a299d30f7
Opcode Fuzzy Hash: 448ee291d70af40f8b290fc170a3ec04642eda76fc7755001fed3b988956531a
Instruction Fuzzy Hash: F9110031215E4882EAD69B51E5817E973A4F78C7C8F499026FA4D037A6DF38C658CB05

Function 00000001800431C8 Relevance: 6.0, APIs: 4, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsFree.KERNEL32(?,?,?,?,000000018003FFDE), ref: 00000001800431D7
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000018003FFDE), ref: 00000001800464B7
free.LIBCMT ref: 00000001800464C0
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000018003FFDE), ref: 00000001800464E7

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalDeleteSection$Freefree
String ID:
API String ID: 1250194111-0
Opcode ID: 9228b09e253a007911eda0d127ec13b25624cc88dbbd8a24fc5e966267fe7591
Instruction ID: 7a905e3c905827164463eee99df514b0c51316a8045c2e4bb92215e5cfa9d33c
Opcode Fuzzy Hash: 9228b09e253a007911eda0d127ec13b25624cc88dbbd8a24fc5e966267fe7591
Instruction Fuzzy Hash: 5011A731A41E88CAFFE68F11F4803987360F799BE8F598216F659022B5DF38C68D8705

Function 00000001800491D4 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

_lock.LIBCMT ref: 00000001800491E8

Part of subcall function 000000018004660C: _amsg_exit.LIBCMT ref: 0000000180046636

fclose.LIBCMT ref: 0000000180049218
DeleteCriticalSection.KERNEL32(?,?,?,?,?,0000000180043D17), ref: 000000018004923C
free.LIBCMT ref: 000000018004924D

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalDeleteSection_amsg_exit_lockfclosefree
String ID:
API String ID: 594724896-0
Opcode ID: 68e91f0215962c8046d3153dc38de0d0fe5a82dc01a661f0b9ce8fe4bd2a4dd0
Instruction ID: 0c0a23507bb2629b1bc646a7cbb6b0bd2226b194344c5b0705f97f05c29633ea
Opcode Fuzzy Hash: 68e91f0215962c8046d3153dc38de0d0fe5a82dc01a661f0b9ce8fe4bd2a4dd0
Instruction Fuzzy Hash: 53119435505E4892E6928B59E8C43DD7760F7C8BD8F22C225FA6A433B5CF79C649C708

Function 0000000180047A88 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 0000000180047A8E

Part of subcall function 000000018004332C: _amsg_exit.LIBCMT ref: 0000000180043342

_getptd.LIBCMT ref: 0000000180047AAE
_lock.LIBCMT ref: 0000000180047AC1
_amsg_exit.LIBCMT ref: 0000000180047AEF

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID: _amsg_exit_getptd$_lock
String ID:
API String ID: 3670291111-0
Opcode ID: 1e2951db7288fe683079fa74c1d0abc9f5b6e3ca7d7c7624e94539af6c24109d
Instruction ID: 30bf2c9c459df01ed59fad58da7d5b88ae189090fbb2b18f494d1813002e01c0
Opcode Fuzzy Hash: 1e2951db7288fe683079fa74c1d0abc9f5b6e3ca7d7c7624e94539af6c24109d
Instruction Fuzzy Hash: 3EF0187170180881F6D6AB5184817ED2361E79C7C8F0A9175FA0D073D3DE24875CC719

Function 0000000180034DC0 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 380COMMON

Download Yara Rule

APIs

Part of subcall function 0000000180032FB0: sinf.LIBCMT ref: 00000001800330CF
Part of subcall function 0000000180032FB0: cosf.LIBCMT ref: 00000001800330DA

Part of subcall function 0000000180032FB0: sinf.LIBCMT ref: 00000001800331BF
Part of subcall function 0000000180032FB0: cosf.LIBCMT ref: 00000001800331CA

wprintf.LIBCMT ref: 00000001800350B0
wprintf.LIBCMT ref: 000000018003522C

Strings

Cant normalize ZERO vector, xrefs: 00000001800350A9, 0000000180035225

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID: cosfsinfwprintf
String ID: Cant normalize ZERO vector
API String ID: 478498997-1862362117
Opcode ID: 8f3b28573348b3f5bc6031dba9d50d39b873ffff9a8f37479b0f46ab6967f4a8
Instruction ID: f98a87a50659f58f53137574a4a326717961e7e6fcb01f50f0ee04a1c3ccac6a
Opcode Fuzzy Hash: 8f3b28573348b3f5bc6031dba9d50d39b873ffff9a8f37479b0f46ab6967f4a8
Instruction Fuzzy Hash: 08028633924B888AD352CB3790856AAB760FFAE3D4F299702FE44727B5DB35D5449B00

Function 000000018003FCA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 126COMMON

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000000018003FD5E

Part of subcall function 0000000180042E78: _ctrlfp.LIBCMT ref: 0000000180042EB9
Part of subcall function 0000000180042E78: _exception_enabled.LIBCMT ref: 0000000180042EDB
Part of subcall function 0000000180042E78: _raise_excf.LIBCMT ref: 0000000180042F27
Part of subcall function 0000000180042E78: _ctrlfp.LIBCMT ref: 0000000180042F73

Strings

asinf, xrefs: 000000018003FD12
!, xrefs: 000000018003FD88

Memory Dump Source

Source File: 0000000D.00000002.2171387112.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000D.00000002.2171351755.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171454307.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171473553.000000018005E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171491825.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171514098.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171537615.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000D.00000002.2171556581.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_180000000_rundll32.jbxd

Similarity

API ID: _ctrlfp$_exception_enabled_raise_excf_set_statfp
String ID: !$asinf
API String ID: 3072139147-2917828882
Opcode ID: ff56a0d4b1c6a47029269032c783d636fad6bda69c86f508603d91954b0104b9
Instruction ID: d0c98440cba4b73ae54bff3046531fc7f845b546b7e426e5b618ba2336869eec
Opcode Fuzzy Hash: ff56a0d4b1c6a47029269032c783d636fad6bda69c86f508603d91954b0104b9
Instruction Fuzzy Hash: C051AA329246CC86E2A3C73BA4813E6B750AFAD3C5F29C705F940756B5DF2A91995F00

Analysis Process: rundll32.exePID: 7556, Parent PID: 7252COMMON

Execution Graph

Execution Coverage:	0.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	97
Total number of Limit Nodes:	5

Executed Functions

Function 000000018003FF00 Relevance: 10.6, APIs: 7, Instructions: 93
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000180040824: HeapCreate.KERNELBASE ref: 000000018004083A
Part of subcall function 0000000180040824: GetVersion.KERNEL32 ref: 000000018004084C
Part of subcall function 0000000180040824: HeapSetInformation.KERNEL32 ref: 000000018004086A

_RTC_Initialize.LIBCMT ref: 000000018003FF32
GetCommandLineA.KERNEL32 ref: 000000018003FF37

Part of subcall function 0000000180045FFC: GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,000000018003FF49), ref: 0000000180046015
Part of subcall function 0000000180045FFC: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,000000018003FF49), ref: 000000018004606C
Part of subcall function 0000000180045FFC: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,000000018003FF49), ref: 00000001800460A7
Part of subcall function 0000000180045FFC: free.LIBCMT ref: 00000001800460B4
Part of subcall function 0000000180045FFC: FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,000000018003FF49), ref: 00000001800460BF

Part of subcall function 00000001800442B4: GetStartupInfoW.KERNEL32 ref: 00000001800442D5

__setargv.LIBCMT ref: 000000018003FF60
_cinit.LIBCMT ref: 000000018003FF74

Part of subcall function 00000001800431C8: FlsFree.KERNEL32(?,?,?,?,000000018003FFDE), ref: 00000001800431D7
Part of subcall function 00000001800431C8: DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000018003FFDE), ref: 00000001800464B7
Part of subcall function 00000001800431C8: free.LIBCMT ref: 00000001800464C0
Part of subcall function 00000001800431C8: DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000018003FFDE), ref: 00000001800464E7

Part of subcall function 0000000180044588: free.LIBCMT ref: 00000001800445D9

Part of subcall function 0000000180042A74: Sleep.KERNEL32(?,?,?,00000001800432DB,?,?,?,00000001800408ED,?,?,?,?,000000018003E245), ref: 0000000180042AB9

FlsSetValue.KERNEL32 ref: 000000018004000E
GetCurrentThreadId.KERNEL32 ref: 0000000180040022
free.LIBCMT ref: 0000000180040031

Part of subcall function 000000018003E220: HeapFree.KERNEL32(?,?,?,000000018000110D), ref: 000000018003E236
Part of subcall function 000000018003E220: _errno.LIBCMT ref: 000000018003E240

Memory Dump Source

Source File: 0000000F.00000002.2151047013.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000F.00000002.2151028838.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151082112.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151099750.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151116725.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151131977.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151147650.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151162376.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_180000000_rundll32.jbxd

Similarity

API ID: free$FreeHeap$ByteCharCriticalDeleteEnvironmentMultiSectionStringsWide$CommandCreateCurrentInfoInformationInitializeLineSleepStartupThreadValueVersion__setargv_cinit_errno
String ID:
API String ID: 2481119767-0
Opcode ID: 61b5e00b11298625462c404e981e4dbee0cdad509bc41096663f8cfabbcd0743
Instruction ID: aa315cb78357cfe07c34d30648f785c9cd846825b8d2e9133f4b691ac97a99c6
Opcode Fuzzy Hash: 61b5e00b11298625462c404e981e4dbee0cdad509bc41096663f8cfabbcd0743
Instruction Fuzzy Hash: C3314C30200A0D89FAF7777059827FA12959F5D3D8F37D534B919852D3EE29874C836A

Function 0000000180040824 Relevance: 4.5, APIs: 3, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE ref: 000000018004083A
GetVersion.KERNEL32 ref: 000000018004084C
HeapSetInformation.KERNEL32 ref: 000000018004086A

Memory Dump Source

Source File: 0000000F.00000002.2151047013.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000F.00000002.2151028838.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151082112.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151099750.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151116725.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151131977.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151147650.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151162376.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_180000000_rundll32.jbxd

Similarity

API ID: Heap$CreateInformationVersion
String ID:
API String ID: 3563531100-0
Opcode ID: e32ab0bd0fee94bccc68f32d9a077722b0d5913c979a1ba73cc683a210d046bc
Instruction ID: 988e22e6e5946a36f70c9e45e8ed652961c4ed90b6ce8b9843ec7a251a3b24ee
Opcode Fuzzy Hash: e32ab0bd0fee94bccc68f32d9a077722b0d5913c979a1ba73cc683a210d046bc
Instruction Fuzzy Hash: 70E09274611F8882F7C69710AC897D52261B79C3C8FA18418F94A42B64DF3CC2CD8708

Non-executed Functions

Function 0000000180044774 Relevance: 44.2, APIs: 24, Strings: 1, Instructions: 465
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__doserrno.LIBCMT ref: 00000001800447CA
_errno.LIBCMT ref: 00000001800447D1
_invalid_parameter_noinfo.LIBCMT ref: 00000001800447DC

Strings

U, xrefs: 0000000180044D58

Memory Dump Source

Source File: 0000000F.00000002.2151047013.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000F.00000002.2151028838.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151082112.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151099750.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151116725.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151131977.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151147650.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151162376.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_180000000_rundll32.jbxd

Similarity

API ID: __doserrno_errno_invalid_parameter_noinfo
String ID: U
API String ID: 3902385426-4171548499
Opcode ID: 2d5ce46ed2b1d32d86571561728c0a6fb84dd56a645abb6e696f7c4412cbdee7
Instruction ID: a924f4dc1a727bc392aaaba263266b47709fba0b4cecbfed23009677402f7412
Opcode Fuzzy Hash: 2d5ce46ed2b1d32d86571561728c0a6fb84dd56a645abb6e696f7c4412cbdee7
Instruction Fuzzy Hash: 3312F633204E4986EBA28F25D4C43EA67A1F38CBC8F568115FA494BA95DF7DC64DC708

Function 0000000180040580 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 159
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_set_error_mode.LIBCMT ref: 00000001800405C5
_set_error_mode.LIBCMT ref: 00000001800405D6
GetModuleFileNameW.KERNEL32 ref: 0000000180040638

Part of subcall function 00000001800427E4: GetCurrentProcess.KERNEL32(?,?,?,?,0000000180042886), ref: 00000001800427FC

GetStdHandle.KERNEL32 ref: 000000018004074D
WriteFile.KERNEL32 ref: 00000001800407AA

Strings

<program name unknown>, xrefs: 0000000180040647
Runtime Error!Program: , xrefs: 0000000180040605
Microsoft Visual C++ Runtime Library, xrefs: 00000001800406F1
..., xrefs: 000000018004068A

Memory Dump Source

Source File: 0000000F.00000002.2151047013.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000F.00000002.2151028838.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151082112.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151099750.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151116725.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151131977.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151147650.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151162376.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_180000000_rundll32.jbxd

Similarity

API ID: File_set_error_mode$CurrentHandleModuleNameProcessWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 2183313154-4022980321
Opcode ID: ba61b9740d2fabcbb053f7a8c1a04480db4f8b8fe58e62101f9bba5b1f63e096
Instruction ID: afc2a24109b5524a715c6b2c3ba94efa30044fcd1fda98386a67971cc6d85b1b
Opcode Fuzzy Hash: ba61b9740d2fabcbb053f7a8c1a04480db4f8b8fe58e62101f9bba5b1f63e096
Instruction Fuzzy Hash: 1851F131B04A8845F7E6DB25A8917DA22A1A78D7C8F668112FE5A03B95DF38C30DC709

Function 0000000180041044 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 288
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000180040AE0: _getptd.LIBCMT ref: 0000000180040AF2

_errno.LIBCMT ref: 0000000180041094
_invalid_parameter_noinfo.LIBCMT ref: 000000018004109E
_errno.LIBCMT ref: 00000001800410C0
_invalid_parameter_noinfo.LIBCMT ref: 00000001800410CC
_errno.LIBCMT ref: 00000001800410F4
_cftoe_l.LIBCMT ref: 0000000180041138

Strings

gfffffff, xrefs: 00000001800413C3

Memory Dump Source

Source File: 0000000F.00000002.2151047013.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000F.00000002.2151028838.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151082112.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151099750.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151116725.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151131977.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151147650.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151162376.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_180000000_rundll32.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo$_cftoe_l_getptd
String ID: gfffffff
API String ID: 1282097019-1523873471
Opcode ID: 24a95ef78a624545ba7c9d7dc106d39f48c7645bdea6b767835b0edbd9f1c844
Instruction ID: cd9f51b8cdbe88b98d15d95ecd3b9eaa2330d4955cd9fdd12c4ed391452db137
Opcode Fuzzy Hash: 24a95ef78a624545ba7c9d7dc106d39f48c7645bdea6b767835b0edbd9f1c844
Instruction Fuzzy Hash: 3EB17773704BC88AEB92CB25C6803DD6BA5F3197D9F05C621EF59877D5EA388629C304

Function 000000018003E5C0 Relevance: 12.1, APIs: 8, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00000001800428BB
RtlLookupFunctionEntry.KERNEL32 ref: 00000001800428DA
RtlVirtualUnwind.KERNEL32 ref: 0000000180042926
IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001800427CB), ref: 0000000180042998
SetUnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001800427CB), ref: 00000001800429B0
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001800427CB), ref: 00000001800429BD
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001800427CB), ref: 00000001800429D6
TerminateProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001800427CB), ref: 00000001800429E4

Memory Dump Source

Source File: 0000000F.00000002.2151047013.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000F.00000002.2151028838.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151082112.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151099750.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151116725.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151131977.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151147650.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151162376.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_180000000_rundll32.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
String ID:
API String ID: 3778485334-0
Opcode ID: c3598976ca1632c357be4ba8301645e2a35c7deb92361203275c35b9385dcc3e
Instruction ID: 868fa4e71887f5911bd689abb344e6afb6984900060eeb71dea75f24283ff6da
Opcode Fuzzy Hash: c3598976ca1632c357be4ba8301645e2a35c7deb92361203275c35b9385dcc3e
Instruction Fuzzy Hash: 6C31F335208F8885EB929B10F8843DA73A1F78D3D8F518126FA9D42BA5DF7CC298C705

Function 0000000180042698 Relevance: 9.1, APIs: 6, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 0000000180042705
RtlLookupFunctionEntry.KERNEL32 ref: 000000018004271D
RtlVirtualUnwind.KERNEL32 ref: 0000000180042757
IsDebuggerPresent.KERNEL32 ref: 000000018004278D
SetUnhandledExceptionFilter.KERNEL32 ref: 0000000180042797
UnhandledExceptionFilter.KERNEL32 ref: 00000001800427A2

Memory Dump Source

Source File: 0000000F.00000002.2151047013.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000F.00000002.2151028838.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151082112.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151099750.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151116725.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151131977.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151147650.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151162376.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_180000000_rundll32.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 687f001dfb37a47157b6f2a046625e947f4851768aa9483d248bdf8ccabb4226
Instruction ID: ce6028df09523790c5ce4c1857c5788db5e4af3653a889637483fba63be9d821
Opcode Fuzzy Hash: 687f001dfb37a47157b6f2a046625e947f4851768aa9483d248bdf8ccabb4226
Instruction Fuzzy Hash: C8319132204F8486EBA1CF25E8807DE77A0F788798F51411AFA9D43B99DF38C649CB00

Function 000000018003E804 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 283COMMON

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000000018003E95B
_set_statfp.LIBCMT ref: 000000018003E990
_set_statfp.LIBCMT ref: 000000018003EAE5

Strings

atan2f, xrefs: 000000018003E8EC
!, xrefs: 000000018003E8FC

Memory Dump Source

Source File: 0000000F.00000002.2151047013.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000F.00000002.2151028838.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151082112.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151099750.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151116725.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151131977.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151147650.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151162376.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_180000000_rundll32.jbxd

Similarity

API ID: _set_statfp
String ID: !$atan2f
API String ID: 1156100317-746904718
Opcode ID: 922dedef4b508459671a67f39f388c8a37360033d7157b9d186a1199daea5b28
Instruction ID: d5c9dca1ae84759df08d4f946077274373d06d771ca18e833c4e4ac63076a48d
Opcode Fuzzy Hash: 922dedef4b508459671a67f39f388c8a37360033d7157b9d186a1199daea5b28
Instruction Fuzzy Hash: 43C1D231624ECC88E6B78B3254103E7E3547F5F7D4F16D312B92A36AD4EF29868A8700

Function 000000018004A638 Relevance: 107.7, APIs: 86, Instructions: 180
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

free.LIBCMT ref: 000000018004A64D

Part of subcall function 000000018003E220: HeapFree.KERNEL32(?,?,?,000000018000110D), ref: 000000018003E236
Part of subcall function 000000018003E220: _errno.LIBCMT ref: 000000018003E240

free.LIBCMT ref: 000000018004A656
free.LIBCMT ref: 000000018004A65F
free.LIBCMT ref: 000000018004A668
free.LIBCMT ref: 000000018004A671
free.LIBCMT ref: 000000018004A67A
free.LIBCMT ref: 000000018004A682
free.LIBCMT ref: 000000018004A68B
free.LIBCMT ref: 000000018004A694
free.LIBCMT ref: 000000018004A69D
free.LIBCMT ref: 000000018004A6A6
free.LIBCMT ref: 000000018004A6AF
free.LIBCMT ref: 000000018004A6B8
free.LIBCMT ref: 000000018004A6C1
free.LIBCMT ref: 000000018004A6CA
free.LIBCMT ref: 000000018004A6D3
free.LIBCMT ref: 000000018004A6DF
free.LIBCMT ref: 000000018004A6EB
free.LIBCMT ref: 000000018004A6F7
free.LIBCMT ref: 000000018004A703
free.LIBCMT ref: 000000018004A70F
free.LIBCMT ref: 000000018004A71B
free.LIBCMT ref: 000000018004A727
free.LIBCMT ref: 000000018004A733
free.LIBCMT ref: 000000018004A73F
free.LIBCMT ref: 000000018004A74B
free.LIBCMT ref: 000000018004A757
free.LIBCMT ref: 000000018004A763
free.LIBCMT ref: 000000018004A76F
free.LIBCMT ref: 000000018004A77B
free.LIBCMT ref: 000000018004A787
free.LIBCMT ref: 000000018004A793
free.LIBCMT ref: 000000018004A79F
free.LIBCMT ref: 000000018004A7AB
free.LIBCMT ref: 000000018004A7B7
free.LIBCMT ref: 000000018004A7C3
free.LIBCMT ref: 000000018004A7CF
free.LIBCMT ref: 000000018004A7DB
free.LIBCMT ref: 000000018004A7E7
free.LIBCMT ref: 000000018004A7F3
free.LIBCMT ref: 000000018004A7FF
free.LIBCMT ref: 000000018004A80B
free.LIBCMT ref: 000000018004A817
free.LIBCMT ref: 000000018004A823
free.LIBCMT ref: 000000018004A82F
free.LIBCMT ref: 000000018004A83B
free.LIBCMT ref: 000000018004A847
free.LIBCMT ref: 000000018004A853
free.LIBCMT ref: 000000018004A85F
free.LIBCMT ref: 000000018004A86B
free.LIBCMT ref: 000000018004A877
free.LIBCMT ref: 000000018004A883
free.LIBCMT ref: 000000018004A88F
free.LIBCMT ref: 000000018004A89B
free.LIBCMT ref: 000000018004A8A7
free.LIBCMT ref: 000000018004A8B3
free.LIBCMT ref: 000000018004A8BF
free.LIBCMT ref: 000000018004A8CB
free.LIBCMT ref: 000000018004A8D7
free.LIBCMT ref: 000000018004A8E3
free.LIBCMT ref: 000000018004A8EF
free.LIBCMT ref: 000000018004A8FB
free.LIBCMT ref: 000000018004A907
free.LIBCMT ref: 000000018004A913
free.LIBCMT ref: 000000018004A91F
free.LIBCMT ref: 000000018004A92B
free.LIBCMT ref: 000000018004A937
free.LIBCMT ref: 000000018004A943
free.LIBCMT ref: 000000018004A94F
free.LIBCMT ref: 000000018004A95B
free.LIBCMT ref: 000000018004A967
free.LIBCMT ref: 000000018004A973
free.LIBCMT ref: 000000018004A97F
free.LIBCMT ref: 000000018004A98B
free.LIBCMT ref: 000000018004A997
free.LIBCMT ref: 000000018004A9A3
free.LIBCMT ref: 000000018004A9AF
free.LIBCMT ref: 000000018004A9BB
free.LIBCMT ref: 000000018004A9C7
free.LIBCMT ref: 000000018004A9D3
free.LIBCMT ref: 000000018004A9DF
free.LIBCMT ref: 000000018004A9EB
free.LIBCMT ref: 000000018004A9F7
free.LIBCMT ref: 000000018004AA03
free.LIBCMT ref: 000000018004AA0F
free.LIBCMT ref: 000000018004AA1B

Memory Dump Source

Source File: 0000000F.00000002.2151047013.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000F.00000002.2151028838.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151082112.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151099750.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151116725.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151131977.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151147650.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151162376.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_180000000_rundll32.jbxd

Similarity

API ID: free$FreeHeap_errno
String ID:
API String ID: 2737118440-0
Opcode ID: 258e030ea8eef92e677a1f4030c5f0b19a91ecd9a257867854d2aa094b2d70cf
Instruction ID: 4d872ec27d9ca8d6f8751ad299c95db9e4a79eb5509a17a55bae787e74e0c8bc
Opcode Fuzzy Hash: 258e030ea8eef92e677a1f4030c5f0b19a91ecd9a257867854d2aa094b2d70cf
Instruction Fuzzy Hash: 54A1553121158885E6C3BB71F8957DF1325ABCAF84F059E32BB4D4B5E7CE10DA498390

Function 0000000180046A88 Relevance: 38.6, APIs: 16, Strings: 6, Instructions: 136
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(?,000000018003E245,?,?,?,000000018000110D), ref: 0000000180046ACD
GetProcAddress.KERNEL32(?,000000018003E245,?,?,?,000000018000110D), ref: 0000000180046AE9
EncodePointer.KERNEL32(?,000000018003E245,?,?,?,000000018000110D), ref: 0000000180046AFB
GetProcAddress.KERNEL32(?,000000018003E245,?,?,?,000000018000110D), ref: 0000000180046B12
EncodePointer.KERNEL32(?,000000018003E245,?,?,?,000000018000110D), ref: 0000000180046B1B
GetProcAddress.KERNEL32(?,000000018003E245,?,?,?,000000018000110D), ref: 0000000180046B32
EncodePointer.KERNEL32(?,000000018003E245,?,?,?,000000018000110D), ref: 0000000180046B3B
GetProcAddress.KERNEL32(?,000000018003E245,?,?,?,000000018000110D), ref: 0000000180046B52
EncodePointer.KERNEL32(?,000000018003E245,?,?,?,000000018000110D), ref: 0000000180046B5B
GetProcAddress.KERNEL32(?,000000018003E245,?,?,?,000000018000110D), ref: 0000000180046B7A
EncodePointer.KERNEL32(?,000000018003E245,?,?,?,000000018000110D), ref: 0000000180046B83
DecodePointer.KERNEL32(?,000000018003E245,?,?,?,000000018000110D), ref: 0000000180046BB6
DecodePointer.KERNEL32(?,000000018003E245,?,?,?,000000018000110D), ref: 0000000180046BC6
DecodePointer.KERNEL32(?,000000018003E245,?,?,?,000000018000110D), ref: 0000000180046C1C
DecodePointer.KERNEL32(?,000000018003E245,?,?,?,000000018000110D), ref: 0000000180046C3D
DecodePointer.KERNEL32(?,000000018003E245,?,?,?,000000018000110D), ref: 0000000180046C57

Strings

GetActiveWindow, xrefs: 0000000180046B01
GetUserObjectInformationW, xrefs: 0000000180046B41
GetProcessWindowStation, xrefs: 0000000180046B70
USER32.DLL, xrefs: 0000000180046AC6
MessageBoxW, xrefs: 0000000180046ADF
GetLastActivePopup, xrefs: 0000000180046B21

Memory Dump Source

Source File: 0000000F.00000002.2151047013.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000F.00000002.2151028838.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151082112.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151099750.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151116725.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151131977.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151147650.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151162376.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_180000000_rundll32.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationW$MessageBoxW$USER32.DLL
API String ID: 2643518689-564504941
Opcode ID: 1824d7e647174aac9ba8a228052728ff37a26939126cb63fc2dd71cb4fdc05b6
Instruction ID: df7a2586361332801e439d358c24d371d3d75d19ea64f50f1298fa16b69f6015
Opcode Fuzzy Hash: 1824d7e647174aac9ba8a228052728ff37a26939126cb63fc2dd71cb4fdc05b6
Instruction Fuzzy Hash: A6514A30602F5980FED7DB51BC943E523A1BB8EBC8F068424BC5E433A0EE38968D8315

Function 0000000180045108 Relevance: 32.0, APIs: 21, Instructions: 482COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000000180045139
_errno.LIBCMT ref: 0000000180045142
__doserrno.LIBCMT ref: 000000018004519C
_errno.LIBCMT ref: 00000001800451A3
_invalid_parameter_noinfo.LIBCMT ref: 0000000180045812

Memory Dump Source

Source File: 0000000F.00000002.2151047013.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000F.00000002.2151028838.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151082112.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151099750.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151116725.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151131977.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151147650.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151162376.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_180000000_rundll32.jbxd

Similarity

API ID: __doserrno_errno$_invalid_parameter_noinfo
String ID:
API String ID: 2315031519-0
Opcode ID: 27ee3e071bdb6c1f7188517e3c46bf29d4632009371291bd4a31ced4f22275c5
Instruction ID: beaf73869c5ab8301a8de9efe598f3bfa40f1db9310f99e121f6dd647ad85f45
Opcode Fuzzy Hash: 27ee3e071bdb6c1f7188517e3c46bf29d4632009371291bd4a31ced4f22275c5
Instruction Fuzzy Hash: 8322F572205E8886F7A38F64D4C03EC2B91A749BDEF56C115EA96077D3DE78C649C309

Function 00000001800478B4 Relevance: 19.6, APIs: 13, Instructions: 90
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__free_lconv_mon.LIBCMT ref: 000000018004790C

Part of subcall function 000000018004AA94: free.LIBCMT ref: 000000018004AAB2
Part of subcall function 000000018004AA94: free.LIBCMT ref: 000000018004AAC4
Part of subcall function 000000018004AA94: free.LIBCMT ref: 000000018004AAD6
Part of subcall function 000000018004AA94: free.LIBCMT ref: 000000018004AAE8
Part of subcall function 000000018004AA94: free.LIBCMT ref: 000000018004AAFA
Part of subcall function 000000018004AA94: free.LIBCMT ref: 000000018004AB0C
Part of subcall function 000000018004AA94: free.LIBCMT ref: 000000018004AB1E
Part of subcall function 000000018004AA94: free.LIBCMT ref: 000000018004AB30
Part of subcall function 000000018004AA94: free.LIBCMT ref: 000000018004AB42
Part of subcall function 000000018004AA94: free.LIBCMT ref: 000000018004AB54
Part of subcall function 000000018004AA94: free.LIBCMT ref: 000000018004AB69
Part of subcall function 000000018004AA94: free.LIBCMT ref: 000000018004AB7E
Part of subcall function 000000018004AA94: free.LIBCMT ref: 000000018004AB93

free.LIBCMT ref: 0000000180047900

Part of subcall function 000000018003E220: HeapFree.KERNEL32(?,?,?,000000018000110D), ref: 000000018003E236
Part of subcall function 000000018003E220: _errno.LIBCMT ref: 000000018003E240

free.LIBCMT ref: 0000000180047922
__free_lconv_num.LIBCMT ref: 000000018004792E
free.LIBCMT ref: 000000018004793A
free.LIBCMT ref: 0000000180047946
free.LIBCMT ref: 000000018004796A
free.LIBCMT ref: 000000018004797E
free.LIBCMT ref: 000000018004798D
free.LIBCMT ref: 0000000180047999
free.LIBCMT ref: 00000001800479C6
free.LIBCMT ref: 00000001800479EE
free.LIBCMT ref: 0000000180047A08

Memory Dump Source

Source File: 0000000F.00000002.2151047013.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000F.00000002.2151028838.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151082112.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151099750.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151116725.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151131977.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151147650.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151162376.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_180000000_rundll32.jbxd

Similarity

API ID: free$FreeHeap__free_lconv_mon__free_lconv_num_errno
String ID:
API String ID: 2573795696-0
Opcode ID: 5a0bd3a4139776b5973723257e7de0a69dd99bb23b7eab651e3109ceedcb2a20
Instruction ID: 64e24b2416a1ca949d6f303a85acd9c423b1c112d23fea3cbc33af8ea2b513f7
Opcode Fuzzy Hash: 5a0bd3a4139776b5973723257e7de0a69dd99bb23b7eab651e3109ceedcb2a20
Instruction Fuzzy Hash: 6041113230298884FFD79F61D4903EE2354E78DBD8F059931BA4D4A2D6CF28CA99C355

Function 000000018004CB30 Relevance: 18.1, APIs: 12, Instructions: 115
memoryfileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000180048148: _errno.LIBCMT ref: 000000018004816A

_errno.LIBCMT ref: 000000018004CBB8

Part of subcall function 0000000180048148: SetFilePointer.KERNEL32(00000000,00000001,00000001,0000000180044F61,?,00000000,00000000,0000000180041A89,?,?,00000000,0000000180041AE5,?,?,00000200,0000000180042572), ref: 000000018004818A
Part of subcall function 0000000180048148: GetLastError.KERNEL32(?,00000000,00000000,0000000180041A89,?,?,00000000,0000000180041AE5,?,?,00000200,0000000180042572), ref: 0000000180048199

GetProcessHeap.KERNEL32(00000000,?,00000109,00000001800496A0), ref: 000000018004CB8A
HeapAlloc.KERNEL32 ref: 000000018004CB9F
_errno.LIBCMT ref: 000000018004CBAD
__doserrno.LIBCMT ref: 000000018004CC12
_errno.LIBCMT ref: 000000018004CC1C
GetProcessHeap.KERNEL32 ref: 000000018004CC35
HeapFree.KERNEL32 ref: 000000018004CC43
SetEndOfFile.KERNEL32(00000000,?,00000109,00000001800496A0), ref: 000000018004CC6E
_errno.LIBCMT ref: 000000018004CC85
__doserrno.LIBCMT ref: 000000018004CC90
GetLastError.KERNEL32 ref: 000000018004CC98

Memory Dump Source

Source File: 0000000F.00000002.2151047013.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000F.00000002.2151028838.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151082112.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151099750.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151116725.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151131977.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151147650.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151162376.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_180000000_rundll32.jbxd

Similarity

API ID: _errno$Heap$ErrorFileLastProcess__doserrno$AllocFreePointer
String ID:
API String ID: 3112900366-0
Opcode ID: 5c1484790b7029330c56b00ce7b4326b62192608e4fc1df10d09937e4c225644
Instruction ID: fe7456c0442f1bcdb1b8f511e1c750bbd640e26c1f04292c679d1de3200e95df
Opcode Fuzzy Hash: 5c1484790b7029330c56b00ce7b4326b62192608e4fc1df10d09937e4c225644
Instruction Fuzzy Hash: 6741E131300E5841EAD6AB3598857DC2291A74DBF8F56C711F939077D2DF38CA49878A

Function 000000018004A0F4 Relevance: 15.2, APIs: 10, Instructions: 206
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32 ref: 000000018004A18E
malloc.LIBCMT ref: 000000018004A1F7
MultiByteToWideChar.KERNEL32 ref: 000000018004A22B
LCMapStringW.KERNEL32 ref: 000000018004A252
LCMapStringW.KERNEL32 ref: 000000018004A29A
malloc.LIBCMT ref: 000000018004A2F7

Part of subcall function 000000018003E168: _FF_MSGBANNER.LIBCMT ref: 000000018003E198
Part of subcall function 000000018003E168: HeapAlloc.KERNEL32(?,?,00000000,0000000180042A24,?,?,?,0000000180046585,?,?,?,000000018004662F), ref: 000000018003E1BD
Part of subcall function 000000018003E168: _callnewh.LIBCMT ref: 000000018003E1D6
Part of subcall function 000000018003E168: _errno.LIBCMT ref: 000000018003E1E1
Part of subcall function 000000018003E168: _errno.LIBCMT ref: 000000018003E1EC

LCMapStringW.KERNEL32 ref: 000000018004A32C
WideCharToMultiByte.KERNEL32 ref: 000000018004A36C
free.LIBCMT ref: 000000018004A380
free.LIBCMT ref: 000000018004A391

Memory Dump Source

Source File: 0000000F.00000002.2151047013.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000F.00000002.2151028838.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151082112.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151099750.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151116725.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151131977.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151147650.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151162376.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_180000000_rundll32.jbxd

Similarity

API ID: ByteCharMultiStringWide$_errnofreemalloc$AllocHeap_callnewh
String ID:
API String ID: 1080698880-0
Opcode ID: 8f87ab9d2ae227485477a57223987bd8726c4cafbcef0a4fabf5341cba31a906
Instruction ID: 746fdc849fb7efc80f96b9087f0f4f5be30642e255885f1a6576107973598593
Opcode Fuzzy Hash: 8f87ab9d2ae227485477a57223987bd8726c4cafbcef0a4fabf5341cba31a906
Instruction Fuzzy Hash: 0381B732208B8886FBA69F2594803DA77D5F74E7E8F158615FA1943BD4EF78C7488308

Function 0000000180048408 Relevance: 15.1, APIs: 10, Instructions: 123
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_errno.LIBCMT ref: 000000018004844F
_invalid_parameter_noinfo.LIBCMT ref: 000000018004845B
_errno.LIBCMT ref: 00000001800484A5
_errno.LIBCMT ref: 00000001800484B0
_errno.LIBCMT ref: 00000001800484E2
_invalid_parameter_noinfo.LIBCMT ref: 00000001800484EC
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000001FE,?,00000001800485DB), ref: 000000018004855E
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000001FE,?,00000001800485DB), ref: 000000018004857B
_errno.LIBCMT ref: 00000001800485A1
_invalid_parameter_noinfo.LIBCMT ref: 00000001800485AD

Memory Dump Source

Source File: 0000000F.00000002.2151047013.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000F.00000002.2151028838.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151082112.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151099750.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151116725.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151131977.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151147650.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151162376.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_180000000_rundll32.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo$ByteCharErrorLastMultiWide
String ID:
API String ID: 2295021086-0
Opcode ID: d8226484d9b045e3bf121a32930208bfe2de1e8e9735e94a0eea8d55c1e7fd26
Instruction ID: 9c22cb322589bbaecf03df9c4e1f5db85217bda39a9a5de2319d300efcf44f58
Opcode Fuzzy Hash: d8226484d9b045e3bf121a32930208bfe2de1e8e9735e94a0eea8d55c1e7fd26
Instruction Fuzzy Hash: 2251EA32601E4949FBE79F60C4C03EC26A0BF897ECF56C524FA4916AC5DF3886499748

Function 00000001800442B4 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoW.KERNEL32 ref: 00000001800442D5

Part of subcall function 0000000180042A74: Sleep.KERNEL32(?,?,?,00000001800432DB,?,?,?,00000001800408ED,?,?,?,?,000000018003E245), ref: 0000000180042AB9

GetFileType.KERNEL32 ref: 0000000180044440
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 000000018004447E

Strings

@, xrefs: 0000000180044539

Memory Dump Source

Source File: 0000000F.00000002.2151047013.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000F.00000002.2151028838.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151082112.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151099750.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151116725.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151131977.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151147650.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151162376.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_180000000_rundll32.jbxd

Similarity

API ID: CountCriticalFileInfoInitializeSectionSleepSpinStartupType
String ID: @
API String ID: 3473179607-2766056989
Opcode ID: 731d2ca942fb7059f98ccea79a0825b347f719a010229efa7715c3398953b345
Instruction ID: 7b13a2a208b59659a7ff2164eb285c9a59e6247728ec510e04abe0ab60cf6499
Opcode Fuzzy Hash: 731d2ca942fb7059f98ccea79a0825b347f719a010229efa7715c3398953b345
Instruction Fuzzy Hash: CE81B472200F8986EB968F14D88439937A1F748BB8F59C324EA7A477D1DF78C659C309

Function 000000018004582C Relevance: 13.6, APIs: 9, Instructions: 81
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__doserrno.LIBCMT ref: 0000000180045855
_errno.LIBCMT ref: 000000018004585E
__doserrno.LIBCMT ref: 00000001800458BC
_errno.LIBCMT ref: 00000001800458C3
_invalid_parameter_noinfo.LIBCMT ref: 0000000180045927

Memory Dump Source

Source File: 0000000F.00000002.2151047013.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000F.00000002.2151028838.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151082112.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151099750.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151116725.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151131977.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151147650.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151162376.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_180000000_rundll32.jbxd

Similarity

API ID: __doserrno_errno$_invalid_parameter_noinfo
String ID:
API String ID: 2315031519-0
Opcode ID: c62bc627254f1f1a9acb5995aa69af8956a7e938587757901c016c5564e10ee5
Instruction ID: 7682daf60427842ebd199fa13711cc73cf9a5fbc78c26fb93eb3438255fbe3e8
Opcode Fuzzy Hash: c62bc627254f1f1a9acb5995aa69af8956a7e938587757901c016c5564e10ee5
Instruction Fuzzy Hash: 7D310472310E8C86F7936F6598C13ED2650A7487E8F57C119FAA4177D3CE788A48C708

Function 0000000180043E2C Relevance: 12.5, APIs: 3, Strings: 4, Instructions: 206COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000180043E7D
_invalid_parameter_noinfo.LIBCMT ref: 0000000180043E88
_wsopen_s.LIBCMT ref: 0000000180044099

Strings

UTF-16LE, xrefs: 0000000180044028
UTF-8, xrefs: 0000000180044005
ccs, xrefs: 0000000180043FC9
UNICODE, xrefs: 000000018004404B

Memory Dump Source

Source File: 0000000F.00000002.2151047013.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000F.00000002.2151028838.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151082112.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151099750.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151116725.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151131977.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151147650.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151162376.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_180000000_rundll32.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo_wsopen_s
String ID: UNICODE$UTF-16LE$UTF-8$ccs
API String ID: 2053332431-3573488595
Opcode ID: b0c4c6ed9e8498d35fe9303ea9063a51c90cfbb9c06f99b476d42cc90f5ed235
Instruction ID: 3e9b913e688f760b830cb86a69413b8bce1326bacd42ec6ba54fe81f9aa2ab57
Opcode Fuzzy Hash: b0c4c6ed9e8498d35fe9303ea9063a51c90cfbb9c06f99b476d42cc90f5ed235
Instruction Fuzzy Hash: DD711472E04A0C55FBF75A12A9867EA16E0675D7CCE17E024FE0A029C5DF38CB4C8389

Function 0000000180044FB4 Relevance: 12.1, APIs: 8, Instructions: 95COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000180044FCB
_invalid_parameter_noinfo.LIBCMT ref: 0000000180044FD6

Memory Dump Source

Source File: 0000000F.00000002.2151047013.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000F.00000002.2151028838.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151082112.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151099750.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151116725.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151131977.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151147650.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151162376.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_180000000_rundll32.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID:
API String ID: 2959964966-0
Opcode ID: ca76609593e7968924802dd47909a67a3de79fc0893ea02630d952cda44f7c31
Instruction ID: b8706fcba3373454a4b01edf78d16520a1e85cc0d5fe777b1d3ba09b79c1032e
Opcode Fuzzy Hash: ca76609593e7968924802dd47909a67a3de79fc0893ea02630d952cda44f7c31
Instruction Fuzzy Hash: 0C41D936604E4852EBE64B2581C13EC37A0F7097DDF258605FBA5836C2CF74CAA9C784

Function 0000000180044694 Relevance: 12.1, APIs: 8, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 00000001800446B7
_errno.LIBCMT ref: 00000001800446BF
_lseek_nolock.LIBCMT ref: 000000018004471C

Memory Dump Source

Source File: 0000000F.00000002.2151047013.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000F.00000002.2151028838.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151082112.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151099750.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151116725.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151131977.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151147650.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151162376.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_180000000_rundll32.jbxd

Similarity

API ID: __doserrno_errno_lseek_nolock
String ID:
API String ID: 3948042459-0
Opcode ID: 5491721df6ad7ab657e95dd21b0d4c728b4e8247b75b654f02dc873897995978
Instruction ID: bdeca9385717e63bca4346382234fa7d175972a54972681b325d5814d0ceb23a
Opcode Fuzzy Hash: 5491721df6ad7ab657e95dd21b0d4c728b4e8247b75b654f02dc873897995978
Instruction Fuzzy Hash: 43213133200E8842F787AF2599C03EC2511A7887E9F1BC104FA140B2D3CF788A4AC718

Function 0000000180046524 Relevance: 12.1, APIs: 8, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

_FF_MSGBANNER.LIBCMT ref: 000000018004654B

Part of subcall function 00000001800407E0: _set_error_mode.LIBCMT ref: 00000001800407E9
Part of subcall function 00000001800407E0: _set_error_mode.LIBCMT ref: 00000001800407F8

Part of subcall function 0000000180040580: _set_error_mode.LIBCMT ref: 00000001800405C5
Part of subcall function 0000000180040580: _set_error_mode.LIBCMT ref: 00000001800405D6
Part of subcall function 0000000180040580: GetModuleFileNameW.KERNEL32 ref: 0000000180040638

Part of subcall function 00000001800401EC: ExitProcess.KERNEL32 ref: 00000001800401FB

Part of subcall function 00000001800429F4: malloc.LIBCMT ref: 0000000180042A1F
Part of subcall function 00000001800429F4: Sleep.KERNEL32(?,?,?,0000000180046585,?,?,?,000000018004662F), ref: 0000000180042A32

_errno.LIBCMT ref: 000000018004658D
_lock.LIBCMT ref: 00000001800465A1
InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,?,000000018004662F), ref: 00000001800465B7
free.LIBCMT ref: 00000001800465C4
_errno.LIBCMT ref: 00000001800465C9
LeaveCriticalSection.KERNEL32(?,?,?,000000018004662F), ref: 00000001800465EC

Memory Dump Source

Source File: 0000000F.00000002.2151047013.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000F.00000002.2151028838.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151082112.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151099750.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151116725.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151131977.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151147650.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151162376.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_180000000_rundll32.jbxd

Similarity

API ID: _set_error_mode$CriticalSection_errno$CountExitFileInitializeLeaveModuleNameProcessSleepSpin_lockfreemalloc
String ID:
API String ID: 113790786-0
Opcode ID: f6cddf33ec298a8bb8cbf7baaf3bba66f453517a4b756cab4bc748b5810b4bcf
Instruction ID: edbf6d34453fbc39e254c7b3028adf59088a67094ee2582bf57cf3f75258cf43
Opcode Fuzzy Hash: f6cddf33ec298a8bb8cbf7baaf3bba66f453517a4b756cab4bc748b5810b4bcf
Instruction Fuzzy Hash: 9421A471A01E8C81F6E7AB10E5843EE2264E74C7C8F16D425B646576E6DF38CA4CC74A

Function 0000000180040380 Relevance: 10.6, APIs: 7, Instructions: 98COMMONLIBRARYCODE

Download Yara Rule

APIs

_lock.LIBCMT ref: 00000001800403A9

Part of subcall function 000000018004660C: _amsg_exit.LIBCMT ref: 0000000180046636

DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,0000000180040551,?,?,00000000,000000018004663B), ref: 00000001800403DC
DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,0000000180040551,?,?,00000000,000000018004663B), ref: 00000001800403FA
DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,0000000180040551,?,?,00000000,000000018004663B), ref: 000000018004043A
DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,0000000180040551,?,?,00000000,000000018004663B), ref: 0000000180040454
DecodePointer.KERNEL32(?,?,?,?,?,?,00000000,0000000180040551,?,?,00000000,000000018004663B), ref: 0000000180040464
ExitProcess.KERNEL32 ref: 00000001800404F0

Memory Dump Source

Source File: 0000000F.00000002.2151047013.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000F.00000002.2151028838.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151082112.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151099750.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151116725.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151131977.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151147650.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151162376.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_180000000_rundll32.jbxd

Similarity

API ID: DecodePointer$ExitProcess_amsg_exit_lock
String ID:
API String ID: 3411037476-0
Opcode ID: 90629936087b4b343afb6f5e2ea20390e49e002a64f4209c8e454aa55673ad60
Instruction ID: 28dce3b8938bf884f7e9275428b3a2511fbaf5e224c98a8887a53a350d5d9406
Opcode Fuzzy Hash: 90629936087b4b343afb6f5e2ea20390e49e002a64f4209c8e454aa55673ad60
Instruction Fuzzy Hash: 5041BD71212F8885E6C28F11EC8439962A5F78CBCCF25C424FA5E537A5EF78C68D8709

Function 00000001800481E0 Relevance: 10.6, APIs: 7, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000000180048203
_errno.LIBCMT ref: 000000018004820B

Memory Dump Source

Source File: 0000000F.00000002.2151047013.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000F.00000002.2151028838.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151082112.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151099750.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151116725.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151131977.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151147650.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151162376.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_180000000_rundll32.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 9c7078870c8113ac2fa39057a7caf9cf7a186e07d7669db40971e880b171e245
Instruction ID: 88e291cd6d8539d56209442e2423bdf494ec1d3842b4b11067e362a5da303880
Opcode Fuzzy Hash: 9c7078870c8113ac2fa39057a7caf9cf7a186e07d7669db40971e880b171e245
Instruction Fuzzy Hash: 4321D032310D4C41FA976F15DA813ED2611AB48BF8F1B8B05FE340B2D3CEB88A45A358

Function 0000000180044ED4 Relevance: 10.6, APIs: 7, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000000180044EF7
_errno.LIBCMT ref: 0000000180044EFF

Memory Dump Source

Source File: 0000000F.00000002.2151047013.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000F.00000002.2151028838.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151082112.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151099750.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151116725.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151131977.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151147650.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151162376.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_180000000_rundll32.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: e06bde92bf7a4f08831d8cf039223712935559a8b634ef27faa4aece7a856289
Instruction ID: 3623e0460e9e27de6361ba960c2d9fdc26985ee9637d6ca9ed7da609fcd3abb5
Opcode Fuzzy Hash: e06bde92bf7a4f08831d8cf039223712935559a8b634ef27faa4aece7a856289
Instruction Fuzzy Hash: 64212333210E4C46F697AF25D9C13ED2611AB88BE9F1BC114FA140B2D3CF788A49C758

Function 00000001800490FC Relevance: 10.6, APIs: 7, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000180049115
FlushFileBuffers.KERNEL32(?,?,?,0000000180043B12), ref: 0000000180049178
GetLastError.KERNEL32(?,?,?,0000000180043B12), ref: 0000000180049182
__doserrno.LIBCMT ref: 0000000180049192
_errno.LIBCMT ref: 0000000180049199

Memory Dump Source

Source File: 0000000F.00000002.2151047013.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000F.00000002.2151028838.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151082112.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151099750.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151116725.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151131977.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151147650.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151162376.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_180000000_rundll32.jbxd

Similarity

API ID: _errno$BuffersErrorFileFlushLast__doserrno
String ID:
API String ID: 1845094721-0
Opcode ID: efec3c3d13410bf04e0dd30c0ef053db8f256237de7b4ac0eddf3cca2fd18b4a
Instruction ID: aae8da55411f6dd9c1530ed359ea5e4f4d8b6876908d31b57a3ddde22457d520
Opcode Fuzzy Hash: efec3c3d13410bf04e0dd30c0ef053db8f256237de7b4ac0eddf3cca2fd18b4a
Instruction Fuzzy Hash: 3D21F931701E8D41F6936FA598C83ED2651A7887D8F1BC528B615173E2CE788A8CD358

Function 000000018004757C Relevance: 9.1, APIs: 6, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 000000018004759B

Part of subcall function 000000018004332C: _amsg_exit.LIBCMT ref: 0000000180043342

Part of subcall function 00000001800471B8: _getptd.LIBCMT ref: 00000001800471C2
Part of subcall function 00000001800471B8: _amsg_exit.LIBCMT ref: 000000018004725F

Part of subcall function 0000000180047274: GetOEMCP.KERNEL32(?,?,?,?,?,?,?,00000001800475B6,?,?,?,?,?,0000000180047773), ref: 000000018004729E

Part of subcall function 00000001800429F4: malloc.LIBCMT ref: 0000000180042A1F
Part of subcall function 00000001800429F4: Sleep.KERNEL32(?,?,?,0000000180046585,?,?,?,000000018004662F), ref: 0000000180042A32

free.LIBCMT ref: 0000000180047626

Part of subcall function 000000018003E220: HeapFree.KERNEL32(?,?,?,000000018000110D), ref: 000000018003E236
Part of subcall function 000000018003E220: _errno.LIBCMT ref: 000000018003E240

_lock.LIBCMT ref: 0000000180047656
free.LIBCMT ref: 00000001800476F9
free.LIBCMT ref: 0000000180047725
_errno.LIBCMT ref: 000000018004772A

Memory Dump Source

Source File: 0000000F.00000002.2151047013.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000F.00000002.2151028838.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151082112.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151099750.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151116725.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151131977.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151147650.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151162376.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_180000000_rundll32.jbxd

Similarity

API ID: free$_amsg_exit_errno_getptd$FreeHeapSleep_lockmalloc
String ID:
API String ID: 2578750445-0
Opcode ID: 94a589883ec5155802fd95d7fab442aedf742fc852adba6379efa46134cd3324
Instruction ID: da64bb642503be74eb0f6c14831e4ed13401b41da4aced71e1065a25a4b3c3bf
Opcode Fuzzy Hash: 94a589883ec5155802fd95d7fab442aedf742fc852adba6379efa46134cd3324
Instruction Fuzzy Hash: 9351B132300E8846E7E69B24A4803EA77A1F348BC8F56C116FA4E473E7CE38C649C744

Function 0000000180045FFC Relevance: 9.1, APIs: 6, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,000000018003FF49), ref: 0000000180046015
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,000000018003FF49), ref: 000000018004606C
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,000000018003FF49), ref: 00000001800460A7
free.LIBCMT ref: 00000001800460B4
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,000000018003FF49), ref: 00000001800460BF
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,000000018003FF49), ref: 00000001800460CD

Memory Dump Source

Source File: 0000000F.00000002.2151047013.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000F.00000002.2151028838.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151082112.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151099750.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151116725.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151131977.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151147650.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151162376.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_180000000_rundll32.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide$free
String ID:
API String ID: 517548149-0
Opcode ID: 162e3acb479bf9528d8707f072606d60b166762714a5c8eb78a8a61cfab57453
Instruction ID: 28af58077e327febc6153a716ebded174d2046a11fd0603b2a2b94e2c4208846
Opcode Fuzzy Hash: 162e3acb479bf9528d8707f072606d60b166762714a5c8eb78a8a61cfab57453
Instruction Fuzzy Hash: 31219532A04B8485EBA68F11B48039A77E4F78DFC8F498114FE8A07764EF38D695C709

Function 0000000180043934 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 000000018004394D
_errno.LIBCMT ref: 0000000180043955

Memory Dump Source

Source File: 0000000F.00000002.2151047013.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000F.00000002.2151028838.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151082112.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151099750.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151116725.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151131977.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151147650.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151162376.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_180000000_rundll32.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 3cad00805c535d9d6a24c2447e46d4ac982fe79615d762552acafacf46815b53
Instruction ID: 94c96575089f4780a32a9ec00bd264dd4655c24e9f54b770cefb0f1c2659e3b0
Opcode Fuzzy Hash: 3cad00805c535d9d6a24c2447e46d4ac982fe79615d762552acafacf46815b53
Instruction Fuzzy Hash: 6B110632A00E8C42F6976F2699C23DC2651A7487E9F27E518B516073D3CEB88E48C758

Function 00000001800432A8 Relevance: 9.0, APIs: 6, Instructions: 37threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00000001800408ED,?,?,?,?,000000018003E245,?,?,?,000000018000110D), ref: 00000001800432B2
FlsGetValue.KERNEL32(?,?,?,00000001800408ED,?,?,?,?,000000018003E245,?,?,?,000000018000110D), ref: 00000001800432C0
SetLastError.KERNEL32(?,?,?,00000001800408ED,?,?,?,?,000000018003E245,?,?,?,000000018000110D), ref: 0000000180043318

Part of subcall function 0000000180042A74: Sleep.KERNEL32(?,?,?,00000001800432DB,?,?,?,00000001800408ED,?,?,?,?,000000018003E245), ref: 0000000180042AB9

FlsSetValue.KERNEL32(?,?,?,00000001800408ED,?,?,?,?,000000018003E245,?,?,?,000000018000110D), ref: 00000001800432EC
free.LIBCMT ref: 000000018004330F

Part of subcall function 00000001800431F0: _lock.LIBCMT ref: 0000000180043244
Part of subcall function 00000001800431F0: _lock.LIBCMT ref: 0000000180043263

GetCurrentThreadId.KERNEL32 ref: 0000000180043300

Memory Dump Source

Source File: 0000000F.00000002.2151047013.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000F.00000002.2151028838.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151082112.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151099750.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151116725.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151131977.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151147650.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151162376.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_180000000_rundll32.jbxd

Similarity

API ID: ErrorLastValue_lock$CurrentSleepThreadfree
String ID:
API String ID: 3106088686-0
Opcode ID: 6c9f45206866909c37ad9c1b1df65dd8d4f15302a450987df3cd1bb5765d3834
Instruction ID: e35cefd1ee5cff6cda42b7689ae65c05deeff37c9490ea75c646b2ce74ee25c0
Opcode Fuzzy Hash: 6c9f45206866909c37ad9c1b1df65dd8d4f15302a450987df3cd1bb5765d3834
Instruction Fuzzy Hash: 4B018830200F8886FFD79F6594C53A86261AB4D7D8F05C624FD25033D1EE38C68C8314

Function 000000018003F8D4 Relevance: 7.7, APIs: 5, Instructions: 170COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018003F913
_invalid_parameter_noinfo.LIBCMT ref: 000000018003F91E
memcpy_s.LIBCMT ref: 000000018003F9E7
_fileno.LIBCMT ref: 000000018003FA5A
_errno.LIBCMT ref: 000000018003FAD9

Memory Dump Source

Source File: 0000000F.00000002.2151047013.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000F.00000002.2151028838.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151082112.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151099750.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151116725.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151131977.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151147650.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151162376.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_180000000_rundll32.jbxd

Similarity

API ID: _errno$_fileno_invalid_parameter_noinfomemcpy_s
String ID:
API String ID: 897514287-0
Opcode ID: 9c77f83cd8700deaabc0fd9fd6977863926e76bbc046ac42a92e242d67ca67a7
Instruction ID: 0586abbaa753a26bf92c3da2f0c0844abfb432f7583a0abf359983cbd5339943
Opcode Fuzzy Hash: 9c77f83cd8700deaabc0fd9fd6977863926e76bbc046ac42a92e242d67ca67a7
Instruction Fuzzy Hash: 4B513431304A4895EAB79E2695007BB6B80B74DBE4F19C7217E6D57BD0CF36C69A8340

Function 0000000180048EF4 Relevance: 7.6, APIs: 5, Instructions: 137COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000000180046524: _FF_MSGBANNER.LIBCMT ref: 000000018004654B

_lock.LIBCMT ref: 0000000180048F2E
_lock.LIBCMT ref: 0000000180048F87
InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,?,?,?,?,00000109,0000000180049480), ref: 0000000180048F9C
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,00000109,0000000180049480), ref: 0000000180048FC7
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,00000109,0000000180049480), ref: 0000000180048FD7

Memory Dump Source

Source File: 0000000F.00000002.2151047013.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000F.00000002.2151028838.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151082112.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151099750.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151116725.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151131977.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151147650.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151162376.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$_lock$CountEnterInitializeLeaveSpin
String ID:
API String ID: 3451527041-0
Opcode ID: ad7bfc99954593bcf8eda28a1d2ef663cbe48e0c93a53522361127f56cae083a
Instruction ID: 8c218b1dd958de25de949e51088d6abf58d8baf781aaa410045e41d8f4ca076a
Opcode Fuzzy Hash: ad7bfc99954593bcf8eda28a1d2ef663cbe48e0c93a53522361127f56cae083a
Instruction Fuzzy Hash: 9351E672601F4886EBA28B50D4803ADA691F7987ECF068625FE6A033D5DF78C65DC705

Function 0000000180041920 Relevance: 7.6, APIs: 5, Instructions: 115COMMONLIBRARYCODE

Download Yara Rule

APIs

_fileno.LIBCMT ref: 000000018004193D

Part of subcall function 00000001800439F8: _errno.LIBCMT ref: 0000000180043A01
Part of subcall function 00000001800439F8: _invalid_parameter_noinfo.LIBCMT ref: 0000000180043A0C

_errno.LIBCMT ref: 000000018004194D
_errno.LIBCMT ref: 0000000180041969
_isatty.LIBCMT ref: 00000001800419CA
_getbuf.LIBCMT ref: 00000001800419D6

Memory Dump Source

Source File: 0000000F.00000002.2151047013.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000F.00000002.2151028838.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151082112.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151099750.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151116725.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151131977.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151147650.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151162376.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_180000000_rundll32.jbxd

Similarity

API ID: _errno$_fileno_getbuf_invalid_parameter_noinfo_isatty
String ID:
API String ID: 2574049805-0
Opcode ID: 4ff880635ef4d904e09ebc87325dda54b86b1ac69e38fcb8f2c0d3ea48b9a742
Instruction ID: eb1a6f5e6da6c3769f147ceaaaa7fc0fc70cae78f6684998a98c0054d036f7c8
Opcode Fuzzy Hash: 4ff880635ef4d904e09ebc87325dda54b86b1ac69e38fcb8f2c0d3ea48b9a742
Instruction Fuzzy Hash: CD41F472600F4C4AEBD69F29C4913EC36A0F748BD8F168215FA69473D5DE34CA55C788

Function 000000018004A458 Relevance: 7.6, APIs: 5, Instructions: 102COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 000000018004A4B2
malloc.LIBCMT ref: 000000018004A516
MultiByteToWideChar.KERNEL32 ref: 000000018004A55E
GetStringTypeW.KERNEL32 ref: 000000018004A575
free.LIBCMT ref: 000000018004A589

Memory Dump Source

Source File: 0000000F.00000002.2151047013.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000F.00000002.2151028838.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151082112.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151099750.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151116725.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151131977.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151147650.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151162376.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_180000000_rundll32.jbxd

Similarity

API ID: ByteCharMultiWide$StringTypefreemalloc
String ID:
API String ID: 307345228-0
Opcode ID: 93dcc5b94d4ecd0e86884504227929fb1291d854fb79cbca14ab971fb09c5493
Instruction ID: c1e8cdc11ca7ad10a2207395aac586f5b43039c7c9522db95887dc8847b2f22a
Opcode Fuzzy Hash: 93dcc5b94d4ecd0e86884504227929fb1291d854fb79cbca14ab971fb09c5493
Instruction Fuzzy Hash: 1F419432204F8486FB929F25A8407DA6395F78DBECF5A8611BE2D477D4DF38C5098708

Function 0000000180042E78 Relevance: 7.6, APIs: 5, Instructions: 91COMMONLIBRARYCODE

Download Yara Rule

APIs

_ctrlfp.LIBCMT ref: 0000000180042EB9
_exception_enabled.LIBCMT ref: 0000000180042EDB

Part of subcall function 0000000180042DBC: _set_statfp.LIBCMT ref: 0000000180042DE3
Part of subcall function 0000000180042DBC: _set_statfp.LIBCMT ref: 0000000180042E56

_raise_excf.LIBCMT ref: 0000000180042F27
_ctrlfp.LIBCMT ref: 0000000180042F73
_ctrlfp.LIBCMT ref: 0000000180042FA4

Memory Dump Source

Source File: 0000000F.00000002.2151047013.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000F.00000002.2151028838.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151082112.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151099750.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151116725.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151131977.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151147650.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151162376.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_180000000_rundll32.jbxd

Similarity

API ID: _ctrlfp$_set_statfp$_exception_enabled_raise_excf
String ID:
API String ID: 3843346586-0
Opcode ID: 4fed85a8e9323bfe2c854ad3ef067d745824d256f9f05b55b1c983bcfd5a2ff9
Instruction ID: 35ab72a1ed03ce81a25cb5b39f41f12cf8ca01baf8c7fa63cc16a06614d8d2ce
Opcode Fuzzy Hash: 4fed85a8e9323bfe2c854ad3ef067d745824d256f9f05b55b1c983bcfd5a2ff9
Instruction Fuzzy Hash: 5041E432614E888AE752DB26E4813EEB771FBCD3C8F415325FA4956A58DF38D589CB00

Function 000000018003E624 Relevance: 7.6, APIs: 5, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,000000018003E739,?,?,?,?,00000001800129B9), ref: 000000018003E64D
DecodePointer.KERNEL32(?,?,?,000000018003E739,?,?,?,?,00000001800129B9), ref: 000000018003E65D

Part of subcall function 0000000180042B80: _errno.LIBCMT ref: 0000000180042B89
Part of subcall function 0000000180042B80: _invalid_parameter_noinfo.LIBCMT ref: 0000000180042B94

EncodePointer.KERNEL32(?,?,?,000000018003E739,?,?,?,?,00000001800129B9), ref: 000000018003E6DB

Part of subcall function 0000000180042AF8: realloc.LIBCMT ref: 0000000180042B23
Part of subcall function 0000000180042AF8: Sleep.KERNEL32(?,?,00000000,000000018003E6CB,?,?,?,000000018003E739,?,?,?,?,00000001800129B9), ref: 0000000180042B3F

EncodePointer.KERNEL32(?,?,?,000000018003E739,?,?,?,?,00000001800129B9), ref: 000000018003E6EB
EncodePointer.KERNEL32(?,?,?,000000018003E739,?,?,?,?,00000001800129B9), ref: 000000018003E6F8

Memory Dump Source

Source File: 0000000F.00000002.2151047013.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000F.00000002.2151028838.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151082112.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151099750.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151116725.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151131977.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151147650.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151162376.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_180000000_rundll32.jbxd

Similarity

API ID: Pointer$Encode$Decode$Sleep_errno_invalid_parameter_noinforealloc
String ID:
API String ID: 1909145217-0
Opcode ID: ed15b638c86beb6079fb653881b7bedfcb1da94e35fa47f475b2029b95edd674
Instruction ID: fe7b83a0f1e081e7fa5e6d38d200593cd4bdb274e8300509f1d988dc7ce839eb
Opcode Fuzzy Hash: ed15b638c86beb6079fb653881b7bedfcb1da94e35fa47f475b2029b95edd674
Instruction Fuzzy Hash: B521A130302B8881EA939B52E9893CAA352B34EBD4F45C825F91E17394DE78C68D8344

Function 000000018004634C Relevance: 7.5, APIs: 5, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 0000000180046383
GetCurrentProcessId.KERNEL32 ref: 000000018004638E
GetCurrentThreadId.KERNEL32 ref: 000000018004639A
GetTickCount.KERNEL32 ref: 00000001800463A6
QueryPerformanceCounter.KERNEL32 ref: 00000001800463B7

Memory Dump Source

Source File: 0000000F.00000002.2151047013.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000F.00000002.2151028838.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151082112.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151099750.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151116725.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151131977.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151147650.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151162376.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_180000000_rundll32.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 92565ea8d5c85b212df12a7ebaa521c2a5878a6861afd3c9b07c384d7c5c1395
Instruction ID: 4acdcd43e76b003da33731daa7b3035c29bec53c6226794cfad176108422307a
Opcode Fuzzy Hash: 92565ea8d5c85b212df12a7ebaa521c2a5878a6861afd3c9b07c384d7c5c1395
Instruction Fuzzy Hash: 3101A131214E4886E792CF21E8847857360F74DBD8F05A520FE6A177A0DF38CAC88305

Function 0000000180048DB0 Relevance: 7.5, APIs: 5, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000000180048DB9
_errno.LIBCMT ref: 0000000180048DC1

Memory Dump Source

Source File: 0000000F.00000002.2151047013.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000F.00000002.2151028838.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151082112.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151099750.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151116725.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151131977.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151147650.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151162376.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_180000000_rundll32.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 04538ce0f69410465c08cf912922deca18a28768c91d40277fbb7ad585d34a5d
Instruction ID: 3fb9fc9a06773a5ddc4cf9db8930bc32603d4213745492d31301100f49cfba50
Opcode Fuzzy Hash: 04538ce0f69410465c08cf912922deca18a28768c91d40277fbb7ad585d34a5d
Instruction Fuzzy Hash: 730181B2A01E4C41FE976B55C8C13EC22519B98BE9FA7CB05F629063D2CFB846089355

Function 000000018002E3F0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 281COMMON

Download Yara Rule

APIs

powf.LIBCMT ref: 000000018002E76E

Strings

Failed to refit Opcode model., xrefs: 000000018002E902
..\..\Cooking\src\ConvexMeshBuilder.cpp, xrefs: 000000018002E912
Failed to rebuild Opcode model., xrefs: 000000018002E940

Memory Dump Source

Source File: 0000000F.00000002.2151047013.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000F.00000002.2151028838.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151082112.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151099750.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151116725.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151131977.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151147650.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151162376.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_180000000_rundll32.jbxd

Similarity

API ID: powf
String ID: ..\..\Cooking\src\ConvexMeshBuilder.cpp$Failed to rebuild Opcode model.$Failed to refit Opcode model.
API String ID: 3445610689-3682976713
Opcode ID: 216dec962e8dca91ec4070bef38bf642e1f4696c0a72cbfcd53967bfc60aac4b
Instruction ID: c1c056e1c85f343c2078a2337025b71bb37fd292796a6b4142674db4036b91a6
Opcode Fuzzy Hash: 216dec962e8dca91ec4070bef38bf642e1f4696c0a72cbfcd53967bfc60aac4b
Instruction Fuzzy Hash: A5E14233A347C89AD342CB3694853E9B360FF6E789F299716EB04321B5DB2161D5AF10

Function 0000000180041694 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90COMMONLIBRARYCODE

Download Yara Rule

APIs

_fltout2.LIBCMT ref: 00000001800416CF
_errno.LIBCMT ref: 00000001800416D9
_invalid_parameter_noinfo.LIBCMT ref: 00000001800416E0

Strings

-, xrefs: 00000001800416FB

Memory Dump Source

Source File: 0000000F.00000002.2151047013.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000F.00000002.2151028838.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151082112.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151099750.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151116725.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151131977.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151147650.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151162376.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_180000000_rundll32.jbxd

Similarity

API ID: _errno_fltout2_invalid_parameter_noinfo
String ID: -
API String ID: 485257318-2547889144
Opcode ID: 7fdfd41007377c7044378e94245d290bf8d3290ad409f6aff9913dfa4249c632
Instruction ID: d709b449ce76c0cccf1e9d4ca559e2f814d34352179fa1e3acc4947a0398de61
Opcode Fuzzy Hash: 7fdfd41007377c7044378e94245d290bf8d3290ad409f6aff9913dfa4249c632
Instruction Fuzzy Hash: 5831F832308E8849EBA29A21E4807DDB7A0BB49BD9F55C211FF9807BC5DF38C649C704

Function 0000000180047EF0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000180047F09
_invalid_parameter_noinfo.LIBCMT ref: 0000000180047F15
_errno.LIBCMT ref: 0000000180047F3C

Strings

1, xrefs: 0000000180047F8B

Memory Dump Source

Source File: 0000000F.00000002.2151047013.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000F.00000002.2151028838.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151082112.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151099750.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151116725.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151131977.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151147650.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151162376.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_180000000_rundll32.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo
String ID: 1
API String ID: 2819658684-2212294583
Opcode ID: acab422b16e29b316407dfade680dd80396a7f151f61521eb08063fae4db2bda
Instruction ID: 3afd2d037a64dffeabbd375ce9f5099401c357d53f3d192c0fa9e8baf7547702
Opcode Fuzzy Hash: acab422b16e29b316407dfade680dd80396a7f151f61521eb08063fae4db2bda
Instruction Fuzzy Hash: 8C21C232719AC895F7979B2484903EC6A9097197C8F9BC071B64D06383DE2ACB4DC719

Function 0000000180043114 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

_callnewh.LIBCMT ref: 0000000180043122
malloc.LIBCMT ref: 000000018004312E

Part of subcall function 000000018003E168: _FF_MSGBANNER.LIBCMT ref: 000000018003E198
Part of subcall function 000000018003E168: HeapAlloc.KERNEL32(?,?,00000000,0000000180042A24,?,?,?,0000000180046585,?,?,?,000000018004662F), ref: 000000018003E1BD
Part of subcall function 000000018003E168: _callnewh.LIBCMT ref: 000000018003E1D6
Part of subcall function 000000018003E168: _errno.LIBCMT ref: 000000018003E1E1
Part of subcall function 000000018003E168: _errno.LIBCMT ref: 000000018003E1EC

std::exception::exception.LIBCMT ref: 000000018004319B

Strings

bad allocation, xrefs: 000000018004316B

Memory Dump Source

Source File: 0000000F.00000002.2151047013.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000F.00000002.2151028838.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151082112.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151099750.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151116725.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151131977.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151147650.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151162376.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_180000000_rundll32.jbxd

Similarity

API ID: _callnewh_errno$AllocHeapmallocstd::exception::exception
String ID: bad allocation
API String ID: 2837191506-2104205924
Opcode ID: 69166dead89ba0001818fcb42f863f8f744a8727467665a40b2d329f3b4ae9c4
Instruction ID: 2638e90aacf5b7bd257e9f3c7290f5987344553ab20e9d5bcdf450cefdde47fc
Opcode Fuzzy Hash: 69166dead89ba0001818fcb42f863f8f744a8727467665a40b2d329f3b4ae9c4
Instruction Fuzzy Hash: FF012971210F4D95FAA2EF10FC913E923A1AB4C3C8F999515B98A466A6EF78C34CC744

Function 00000001800401B0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,000000FF,00000001800401F9,?,?,00000028,000000018003E1B1,?,?,00000000,0000000180042A24,?,?,?,0000000180046585), ref: 00000001800401BF
GetProcAddress.KERNEL32(?,?,000000FF,00000001800401F9,?,?,00000028,000000018003E1B1,?,?,00000000,0000000180042A24,?,?,?,0000000180046585), ref: 00000001800401D4

Strings

mscoree.dll, xrefs: 00000001800401B8
CorExitProcess, xrefs: 00000001800401CA

Memory Dump Source

Source File: 0000000F.00000002.2151047013.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000F.00000002.2151028838.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151082112.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151099750.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151116725.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151131977.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151147650.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151162376.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_180000000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 1646373207-1276376045
Opcode ID: ba0dafc19b2472185031fd18bc234a06f9b3256a42d53cff56055289a2376332
Instruction ID: a0660a350e574b67e0b4226d0f2eee7d3bf1d40f10e0bb7c7f0877cdf3d5dc59
Opcode Fuzzy Hash: ba0dafc19b2472185031fd18bc234a06f9b3256a42d53cff56055289a2376332
Instruction Fuzzy Hash: 47E01230701B0841FF9B5B90ACE87E812905B4DB85F49D428A81E163A0DE78C7CDC354

Function 0000000180032FB0 Relevance: 6.2, APIs: 4, Instructions: 194COMMON

Download Yara Rule

APIs

Part of subcall function 0000000180030FB0: wprintf.LIBCMT ref: 00000001800310BC

sinf.LIBCMT ref: 00000001800330CF
cosf.LIBCMT ref: 00000001800330DA
sinf.LIBCMT ref: 00000001800331BF
cosf.LIBCMT ref: 00000001800331CA

Memory Dump Source

Source File: 0000000F.00000002.2151047013.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000F.00000002.2151028838.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151082112.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151099750.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151116725.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151131977.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151147650.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151162376.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_180000000_rundll32.jbxd

Similarity

API ID: cosfsinf$wprintf
String ID:
API String ID: 2107656780-0
Opcode ID: 382b214eebf19062cad19f456cb08a0201fd66ced005d341dfe06ad299dadf82
Instruction ID: 46b4470296fbe892be20eddff3f83e40b80dd16ede03d11ccee520d7224549a9
Opcode Fuzzy Hash: 382b214eebf19062cad19f456cb08a0201fd66ced005d341dfe06ad299dadf82
Instruction Fuzzy Hash: D5819632A24B8C85E253973754823EAB350BF6E3D5F2ED712FE4436672DB3592859700

Function 0000000180012900 Relevance: 6.2, APIs: 4, Instructions: 166COMMON

Download Yara Rule

APIs

cosf.LIBCMT ref: 00000001800129EF
sinf.LIBCMT ref: 00000001800129FB
cosf.LIBCMT ref: 0000000180012A1F
sinf.LIBCMT ref: 0000000180012A33

Memory Dump Source

Source File: 0000000F.00000002.2151047013.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000F.00000002.2151028838.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151082112.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151099750.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151116725.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151131977.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151147650.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151162376.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_180000000_rundll32.jbxd

Similarity

API ID: cosfsinf
String ID:
API String ID: 3160392742-0
Opcode ID: 710fe8378ab7627c6d3ad517a7fb43d291aca31b161ca0839560dead9768729b
Instruction ID: 1cead7b32d2bbf2f5b55d1c3a91411fd1ac8757cce8477ee880dc762cf88697a
Opcode Fuzzy Hash: 710fe8378ab7627c6d3ad517a7fb43d291aca31b161ca0839560dead9768729b
Instruction Fuzzy Hash: B961A332A20BCC89F3539B3598413E9B390FF6D399F59D316F958637A1EB3496968300

Function 00000001800466C4 Relevance: 6.2, APIs: 4, Instructions: 159COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000180046712
_invalid_parameter_noinfo.LIBCMT ref: 000000018004671D
DecodePointer.KERNEL32(?,?,?,?,?,00000001800418D4), ref: 00000001800467CC
_lock.LIBCMT ref: 00000001800467F7

Memory Dump Source

Source File: 0000000F.00000002.2151047013.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000F.00000002.2151028838.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151082112.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151099750.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151116725.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151131977.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151147650.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151162376.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_180000000_rundll32.jbxd

Similarity

API ID: DecodePointer_errno_invalid_parameter_noinfo_lock
String ID:
API String ID: 27599310-0
Opcode ID: 3ba312c050f11dc89975966b9274c87d68241d0575a534c57e7272571b709c94
Instruction ID: 3bc55bf60f611b24502ee0385f2e896cb3150c86a8d65ec0ab32753a95d692e4
Opcode Fuzzy Hash: 3ba312c050f11dc89975966b9274c87d68241d0575a534c57e7272571b709c94
Instruction Fuzzy Hash: BA519931A04F4882F6EB8B1494C43E96791F78D7CCF66C519F95A026A4EF39DA4DC30A

Function 000000018003F378 Relevance: 6.1, APIs: 4, Instructions: 131COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018003F39D
_invalid_parameter_noinfo.LIBCMT ref: 000000018003F3A8
_fileno.LIBCMT ref: 000000018003F3B5

Memory Dump Source

Source File: 0000000F.00000002.2151047013.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000F.00000002.2151028838.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151082112.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151099750.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151116725.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151131977.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151147650.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151162376.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_180000000_rundll32.jbxd

Similarity

API ID: _errno_fileno_invalid_parameter_noinfo
String ID:
API String ID: 3179357039-0
Opcode ID: d41cd86fc7fb8144f4059a54d214e4fa40f97208075d2dc81462a2ea984e8e8f
Instruction ID: d0906d9fb1a41af227b7a35f2f9a52febfb977d410d2cbb6bbfff6933d0bdc86
Opcode Fuzzy Hash: d41cd86fc7fb8144f4059a54d214e4fa40f97208075d2dc81462a2ea984e8e8f
Instruction Fuzzy Hash: 6B51AE32200B8D86EBB79E25C4453AB3791E788BD8F5AC115EE45073D5CE76CA49C340

Function 000000018003F6B8 Relevance: 6.1, APIs: 4, Instructions: 124COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018003F6EF
_invalid_parameter_noinfo.LIBCMT ref: 000000018003F6FA
_flush.LIBCMT ref: 000000018003F7AF
_fileno.LIBCMT ref: 000000018003F7D0

Memory Dump Source

Source File: 0000000F.00000002.2151047013.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000F.00000002.2151028838.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151082112.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151099750.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151116725.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151131977.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151147650.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151162376.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_180000000_rundll32.jbxd

Similarity

API ID: _errno_fileno_flush_invalid_parameter_noinfo
String ID:
API String ID: 329365992-0
Opcode ID: 698076d28cb656be0e290576a6c6d4183abae3acb9cc80cd1dacd601588005bc
Instruction ID: 994570d0ed5c695223296e2820c58eafbc39b0a3d3290f0a7fd1d0bd978d184a
Opcode Fuzzy Hash: 698076d28cb656be0e290576a6c6d4183abae3acb9cc80cd1dacd601588005bc
Instruction Fuzzy Hash: 3041383130864846EEFB8E26A5443FFA781B74CBD4F2AC224BE55477D5DE39C64A8300

Function 0000000180041424 Relevance: 6.1, APIs: 4, Instructions: 115COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000000180040AE0: _getptd.LIBCMT ref: 0000000180040AF2

_errno.LIBCMT ref: 0000000180041462
_invalid_parameter_noinfo.LIBCMT ref: 000000018004146C
_errno.LIBCMT ref: 0000000180041490
_invalid_parameter_noinfo.LIBCMT ref: 000000018004149A

Memory Dump Source

Source File: 0000000F.00000002.2151047013.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000F.00000002.2151028838.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151082112.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151099750.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151116725.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151131977.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151147650.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151162376.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_180000000_rundll32.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo$_getptd
String ID:
API String ID: 1297830140-0
Opcode ID: 685b8ff2d911154aa2a8e8b67757949be9fab10ec942415c646d9afbcf8df801
Instruction ID: 7cefe7ca653a2f4658f3ee0a3df96f0f0be2bf27072e95f2b595b8178f122df2
Opcode Fuzzy Hash: 685b8ff2d911154aa2a8e8b67757949be9fab10ec942415c646d9afbcf8df801
Instruction Fuzzy Hash: 2441B132204B888AEB92EF15D5C43DD77A0F788BD5F568121EB8A43B92DF38C559C704

Function 00000001800440E4 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

_lock.LIBCMT ref: 00000001800440F8

Part of subcall function 000000018004660C: _amsg_exit.LIBCMT ref: 0000000180046636

InitializeCriticalSectionAndSpinCount.KERNEL32(00000000,000000018001BA07), ref: 00000001800441B0
free.LIBCMT ref: 00000001800441C5
EnterCriticalSection.KERNEL32 ref: 00000001800441E7

Memory Dump Source

Source File: 0000000F.00000002.2151047013.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000F.00000002.2151028838.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151082112.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151099750.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151116725.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151131977.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151147650.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151162376.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$CountEnterInitializeSpin_amsg_exit_lockfree
String ID:
API String ID: 3786353176-0
Opcode ID: 2d8fe9b17452f9be50c8f4dde2f5c65ad41ce5bf3704b10e52e00b94b0c4d927
Instruction ID: 77d012aec7b7a8e0eae38a5513b7aa1e5a3cf52bfde04b3ae6aefb7f7a7b0724
Opcode Fuzzy Hash: 2d8fe9b17452f9be50c8f4dde2f5c65ad41ce5bf3704b10e52e00b94b0c4d927
Instruction Fuzzy Hash: BC419132611F8882F7969B15E8803AC7761F758BD8F16C515EA590B2F1DF38CA89C748

Function 000000018003F36C Relevance: 6.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018003F2C3
_invalid_parameter_noinfo.LIBCMT ref: 000000018003F2CE
_errno.LIBCMT ref: 000000018003F300
_errno.LIBCMT ref: 000000018003F312

Memory Dump Source

Source File: 0000000F.00000002.2151047013.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000F.00000002.2151028838.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151082112.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151099750.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151116725.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151131977.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151147650.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151162376.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_180000000_rundll32.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo
String ID:
API String ID: 2819658684-0
Opcode ID: 99ea2aa7fa037c728c670b1af3ab4c704a45c8a6972333f03af08050f1a032be
Instruction ID: a8714d15938ca0f6a90d651474b82c1258147739466bb9e11812dd49b4ea1a94
Opcode Fuzzy Hash: 99ea2aa7fa037c728c670b1af3ab4c704a45c8a6972333f03af08050f1a032be
Instruction Fuzzy Hash: B921C335614A8A85FBA3AB21A8013AF6391B74CBC4F06D421BA8987B85DF3DC705C744

Function 00000001800471B8 Relevance: 6.0, APIs: 4, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00000001800471C2

Part of subcall function 000000018004332C: _amsg_exit.LIBCMT ref: 0000000180043342

_lock.LIBCMT ref: 00000001800471F0
free.LIBCMT ref: 0000000180047226
_amsg_exit.LIBCMT ref: 000000018004725F

Memory Dump Source

Source File: 0000000F.00000002.2151047013.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000F.00000002.2151028838.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151082112.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151099750.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151116725.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151131977.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151147650.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151162376.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_180000000_rundll32.jbxd

Similarity

API ID: _amsg_exit$_getptd_lockfree
String ID:
API String ID: 2148533958-0
Opcode ID: 448ee291d70af40f8b290fc170a3ec04642eda76fc7755001fed3b988956531a
Instruction ID: 03751925d89ad7c75a090659d8e6fec9e03ae648af79c615cbbbc49a299d30f7
Opcode Fuzzy Hash: 448ee291d70af40f8b290fc170a3ec04642eda76fc7755001fed3b988956531a
Instruction Fuzzy Hash: F9110031215E4882EAD69B51E5817E973A4F78C7C8F499026FA4D037A6DF38C658CB05

Function 00000001800431C8 Relevance: 6.0, APIs: 4, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsFree.KERNEL32(?,?,?,?,000000018003FFDE), ref: 00000001800431D7
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000018003FFDE), ref: 00000001800464B7
free.LIBCMT ref: 00000001800464C0
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000018003FFDE), ref: 00000001800464E7

Memory Dump Source

Source File: 0000000F.00000002.2151047013.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000F.00000002.2151028838.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151082112.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151099750.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151116725.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151131977.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151147650.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151162376.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalDeleteSection$Freefree
String ID:
API String ID: 1250194111-0
Opcode ID: 9228b09e253a007911eda0d127ec13b25624cc88dbbd8a24fc5e966267fe7591
Instruction ID: 7a905e3c905827164463eee99df514b0c51316a8045c2e4bb92215e5cfa9d33c
Opcode Fuzzy Hash: 9228b09e253a007911eda0d127ec13b25624cc88dbbd8a24fc5e966267fe7591
Instruction Fuzzy Hash: 5011A731A41E88CAFFE68F11F4803987360F799BE8F598216F659022B5DF38C68D8705

Function 00000001800491D4 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

_lock.LIBCMT ref: 00000001800491E8

Part of subcall function 000000018004660C: _amsg_exit.LIBCMT ref: 0000000180046636

fclose.LIBCMT ref: 0000000180049218
DeleteCriticalSection.KERNEL32(?,?,?,?,?,0000000180043D17), ref: 000000018004923C
free.LIBCMT ref: 000000018004924D

Memory Dump Source

Source File: 0000000F.00000002.2151047013.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000F.00000002.2151028838.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151082112.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151099750.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151116725.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151131977.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151147650.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151162376.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalDeleteSection_amsg_exit_lockfclosefree
String ID:
API String ID: 594724896-0
Opcode ID: 68e91f0215962c8046d3153dc38de0d0fe5a82dc01a661f0b9ce8fe4bd2a4dd0
Instruction ID: 0c0a23507bb2629b1bc646a7cbb6b0bd2226b194344c5b0705f97f05c29633ea
Opcode Fuzzy Hash: 68e91f0215962c8046d3153dc38de0d0fe5a82dc01a661f0b9ce8fe4bd2a4dd0
Instruction Fuzzy Hash: 53119435505E4892E6928B59E8C43DD7760F7C8BD8F22C225FA6A433B5CF79C649C708

Function 0000000180047A88 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 0000000180047A8E

Part of subcall function 000000018004332C: _amsg_exit.LIBCMT ref: 0000000180043342

_getptd.LIBCMT ref: 0000000180047AAE
_lock.LIBCMT ref: 0000000180047AC1
_amsg_exit.LIBCMT ref: 0000000180047AEF

Memory Dump Source

Source File: 0000000F.00000002.2151047013.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000F.00000002.2151028838.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151082112.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151099750.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151116725.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151131977.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151147650.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151162376.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_180000000_rundll32.jbxd

Similarity

API ID: _amsg_exit_getptd$_lock
String ID:
API String ID: 3670291111-0
Opcode ID: 1e2951db7288fe683079fa74c1d0abc9f5b6e3ca7d7c7624e94539af6c24109d
Instruction ID: 30bf2c9c459df01ed59fad58da7d5b88ae189090fbb2b18f494d1813002e01c0
Opcode Fuzzy Hash: 1e2951db7288fe683079fa74c1d0abc9f5b6e3ca7d7c7624e94539af6c24109d
Instruction Fuzzy Hash: 3EF0187170180881F6D6AB5184817ED2361E79C7C8F0A9175FA0D073D3DE24875CC719

Function 0000000180034DC0 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 380COMMON

Download Yara Rule

APIs

Part of subcall function 0000000180032FB0: sinf.LIBCMT ref: 00000001800330CF
Part of subcall function 0000000180032FB0: cosf.LIBCMT ref: 00000001800330DA

Part of subcall function 0000000180032FB0: sinf.LIBCMT ref: 00000001800331BF
Part of subcall function 0000000180032FB0: cosf.LIBCMT ref: 00000001800331CA

wprintf.LIBCMT ref: 00000001800350B0
wprintf.LIBCMT ref: 000000018003522C

Strings

Cant normalize ZERO vector, xrefs: 00000001800350A9, 0000000180035225

Memory Dump Source

Source File: 0000000F.00000002.2151047013.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000F.00000002.2151028838.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151082112.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151099750.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151116725.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151131977.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151147650.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151162376.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_180000000_rundll32.jbxd

Similarity

API ID: cosfsinfwprintf
String ID: Cant normalize ZERO vector
API String ID: 478498997-1862362117
Opcode ID: 8f3b28573348b3f5bc6031dba9d50d39b873ffff9a8f37479b0f46ab6967f4a8
Instruction ID: f98a87a50659f58f53137574a4a326717961e7e6fcb01f50f0ee04a1c3ccac6a
Opcode Fuzzy Hash: 8f3b28573348b3f5bc6031dba9d50d39b873ffff9a8f37479b0f46ab6967f4a8
Instruction Fuzzy Hash: 08028633924B888AD352CB3790856AAB760FFAE3D4F299702FE44727B5DB35D5449B00

Function 000000018003FCA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 126COMMON

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000000018003FD5E

Part of subcall function 0000000180042E78: _ctrlfp.LIBCMT ref: 0000000180042EB9
Part of subcall function 0000000180042E78: _exception_enabled.LIBCMT ref: 0000000180042EDB
Part of subcall function 0000000180042E78: _raise_excf.LIBCMT ref: 0000000180042F27
Part of subcall function 0000000180042E78: _ctrlfp.LIBCMT ref: 0000000180042F73

Strings

!, xrefs: 000000018003FD88
asinf, xrefs: 000000018003FD12

Memory Dump Source

Source File: 0000000F.00000002.2151047013.0000000180001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 0000000F.00000002.2151028838.0000000180000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151082112.000000018004E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151099750.000000018005C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151116725.0000000180062000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151131977.0000000180064000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151147650.0000000180068000.00000010.00000001.01000000.00000003.sdmpDownload File
Associated: 0000000F.00000002.2151162376.0000000180069000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_180000000_rundll32.jbxd

Similarity

API ID: _ctrlfp$_exception_enabled_raise_excf_set_statfp
String ID: !$asinf
API String ID: 3072139147-2917828882
Opcode ID: ff56a0d4b1c6a47029269032c783d636fad6bda69c86f508603d91954b0104b9
Instruction ID: d0c98440cba4b73ae54bff3046531fc7f845b546b7e426e5b618ba2336869eec
Opcode Fuzzy Hash: ff56a0d4b1c6a47029269032c783d636fad6bda69c86f508603d91954b0104b9
Instruction Fuzzy Hash: C051AA329246CC86E2A3C73BA4813E6B750AFAD3C5F29C705F940756B5DF2A91995F00

Analysis Process: rundll32.exePID: 7564, Parent PID: 7252COMMON

Execution Graph

Execution Coverage:	5.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	4.8%
Total number of Nodes:	250
Total number of Limit Nodes:	22

Executed Functions

Function 0000000273F41380 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
injectionsleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 0000000273F413A0
VirtualAllocEx.KERNEL32 ref: 0000000273F413C3
WriteProcessMemory.KERNEL32 ref: 0000000273F413F8
CreateRemoteThread.KERNEL32 ref: 0000000273F4142E
WaitForSingleObject.KERNEL32 ref: 0000000273F41448

Strings

@, xrefs: 0000000273F413A6

Memory Dump Source

Source File: 00000010.00000002.3521962854.0000000273F41000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000273F40000, based on PE: true

Associated: 00000010.00000002.3521946624.0000000273F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.3521962854.0000000273F85000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_273f40000_rundll32.jbxd

Similarity

API ID: AllocCreateMemoryObjectProcessRemoteSingleSleepThreadVirtualWaitWrite
String ID: @
API String ID: 3172812169-2766056989
Opcode ID: 7fcec4437536d1c811a67ff0d3e935be9d4b92fa0fac673d0b509e6aa8ba7f62
Instruction ID: 70ca693b3c1452cbeb4233b6b91bedeb956dc212f3bce1284f7759b325db5040
Opcode Fuzzy Hash: 7fcec4437536d1c811a67ff0d3e935be9d4b92fa0fac673d0b509e6aa8ba7f62
Instruction Fuzzy Hash: 5F117F22709E9042F6A0CF26BC08B5666A0B789FF4F644324EFBD17BE5DB38C6059605

Function 000002C0CFA1DACE Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000003.1799563429.000002C0CF9E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C0CF9E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_3_2c0cf9e0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 633259c266d87a5b95fda6ce05470889e09af076b0dc8ff2f0ee963c60a24a3d
Instruction ID: 7fab87dd66e75dc0bfcff947ced448f477f0386d2d28368c8c6c5269dc7de3dc
Opcode Fuzzy Hash: 633259c266d87a5b95fda6ce05470889e09af076b0dc8ff2f0ee963c60a24a3d
Instruction Fuzzy Hash: 4911E770618B888FD6A4DF499889BAAB7E1FBD8711F544A2FE48CD3210C7319441C793

Function 000002C0CFA1D9FE Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000003.1799563429.000002C0CF9E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C0CF9E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_3_2c0cf9e0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe48e069b0bf4257b6ece8509336bdb1b8fe3d1efb0e08b23792c235e305b72c
Instruction ID: 33bca329bb03c6a26a27ec47fd3475ce49b11827a73823d3fa8a9eb30fc3bc59
Opcode Fuzzy Hash: fe48e069b0bf4257b6ece8509336bdb1b8fe3d1efb0e08b23792c235e305b72c
Instruction Fuzzy Hash: 89F049B0628B448BE744DF1884C967977E1FBD8655F64452FE889C7361DB3198428B43

Function 000002C0CFA1D98E Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000003.1799563429.000002C0CF9E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C0CF9E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_3_2c0cf9e0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba3f95c2c9417701ba101d61fb74fecea45e223f9a8c54239b1753508d96a613
Instruction ID: 5960d9abacb1adefdf90835045597848b875249578ff9cd82e611af3837cc16a
Opcode Fuzzy Hash: ba3f95c2c9417701ba101d61fb74fecea45e223f9a8c54239b1753508d96a613
Instruction Fuzzy Hash: E4F044B0618B448BE744DF1884C967AB7E1FBD8755F24452FE899C7361DB319842CB43

Function 000002C0CFA1DA6E Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000003.1799563429.000002C0CF9E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C0CF9E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_3_2c0cf9e0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 611503c2f2b608366220324c20f94816b5761d40c9c053a388f9cbb19c4f0105
Instruction ID: c6fa763bf72b29af7094b9d4efacc01fcc47498973f5c5e69f833974aaf0e7ba
Opcode Fuzzy Hash: 611503c2f2b608366220324c20f94816b5761d40c9c053a388f9cbb19c4f0105
Instruction Fuzzy Hash: 13F05B70624F448BD704AF1C848AA7977D1F7D8655F54462EE444C7361DB35D5428B43

Function 000002C0CF992050 Relevance: 22.8, APIs: 15, Instructions: 324
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000002C0CF991340: SetLastError.KERNEL32 ref: 000002C0CF991364

SetLastError.KERNEL32 ref: 000002C0CF9920C4

Memory Dump Source

Source File: 00000010.00000002.3522388941.000002C0CF990000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C0CF990000, based on PE: true

Associated: 00000010.00000002.3522388941.000002C0CF9D6000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2c0cf990000_rundll32.jbxd

Yara matches

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 4d975507dabfc9bcff4ce07bface502bc42e706bf54c750510e23b7039734968
Instruction ID: 909283acd9b2741667af0c246a069474a563ec50a46a492be50126d098cad7fd
Opcode Fuzzy Hash: 4d975507dabfc9bcff4ce07bface502bc42e706bf54c750510e23b7039734968
Instruction Fuzzy Hash: 27F1E136619B84C6EB60CF15E494B6EB7A0F3C8B90F11511AEB8E87B64DF79C644CB01

Function 000002C0CFA1CABE Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 323COMMON

Download Yara Rule

Strings

@, xrefs: 000002C0CFA1CD21
0, xrefs: 000002C0CFA1CBCE
@, xrefs: 000002C0CFA1CBE5
`, xrefs: 000002C0CFA1CB5B

Memory Dump Source

Source File: 00000010.00000003.1799563429.000002C0CF9E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C0CF9E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_3_2c0cf9e0000_rundll32.jbxd

Similarity

API ID:
String ID: 0$@$@$`
API String ID: 0-307318802
Opcode ID: 790f92f7944892e3d38ff7d826f4987b9e3c0bb28676424d5e8019a2330f5ae1
Instruction ID: dbfde0de70f23c69d7b9deffb8303c0fcef56621f482790af599ed518272a6b4
Opcode Fuzzy Hash: 790f92f7944892e3d38ff7d826f4987b9e3c0bb28676424d5e8019a2330f5ae1
Instruction Fuzzy Hash: F0B10C70618B488FE764EF1CD885B9AB7E1FB98314F108A1EE499C3291DB74D9458B83

Function 000002C0CFA1BE8E Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

, xrefs: 000002C0CFA1C0F8

Memory Dump Source

Source File: 00000010.00000003.1799563429.000002C0CF9E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C0CF9E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_3_2c0cf9e0000_rundll32.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 9457dfe6ec60ebb388675859c3b208fc461dcabcf6edda219dbca694cf0c5acf
Instruction ID: 74f7d76f8572c9c4e9258e601c6b88ff189557193d55e82e5b90d1fc9a6791ce
Opcode Fuzzy Hash: 9457dfe6ec60ebb388675859c3b208fc461dcabcf6edda219dbca694cf0c5acf
Instruction Fuzzy Hash: 0CB17171618A08CFEB54EF1CD885B9EB7E1FB98310F01866EE489C7251DB34E945CB82

Function 000002C0CF9915E0 Relevance: 3.1, APIs: 2, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualFree.KERNEL32 ref: 000002C0CF99167C

Memory Dump Source

Source File: 00000010.00000002.3522388941.000002C0CF990000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C0CF990000, based on PE: true

Associated: 00000010.00000002.3522388941.000002C0CF9D6000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2c0cf990000_rundll32.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 75ce38d37ca8cf5b7d06ded007de5ea175a415d9990679de99291eeea22f5aae
Instruction ID: 436a6ae1a21cbb60b81ef6f8e37c3edf9697ab91149c42a215800db3aaa470a9
Opcode Fuzzy Hash: 75ce38d37ca8cf5b7d06ded007de5ea175a415d9990679de99291eeea22f5aae
Instruction Fuzzy Hash: 8651CA76618744CBEB60CF1AE484B1EB7A1F3C8B84F160116EA9D87754DB79D680CF01

Function 000002C0CF991380 Relevance: 2.6, APIs: 2, Instructions: 119
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32 ref: 000002C0CF991445
VirtualAlloc.KERNEL32 ref: 000002C0CF9914F4

Memory Dump Source

Source File: 00000010.00000002.3522388941.000002C0CF990000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C0CF990000, based on PE: true

Associated: 00000010.00000002.3522388941.000002C0CF9D6000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2c0cf990000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 816fc88231aa2467bf2252115963d1d14762f6c5c40f282537df11a36abcc1ab
Instruction ID: 5fbf0cd2172acf7555c36ea4b3efd9f721022f47992632b50033c0debfe551dd
Opcode Fuzzy Hash: 816fc88231aa2467bf2252115963d1d14762f6c5c40f282537df11a36abcc1ab
Instruction Fuzzy Hash: 2A51DC76618B44C6DB60CB16E48461EB7B0F3C8BD4F11521AEE8E83B68DB79C681CF01

Function 0000000273F414D0 Relevance: 1.5, APIs: 1, Instructions: 7
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNELBASE ref: 0000000273F414E5

Memory Dump Source

Source File: 00000010.00000002.3521962854.0000000273F41000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000273F40000, based on PE: true

Associated: 00000010.00000002.3521946624.0000000273F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.3521962854.0000000273F85000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_273f40000_rundll32.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 490134546b41fa5f3525d4fc16026bee51ec6a607ddd3dfaa8bb0cc5ac4d8099
Instruction ID: 0bf00bace8f2674ea540bcf736f3f2282d979a864102f6c7b7d6f84e33ec7844
Opcode Fuzzy Hash: 490134546b41fa5f3525d4fc16026bee51ec6a607ddd3dfaa8bb0cc5ac4d8099
Instruction Fuzzy Hash: 06B09B14F04594C7E2255791B44D7699610B74FBD1F249451C55D13755851455425702

Function 000002C0CF9911C0 Relevance: 1.3, APIs: 1, Instructions: 12
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32 ref: 000002C0CF9911DC

Memory Dump Source

Source File: 00000010.00000002.3522388941.000002C0CF990000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C0CF990000, based on PE: true

Associated: 00000010.00000002.3522388941.000002C0CF9D6000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2c0cf990000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a26db5a74adc6119d098d68705d28c1916c0da013186a83d7531f391c9707544
Instruction ID: af7aedca85ea2e4c6ab80c5591e6c6d4722e649881127169f592680be277a219
Opcode Fuzzy Hash: a26db5a74adc6119d098d68705d28c1916c0da013186a83d7531f391c9707544
Instruction Fuzzy Hash: 50D092B6B14680C7DB289F25E455A0A6B64F389744FA04119EA8D47B68CA3EC7568F04

Non-executed Functions

Function 0000000273F41740 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 115
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualQuery.KERNEL32 ref: 0000000273F4185B

Strings

Address %p has no image-section, xrefs: 0000000273F417B2, 0000000273F41905
Mingw-w64 runtime failure:, xrefs: 0000000273F41777
VirtualProtect failed with code 0x%x, xrefs: 0000000273F418CE
VirtualQuery failed for %d bytes at address %p, xrefs: 0000000273F418F1

Memory Dump Source

Source File: 00000010.00000002.3521962854.0000000273F41000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000273F40000, based on PE: true

Associated: 00000010.00000002.3521946624.0000000273F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.3521962854.0000000273F85000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_273f40000_rundll32.jbxd

Similarity

API ID: QueryVirtual
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 1804819252-1534286854
Opcode ID: 0cce06267e1579f90ae27719d32f235d794723324326edd454bf682594529e94
Instruction ID: 663189738c40874af7135dc25b0b982f4eec5aa8fa6ad61ed8319b582aa1f326
Opcode Fuzzy Hash: 0cce06267e1579f90ae27719d32f235d794723324326edd454bf682594529e94
Instruction Fuzzy Hash: CB41AF72F08F4482EB14DB51E8497DA77A0F789BE0F644220DA4D07BA5EB38C685E742

Function 000002C0CF9926B0 Relevance: 6.4, APIs: 5, Instructions: 132
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetLastError.KERNEL32 ref: 000002C0CF992707
SetLastError.KERNEL32 ref: 000002C0CF992746

Memory Dump Source

Source File: 00000010.00000002.3522388941.000002C0CF990000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C0CF990000, based on PE: true

Associated: 00000010.00000002.3522388941.000002C0CF9D6000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2c0cf990000_rundll32.jbxd

Yara matches

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 50d4aa64397910f34370dcdd3f25db7b3cd1b44d2d627c561aa8e3d7ca6c4d4e
Instruction ID: 1e91e9112e432eaf7b1e41f9f5f91464a16c52b9dc8ebd79983d0eaf110c0dee
Opcode Fuzzy Hash: 50d4aa64397910f34370dcdd3f25db7b3cd1b44d2d627c561aa8e3d7ca6c4d4e
Instruction Fuzzy Hash: 0D511E36618B44C7EB64CF1AE48472E77A0F7C8B94F11052AEA8E877A4DB7DC644CB05

Function 0000000273F41010 Relevance: 6.1, APIs: 4, Instructions: 107
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 0000000273F41055
_amsg_exit.MSVCRT ref: 0000000273F4107F

Memory Dump Source

Source File: 00000010.00000002.3521962854.0000000273F41000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000000273F40000, based on PE: true

Associated: 00000010.00000002.3521946624.0000000273F40000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.3521962854.0000000273F85000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_273f40000_rundll32.jbxd

Similarity

API ID: Sleep_amsg_exit
String ID:
API String ID: 1015461914-0
Opcode ID: 1aa7096d3279892f89bb6938d1e8f798873b932fab0900364294d29769eafb3e
Instruction ID: b36ed253b1f92ff08f278adfa0ead6049e2a2874eebc081211355efa6209b103
Opcode Fuzzy Hash: 1aa7096d3279892f89bb6938d1e8f798873b932fab0900364294d29769eafb3e
Instruction Fuzzy Hash: 08417C31E0CA4885F765DB1AEC497AA2395B784BE4F744025DE0C87FA1EE28CA40B343

Function 000002C0CF991C80 Relevance: 5.2, APIs: 4, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsBadReadPtr.KERNEL32 ref: 000002C0CF991D0E
SetLastError.KERNEL32 ref: 000002C0CF991D6A

Memory Dump Source

Source File: 00000010.00000002.3522388941.000002C0CF990000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002C0CF990000, based on PE: true

Associated: 00000010.00000002.3522388941.000002C0CF9D6000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2c0cf990000_rundll32.jbxd

Yara matches

Similarity

API ID: ErrorLastRead
String ID:
API String ID: 4100373531-0
Opcode ID: 5e3dd03f4e36ac629c9e35720315601d05ef0c3755c38ff15dc0a5ec62299b24
Instruction ID: 371d074c8419b86ea01d91347a663184eca4f71c6fb0dcff6967c2d587af26fa
Opcode Fuzzy Hash: 5e3dd03f4e36ac629c9e35720315601d05ef0c3755c38ff15dc0a5ec62299b24
Instruction Fuzzy Hash: 0E91A836219B88C6DB60CB4AE49475EB7B0F7C8B94F514116EA8E83B68DF7DC584CB00

Source: global traffic	TCP traffic: 192.168.2.4:49734 -> 82.115.223.39:8041
Source: global traffic	TCP traffic: 192.168.2.4:49754 -> 80.78.24.30:8041

Source: Joe Sandbox View	IP Address: 82.115.223.39 82.115.223.39
Source: Joe Sandbox View	IP Address: 80.78.24.30 80.78.24.30
Source: Joe Sandbox View	IP Address: 80.78.24.30 80.78.24.30

Source: Joe Sandbox View	ASN Name: MIDNET-ASTK-TelecomRU MIDNET-ASTK-TelecomRU
Source: Joe Sandbox View	ASN Name: CYBERDYNELR CYBERDYNELR

Source: global traffic	DNS traffic detected: DNS query: greshunka.com
Source: global traffic	DNS traffic detected: DNS query: tiguanin.com
Source: global traffic	DNS traffic detected: DNS query: bazarunet.com

Source: Amcache.hve.24.dr	String found in binary or memory: http://upx.sf.net
Source: rundll32.exe, 00000010.00000002.3522485761.000002C0CFB11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com/
Source: rundll32.exe, 00000010.00000002.3522485761.000002C0CFB11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com/=V
Source: rundll32.exe, 00000010.00000002.3522485761.000002C0CFB11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/
Source: rundll32.exe, 00000010.00000002.3522485761.000002C0CFB11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/)V
Source: rundll32.exe, 00000010.00000002.3522485761.000002C0CFB11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/-
Source: rundll32.exe, 00000010.00000002.3522485761.000002C0CFB11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/EV%
Source: rundll32.exe, 00000010.00000002.3522485761.000002C0CFB11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/IV)
Source: rundll32.exe, 00000010.00000003.2835381414.000002C0CFB49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2557004600.000002C0CFB49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2802742724.000002C0CFB49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.3083473122.000002C0CFB49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.3060518341.000002C0CFB49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2664944924.000002C0CFB49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2791767449.000002C0CFB49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.3093867812.000002C0CFB49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2741313698.000002C0CFB49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2567784185.000002C0CFB49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.3028538370.000002C0CFB49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.3522485761.000002C0CFB11000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2588014378.000002C0CFB49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.3522485761.000002C0CFB49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/admin.php
Source: rundll32.exe, 00000010.00000002.3522214794.000002C0CDEC8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.3522485761.000002C0CFB11000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.3522485761.000002C0CFB3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/bazar.php
Source: rundll32.exe, 00000010.00000002.3522214794.000002C0CDEC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/bazar.phpf
Source: rundll32.exe, 00000010.00000002.3522485761.000002C0CFB11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/dmin.php
Source: rundll32.exe, 00000010.00000002.3522485761.000002C0CFB11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bazarunet.com:8041/e
Source: rundll32.exe, 00000010.00000002.3522485761.000002C0CFB11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com/
Source: rundll32.exe, 00000010.00000002.3522485761.000002C0CFB11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/
Source: rundll32.exe, 00000010.00000002.3522485761.000002C0CFB11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/%
Source: rundll32.exe, 00000010.00000002.3522485761.000002C0CFB11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/5V
Source: rundll32.exe, 00000010.00000002.3522485761.000002C0CFB11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/MV-
Source: rundll32.exe, 00000010.00000002.3522485761.000002C0CFB11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/U
Source: rundll32.exe, 00000010.00000002.3522485761.000002C0CFB11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/admin.php
Source: rundll32.exe, 00000010.00000002.3522485761.000002C0CFB11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/admin.php=
Source: rundll32.exe, 00000010.00000002.3522485761.000002C0CFB11000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2128158286.000002C0CFB48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/bazar.php
Source: rundll32.exe, 00000010.00000002.3522485761.000002C0CFB11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/bazar.phpm
Source: rundll32.exe, 00000010.00000002.3522485761.000002C0CFB11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://greshunka.com:8041/bazar.phppf
Source: rundll32.exe, 00000010.00000002.3522485761.000002C0CFB11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com/
Source: rundll32.exe, 00000010.00000002.3522485761.000002C0CFB11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/
Source: rundll32.exe, 00000010.00000003.2171584349.000002C0CFB49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2171985521.000002C0CFB49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2160623774.000002C0CFB49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2183097480.000002C0CFB49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2194230464.000002C0CFB49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.3522485761.000002C0CFB3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/admin.php
Source: rundll32.exe, 00000010.00000003.2183097480.000002C0CFB49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2194230464.000002C0CFB49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/admin.php.
Source: rundll32.exe, 00000010.00000002.3522485761.000002C0CFB3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/admin.phpB
Source: rundll32.exe, 00000010.00000003.2390010044.000002C0CFB49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2400649688.000002C0CFB49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2515549993.000002C0CFB49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2431560715.000002C0CFB49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2492513786.000002C0CFB49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2504826097.000002C0CFB49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.3522485761.000002C0CFB11000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2545831482.000002C0CFB49000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.3522485761.000002C0CFB3C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2420826608.000002C0CFB49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/bazar.php
Source: rundll32.exe, 00000010.00000002.3522485761.000002C0CFB3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiguanin.com:8041/bazar.phpp

Source:	Binary string: kernel32.pdbUGP source: rundll32.exe, 00000010.00000003.1778372338.000002C0CFB11000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: kernelbase.pdbUGP source: rundll32.exe, 00000010.00000003.1767044867.000002C0CFC17000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb source: rundll32.exe, 00000010.00000003.1765060404.000002C0CFB1A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: kernel32.pdb source: rundll32.exe, 00000010.00000003.1778372338.000002C0CFB11000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: rundll32.exe, 00000010.00000003.1765060404.000002C0CFB1A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\w\328b3cc762394cc5\sw\physx\PhysXSDK\2.8.3\RELEASE\bin\win64\PhysXCooking64.pdb source: rundll32.exe, 0000000D.00000002.2171430395.000000018004E000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.2151082112.000000018004E000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.3521810110.000000018004E000.00000002.00000001.01000000.00000003.sdmp, PhysXCooking64.dll.dll
Source:	Binary string: kernelbase.pdb source: rundll32.exe, 00000010.00000003.1767044867.000002C0CFC17000.00000004.00000020.00020000.00000000.sdmp

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: Yara match	File source: 00000010.00000003.1767044867.000002C0CFC17000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7564, type: MEMORYSTR

Source: C:\Windows\System32\rundll32.exe	Code function: 16_3_000002C0CFA1DA6E NtProtectVirtualMemory,	16_3_000002C0CFA1DA6E
Source: C:\Windows\System32\rundll32.exe	Code function: 16_3_000002C0CFA1D98E NtAllocateVirtualMemory,	16_3_000002C0CFA1D98E
Source: C:\Windows\System32\rundll32.exe	Code function: 16_3_000002C0CFA1D9FE NtOpenFile,	16_3_000002C0CFA1D9FE
Source: C:\Windows\System32\rundll32.exe	Code function: 16_3_000002C0CFA1DACE NtReadFile,	16_3_000002C0CFA1DACE

Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_000000018003E804	13_2_000000018003E804
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_0000000180029010	13_2_0000000180029010
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_000000018004B820	13_2_000000018004B820
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_0000000180041044	13_2_0000000180041044
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_000000018003A050	13_2_000000018003A050
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_0000000180017880	13_2_0000000180017880
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_000000018004C084	13_2_000000018004C084
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_0000000180036160	13_2_0000000180036160
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_000000018004D178	13_2_000000018004D178
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_0000000180049280	13_2_0000000180049280
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_000000018002A290	13_2_000000018002A290
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_0000000180041BE4	13_2_0000000180041BE4
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_0000000180012C00	13_2_0000000180012C00
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_000000018000B460	13_2_000000018000B460
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_000000018004AC9C	13_2_000000018004AC9C
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_000000018001D4D0	13_2_000000018001D4D0
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_000000018002C4F0	13_2_000000018002C4F0
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_0000000180017540	13_2_0000000180017540
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_0000000180043548	13_2_0000000180043548
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_0000000180018550	13_2_0000000180018550
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_0000000180040580	13_2_0000000180040580
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_000000018000BDA0	13_2_000000018000BDA0
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_000000018000A600	13_2_000000018000A600
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_0000000180007E50	13_2_0000000180007E50
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_0000000180048684	13_2_0000000180048684
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_000000018003BEB0	13_2_000000018003BEB0
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_0000000180038EF0	13_2_0000000180038EF0
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_000000018002BF20	13_2_000000018002BF20
Source: C:\Windows\System32\rundll32.exe	Code function: 13_2_0000000180044774	13_2_0000000180044774
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000000018003E804	15_2_000000018003E804
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_0000000180029010	15_2_0000000180029010
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000000018004B820	15_2_000000018004B820
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_0000000180041044	15_2_0000000180041044
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000000018003A050	15_2_000000018003A050
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_0000000180017880	15_2_0000000180017880
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000000018004C084	15_2_000000018004C084
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_0000000180036160	15_2_0000000180036160
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000000018004D178	15_2_000000018004D178
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_0000000180049280	15_2_0000000180049280
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000000018002A290	15_2_000000018002A290
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_0000000180041BE4	15_2_0000000180041BE4
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_0000000180012C00	15_2_0000000180012C00
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000000018000B460	15_2_000000018000B460
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000000018004AC9C	15_2_000000018004AC9C
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000000018001D4D0	15_2_000000018001D4D0
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000000018002C4F0	15_2_000000018002C4F0
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_0000000180017540	15_2_0000000180017540
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_0000000180043548	15_2_0000000180043548
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_0000000180018550	15_2_0000000180018550
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_0000000180040580	15_2_0000000180040580
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000000018000BDA0	15_2_000000018000BDA0
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000000018000A600	15_2_000000018000A600
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_0000000180007E50	15_2_0000000180007E50
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_0000000180048684	15_2_0000000180048684
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000000018003BEB0	15_2_000000018003BEB0
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_0000000180038EF0	15_2_0000000180038EF0
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_000000018002BF20	15_2_000000018002BF20
Source: C:\Windows\System32\rundll32.exe	Code function: 15_2_0000000180044774	15_2_0000000180044774
Source: C:\Windows\System32\rundll32.exe	Code function: 16_2_000002C0CF9D31BE	16_2_000002C0CF9D31BE
Source: C:\Windows\System32\rundll32.exe	Code function: 16_2_000002C0CF9D29EE	16_2_000002C0CF9D29EE
Source: C:\Windows\System32\rundll32.exe	Code function: 16_2_0000000273F807BE	16_2_0000000273F807BE
Source: C:\Windows\System32\rundll32.exe	Code function: 16_2_0000000273F7FFEE	16_2_0000000273F7FFEE

Source: C:\Windows\System32\rundll32.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7540
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7260:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7556

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\PhysXCooking64.dll.dll,NxCloseCooking
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\PhysXCooking64.dll.dll,NxCookClothMesh
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\PhysXCooking64.dll.dll,NxCookConvexMesh
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",NxCloseCooking
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",NxCookClothMesh
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",NxCookConvexMesh
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",DetDeepDVCState
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",DetDeepDVCState
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",NxReportCooking
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",NxReleasePMap
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",DetDeepDVCState
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",NxInitCooking
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",GetDeepDVCState
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",DetDeepDVCState
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",NxCreatePMap
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",NxCookTriangleMesh
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",NxCookSoftBodyMesh
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7556 -s 332
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7540 -s 332
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\PhysXCooking64.dll.dll,NxCloseCooking	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\PhysXCooking64.dll.dll,NxCookClothMesh	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\PhysXCooking64.dll.dll,NxCookConvexMesh	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",NxCloseCooking	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",NxCookClothMesh	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",NxCookConvexMesh	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",DetDeepDVCState	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",DetDeepDVCState	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",NxReportCooking	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",NxReleasePMap	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",DetDeepDVCState	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",NxInitCooking	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",GetDeepDVCState	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",DetDeepDVCState	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",NxCreatePMap	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",NxCookTriangleMesh	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",NxCookSoftBodyMesh	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\PhysXCooking64.dll.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PhysXCooking64.dll.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_Phy_7ca7a2b16edcec4f9d89ef5e5b35598cfaa1d9f8_b8a7de85_6b37bfd3-0a7a-485b-b7f0-9c8ae12cdd88\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_Phy_c3a79390dd8838633e02848bed15afc3568f0e5_b8a7de85_fcac10d6-a9a7-48ed-b4a5-7f7b4faa505f\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERACF9.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAD28.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAF7B.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB018.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB095.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB0B5.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
PhysXCooking64.dll.dll

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre