Edit tour

Windows Analysis Report
appgpuset.dll.dll

Overview

General Information

Sample name:	appgpuset.dll.dll (renamed file extension from exe to dll)
Original sample name:	appgpuset.dll.exe
Analysis ID:	1576903
MD5:	4717c34252551071aa41c2881315a4b8
SHA1:	b239d502a5c200e63d13730219f7272a8d9e0fe7
SHA256:	ea2c9e620d779449a2d5176ace0c4993934e85be7a0207f3f51b4a432627ad2f
Tags:	exeuser-pr0xylife
Infos:

Detection

BruteRatel

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

System process connects to network (likely due to code injection or exploit)

Yara detected BruteRatel

AI detected suspicious sample

Allocates memory in foreign processes

Contains functionality to inject threads in other processes

Creates a thread in another existing process (thread injection)

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Modifies the context of a thread in another process (thread injection)

Sets debug register (to hijack the execution of another thread)

Sigma detected: RunDLL32 Spawning Explorer

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains an invalid checksum

PE file contains more sections than normal

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

loaddll64.exe (PID: 7484 cmdline: loaddll64.exe "C:\Users\user\Desktop\appgpuset.dll.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)

conhost.exe (PID: 7492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7536 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

rundll32.exe (PID: 7560 cmdline: rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)

WerFault.exe (PID: 7680 cmdline: C:\Windows\system32\WerFault.exe -u -p 7560 -s 500 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

rundll32.exe (PID: 7544 cmdline: rundll32.exe C:\Users\user\Desktop\appgpuset.dll.dll,DllMain MD5: EF3179D498793BF4234F708D3BE28633)

WerFault.exe (PID: 7660 cmdline: C:\Windows\system32\WerFault.exe -u -p 7544 -s 488 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

rundll32.exe (PID: 7756 cmdline: rundll32.exe C:\Users\user\Desktop\appgpuset.dll.dll,GfeXcodeFunc MD5: EF3179D498793BF4234F708D3BE28633)

explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

rundll32.exe (PID: 7848 cmdline: rundll32.exe C:\Users\user\Desktop\appgpuset.dll.dll,GfeXcodeFuncEx MD5: EF3179D498793BF4234F708D3BE28633)

WerFault.exe (PID: 7888 cmdline: C:\Windows\system32\WerFault.exe -u -p 7848 -s 492 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

rundll32.exe (PID: 7984 cmdline: rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",DllMain MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7992 cmdline: rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",GfeXcodeFunc MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 8012 cmdline: rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",GfeXcodeFuncEx MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 8036 cmdline: rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",NvOptimusEnablementCuda MD5: EF3179D498793BF4234F708D3BE28633)

WerFault.exe (PID: 4340 cmdline: C:\Windows\system32\WerFault.exe -u -p 8036 -s 488 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

rundll32.exe (PID: 8048 cmdline: rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",NVSDK_NGX_CUDA_Shutdown MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 8068 cmdline: rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",NVSDK_NGX_CUDA_ReleaseFeature MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 8076 cmdline: rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",NVSDK_NGX_CUDA_Init MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 8088 cmdline: rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",NVSDK_NGX_CUDA_GetScratchBufferSize MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 8104 cmdline: rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",NVSDK_NGX_CUDA_GetParameters MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 8116 cmdline: rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",NVSDK_NGX_CUDA_EvaluateFeature MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 8132 cmdline: rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",NVSDK_NGX_CUDA_CreateFeature MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 8144 cmdline: rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",GfeXcodeMontage MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 8160 cmdline: rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",GfeXcodeImageEx MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 8172 cmdline: rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",GfeXcodeImage MD5: EF3179D498793BF4234F708D3BE28633)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Brute Ratel C4, BruteRatel	Brute Ratel C4 (BRC4) is a commercial framework for red-teaming and adversarial attack simulation, which made its first appearance in December 2020. It was specifically designed to evade detection by endpoint detection and response (EDR) and antivirus (AV) capabilities. BRC4 allows operators to deploy a backdoor agent known as Badger (aka BOLDBADGER) within a target environment.This agent enables arbitrary command execution, facilitating lateral movement, privilege escalation, and the establishment of additional persistence avenues. The Badger backdoor agent can communicate with a remote server via DNS over HTTPS, HTTP, HTTPS, SMB, and TCP, using custom encrypted channels. It supports a variety of backdoor commands including shell command execution, file transfers, file execution, and credential harvesting. Additionally, the Badger agent can perform tasks such as port scanning, screenshot capturing, and keystroke logging. Notably, in September 2022, a cracked version of Brute Ratel C4 was leaked in the cybercriminal underground, leading to its use by threat actors.	No Attribution	https://0xdarkvortex.dev/hiding-in-plainsight/ https://0xdarkvortex.dev/proxying-dll-loads-for-hiding-etwti-stack-tracing/ https://andreafortuna.org/2023/02/23/how-to-detect-brute-ratel-activities https://blog.krakz.fr/articles/latrodectus/ https://blog.reveng.ai/latrodectus-distribution-via-brc4/	https://malpedia.caad.fkie.fraunhofer.de/details/win.brute_ratel_c4

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000F.00000003.2414624070.000001FE3A46B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BruteRatel_1	Yara detected BruteRatel	Joe Security
0000000F.00000002.2962539764.000001FE3A5AC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BruteRatel_1	Yara detected BruteRatel	Joe Security
0000000F.00000002.2962539764.000001FE3A53C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BruteRatel_1	Yara detected BruteRatel	Joe Security
0000000A.00000002.2962176181.000001E0D3354000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BruteRatel_1	Yara detected BruteRatel	Joe Security
0000000A.00000002.2962176181.000001E0D32AC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BruteRatel_1	Yara detected BruteRatel	Joe Security
0000000F.00000003.2414485576.000001FE3A46B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BruteRatel_1	Yara detected BruteRatel	Joe Security
0000000F.00000002.2962097879.000001FE3A43C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BruteRatel_1	Yara detected BruteRatel	Joe Security
0000000A.00000002.2962681517.000001E0D33F4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BruteRatel_1	Yara detected BruteRatel	Joe Security
Process Memory Space: rundll32.exe PID: 7756	JoeSecurity_BruteRatel_1	Yara detected BruteRatel	Joe Security
Process Memory Space: rundll32.exe PID: 7992	JoeSecurity_BruteRatel_1	Yara detected BruteRatel	Joe Security
Click to see the 5 entries

Sigma Signatures

System Summary

Sigma detected: RunDLL32 Spawning Explorer

Source: Process started

Author: elhoim, CD_ROM_: Data: Command: C:\Windows\Explorer.EXE, CommandLine: C:\Windows\Explorer.EXE, CommandLine|base64offset|contains: , Image: C:\Windows\explorer.exe, NewProcessName: C:\Windows\explorer.exe, OriginalFileName: C:\Windows\explorer.exe, ParentCommandLine: rundll32.exe C:\Users\user\Desktop\appgpuset.dll.dll,GfeXcodeFunc, ParentImage: C:\Windows\System32\rundll32.exe, ParentProcessId: 7756, ParentProcessName: rundll32.exe, ProcessCommandLine: C:\Windows\Explorer.EXE, ProcessId: 2580, ProcessName: explorer.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://dogirafer.com/test/	Avira URL Cloud: Label: malware
Source: https://dogirafer.com/test/t/	Avira URL Cloud: Label: malware

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 91.2% probability

Source: appgpuset.dll.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF

Source:	Binary string: C:\dvs\p4\build\sw\rel\gfclient\rel_03&3!ZxZQ9rbTQA!n8N>7T3de\GfeXCode\win7_amd64_release\GfeXCode64.pdb source: rundll32.exe, 00000003.00000002.2114037887.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2194504652.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.2963884666.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.2139679245.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1856381780.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.2963614847.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1843605015.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000011.00000002.2166764908.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000014.00000002.1852143994.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000019.00000002.1852021925.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001A.00000002.1852109573.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001B.00000002.1851992579.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmp, appgpuset.dll.dll
Source:	Binary string: de\GfeXCode\win7_amd64_release\GfeXCode64.pdb source: rundll32.exe, 00000003.00000002.2114037887.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2194504652.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.2963884666.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.2139679245.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1856381780.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.2963614847.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1843605015.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000011.00000002.2166764908.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000014.00000002.1852143994.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000019.00000002.1852021925.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001A.00000002.1852109573.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001B.00000002.1851992579.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmp, appgpuset.dll.dll

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_00007FFDFB4C56A0 FindFirstFileExW,

3_2_00007FFDFB4C56A0

Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bad_module_info_59ea469c9cde70e5cc5fc8dc983f2f16bebbf3_85207d7d_fa34a916-0ee7-420e-b892-7538d510bc46\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_app_368b75c013d478ef855eadbf85b69d15b5c85bc_a483008d_7ce35560-ca5a-4c7d-a743-57bb1d3c6542\	Jump to behavior

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\rundll32.exe	Network Connect: 94.232.46.11 8817			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Network Connect: 94.232.40.41 8817			Jump to behavior

Source: global traffic	TCP traffic: 192.168.2.4:49731 -> 94.232.40.41:8817
Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 94.232.46.11:8817

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: cronoze.com
Source: global traffic	DNS traffic detected: DNS query: muuxxu.com

Source: explorer.exe, 00000027.00000000.2184484783.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000000.2174927693.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2968437613.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000027.00000000.2184484783.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000000.2174927693.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2968437613.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000027.00000000.2184484783.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000000.2174927693.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2968437613.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000027.00000000.2184484783.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000000.2174927693.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2968437613.000000000982D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000027.00000002.2964787553.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000000.2174927693.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: rundll32.exe, 0000000A.00000002.2960126544.000001E0CF67F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2642128534.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.2960126544.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2165896288.000001E0CF6E0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.2960126544.000001E0CF620000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2165929680.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2087468711.000001E0CF6E2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2642128534.000001E0CF67F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2200930383.000001E0CF6E2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2642128534.000001E0CF6E0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.2960126544.000001E0CF6E0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.2960069200.000001FE36827000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2930304243.000001FE3685E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2414051332.000001FE36827000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2929221409.000001FE3A50B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.2962832147.000001FE3A70A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.2960069200.000001FE3685D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.2962474666.000001FE3A50B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2926653866.000001FE3A4FE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2413952720.000001FE3685A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2417966553.000001FE3685E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r11.i.lencr.org/0
Source: rundll32.exe, 0000000A.00000003.2642128534.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.2960126544.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2165929680.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r11.o.lencr.
Source: rundll32.exe, 0000000A.00000002.2960126544.000001E0CF67F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2642128534.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.2960126544.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2165896288.000001E0CF6E0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.2960126544.000001E0CF620000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2165929680.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2087468711.000001E0CF6E2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2642128534.000001E0CF67F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2200930383.000001E0CF6E2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2642128534.000001E0CF6E0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.2960126544.000001E0CF6E0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.2960069200.000001FE36827000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2930304243.000001FE3685E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2414051332.000001FE36827000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2929221409.000001FE3A50B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.2962832147.000001FE3A70A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.2960069200.000001FE3685D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.2962474666.000001FE3A50B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2926653866.000001FE3A4FE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2413952720.000001FE3685A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2417966553.000001FE3685E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r11.o.lencr.org0#
Source: explorer.exe, 00000027.00000000.2183852697.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000027.00000000.2183127751.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000027.00000000.2186384789.0000000009B60000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: Amcache.hve.8.dr	String found in binary or memory: http://upx.sf.net
Source: rundll32.exe, 0000000A.00000003.2642128534.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.2960126544.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2165896288.000001E0CF6E0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.2960126544.000001E0CF620000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2165929680.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2642128534.000001E0CF6E0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.2960126544.000001E0CF6E0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.2960069200.000001FE36827000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2930304243.000001FE3685E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2414051332.000001FE36827000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2929221409.000001FE3A50B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.2960069200.000001FE3685D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.2962474666.000001FE3A50B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2926653866.000001FE3A4FE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2413952720.000001FE3685A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.2960069200.000001FE36798000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2417966553.000001FE3685E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2418010016.000001FE36827000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: rundll32.exe, 0000000A.00000003.2642128534.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.2960126544.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2165896288.000001E0CF6E0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.2960126544.000001E0CF620000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2165929680.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2642128534.000001E0CF6E0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.2960126544.000001E0CF6E0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.2960069200.000001FE36827000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2930304243.000001FE3685E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2414051332.000001FE36827000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2929221409.000001FE3A50B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.2960069200.000001FE3685D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.2962474666.000001FE3A50B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2926653866.000001FE3A4FE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2413952720.000001FE3685A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.2960069200.000001FE36798000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2417966553.000001FE3685E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2418010016.000001FE36827000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: explorer.exe, 00000027.00000002.2972862768.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000000.2188497338.000000000C893000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000027.00000000.2174927693.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 00000027.00000000.2174927693.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirmr
Source: explorer.exe, 00000027.00000000.2188497338.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2972862768.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000027.00000000.2184484783.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2968437613.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000027.00000000.2184484783.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2968437613.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/q
Source: explorer.exe, 00000027.00000002.2960469238.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000000.2170153430.0000000001248000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000027.00000000.2171088884.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2958220102.0000000001240000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000027.00000002.2968437613.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000000.2184484783.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
Source: explorer.exe, 00000027.00000000.2174927693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000027.00000000.2184484783.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000000.2174927693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2968437613.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000027.00000002.2968437613.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000000.2184484783.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.comi
Source: explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 00000027.00000000.2174927693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
Source: explorer.exe, 00000027.00000000.2174927693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000027.00000000.2174927693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000027.00000002.2964787553.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000000.2174927693.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
Source: explorer.exe, 00000027.00000002.2964787553.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000000.2174927693.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
Source: explorer.exe, 00000027.00000000.2174927693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
Source: explorer.exe, 00000027.00000000.2174927693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 00000027.00000000.2174927693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
Source: explorer.exe, 00000027.00000000.2174927693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
Source: rundll32.exe, 0000000A.00000002.2960126544.000001E0CF67F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2642128534.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.2960126544.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2642128534.000001E0CF67F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2165929680.000001E0CF67D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.2960069200.000001FE36827000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cronoze.com/
Source: rundll32.exe, 0000000F.00000002.2960069200.000001FE36827000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cronoze.com/sp
Source: rundll32.exe, 0000000A.00000002.2960126544.000001E0CF67F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2642128534.000001E0CF67F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2165929680.000001E0CF67D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cronoze.com/~
Source: rundll32.exe, 0000000A.00000003.2642128534.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.2960126544.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.2960069200.000001FE36827000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cronoze.com:8817/
Source: rundll32.exe, 0000000A.00000003.2642128534.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.2960126544.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cronoze.com:8817/intel.php
Source: rundll32.exe, 0000000A.00000003.2642128534.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.2960126544.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cronoze.com:8817/intel.php%K
Source: rundll32.exe, 0000000A.00000003.2642128534.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cronoze.com:8817/intel.php8J
Source: rundll32.exe, 0000000A.00000003.2642128534.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.2960126544.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cronoze.com:8817/intel.phpLMEMP
Source: rundll32.exe, 0000000A.00000002.2960126544.000001E0CF620000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2642128534.000001E0CF67F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2165929680.000001E0CF67D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.2960069200.000001FE36827000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cronoze.com:8817/pentium.php
Source: rundll32.exe, 0000000A.00000002.2960126544.000001E0CF67F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2642128534.000001E0CF67F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2165929680.000001E0CF67D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cronoze.com:8817/pentium.php0
Source: rundll32.exe, 0000000F.00000002.2960069200.000001FE36827000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cronoze.com:8817/pentium.phpF
Source: rundll32.exe, 0000000F.00000002.2960069200.000001FE36827000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cronoze.com:8817/pentium.phpV
Source: rundll32.exe, 0000000A.00000002.2960126544.000001E0CF67F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2642128534.000001E0CF67F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2165929680.000001E0CF67D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cronoze.com:8817/pentium.phpf
Source: rundll32.exe, 0000000F.00000002.2960069200.000001FE36827000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cronoze.com:8817/pentium.phpn
Source: rundll32.exe, 0000000F.00000002.2960069200.000001FE36827000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cronoze.com:8817/pentium.phpor
Source: explorer.exe, 00000027.00000002.2968287949.00000000093BD000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/test/
Source: explorer.exe, 00000027.00000002.2968287949.00000000093BD000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://dogirafer.com/test/t/
Source: explorer.exe, 00000027.00000000.2188497338.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2972862768.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000027.00000000.2174927693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000027.00000000.2174927693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
Source: explorer.exe, 00000027.00000000.2174927693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
Source: explorer.exe, 00000027.00000000.2174927693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
Source: explorer.exe, 00000027.00000000.2174927693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
Source: explorer.exe, 00000027.00000000.2174927693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
Source: explorer.exe, 00000027.00000002.2964787553.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000000.2174927693.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
Source: rundll32.exe, 0000000A.00000003.2642128534.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.2960126544.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2165929680.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://muuxxu.com/
Source: rundll32.exe, 0000000F.00000003.2418010016.000001FE367FE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2414051332.000001FE367FC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.2960069200.000001FE367F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://muuxxu.com/J7
Source: rundll32.exe, 0000000A.00000003.2642128534.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.2960126544.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2165929680.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://muuxxu.com/_J
Source: rundll32.exe, 0000000A.00000003.2165929680.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://muuxxu.com/i6
Source: rundll32.exe, 0000000F.00000003.2418010016.000001FE367FE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2414051332.000001FE367FC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.2960069200.000001FE367F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://muuxxu.com/o
Source: rundll32.exe, 0000000A.00000003.2165929680.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://muuxxu.com/o6
Source: rundll32.exe, 0000000A.00000003.2165929680.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://muuxxu.com:8817/intel.php
Source: rundll32.exe, 0000000A.00000003.2642128534.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.2960126544.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2165929680.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://muuxxu.com:8817/intel.php1K
Source: rundll32.exe, 0000000A.00000003.2165929680.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://muuxxu.com:8817/intel.php=J
Source: rundll32.exe, 0000000A.00000003.2642128534.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.2960126544.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2165929680.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://muuxxu.com:8817/intel.phpSK
Source: rundll32.exe, 0000000F.00000003.2414051332.000001FE36827000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.2960069200.000001FE36798000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2418010016.000001FE367FE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2418010016.000001FE36827000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2414051332.000001FE367FC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.2960069200.000001FE367F4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2414235751.000001FE367DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://muuxxu.com:8817/pentium.php
Source: rundll32.exe, 0000000F.00000002.2960069200.000001FE36798000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2414235751.000001FE367DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://muuxxu.com:8817/pentium.php6
Source: rundll32.exe, 0000000F.00000003.2418010016.000001FE367FE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2414051332.000001FE367FC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.2960069200.000001FE367F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://muuxxu.com:8817/pentium.phpS
Source: rundll32.exe, 0000000F.00000003.2414051332.000001FE36827000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://muuxxu.com:8817/pentium.phpXr
Source: rundll32.exe, 0000000F.00000003.2414051332.000001FE36827000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2418010016.000001FE36827000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://muuxxu.com:8817/pentium.phplt
Source: rundll32.exe, 0000000F.00000003.2418010016.000001FE367FE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2414051332.000001FE367FC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.2960069200.000001FE367F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://muuxxu.com:8817/pentium.phpz:
Source: explorer.exe, 00000027.00000000.2188497338.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2972862768.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com_
Source: explorer.exe, 00000027.00000000.2188497338.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2972862768.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000027.00000000.2174927693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
Source: explorer.exe, 00000027.00000000.2174927693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000027.00000000.2174927693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000027.00000000.2188497338.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2972862768.000000000C557000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/L
Source: explorer.exe, 00000027.00000000.2188497338.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2972862768.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000027.00000000.2174927693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 00000027.00000000.2174927693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000027.00000000.2174927693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000000.2174927693.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000027.00000000.2174927693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 00000027.00000000.2174927693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 00000027.00000000.2174927693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 00000027.00000000.2174927693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000027.00000000.2174927693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000027.00000000.2174927693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000027.00000000.2174927693.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 00000027.00000000.2174927693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000027.00000000.2174927693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000027.00000000.2174927693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 00000027.00000000.2174927693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000027.00000000.2174927693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000027.00000000.2174927693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe

Source: C:\Windows\System32\rundll32.exe	Code function: 10_3_000001E0D2F2D270 NtAllocateVirtualMemory,		10_3_000001E0D2F2D270
Source: C:\Windows\System32\rundll32.exe	Code function: 10_3_000001E0D2F2D2E0 NtProtectVirtualMemory,		10_3_000001E0D2F2D2E0

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018004437C	0_2_000000018004437C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180037788	0_2_0000000180037788
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800147EC	0_2_00000001800147EC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018002600C	0_2_000000018002600C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018002A01C	0_2_000000018002A01C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180019020	0_2_0000000180019020
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180047834	0_2_0000000180047834
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180013078	0_2_0000000180013078
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018003D08C	0_2_000000018003D08C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180026890	0_2_0000000180026890
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800158A0	0_2_00000001800158A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800330A8	0_2_00000001800330A8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018003A904	0_2_000000018003A904
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018003D91C	0_2_000000018003D91C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001B924	0_2_000000018001B924
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001B138	0_2_000000018001B138
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018003713C	0_2_000000018003713C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800329B4	0_2_00000001800329B4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800279B8	0_2_00000001800279B8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180042A10	0_2_0000000180042A10
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180045A60	0_2_0000000180045A60
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180033278	0_2_0000000180033278
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001F28C	0_2_000000018001F28C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018003B294	0_2_000000018003B294
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001FA9C	0_2_000000018001FA9C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800462C4	0_2_00000001800462C4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018000A314	0_2_000000018000A314
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180013BA0	0_2_0000000180013BA0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800193F0	0_2_00000001800193F0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800423EC	0_2_00000001800423EC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018001A47C	0_2_000000018001A47C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018003B508	0_2_000000018003B508
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180012550	0_2_0000000180012550
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018003A554	0_2_000000018003A554
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180008D6C	0_2_0000000180008D6C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180029D90	0_2_0000000180029D90
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180032E14	0_2_0000000180032E14
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018004363C	0_2_000000018004363C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180048E5A	0_2_0000000180048E5A
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180036E70	0_2_0000000180036E70
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180015EA0	0_2_0000000180015EA0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800176E4	0_2_00000001800176E4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018003E704	0_2_000000018003E704
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180016744	0_2_0000000180016744
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018002FF50	0_2_000000018002FF50
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180024F60	0_2_0000000180024F60
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018000AF74	0_2_000000018000AF74
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800097A8	0_2_00000001800097A8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800197C0	0_2_00000001800197C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001E39FB49D40	0_2_000001E39FB49D40
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001E39FB53524	0_2_000001E39FB53524
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001E39FB6AD64	0_2_000001E39FB6AD64
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001E39FB7C4DC	0_2_000001E39FB7C4DC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001E39FB5B450	0_2_000001E39FB5B450
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001E39FB54B74	0_2_000001E39FB54B74
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001E39FB4B2E8	0_2_000001E39FB4B2E8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001E39FB7C268	0_2_000001E39FB7C268
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001E39FB839E4	0_2_000001E39FB839E4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001E39FB56874	0_2_000001E39FB56874
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001E39FB7407C	0_2_000001E39FB7407C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001E39FB7E060	0_2_000001E39FB7E060
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001E39FB5404C	0_2_000001E39FB5404C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001E39FB557C0	0_2_000001E39FB557C0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001E39FB5A794	0_2_000001E39FB5A794
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001E39FB6AFF0	0_2_000001E39FB6AFF0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001E39FB66FE0	0_2_000001E39FB66FE0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001E39FB4A77C	0_2_000001E39FB4A77C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001E39FB4BF48	0_2_000001E39FB4BF48
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001E39FB56E74	0_2_000001E39FB56E74
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001E39FB77E44	0_2_000001E39FB77E44
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4DA4C0	3_2_00007FFDFB4DA4C0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C18B0	3_2_00007FFDFB4C18B0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4D5890	3_2_00007FFDFB4D5890
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C7F10	3_2_00007FFDFB4C7F10
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB6F78A4	3_2_00007FFDFB6F78A4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4CE680	3_2_00007FFDFB4CE680
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C4F20	3_2_00007FFDFB4C4F20
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4CB010	3_2_00007FFDFB4CB010
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4D64E0	3_2_00007FFDFB4D64E0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C59E0	3_2_00007FFDFB4C59E0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C3C80	3_2_00007FFDFB4C3C80
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C38E0	3_2_00007FFDFB4C38E0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4CB780	3_2_00007FFDFB4CB780
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C3790	3_2_00007FFDFB4C3790
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4CDAB0	3_2_00007FFDFB4CDAB0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4CF860	3_2_00007FFDFB4CF860
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C3450	3_2_00007FFDFB4C3450
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C1AA0	3_2_00007FFDFB4C1AA0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C3450	3_2_00007FFDFB4C3450
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C3450	3_2_00007FFDFB4C3450
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C2210	3_2_00007FFDFB4C2210
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C3450	3_2_00007FFDFB4C3450
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C55E0	3_2_00007FFDFB4C55E0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C3830	3_2_00007FFDFB4C3830
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C5160	3_2_00007FFDFB4C5160
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C5160	3_2_00007FFDFB4C5160
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4CB090	3_2_00007FFDFB4CB090
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C88B0	3_2_00007FFDFB4C88B0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4D60E0	3_2_00007FFDFB4D60E0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4D60E0	3_2_00007FFDFB4D60E0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB5EC200	3_2_00007FFDFB5EC200
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4CC930	3_2_00007FFDFB4CC930
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C76B0	3_2_00007FFDFB4C76B0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C1710	3_2_00007FFDFB4C1710
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C57B0	3_2_00007FFDFB4C57B0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C8300	3_2_00007FFDFB4C8300
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C2920	3_2_00007FFDFB4C2920
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4CC7B0	3_2_00007FFDFB4CC7B0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C2920	3_2_00007FFDFB4C2920
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C42A0	3_2_00007FFDFB4C42A0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB5D38E0	3_2_00007FFDFB5D38E0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C2920	3_2_00007FFDFB4C2920
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C8300	3_2_00007FFDFB4C8300
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C42A0	3_2_00007FFDFB4C42A0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C2920	3_2_00007FFDFB4C2920
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C42A0	3_2_00007FFDFB4C42A0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C8CC0	3_2_00007FFDFB4C8CC0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C2920	3_2_00007FFDFB4C2920
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C2920	3_2_00007FFDFB4C2920
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C8CC0	3_2_00007FFDFB4C8CC0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C2920	3_2_00007FFDFB4C2920
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C42A0	3_2_00007FFDFB4C42A0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C2920	3_2_00007FFDFB4C2920
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C8300	3_2_00007FFDFB4C8300
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C2920	3_2_00007FFDFB4C2920
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C2920	3_2_00007FFDFB4C2920
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4DAA30	3_2_00007FFDFB4DAA30
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4DA8A0	3_2_00007FFDFB4DA8A0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C2920	3_2_00007FFDFB4C2920
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C2920	3_2_00007FFDFB4C2920
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4CAF90	3_2_00007FFDFB4CAF90
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C2920	3_2_00007FFDFB4C2920
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB5E2E50	3_2_00007FFDFB5E2E50
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4DA3C0	3_2_00007FFDFB4DA3C0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C4BE0	3_2_00007FFDFB4C4BE0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4DA360	3_2_00007FFDFB4DA360
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C2920	3_2_00007FFDFB4C2920
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C2920	3_2_00007FFDFB4C2920
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4DA250	3_2_00007FFDFB4DA250
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4DA0A0	3_2_00007FFDFB4DA0A0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB5D20B0	3_2_00007FFDFB5D20B0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4DA100	3_2_00007FFDFB4DA100
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C2920	3_2_00007FFDFB4C2920
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4DA6E0	3_2_00007FFDFB4DA6E0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C2920	3_2_00007FFDFB4C2920
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C2920	3_2_00007FFDFB4C2920
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C3870	3_2_00007FFDFB4C3870
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4CEB00	3_2_00007FFDFB4CEB00
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4CFAC0	3_2_00007FFDFB4CFAC0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C3790	3_2_00007FFDFB4C3790
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C3870	3_2_00007FFDFB4C3870
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C4BE0	3_2_00007FFDFB4C4BE0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C3870	3_2_00007FFDFB4C3870
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4D45D0	3_2_00007FFDFB4D45D0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB5E1410	3_2_00007FFDFB5E1410
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C7780	3_2_00007FFDFB4C7780
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB6E91F8	3_2_00007FFDFB6E91F8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C1D70	3_2_00007FFDFB4C1D70
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4CD4C0	3_2_00007FFDFB4CD4C0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4CCA50	3_2_00007FFDFB4CCA50
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4D18D0	3_2_00007FFDFB4D18D0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C55B0	3_2_00007FFDFB4C55B0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C40B0	3_2_00007FFDFB4C40B0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C3050	3_2_00007FFDFB4C3050
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C1D60	3_2_00007FFDFB4C1D60
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4C7020	3_2_00007FFDFB4C7020
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4CE590	3_2_00007FFDFB4CE590
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB5F03E0	3_2_00007FFDFB5F03E0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4CF5C0	3_2_00007FFDFB4CF5C0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4CE680	3_2_00007FFDFB4CE680
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB608150	3_2_00007FFDFB608150
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4D54B0	3_2_00007FFDFB4D54B0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4CD0C0	3_2_00007FFDFB4CD0C0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4D3970	3_2_00007FFDFB4D3970
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018004437C	3_2_000000018004437C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180037788	3_2_0000000180037788
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800147EC	3_2_00000001800147EC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180008D6C	3_2_0000000180008D6C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180048E5A	3_2_0000000180048E5A
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180024F60	3_2_0000000180024F60
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180019020	3_2_0000000180019020
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018003D08C	3_2_000000018003D08C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800193F0	3_2_00000001800193F0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800097A8	3_2_00000001800097A8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800197C0	3_2_00000001800197C0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800158A0	3_2_00000001800158A0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018003D91C	3_2_000000018003D91C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180045A60	3_2_0000000180045A60
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180029D90	3_2_0000000180029D90
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180015EA0	3_2_0000000180015EA0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018002600C	3_2_000000018002600C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018002A01C	3_2_000000018002A01C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800462C4	3_2_00000001800462C4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000A314	3_2_000000018000A314
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800423EC	3_2_00000001800423EC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001A47C	3_2_000000018001A47C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180012550	3_2_0000000180012550
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018003A554	3_2_000000018003A554
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018003E704	3_2_000000018003E704
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180016744	3_2_0000000180016744
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180026890	3_2_0000000180026890
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018003A904	3_2_000000018003A904
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800329B4	3_2_00000001800329B4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180042A10	3_2_0000000180042A10
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180032E14	3_2_0000000180032E14
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180036E70	3_2_0000000180036E70
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018000AF74	3_2_000000018000AF74
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180013078	3_2_0000000180013078
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800330A8	3_2_00000001800330A8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001B138	3_2_000000018001B138
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018003713C	3_2_000000018003713C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180033278	3_2_0000000180033278
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001F28C	3_2_000000018001F28C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018003B294	3_2_000000018003B294
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018003B508	3_2_000000018003B508
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018004363C	3_2_000000018004363C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800176E4	3_2_00000001800176E4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180047834	3_2_0000000180047834
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001B924	3_2_000000018001B924
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00000001800279B8	3_2_00000001800279B8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018001FA9C	3_2_000000018001FA9C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180013BA0	3_2_0000000180013BA0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018002FF50	3_2_000000018002FF50
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000002B38D0D39E4	3_2_000002B38D0D39E4
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000002B38D0A3524	3_2_000002B38D0A3524
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000002B38D0AB450	3_2_000002B38D0AB450
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000002B38D09B2E8	3_2_000002B38D09B2E8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000002B38D0BAD64	3_2_000002B38D0BAD64
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000002B38D0B6FE0	3_2_000002B38D0B6FE0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000002B38D0BAFF0	3_2_000002B38D0BAFF0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000002B38D0A6E74	3_2_000002B38D0A6E74
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000002B38D0A4B74	3_2_000002B38D0A4B74
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000002B38D0CC4DC	3_2_000002B38D0CC4DC
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000002B38D0C407C	3_2_000002B38D0C407C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000002B38D0CC268	3_2_000002B38D0CC268
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000002B38D0C7E44	3_2_000002B38D0C7E44
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000002B38D0A404C	3_2_000002B38D0A404C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000002B38D09BF48	3_2_000002B38D09BF48
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000002B38D0A57C0	3_2_000002B38D0A57C0
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000002B38D0A6874	3_2_000002B38D0A6874
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000002B38D09A77C	3_2_000002B38D09A77C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000002B38D0AA794	3_2_000002B38D0AA794
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000002B38D0CE060	3_2_000002B38D0CE060
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000002B38D099D40	3_2_000002B38D099D40
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018004437C	4_2_000000018004437C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180037788	4_2_0000000180037788
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800147EC	4_2_00000001800147EC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018002600C	4_2_000000018002600C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018002A01C	4_2_000000018002A01C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180019020	4_2_0000000180019020
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180047834	4_2_0000000180047834
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180013078	4_2_0000000180013078
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018003D08C	4_2_000000018003D08C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180026890	4_2_0000000180026890
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800158A0	4_2_00000001800158A0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800330A8	4_2_00000001800330A8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018003A904	4_2_000000018003A904
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018003D91C	4_2_000000018003D91C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001B924	4_2_000000018001B924
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001B138	4_2_000000018001B138
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018003713C	4_2_000000018003713C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800329B4	4_2_00000001800329B4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800279B8	4_2_00000001800279B8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180042A10	4_2_0000000180042A10
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180045A60	4_2_0000000180045A60
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180033278	4_2_0000000180033278
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001F28C	4_2_000000018001F28C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018003B294	4_2_000000018003B294
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001FA9C	4_2_000000018001FA9C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800462C4	4_2_00000001800462C4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000A314	4_2_000000018000A314
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180013BA0	4_2_0000000180013BA0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800193F0	4_2_00000001800193F0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800423EC	4_2_00000001800423EC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018001A47C	4_2_000000018001A47C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018003B508	4_2_000000018003B508
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180012550	4_2_0000000180012550
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018003A554	4_2_000000018003A554
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180008D6C	4_2_0000000180008D6C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180029D90	4_2_0000000180029D90
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180032E14	4_2_0000000180032E14
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018004363C	4_2_000000018004363C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180048E5A	4_2_0000000180048E5A
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180036E70	4_2_0000000180036E70
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180015EA0	4_2_0000000180015EA0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800176E4	4_2_00000001800176E4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018003E704	4_2_000000018003E704
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180016744	4_2_0000000180016744
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018002FF50	4_2_000000018002FF50
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180024F60	4_2_0000000180024F60
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000AF74	4_2_000000018000AF74
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800097A8	4_2_00000001800097A8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800197C0	4_2_00000001800197C0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000002AC659CB2E8	4_2_000002AC659CB2E8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000002AC659FC268	4_2_000002AC659FC268
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000002AC65A039E4	4_2_000002AC65A039E4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000002AC659FC4DC	4_2_000002AC659FC4DC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000002AC659D3524	4_2_000002AC659D3524
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000002AC659DB450	4_2_000002AC659DB450
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000002AC659D4B74	4_2_000002AC659D4B74
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000002AC659F7E44	4_2_000002AC659F7E44
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000002AC659D6E74	4_2_000002AC659D6E74
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000002AC659C9D40	4_2_000002AC659C9D40
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000002AC659EAD64	4_2_000002AC659EAD64
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000002AC659FE060	4_2_000002AC659FE060
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000002AC659D404C	4_2_000002AC659D404C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000002AC659F407C	4_2_000002AC659F407C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000002AC659D6874	4_2_000002AC659D6874
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000002AC659D57C0	4_2_000002AC659D57C0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000002AC659E6FE0	4_2_000002AC659E6FE0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000002AC659EAFF0	4_2_000002AC659EAFF0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000002AC659CBF48	4_2_000002AC659CBF48
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000002AC659CA77C	4_2_000002AC659CA77C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000002AC659DA794	4_2_000002AC659DA794
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_000000018004437C	10_2_000000018004437C
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_0000000180037788	10_2_0000000180037788
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_00000001800147EC	10_2_00000001800147EC
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_000000018002600C	10_2_000000018002600C
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_000000018002A01C	10_2_000000018002A01C
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_0000000180019020	10_2_0000000180019020
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_0000000180047834	10_2_0000000180047834
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_0000000180013078	10_2_0000000180013078
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_000000018003D08C	10_2_000000018003D08C
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_0000000180026890	10_2_0000000180026890
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_00000001800158A0	10_2_00000001800158A0
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_00000001800330A8	10_2_00000001800330A8
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_000000018003A904	10_2_000000018003A904
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_000000018003D91C	10_2_000000018003D91C
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_000000018001B924	10_2_000000018001B924
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_000000018001B138	10_2_000000018001B138
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_000000018003713C	10_2_000000018003713C
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_00000001800329B4	10_2_00000001800329B4
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_00000001800279B8	10_2_00000001800279B8
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_0000000180042A10	10_2_0000000180042A10
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_0000000180045A60	10_2_0000000180045A60
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_0000000180033278	10_2_0000000180033278
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_000000018001F28C	10_2_000000018001F28C
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_000000018003B294	10_2_000000018003B294
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_000000018001FA9C	10_2_000000018001FA9C
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_00000001800462C4	10_2_00000001800462C4
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_000000018000A314	10_2_000000018000A314
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_0000000180013BA0	10_2_0000000180013BA0
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_00000001800193F0	10_2_00000001800193F0
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_00000001800423EC	10_2_00000001800423EC
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_000000018001A47C	10_2_000000018001A47C
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_000000018003B508	10_2_000000018003B508
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_0000000180012550	10_2_0000000180012550
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_000000018003A554	10_2_000000018003A554
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_0000000180008D6C	10_2_0000000180008D6C
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_0000000180029D90	10_2_0000000180029D90
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_0000000180032E14	10_2_0000000180032E14
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_000000018004363C	10_2_000000018004363C
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_0000000180048E5A	10_2_0000000180048E5A
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_0000000180036E70	10_2_0000000180036E70
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_0000000180015EA0	10_2_0000000180015EA0
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_00000001800176E4	10_2_00000001800176E4
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_000000018003E704	10_2_000000018003E704
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_0000000180016744	10_2_0000000180016744
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_000000018002FF50	10_2_000000018002FF50
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_0000000180024F60	10_2_0000000180024F60
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_000000018000AF74	10_2_000000018000AF74
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_00000001800097A8	10_2_00000001800097A8
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_00000001800197C0	10_2_00000001800197C0
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_000001E0D10BBF48	10_2_000001E0D10BBF48
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_000001E0D10BA77C	10_2_000001E0D10BA77C
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_000001E0D10CA794	10_2_000001E0D10CA794
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_000001E0D10C57C0	10_2_000001E0D10C57C0
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_000001E0D10E7E44	10_2_000001E0D10E7E44
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_000001E0D10C6E74	10_2_000001E0D10C6E74
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_000001E0D10D6FE0	10_2_000001E0D10D6FE0
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_000001E0D10DAFF0	10_2_000001E0D10DAFF0
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_000001E0D10C404C	10_2_000001E0D10C404C
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_000001E0D10EE060	10_2_000001E0D10EE060
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_000001E0D10E407C	10_2_000001E0D10E407C
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_000001E0D10C6874	10_2_000001E0D10C6874
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_000001E0D10BB2E8	10_2_000001E0D10BB2E8
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_000001E0D10C4B74	10_2_000001E0D10C4B74
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_000001E0D10F39E4	10_2_000001E0D10F39E4
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_000001E0D10EC268	10_2_000001E0D10EC268
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_000001E0D10C3524	10_2_000001E0D10C3524
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_000001E0D10B9D40	10_2_000001E0D10B9D40
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_000001E0D10DAD64	10_2_000001E0D10DAD64
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_000001E0D10CB450	10_2_000001E0D10CB450
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_000001E0D10EC4DC	10_2_000001E0D10EC4DC

Source: C:\Windows\System32\rundll32.exe	Code function: String function: 0000000180007B54 appears 51 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 000000018002CC54 appears 117 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 00007FFDFB4EA4B0 appears 324 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 00000001800389F4 appears 48 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 00007FFDFB7F0390 appears 72 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 00007FFDFB4EBAB0 appears 196 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 00007FFDFB4D0370 appears 32 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 0000000180007B1C appears 114 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 00000001800020F0 appears 42 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 00007FFDFB4ECF20 appears 62 times
Source: C:\Windows\System32\loaddll64.exe	Code function: String function: 0000000180007B1C appears 38 times
Source: C:\Windows\System32\loaddll64.exe	Code function: String function: 000000018002CC54 appears 39 times

Source: C:\Windows\System32\rundll32.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7544 -s 488

Source: appgpuset.dll.dll

Static PE information: Number of sections : 12 > 10

Source: appgpuset.dll.dll

Binary or memory string: OriginalFilenameGfeXCode.dll` vs appgpuset.dll.dll

Source: classification engine

Classification label: mal100.troj.evad.winDLL@44/18@4/2

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_00007FFDFB4D1180 FreeLibrary,FreeLibrary,GetModuleFileNameW,GetLastError,FormatMessageW,

3_2_00007FFDFB4D1180

Source: C:\Windows\System32\rundll32.exe

Code function: 10_3_00007DF415050000 CreateToolhelp32Snapshot,Process32First,CloseHandle,Process32Next,

10_3_00007DF415050000

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_00007FFDFB4C6B90 CoCreateInstance,CoTaskMemFree,

3_2_00007FFDFB4C6B90

Source: C:\Windows\System32\rundll32.exe

File created: C:\Users\user\NTUSER.DAT.Not

Jump to behavior

Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7560
Source: C:\Windows\System32\rundll32.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8036
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7492:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7848
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7544

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\ed004bc9-21a2-41b6-92e3-b98eff3b2da3

Jump to behavior

Source: appgpuset.dll.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\appgpuset.dll.dll,DllMain

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\appgpuset.dll.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\appgpuset.dll.dll,DllMain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",#1
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7544 -s 488
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7560 -s 500
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\appgpuset.dll.dll,GfeXcodeFunc
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\appgpuset.dll.dll,GfeXcodeFuncEx
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7848 -s 492
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",DllMain
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",GfeXcodeFunc
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",GfeXcodeFuncEx
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",NvOptimusEnablementCuda
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",NVSDK_NGX_CUDA_Shutdown
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",NVSDK_NGX_CUDA_ReleaseFeature
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",NVSDK_NGX_CUDA_Init
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",NVSDK_NGX_CUDA_GetScratchBufferSize
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",NVSDK_NGX_CUDA_GetParameters
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",NVSDK_NGX_CUDA_EvaluateFeature
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",NVSDK_NGX_CUDA_CreateFeature
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",GfeXcodeMontage
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",GfeXcodeImageEx
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",GfeXcodeImage
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 8036 -s 488
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\appgpuset.dll.dll,DllMain	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\appgpuset.dll.dll,GfeXcodeFunc	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\appgpuset.dll.dll,GfeXcodeFuncEx	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",DllMain	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",GfeXcodeFunc	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",GfeXcodeFuncEx	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",NvOptimusEnablementCuda	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",NVSDK_NGX_CUDA_Shutdown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",NVSDK_NGX_CUDA_ReleaseFeature	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",NVSDK_NGX_CUDA_Init	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",NVSDK_NGX_CUDA_GetScratchBufferSize	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",NVSDK_NGX_CUDA_GetParameters	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",NVSDK_NGX_CUDA_EvaluateFeature	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",NVSDK_NGX_CUDA_CreateFeature	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",GfeXcodeMontage	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",GfeXcodeImageEx	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",GfeXcodeImage	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: netapi32.dll
Source: C:\Windows\explorer.exe	Section loaded: dsrole.dll

Source: C:\Windows\System32\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: appgpuset.dll.dll

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: appgpuset.dll.dll

Static PE information: Image base 0x180000000 > 0x60000000

Source: appgpuset.dll.dll

Static file information: File size 3954176 > 1048576

Source: appgpuset.dll.dll

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x251200

Source: appgpuset.dll.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: appgpuset.dll.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: appgpuset.dll.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: appgpuset.dll.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: appgpuset.dll.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: appgpuset.dll.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: appgpuset.dll.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF

Source: appgpuset.dll.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\dvs\p4\build\sw\rel\gfclient\rel_03&3!ZxZQ9rbTQA!n8N>7T3de\GfeXCode\win7_amd64_release\GfeXCode64.pdb source: rundll32.exe, 00000003.00000002.2114037887.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2194504652.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.2963884666.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.2139679245.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1856381780.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.2963614847.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1843605015.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000011.00000002.2166764908.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000014.00000002.1852143994.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000019.00000002.1852021925.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001A.00000002.1852109573.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001B.00000002.1851992579.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmp, appgpuset.dll.dll
Source:	Binary string: de\GfeXCode\win7_amd64_release\GfeXCode64.pdb source: rundll32.exe, 00000003.00000002.2114037887.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2194504652.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.2963884666.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000B.00000002.2139679245.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1856381780.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.2963614847.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000010.00000002.1843605015.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000011.00000002.2166764908.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000014.00000002.1852143994.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000019.00000002.1852021925.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001A.00000002.1852109573.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001B.00000002.1851992579.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmp, appgpuset.dll.dll

Source: appgpuset.dll.dll

Static PE information: real checksum: 0x32b556 should be: 0x3d53c2

Source: appgpuset.dll.dll	Static PE information: section name: .giats
Source: appgpuset.dll.dll	Static PE information: section name: minATL
Source: appgpuset.dll.dll	Static PE information: section name: .00cfg

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018002CF10 push rsp; iretd	0_2_000000018002CF11
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001E39FB58D98 push ebp; iretd	0_2_000001E39FB58D9C
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000000018002CF10 push rsp; iretd	3_2_000000018002CF11
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000002B38D0A8D98 push ebp; iretd	3_2_000002B38D0A8D9C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018002CF10 push rsp; iretd	4_2_000000018002CF11
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000002AC659D8D98 push ebp; iretd	4_2_000002AC659D8D9C
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_000000018002CF10 push rsp; iretd	10_2_000000018002CF11
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_000001E0D10C8D98 push ebp; iretd	10_2_000001E0D10C8D9C

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_00000001800329B4 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00000001800329B4

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 389
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 3647
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 5436
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 886
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 868

Source: C:\Windows\System32\loaddll64.exe	API coverage: 7.9 %
Source: C:\Windows\System32\rundll32.exe	API coverage: 1.3 %
Source: C:\Windows\System32\rundll32.exe	API coverage: 8.2 %
Source: C:\Windows\System32\rundll32.exe	API coverage: 6.5 %

Source: C:\Windows\System32\loaddll64.exe TID: 7488	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 8072	Thread sleep count: 389 > 30
Source: C:\Windows\explorer.exe TID: 8072	Thread sleep time: -38900s >= -30000s
Source: C:\Windows\explorer.exe TID: 8016	Thread sleep count: 3647 > 30
Source: C:\Windows\explorer.exe TID: 8016	Thread sleep time: -3647000s >= -30000s
Source: C:\Windows\explorer.exe TID: 8016	Thread sleep count: 5436 > 30
Source: C:\Windows\explorer.exe TID: 8016	Thread sleep time: -5436000s >= -30000s

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_00007FFDFB4C56A0 FindFirstFileExW,

3_2_00007FFDFB4C56A0

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_00007FFDFB4CD230 GetSystemInfo,

3_2_00007FFDFB4CD230

Source: C:\Windows\System32\loaddll64.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bad_module_info_59ea469c9cde70e5cc5fc8dc983f2f16bebbf3_85207d7d_fa34a916-0ee7-420e-b892-7538d510bc46\	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_app_368b75c013d478ef855eadbf85b69d15b5c85bc_a483008d_7ce35560-ca5a-4c7d-a743-57bb1d3c6542\	Jump to behavior

Source: explorer.exe, 00000027.00000002.2969688985.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: VMware
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual USB Mouse
Source: explorer.exe, 00000027.00000002.2958220102.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 00000027.00000002.2964787553.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.8.dr	Binary or memory string: VMware, Inc.
Source: rundll32.exe, 0000000F.00000002.2960069200.000001FE36798000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.8.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.8.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: rundll32.exe, 0000000A.00000002.2960126544.000001E0CF67F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.2960126544.000001E0CF620000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2642128534.000001E0CF67F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2165929680.000001E0CF67D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2418010016.000001FE367FE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2414051332.000001FE367FC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.2960069200.000001FE367F4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000027.00000000.2184484783.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000000.2184484783.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2968437613.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2968437613.000000000982D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.8.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: explorer.exe, 00000027.00000002.2969688985.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.8.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: explorer.exe, 00000027.00000000.2184484783.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000027.00000000.2184484783.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: Amcache.hve.8.dr	Binary or memory string: vmci.sys
Source: explorer.exe, 00000027.00000002.2969688985.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.8.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: explorer.exe, 00000027.00000002.2969688985.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000027.00000000.2174927693.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTTAVMWare
Source: Amcache.hve.8.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: explorer.exe, 00000027.00000000.2184484783.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: rundll32.exe, 0000000F.00000003.2418010016.000001FE367FE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2414051332.000001FE367FC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.2960069200.000001FE367F4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW5%
Source: Amcache.hve.8.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.8.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.8.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.8.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: explorer.exe, 00000027.00000000.2174927693.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007A34000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBnx
Source: explorer.exe, 00000027.00000002.2958220102.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000027.00000000.2184484783.0000000009660000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 00000027.00000002.2958220102.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.8.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\System32\loaddll64.exe	API call chain: ExitProcess graph end node	graph_0-50800
Source: C:\Windows\System32\loaddll64.exe	API call chain: ExitProcess graph end node	graph_0-50947
Source: C:\Windows\System32\rundll32.exe	API call chain: ExitProcess graph end node	graph_3-103332
Source: C:\Windows\System32\rundll32.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System32\rundll32.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System32\rundll32.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_0000000180035B54 IsDebuggerPresent,

0_2_0000000180035B54

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_000000018003EEEC EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_000000018003EEEC

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_0000000180047394 _lseeki64_nolock,_lseeki64_nolock,GetProcessHeap,HeapAlloc,_errno,_errno,_setmode_nolock,_write_nolock,__doserrno,_errno,_setmode_nolock,GetProcessHeap,HeapFree,_lseeki64_nolock,_get_osfhandle,SetEndOfFile,_errno,__doserrno,GetLastError,_lseeki64_nolock,

0_2_0000000180047394

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180032DD8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0000000180032DD8
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFDFB4CF120 __scrt_fastfail,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00007FFDFB4CF120
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_0000000180032DD8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_0000000180032DD8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180032DD8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_0000000180032DD8
Source: C:\Windows\System32\rundll32.exe	Code function: 10_2_0000000180032DD8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_0000000180032DD8

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\rundll32.exe	Network Connect: 94.232.46.11 8817			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Network Connect: 94.232.40.41 8817			Jump to behavior

Allocates memory in foreign processes

Source: C:\Windows\System32\rundll32.exe	Memory allocated: C:\Windows\explorer.exe base: 13A0000 protect: page execute and read and write			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory allocated: C:\Windows\explorer.exe base: 1360000 protect: page execute and read and write			Jump to behavior

Contains functionality to inject threads in other processes

Source: C:\Windows\System32\rundll32.exe

Code function: 10_3_00007DF415050100 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,

10_3_00007DF415050100

Creates a thread in another existing process (thread injection)

Source: C:\Windows\System32\rundll32.exe	Thread created: C:\Windows\explorer.exe EIP: 13A0000			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread created: C:\Windows\explorer.exe EIP: 1360000			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\explorer.exe base: 13A0000 value starts with: 4D5A			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\explorer.exe base: 1360000 value starts with: 4D5A			Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\System32\rundll32.exe	Memory written: PID: 2580 base: 13A0000 value: 4D			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory written: PID: 2580 base: 1360000 value: 4D			Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: 7560	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: 7560	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: 7560	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: 7560	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: 7560	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: 7848	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: 7848	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: 7848	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: 7848	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread register set: target process: 7848	Jump to behavior

Sets debug register (to hijack the execution of another thread)

Source: C:\Windows\System32\rundll32.exe

Thread register set: 7560 1

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\explorer.exe base: 13A0000			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\explorer.exe base: 1360000			Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",#1

Jump to behavior

Source: explorer.exe, 00000027.00000002.2968437613.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000000.2170674410.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000027.00000000.2174570277.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000027.00000000.2170674410.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000027.00000002.2959374393.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000027.00000000.2170153430.0000000001248000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2958220102.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman$
Source: explorer.exe, 00000027.00000000.2170674410.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000027.00000002.2959374393.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000027.00000000.2170674410.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000027.00000002.2959374393.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Windows\System32\loaddll64.exe	Code function: GetLocaleInfoEx,__crtDownlevelLocaleNameToLCID,GetLocaleInfoW,	0_2_00000001800354AC
Source: C:\Windows\System32\loaddll64.exe	Code function: __crtGetLocaleInfoEx,__crtGetLocaleInfoEx,GetACP,	0_2_0000000180042858
Source: C:\Windows\System32\loaddll64.exe	Code function: ___lc_locale_name_func,__crtGetLocaleInfoEx,	0_2_00000001800298D8
Source: C:\Windows\System32\loaddll64.exe	Code function: _calloc_crt,_malloc_crt,free,_malloc_crt,free,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_mon,free,free,free,free,	0_2_00000001800400E0
Source: C:\Windows\System32\loaddll64.exe	Code function: _getptd,_getptd,LcidFromHexString,GetLocaleInfoW,TestDefaultLanguage,	0_2_0000000180043100
Source: C:\Windows\System32\loaddll64.exe	Code function: __crtGetLocaleInfoEx,	0_2_000000018004290C
Source: C:\Windows\System32\loaddll64.exe	Code function: __crtGetLocaleInfoEx,malloc,__crtGetLocaleInfoEx,WideCharToMultiByte,free,	0_2_00000001800419E8
Source: C:\Windows\System32\loaddll64.exe	Code function: _getptd,TranslateName,GetLocaleNameFromLangCountry,GetLocaleNameFromLanguage,TranslateName,GetLocaleNameFromLangCountry,ProcessCodePage,IsValidCodePage,__crtGetLocaleInfoEx,__crtGetLocaleInfoEx,__crtGetLocaleInfoEx,_itow_s,GetLocaleNameFromLanguage,__crtGetUserDefaultLocaleName,_invoke_watson,_invoke_watson,_getptd,_getptd,LcidFromHexString,GetLocaleInfoW,	0_2_0000000180042A10
Source: C:\Windows\System32\loaddll64.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_000000018004324C
Source: C:\Windows\System32\loaddll64.exe	Code function: _getptd,GetLocaleInfoW,	0_2_00000001800432FC
Source: C:\Windows\System32\loaddll64.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	0_2_0000000180041B54
Source: C:\Windows\System32\loaddll64.exe	Code function: __getlocaleinfo,_malloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,GetCPInfo,__crtLCMapStringA,__crtLCMapStringA,__crtGetStringTypeA,free,free,free,free,free,free,free,free,free,	0_2_000000018002E394
Source: C:\Windows\System32\loaddll64.exe	Code function: _getptd,_getptd,TranslateName,GetLcidFromLangCountry,GetLcidFromLanguage,TranslateName,GetLcidFromLangCountry,GetLcidFromLanguage,_getptd,EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,__crtDownlevelLCIDToLocaleName,__crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,_itow_s,	0_2_00000001800433A4
Source: C:\Windows\System32\loaddll64.exe	Code function: EnumSystemLocalesW,	0_2_00000001800353EC
Source: C:\Windows\System32\loaddll64.exe	Code function: _getptd,__crtGetLocaleInfoEx,__crtGetLocaleInfoEx,TestDefaultCountry,__crtGetLocaleInfoEx,TestDefaultCountry,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_getptd,__crtGetLocaleInfoEx,_invoke_watson,	0_2_00000001800423EC
Source: C:\Windows\System32\loaddll64.exe	Code function: __crtGetLocaleInfoA,GetLastError,__crtGetLocaleInfoA,_calloc_crt,__crtGetLocaleInfoA,_calloc_crt,free,free,__crtGetLocaleInfoEx,_calloc_crt,__crtGetLocaleInfoEx,free,__crtGetLocaleInfoEx,_invoke_watson,	0_2_00000001800384A0
Source: C:\Windows\System32\loaddll64.exe	Code function: _getptd,__lc_wcstolc,__get_qualified_locale_downlevel,__get_qualified_locale,__lc_lctowcs,__crtGetLocaleInfoEx,GetACP,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,	0_2_000000018003B508
Source: C:\Windows\System32\loaddll64.exe	Code function: _getptd,EnumSystemLocalesW,	0_2_0000000180042D88
Source: C:\Windows\System32\loaddll64.exe	Code function: __getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,	0_2_0000000180040DB0
Source: C:\Windows\System32\loaddll64.exe	Code function: _getptd,EnumSystemLocalesW,	0_2_0000000180042E3C
Source: C:\Windows\System32\loaddll64.exe	Code function: _calloc_crt,_malloc_crt,free,_malloc_crt,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_num,free,free,free,	0_2_000000018004064C
Source: C:\Windows\System32\loaddll64.exe	Code function: _getptd,_getptd,LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,TestDefaultLanguage,	0_2_0000000180042ED0
Source: C:\Windows\System32\loaddll64.exe	Code function: _getptd,__lc_wcstolc,__get_qualified_locale_downlevel,__get_qualified_locale,__lc_lctowcs,__crtGetLocaleInfoEx,	0_2_000001E39FB7C4DC
Source: C:\Windows\System32\loaddll64.exe	Code function: _getptd,TranslateName,GetLocaleNameFromLangCountry,GetLocaleNameFromLanguage,TranslateName,GetLocaleNameFromLangCountry,ProcessCodePage,__crtGetLocaleInfoEx,__crtGetLocaleInfoEx,wcschr,wcschr,__crtGetLocaleInfoEx,_itow_s,GetLocaleNameFromLanguage,__crtGetUserDefaultLocaleName,_getptd,_getptd,LcidFromHexString,	0_2_000001E39FB839E4
Source: C:\Windows\System32\loaddll64.exe	Code function: ___lc_locale_name_func,__crtGetLocaleInfoEx,	0_2_000001E39FB6A8AC
Source: C:\Windows\System32\loaddll64.exe	Code function: __crtGetLocaleInfoEx,__crtGetLocaleInfoEx,	0_2_000001E39FB8382C
Source: C:\Windows\System32\rundll32.exe	Code function: try_get_function,try_get_function,GetLocaleInfoW,	3_2_00007FFDFB4CC4B0
Source: C:\Windows\System32\rundll32.exe	Code function: try_get_function,try_get_function,GetLocaleInfoW,	3_2_00007FFDFB4CC4B0
Source: C:\Windows\System32\rundll32.exe	Code function: __crtGetLocaleInfoEx,GetLocaleInfoW,	3_2_00007FFDFB4CACC0
Source: C:\Windows\System32\rundll32.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	3_2_00007FFDFB4C3260
Source: C:\Windows\System32\rundll32.exe	Code function: EnumSystemLocalesW,	3_2_00007FFDFB6F09A8
Source: C:\Windows\System32\rundll32.exe	Code function: EnumSystemLocalesW,	3_2_00007FFDFB6F08A8
Source: C:\Windows\System32\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_00007FFDFB6F0F30
Source: C:\Windows\System32\rundll32.exe	Code function: GetLocaleInfoEx,__crtDownlevelLocaleNameToLCID,GetLocaleInfoW,	3_2_00000001800354AC
Source: C:\Windows\System32\rundll32.exe	Code function: _calloc_crt,_malloc_crt,free,_malloc_crt,free,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_mon,free,free,free,free,	3_2_00000001800400E0
Source: C:\Windows\System32\rundll32.exe	Code function: __crtGetLocaleInfoA,GetLastError,__crtGetLocaleInfoA,_calloc_crt,__crtGetLocaleInfoA,_calloc_crt,free,free,__crtGetLocaleInfoEx,_calloc_crt,__crtGetLocaleInfoEx,free,__crtGetLocaleInfoEx,_invoke_watson,	3_2_00000001800384A0
Source: C:\Windows\System32\rundll32.exe	Code function: _calloc_crt,_malloc_crt,free,_malloc_crt,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_num,free,free,free,	3_2_000000018004064C
Source: C:\Windows\System32\rundll32.exe	Code function: __getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,	3_2_0000000180040DB0
Source: C:\Windows\System32\rundll32.exe	Code function: EnumSystemLocalesW,	3_2_00000001800353EC
Source: C:\Windows\System32\rundll32.exe	Code function: ___lc_locale_name_func,__crtGetLocaleInfoEx,	3_2_00000001800298D8
Source: C:\Windows\System32\rundll32.exe	Code function: __crtGetLocaleInfoEx,malloc,__crtGetLocaleInfoEx,WideCharToMultiByte,free,	3_2_00000001800419E8
Source: C:\Windows\System32\rundll32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	3_2_0000000180041B54
Source: C:\Windows\System32\rundll32.exe	Code function: __getlocaleinfo,_malloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,GetCPInfo,__crtLCMapStringA,__crtLCMapStringA,__crtGetStringTypeA,free,free,free,free,free,free,free,free,free,	3_2_000000018002E394
Source: C:\Windows\System32\rundll32.exe	Code function: _getptd,__crtGetLocaleInfoEx,__crtGetLocaleInfoEx,TestDefaultCountry,__crtGetLocaleInfoEx,TestDefaultCountry,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_getptd,__crtGetLocaleInfoEx,_invoke_watson,	3_2_00000001800423EC
Source: C:\Windows\System32\rundll32.exe	Code function: __crtGetLocaleInfoEx,__crtGetLocaleInfoEx,GetACP,	3_2_0000000180042858
Source: C:\Windows\System32\rundll32.exe	Code function: __crtGetLocaleInfoEx,	3_2_000000018004290C
Source: C:\Windows\System32\rundll32.exe	Code function: _getptd,TranslateName,GetLocaleNameFromLangCountry,GetLocaleNameFromLanguage,TranslateName,GetLocaleNameFromLangCountry,ProcessCodePage,IsValidCodePage,__crtGetLocaleInfoEx,__crtGetLocaleInfoEx,__crtGetLocaleInfoEx,_itow_s,GetLocaleNameFromLanguage,__crtGetUserDefaultLocaleName,_invoke_watson,_invoke_watson,_getptd,_getptd,LcidFromHexString,GetLocaleInfoW,	3_2_0000000180042A10
Source: C:\Windows\System32\rundll32.exe	Code function: _getptd,EnumSystemLocalesW,	3_2_0000000180042D88
Source: C:\Windows\System32\rundll32.exe	Code function: _getptd,EnumSystemLocalesW,	3_2_0000000180042E3C
Source: C:\Windows\System32\rundll32.exe	Code function: _getptd,_getptd,LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,TestDefaultLanguage,	3_2_0000000180042ED0
Source: C:\Windows\System32\rundll32.exe	Code function: _getptd,_getptd,LcidFromHexString,GetLocaleInfoW,TestDefaultLanguage,	3_2_0000000180043100
Source: C:\Windows\System32\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_000000018004324C
Source: C:\Windows\System32\rundll32.exe	Code function: _getptd,GetLocaleInfoW,	3_2_00000001800432FC
Source: C:\Windows\System32\rundll32.exe	Code function: _getptd,_getptd,TranslateName,GetLcidFromLangCountry,GetLcidFromLanguage,TranslateName,GetLcidFromLangCountry,GetLcidFromLanguage,_getptd,EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,__crtDownlevelLCIDToLocaleName,__crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,_itow_s,	3_2_00000001800433A4
Source: C:\Windows\System32\rundll32.exe	Code function: _getptd,__lc_wcstolc,__get_qualified_locale_downlevel,__get_qualified_locale,__lc_lctowcs,__crtGetLocaleInfoEx,GetACP,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,	3_2_000000018003B508
Source: C:\Windows\System32\rundll32.exe	Code function: _getptd,TranslateName,GetLocaleNameFromLangCountry,GetLocaleNameFromLanguage,TranslateName,GetLocaleNameFromLangCountry,ProcessCodePage,__crtGetLocaleInfoEx,__crtGetLocaleInfoEx,wcschr,wcschr,__crtGetLocaleInfoEx,_itow_s,GetLocaleNameFromLanguage,__crtGetUserDefaultLocaleName,_getptd,_getptd,LcidFromHexString,	3_2_000002B38D0D39E4
Source: C:\Windows\System32\rundll32.exe	Code function: __crtGetLocaleInfoEx,__crtGetLocaleInfoEx,	3_2_000002B38D0D382C
Source: C:\Windows\System32\rundll32.exe	Code function: _getptd,__lc_wcstolc,__get_qualified_locale_downlevel,__get_qualified_locale,__lc_lctowcs,__crtGetLocaleInfoEx,	3_2_000002B38D0CC4DC
Source: C:\Windows\System32\rundll32.exe	Code function: ___lc_locale_name_func,__crtGetLocaleInfoEx,	3_2_000002B38D0BA8AC
Source: C:\Windows\System32\rundll32.exe	Code function: GetLocaleInfoEx,__crtDownlevelLocaleNameToLCID,GetLocaleInfoW,	4_2_00000001800354AC
Source: C:\Windows\System32\rundll32.exe	Code function: __crtGetLocaleInfoEx,__crtGetLocaleInfoEx,GetACP,	4_2_0000000180042858
Source: C:\Windows\System32\rundll32.exe	Code function: ___lc_locale_name_func,__crtGetLocaleInfoEx,	4_2_00000001800298D8
Source: C:\Windows\System32\rundll32.exe	Code function: _calloc_crt,_malloc_crt,free,_malloc_crt,free,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_mon,free,free,free,free,	4_2_00000001800400E0
Source: C:\Windows\System32\rundll32.exe	Code function: _getptd,_getptd,LcidFromHexString,GetLocaleInfoW,TestDefaultLanguage,	4_2_0000000180043100
Source: C:\Windows\System32\rundll32.exe	Code function: __crtGetLocaleInfoEx,	4_2_000000018004290C
Source: C:\Windows\System32\rundll32.exe	Code function: __crtGetLocaleInfoEx,malloc,__crtGetLocaleInfoEx,WideCharToMultiByte,free,	4_2_00000001800419E8
Source: C:\Windows\System32\rundll32.exe	Code function: _getptd,TranslateName,GetLocaleNameFromLangCountry,GetLocaleNameFromLanguage,TranslateName,GetLocaleNameFromLangCountry,ProcessCodePage,IsValidCodePage,__crtGetLocaleInfoEx,__crtGetLocaleInfoEx,__crtGetLocaleInfoEx,_itow_s,GetLocaleNameFromLanguage,__crtGetUserDefaultLocaleName,_invoke_watson,_invoke_watson,_getptd,_getptd,LcidFromHexString,GetLocaleInfoW,	4_2_0000000180042A10
Source: C:\Windows\System32\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	4_2_000000018004324C
Source: C:\Windows\System32\rundll32.exe	Code function: _getptd,GetLocaleInfoW,	4_2_00000001800432FC
Source: C:\Windows\System32\rundll32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	4_2_0000000180041B54
Source: C:\Windows\System32\rundll32.exe	Code function: __getlocaleinfo,_malloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,GetCPInfo,__crtLCMapStringA,__crtLCMapStringA,__crtGetStringTypeA,free,free,free,free,free,free,free,free,free,	4_2_000000018002E394
Source: C:\Windows\System32\rundll32.exe	Code function: _getptd,_getptd,TranslateName,GetLcidFromLangCountry,GetLcidFromLanguage,TranslateName,GetLcidFromLangCountry,GetLcidFromLanguage,_getptd,EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,__crtDownlevelLCIDToLocaleName,__crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,_itow_s,	4_2_00000001800433A4
Source: C:\Windows\System32\rundll32.exe	Code function: EnumSystemLocalesW,	4_2_00000001800353EC
Source: C:\Windows\System32\rundll32.exe	Code function: _getptd,__crtGetLocaleInfoEx,__crtGetLocaleInfoEx,TestDefaultCountry,__crtGetLocaleInfoEx,TestDefaultCountry,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_getptd,__crtGetLocaleInfoEx,_invoke_watson,	4_2_00000001800423EC
Source: C:\Windows\System32\rundll32.exe	Code function: __crtGetLocaleInfoA,GetLastError,__crtGetLocaleInfoA,_calloc_crt,__crtGetLocaleInfoA,_calloc_crt,free,free,__crtGetLocaleInfoEx,_calloc_crt,__crtGetLocaleInfoEx,free,__crtGetLocaleInfoEx,_invoke_watson,	4_2_00000001800384A0
Source: C:\Windows\System32\rundll32.exe	Code function: _getptd,__lc_wcstolc,__get_qualified_locale_downlevel,__get_qualified_locale,__lc_lctowcs,__crtGetLocaleInfoEx,GetACP,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,	4_2_000000018003B508
Source: C:\Windows\System32\rundll32.exe	Code function: _getptd,EnumSystemLocalesW,	4_2_0000000180042D88
Source: C:\Windows\System32\rundll32.exe	Code function: __getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,	4_2_0000000180040DB0
Source: C:\Windows\System32\rundll32.exe	Code function: _getptd,EnumSystemLocalesW,	4_2_0000000180042E3C
Source: C:\Windows\System32\rundll32.exe	Code function: _calloc_crt,_malloc_crt,free,_malloc_crt,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_num,free,free,free,	4_2_000000018004064C
Source: C:\Windows\System32\rundll32.exe	Code function: _getptd,_getptd,LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,TestDefaultLanguage,	4_2_0000000180042ED0
Source: C:\Windows\System32\rundll32.exe	Code function: _getptd,TranslateName,GetLocaleNameFromLangCountry,GetLocaleNameFromLanguage,TranslateName,GetLocaleNameFromLangCountry,ProcessCodePage,__crtGetLocaleInfoEx,__crtGetLocaleInfoEx,wcschr,wcschr,__crtGetLocaleInfoEx,_itow_s,GetLocaleNameFromLanguage,__crtGetUserDefaultLocaleName,_getptd,_getptd,LcidFromHexString,	4_2_000002AC65A039E4
Source: C:\Windows\System32\rundll32.exe	Code function: _getptd,__lc_wcstolc,__get_qualified_locale_downlevel,__get_qualified_locale,__lc_lctowcs,__crtGetLocaleInfoEx,	4_2_000002AC659FC4DC
Source: C:\Windows\System32\rundll32.exe	Code function: ___lc_locale_name_func,__crtGetLocaleInfoEx,	4_2_000002AC659EA8AC
Source: C:\Windows\System32\rundll32.exe	Code function: __crtGetLocaleInfoEx,__crtGetLocaleInfoEx,	4_2_000002AC65A0382C
Source: C:\Windows\System32\rundll32.exe	Code function: GetLocaleInfoEx,__crtDownlevelLocaleNameToLCID,GetLocaleInfoW,	10_2_00000001800354AC
Source: C:\Windows\System32\rundll32.exe	Code function: __crtGetLocaleInfoEx,__crtGetLocaleInfoEx,GetACP,	10_2_0000000180042858
Source: C:\Windows\System32\rundll32.exe	Code function: ___lc_locale_name_func,__crtGetLocaleInfoEx,	10_2_00000001800298D8
Source: C:\Windows\System32\rundll32.exe	Code function: _calloc_crt,_malloc_crt,free,_malloc_crt,free,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_mon,free,free,free,free,	10_2_00000001800400E0
Source: C:\Windows\System32\rundll32.exe	Code function: _getptd,_getptd,LcidFromHexString,GetLocaleInfoW,TestDefaultLanguage,	10_2_0000000180043100
Source: C:\Windows\System32\rundll32.exe	Code function: __crtGetLocaleInfoEx,	10_2_000000018004290C
Source: C:\Windows\System32\rundll32.exe	Code function: __crtGetLocaleInfoEx,malloc,__crtGetLocaleInfoEx,WideCharToMultiByte,free,	10_2_00000001800419E8
Source: C:\Windows\System32\rundll32.exe	Code function: _getptd,TranslateName,GetLocaleNameFromLangCountry,GetLocaleNameFromLanguage,TranslateName,GetLocaleNameFromLangCountry,ProcessCodePage,IsValidCodePage,__crtGetLocaleInfoEx,__crtGetLocaleInfoEx,__crtGetLocaleInfoEx,_itow_s,GetLocaleNameFromLanguage,__crtGetUserDefaultLocaleName,_invoke_watson,_invoke_watson,_getptd,_getptd,LcidFromHexString,GetLocaleInfoW,	10_2_0000000180042A10
Source: C:\Windows\System32\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	10_2_000000018004324C
Source: C:\Windows\System32\rundll32.exe	Code function: _getptd,GetLocaleInfoW,	10_2_00000001800432FC
Source: C:\Windows\System32\rundll32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	10_2_0000000180041B54
Source: C:\Windows\System32\rundll32.exe	Code function: __getlocaleinfo,_malloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,GetCPInfo,__crtLCMapStringA,__crtLCMapStringA,__crtGetStringTypeA,free,free,free,free,free,free,free,free,free,	10_2_000000018002E394
Source: C:\Windows\System32\rundll32.exe	Code function: _getptd,_getptd,TranslateName,GetLcidFromLangCountry,GetLcidFromLanguage,TranslateName,GetLcidFromLangCountry,GetLcidFromLanguage,_getptd,EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,__crtDownlevelLCIDToLocaleName,__crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,_itow_s,	10_2_00000001800433A4
Source: C:\Windows\System32\rundll32.exe	Code function: EnumSystemLocalesW,	10_2_00000001800353EC
Source: C:\Windows\System32\rundll32.exe	Code function: _getptd,__crtGetLocaleInfoEx,__crtGetLocaleInfoEx,TestDefaultCountry,__crtGetLocaleInfoEx,TestDefaultCountry,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_getptd,__crtGetLocaleInfoEx,_invoke_watson,	10_2_00000001800423EC
Source: C:\Windows\System32\rundll32.exe	Code function: __crtGetLocaleInfoA,GetLastError,__crtGetLocaleInfoA,_calloc_crt,__crtGetLocaleInfoA,_calloc_crt,free,free,__crtGetLocaleInfoEx,_calloc_crt,__crtGetLocaleInfoEx,free,__crtGetLocaleInfoEx,_invoke_watson,	10_2_00000001800384A0
Source: C:\Windows\System32\rundll32.exe	Code function: _getptd,__lc_wcstolc,__get_qualified_locale_downlevel,__get_qualified_locale,__lc_lctowcs,__crtGetLocaleInfoEx,GetACP,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,	10_2_000000018003B508
Source: C:\Windows\System32\rundll32.exe	Code function: _getptd,EnumSystemLocalesW,	10_2_0000000180042D88
Source: C:\Windows\System32\rundll32.exe	Code function: __getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,	10_2_0000000180040DB0
Source: C:\Windows\System32\rundll32.exe	Code function: _getptd,EnumSystemLocalesW,	10_2_0000000180042E3C
Source: C:\Windows\System32\rundll32.exe	Code function: _calloc_crt,_malloc_crt,free,_malloc_crt,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_num,free,free,free,	10_2_000000018004064C
Source: C:\Windows\System32\rundll32.exe	Code function: _getptd,_getptd,LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,TestDefaultLanguage,	10_2_0000000180042ED0
Source: C:\Windows\System32\rundll32.exe	Code function: __crtGetLocaleInfoEx,__crtGetLocaleInfoEx,	10_2_000001E0D10F382C
Source: C:\Windows\System32\rundll32.exe	Code function: ___lc_locale_name_func,__crtGetLocaleInfoEx,	10_2_000001E0D10DA8AC
Source: C:\Windows\System32\rundll32.exe	Code function: _getptd,TranslateName,GetLocaleNameFromLangCountry,GetLocaleNameFromLanguage,TranslateName,GetLocaleNameFromLangCountry,ProcessCodePage,__crtGetLocaleInfoEx,__crtGetLocaleInfoEx,wcschr,wcschr,__crtGetLocaleInfoEx,_itow_s,GetLocaleNameFromLanguage,__crtGetUserDefaultLocaleName,_getptd,_getptd,LcidFromHexString,	10_2_000001E0D10F39E4
Source: C:\Windows\System32\rundll32.exe	Code function: _getptd,__lc_wcstolc,__get_qualified_locale_downlevel,__get_qualified_locale,__lc_lctowcs,__crtGetLocaleInfoEx,	10_2_000001E0D10EC4DC

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_0000000180039844 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_0000000180039844

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_000000018003E704 _lock,_get_daylight,_get_daylight,_get_daylight,___lc_codepage_func,free,_malloc_crt,_invoke_watson,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,

0_2_000000018003E704

Source: Amcache.hve.8.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected BruteRatel

Source: Yara match	File source: 0000000F.00000003.2414624070.000001FE3A46B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2962539764.000001FE3A5AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2962539764.000001FE3A53C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2962176181.000001E0D3354000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2962176181.000001E0D32AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.2414485576.000001FE3A46B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2962097879.000001FE3A43C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2962681517.000001E0D33F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7756, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7992, type: MEMORYSTR

Remote Access Functionality

Yara detected BruteRatel

Source: Yara match	File source: 0000000F.00000003.2414624070.000001FE3A46B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2962539764.000001FE3A5AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2962539764.000001FE3A53C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2962176181.000001E0D3354000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2962176181.000001E0D32AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.2414485576.000001FE3A46B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2962097879.000001FE3A43C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2962681517.000001E0D33F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7756, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7992, type: MEMORYSTR

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_00007FFDFB4C34A0 Concurrency::details::WorkItem::BindTo,

3_2_00007FFDFB4C34A0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	912 Process Injection	1 Masquerading	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	21 Virtualization/Sandbox Evasion	LSASS Memory	51 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	912 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Rundll32	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
https://muuxxu.com/i6	0%	Avira URL Cloud	safe
https://cronoze.com:8817/intel.php8J	0%	Avira URL Cloud	safe
https://cronoze.com/	0%	Avira URL Cloud	safe
https://cronoze.com:8817/pentium.phpF	0%	Avira URL Cloud	safe
https://muuxxu.com:8817/pentium.php	0%	Avira URL Cloud	safe
https://cronoze.com:8817/intel.phpLMEMP	0%	Avira URL Cloud	safe
https://cronoze.com:8817/pentium.php	0%	Avira URL Cloud	safe
https://muuxxu.com:8817/pentium.phpXr	0%	Avira URL Cloud	safe
https://dogirafer.com/test/	100%	Avira URL Cloud	malware
https://muuxxu.com:8817/pentium.phplt	0%	Avira URL Cloud	safe
https://muuxxu.com:8817/pentium.phpS	0%	Avira URL Cloud	safe
https://cronoze.com:8817/pentium.phpn	0%	Avira URL Cloud	safe
https://cronoze.com/sp	0%	Avira URL Cloud	safe
https://cronoze.com:8817/	0%	Avira URL Cloud	safe
https://muuxxu.com:8817/intel.php=J	0%	Avira URL Cloud	safe
https://cronoze.com:8817/pentium.phpV	0%	Avira URL Cloud	safe
https://muuxxu.com/_J	0%	Avira URL Cloud	safe
https://cronoze.com/~	0%	Avira URL Cloud	safe
https://cronoze.com:8817/intel.php%K	0%	Avira URL Cloud	safe
http://r11.o.lencr.org0#	0%	Avira URL Cloud	safe
https://muuxxu.com:8817/pentium.phpz:	0%	Avira URL Cloud	safe
https://muuxxu.com:8817/intel.php	0%	Avira URL Cloud	safe
https://muuxxu.com/J7	0%	Avira URL Cloud	safe
https://muuxxu.com/o6	0%	Avira URL Cloud	safe
https://cronoze.com:8817/pentium.phpor	0%	Avira URL Cloud	safe
https://cronoze.com:8817/intel.php	0%	Avira URL Cloud	safe
https://muuxxu.com/o	0%	Avira URL Cloud	safe
http://r11.o.lencr.	0%	Avira URL Cloud	safe
https://muuxxu.com/	0%	Avira URL Cloud	safe
https://muuxxu.com:8817/intel.php1K	0%	Avira URL Cloud	safe
https://muuxxu.com:8817/pentium.php6	0%	Avira URL Cloud	safe
https://dogirafer.com/test/t/	100%	Avira URL Cloud	malware
https://muuxxu.com:8817/intel.phpSK	0%	Avira URL Cloud	safe
https://cronoze.com:8817/pentium.php0	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cronoze.com	94.232.40.41	true	false		high
muuxxu.com	94.232.46.11	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://aka.ms/odirmr	explorer.exe, 00000027.00000000.2174927693.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 00000027.00000000.2174927693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://muuxxu.com:8817/pentium.php	rundll32.exe, 0000000F.00000003.2414051332.000001FE36827000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.2960069200.000001FE36798000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2418010016.000001FE367FE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2418010016.000001FE36827000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2414051332.000001FE367FC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.2960069200.000001FE367F4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2414235751.000001FE367DD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl	explorer.exe, 00000027.00000000.2174927693.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		high
https://powerpoint.office.comcember	explorer.exe, 00000027.00000000.2188497338.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2972862768.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false		high
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000027.00000000.2184484783.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000000.2174927693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2968437613.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://muuxxu.com/i6	rundll32.exe, 0000000A.00000003.2165929680.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-	explorer.exe, 00000027.00000000.2174927693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cronoze.com:8817/pentium.php	rundll32.exe, 0000000A.00000002.2960126544.000001E0CF620000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2642128534.000001E0CF67F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2165929680.000001E0CF67D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.2960069200.000001FE36827000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://excel.office.com	explorer.exe, 00000027.00000000.2188497338.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2972862768.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.micro	explorer.exe, 00000027.00000000.2183852697.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000027.00000000.2183127751.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000027.00000000.2186384789.0000000009B60000.00000002.00000001.00040000.00000000.sdmp	false		high
https://muuxxu.com:8817/pentium.phpXr	rundll32.exe, 0000000F.00000003.2414051332.000001FE36827000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we	explorer.exe, 00000027.00000000.2174927693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/	explorer.exe, 00000027.00000000.2174927693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cronoze.com:8817/pentium.phpF	rundll32.exe, 0000000F.00000002.2960069200.000001FE36827000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cronoze.com:8817/intel.php8J	rundll32.exe, 0000000A.00000003.2642128534.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://muuxxu.com:8817/intel.php=J	rundll32.exe, 0000000A.00000003.2165929680.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cronoze.com:8817/intel.phpLMEMP	rundll32.exe, 0000000A.00000003.2642128534.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.2960126544.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY	explorer.exe, 00000027.00000000.2174927693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dogirafer.com/test/	explorer.exe, 00000027.00000002.2968287949.00000000093BD000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000027.00000000.2174927693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cronoze.com/	rundll32.exe, 0000000A.00000002.2960126544.000001E0CF67F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2642128534.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.2960126544.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2642128534.000001E0CF67F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2165929680.000001E0CF67D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.2960069200.000001FE36827000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://muuxxu.com:8817/intel.php	rundll32.exe, 0000000A.00000003.2165929680.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	rundll32.exe, 0000000A.00000003.2642128534.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.2960126544.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2165896288.000001E0CF6E0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.2960126544.000001E0CF620000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2165929680.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2642128534.000001E0CF6E0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.2960126544.000001E0CF6E0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.2960069200.000001FE36827000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2930304243.000001FE3685E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2414051332.000001FE36827000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2929221409.000001FE3A50B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.2960069200.000001FE3685D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.2962474666.000001FE3A50B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2926653866.000001FE3A4FE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2413952720.000001FE3685A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.2960069200.000001FE36798000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2417966553.000001FE3685E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2418010016.000001FE36827000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	rundll32.exe, 0000000A.00000003.2642128534.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.2960126544.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2165896288.000001E0CF6E0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.2960126544.000001E0CF620000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2165929680.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2642128534.000001E0CF6E0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.2960126544.000001E0CF6E0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.2960069200.000001FE36827000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2930304243.000001FE3685E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2414051332.000001FE36827000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2929221409.000001FE3A50B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.2960069200.000001FE3685D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.2962474666.000001FE3A50B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2926653866.000001FE3A4FE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2413952720.000001FE3685A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.2960069200.000001FE36798000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2417966553.000001FE3685E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2418010016.000001FE36827000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark	explorer.exe, 00000027.00000002.2964787553.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000000.2174927693.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cronoze.com:8817/pentium.phpV	rundll32.exe, 0000000F.00000002.2960069200.000001FE36827000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi	explorer.exe, 00000027.00000000.2174927693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://api.msn.com/q	explorer.exe, 00000027.00000000.2184484783.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2968437613.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	false		high
https://muuxxu.com:8817/pentium.phpS	rundll32.exe, 0000000F.00000003.2418010016.000001FE367FE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2414051332.000001FE367FC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.2960069200.000001FE367F4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc	explorer.exe, 00000027.00000000.2174927693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://muuxxu.com/_J	rundll32.exe, 0000000A.00000003.2642128534.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.2960126544.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2165929680.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	explorer.exe, 00000027.00000002.2972862768.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000000.2188497338.000000000C893000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cronoze.com:8817/pentium.phpn	rundll32.exe, 0000000F.00000002.2960069200.000001FE36827000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://muuxxu.com:8817/pentium.phplt	rundll32.exe, 0000000F.00000003.2414051332.000001FE36827000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2418010016.000001FE36827000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1	explorer.exe, 00000027.00000000.2174927693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cronoze.com/sp	rundll32.exe, 0000000F.00000002.2960069200.000001FE36827000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg	explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark	explorer.exe, 00000027.00000000.2174927693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A	explorer.exe, 00000027.00000000.2174927693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000000.2174927693.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cronoze.com:8817/	rundll32.exe, 0000000A.00000003.2642128534.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.2960126544.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.2960069200.000001FE36827000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cronoze.com:8817/pentium.phpf	rundll32.exe, 0000000A.00000002.2960126544.000001E0CF67F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2642128534.000001E0CF67F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2165929680.000001E0CF67D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://muuxxu.com:8817/pentium.phpz:	rundll32.exe, 0000000F.00000003.2418010016.000001FE367FE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2414051332.000001FE367FC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.2960069200.000001FE367F4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg	explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://wns.windows.com/L	explorer.exe, 00000027.00000000.2188497338.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2972862768.000000000C557000.00000004.00000001.00020000.00000000.sdmp	false		high
https://word.office.com	explorer.exe, 00000027.00000000.2188497338.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2972862768.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false		high
http://r11.o.lencr.org0#	rundll32.exe, 0000000A.00000002.2960126544.000001E0CF67F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2642128534.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.2960126544.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2165896288.000001E0CF6E0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.2960126544.000001E0CF620000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2165929680.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2087468711.000001E0CF6E2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2642128534.000001E0CF67F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2200930383.000001E0CF6E2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2642128534.000001E0CF6E0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.2960126544.000001E0CF6E0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.2960069200.000001FE36827000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2930304243.000001FE3685E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2414051332.000001FE36827000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2929221409.000001FE3A50B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.2962832147.000001FE3A70A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.2960069200.000001FE3685D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.2962474666.000001FE3A50B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2926653866.000001FE3A4FE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2413952720.000001FE3685A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2417966553.000001FE3685E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cronoze.com:8817/intel.php%K	rundll32.exe, 0000000A.00000003.2642128534.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.2960126544.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu	explorer.exe, 00000027.00000002.2964787553.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000000.2174927693.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cronoze.com/~	rundll32.exe, 0000000A.00000002.2960126544.000001E0CF67F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2642128534.000001E0CF67F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2165929680.000001E0CF67D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://muuxxu.com/o6	rundll32.exe, 0000000A.00000003.2165929680.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent	explorer.exe, 00000027.00000000.2174927693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win	explorer.exe, 00000027.00000000.2174927693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://muuxxu.com/J7	rundll32.exe, 0000000F.00000003.2418010016.000001FE367FE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2414051332.000001FE367FC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.2960069200.000001FE367F4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://muuxxu.com/o	rundll32.exe, 0000000F.00000003.2418010016.000001FE367FE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2414051332.000001FE367FC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.2960069200.000001FE367F4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.8.dr	false		high
https://muuxxu.com:8817/pentium.php6	rundll32.exe, 0000000F.00000002.2960069200.000001FE36798000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2414235751.000001FE367DD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://r11.o.lencr.	rundll32.exe, 0000000A.00000003.2642128534.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.2960126544.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2165929680.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000027.00000000.2174927693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cronoze.com:8817/pentium.phpor	rundll32.exe, 0000000F.00000002.2960069200.000001FE36827000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-	explorer.exe, 00000027.00000000.2174927693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://aka.ms/Vh5j3k	explorer.exe, 00000027.00000000.2174927693.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	false		high
http://r11.i.lencr.org/0	rundll32.exe, 0000000A.00000002.2960126544.000001E0CF67F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2642128534.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.2960126544.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2165896288.000001E0CF6E0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.2960126544.000001E0CF620000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2165929680.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2087468711.000001E0CF6E2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2642128534.000001E0CF67F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2200930383.000001E0CF6E2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2642128534.000001E0CF6E0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.2960126544.000001E0CF6E0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.2960069200.000001FE36827000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2930304243.000001FE3685E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2414051332.000001FE36827000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2929221409.000001FE3A50B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.2962832147.000001FE3A70A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.2960069200.000001FE3685D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.2962474666.000001FE3A50B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2926653866.000001FE3A4FE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2413952720.000001FE3685A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2417966553.000001FE3685E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu	explorer.exe, 00000027.00000000.2174927693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://api.msn.com/v1/news/Feed/Windows?&	explorer.exe, 00000027.00000002.2968437613.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000000.2184484783.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	false		high
https://muuxxu.com/	rundll32.exe, 0000000A.00000003.2642128534.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.2960126544.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2165929680.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg	explorer.exe, 00000027.00000000.2174927693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cronoze.com:8817/intel.php	rundll32.exe, 0000000A.00000003.2642128534.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.2960126544.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark	explorer.exe, 00000027.00000000.2174927693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.rd.com/list/polite-habits-campers-dislike/	explorer.exe, 00000027.00000000.2174927693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://android.notify.windows.com/iOS	explorer.exe, 00000027.00000000.2188497338.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2972862768.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false		high
https://muuxxu.com:8817/intel.php1K	rundll32.exe, 0000000A.00000003.2642128534.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.2960126544.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2165929680.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar	explorer.exe, 00000027.00000000.2174927693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://dogirafer.com/test/t/	explorer.exe, 00000027.00000002.2968287949.00000000093BD000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img	explorer.exe, 00000027.00000002.2964787553.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000000.2174927693.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false		high
https://api.msn.com/	explorer.exe, 00000027.00000000.2184484783.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2968437613.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d	explorer.exe, 00000027.00000000.2174927693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://muuxxu.com:8817/intel.phpSK	rundll32.exe, 0000000A.00000003.2642128534.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.2960126544.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2165929680.000001E0CF6AD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cronoze.com:8817/pentium.php0	rundll32.exe, 0000000A.00000002.2960126544.000001E0CF67F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2642128534.000001E0CF67F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.2165929680.000001E0CF67D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://outlook.com_	explorer.exe, 00000027.00000000.2188497338.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2972862768.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark	explorer.exe, 00000027.00000000.2174927693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com:443/en-us/feed	explorer.exe, 00000027.00000000.2174927693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe	explorer.exe, 00000027.00000000.2174927693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at	explorer.exe, 00000027.00000000.2174927693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of	explorer.exe, 00000027.00000000.2174927693.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000027.00000002.2964787553.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
94.232.46.11	muuxxu.com	Russian Federation		44477	WELLWEBNL	false
94.232.40.41	cronoze.com	Russian Federation		44477	WELLWEBNL	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1576903
Start date and time:	2024-12-17 17:55:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	appgpuset.dll.dll (renamed file extension from exe to dll)
Original Sample Name:	appgpuset.dll.exe
Detection:	MAL
Classification:	mal100.troj.evad.winDLL@44/18@4/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 8 Number of non-executed functions: 247

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.65.92, 20.190.181.4, 20.12.23.50, 13.107.246.63
Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: appgpuset.dll.dll

Simulations

Behavior and APIs

Time	Type	Description
11:56:15	API Interceptor	1x Sleep call for process: loaddll64.exe modified
11:56:46	API Interceptor	4x Sleep call for process: WerFault.exe modified
11:56:56	API Interceptor	934055x Sleep call for process: explorer.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
94.232.46.11	45c62e.msi	Get hash	malicious	Unknown	Browse
	TiNgny4xSB.dll	Get hash	malicious	BruteRatel	Browse
	TiNgny4xSB.dll	Get hash	malicious	BruteRatel	Browse
94.232.40.41	45c62e.msi	Get hash	malicious	Unknown	Browse
	TiNgny4xSB.dll	Get hash	malicious	BruteRatel	Browse
	TiNgny4xSB.dll	Get hash	malicious	BruteRatel	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
muuxxu.com	45c62e.msi	Get hash	malicious	Unknown	Browse	94.232.46.11
	TiNgny4xSB.dll	Get hash	malicious	BruteRatel	Browse	94.232.46.11
	TiNgny4xSB.dll	Get hash	malicious	BruteRatel	Browse	94.232.46.11
cronoze.com	45c62e.msi	Get hash	malicious	Unknown	Browse	94.232.40.41
	TiNgny4xSB.dll	Get hash	malicious	BruteRatel	Browse	94.232.40.41
	TiNgny4xSB.dll	Get hash	malicious	BruteRatel	Browse	94.232.40.41

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
WELLWEBNL	45c62e.msi	Get hash	malicious	Unknown	Browse	94.232.40.41
	TiNgny4xSB.dll	Get hash	malicious	BruteRatel	Browse	94.232.40.41
	TiNgny4xSB.dll	Get hash	malicious	BruteRatel	Browse	94.232.40.41
	avutil.dll.dll	Get hash	malicious	BruteRatel	Browse	94.232.43.224
	fes.msi	Get hash	malicious	BruteRatel, Latrodectus	Browse	94.232.43.224
	wait.dll.dll	Get hash	malicious	BruteRatel, Latrodectus	Browse	94.232.43.224
	sqx.dll.dll	Get hash	malicious	Unknown	Browse	94.232.40.38
	merd.msi	Get hash	malicious	Unknown	Browse	94.232.40.38
	sqx.dll.dll	Get hash	malicious	Unknown	Browse	94.232.40.38
	mesh.exe	Get hash	malicious	MeshAgent	Browse	94.232.43.185
WELLWEBNL	45c62e.msi	Get hash	malicious	Unknown	Browse	94.232.40.41
	TiNgny4xSB.dll	Get hash	malicious	BruteRatel	Browse	94.232.40.41
	TiNgny4xSB.dll	Get hash	malicious	BruteRatel	Browse	94.232.40.41
	avutil.dll.dll	Get hash	malicious	BruteRatel	Browse	94.232.43.224
	fes.msi	Get hash	malicious	BruteRatel, Latrodectus	Browse	94.232.43.224
	wait.dll.dll	Get hash	malicious	BruteRatel, Latrodectus	Browse	94.232.43.224
	sqx.dll.dll	Get hash	malicious	Unknown	Browse	94.232.40.38
	merd.msi	Get hash	malicious	Unknown	Browse	94.232.40.38
	sqx.dll.dll	Get hash	malicious	Unknown	Browse	94.232.40.38
	mesh.exe	Get hash	malicious	MeshAgent	Browse	94.232.43.185

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bad_module_info_59ea469c9cde70e5cc5fc8dc983f2f16bebbf3_85207d7d_a92ee45c-4a8c-48e2-ae99-7ffc8905fe0f\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.5801993457484474
Encrypted:	false
SSDEEP:	96:5QhFOwgDkyKy67tsQhMov7JfNQXIDcQ4c6fcE+cw3tZAX/d5FMT2SlPkpXmTAzfH:ukDky67ts0WbkQzuiFTZ24lO8bB
MD5:	95F74688877A9B79EDB11BBF1DCF85BF
SHA1:	F46E0693AF355B5D403EA312A402C17114DA6F72
SHA-256:	92D998EA8B5AFA37DEE9AD01732C0E052AF870A08109D02C83D442E8BC81DA3F
SHA-512:	47A0D50D668CADFC1863DB6D6FA6B538FE2D0573457F30D7F83660C8DEBAB9F30A7188C0D3E02413A4166AC7A485EFA4B210288B522B0566698316F36B605098
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.8.9.2.8.1.6.6.4.1.8.9.2.8.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.8.9.2.8.1.7.0.9.1.8.8.5.6.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.9.2.e.e.4.5.c.-.4.a.8.c.-.4.8.e.2.-.a.e.9.9.-.7.f.f.c.8.9.0.5.f.e.0.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.d.d.2.b.5.5.c.-.c.5.d.b.-.4.0.d.d.-.9.d.1.a.-.4.a.a.5.7.4.9.5.6.d.2.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.b.a.d._.m.o.d.u.l.e._.i.n.f.o.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.8.8.-.0.0.0.1.-.0.0.1.4.-.3.6.e.a.-.c.3.8.f.a.4.5.0.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.6.7.b.d.8.6.8.2.2.2.!.r.u.n.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.1.0.3././.0.8././.0.7.:.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bad_module_info_59ea469c9cde70e5cc5fc8dc983f2f16bebbf3_85207d7d_fa34a916-0ee7-420e-b892-7538d510bc46\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.5802948640427046
Encrypted:	false
SSDEEP:	96:sQhFVRBayKy6QsQhMov7JfNQXIDcQ4c6fcE+cw3tZAX/d5FMT2SlPkpXmTAzf/Vi:1fqy6Qs0WbkQzuiFTZ24lO8b+
MD5:	4583A0FB4BB9AC949BB61C45FE762046
SHA1:	3CC9A4705011EE4926626901C73A53D0B171DEE3
SHA-256:	981889A7D42B5CCBADA93ECD476315018E712EF602E93205E2E5201ED0D02F63
SHA-512:	8EE79D7C8F6FE031D1A4393A5668ACD868F5F2BFF5643C6C68569729F4A4E619157B3425DBFD04DE98A1A9B78C6886C59887F3E9A3646AAA5851EB7983AA86D1
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.8.9.2.8.1.6.6.4.0.4.0.3.9.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.8.9.2.8.1.7.0.9.1.9.6.5.4.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.a.3.4.a.9.1.6.-.0.e.e.7.-.4.2.0.e.-.b.8.9.2.-.7.5.3.8.d.5.1.0.b.c.4.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.7.f.d.1.5.f.0.-.a.7.0.c.-.4.0.7.7.-.b.9.f.c.-.2.a.d.5.1.4.f.1.0.3.5.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.b.a.d._.m.o.d.u.l.e._.i.n.f.o.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.7.8.-.0.0.0.1.-.0.0.1.4.-.d.a.e.4.-.c.1.8.f.a.4.5.0.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.6.7.b.d.8.6.8.2.2.2.!.r.u.n.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.1.0.3././.0.8././.0.7.:.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_app_368b75c013d478ef855eadbf85b69d15b5c85bc_a483008d_7ce35560-ca5a-4c7d-a743-57bb1d3c6542\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8251913814473193
Encrypted:	false
SSDEEP:	192:wTi89y6Fz0T5J39KAjjHZFPxzuiFTZ24lO8+q:ki56FgNZ9HjNzuiFTY4lO8+q
MD5:	8DE6717E266CA5374081D5D3F2C687F3
SHA1:	D4C407BDC32A6D7D70D2DC3A20BB62A55EB265E8
SHA-256:	878A06D371BEBAA635AF03B789F08097C797572B6A22E6CC9E47B7820270BF5A
SHA-512:	7D0629D66263969DD498CC43694AC3E4F615ED4A6139CBE8D7EB33F0CF232378B89CCAD3D2EC0D076A2D1A77E42252F23EE48D7ADC44E2658A3BCEC3D7D1A5EF
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.8.9.2.8.1.7.2.0.1.1.1.4.1.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.8.9.2.8.1.7.2.9.6.4.2.6.6.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.c.e.3.5.5.6.0.-.c.a.5.a.-.4.c.7.d.-.a.7.4.3.-.5.7.b.b.1.d.3.c.6.5.4.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.6.5.5.a.3.9.b.-.d.e.a.9.-.4.0.c.7.-.b.9.0.7.-.7.f.8.6.2.3.b.a.a.4.7.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.a.p.p.g.p.u.s.e.t...d.l.l...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.a.8.-.0.0.0.1.-.0.0.1.4.-.9.0.e.7.-.5.9.9.3.a.4.5.0.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.6.7.b.d.8.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_app_ea5749b1d7fa548c1274df7cdb4372edb8fea1_a483008d_bfa66183-2a7d-437b-ad39-dcd0dc11a1c6\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8352023478588372
Encrypted:	false
SSDEEP:	192:OmViSypF0Hw7irjHZFPxzuiFTZ24lO8xq:5ViPpmHw7irjNzuiFTY4lO8xq
MD5:	A9721C1950420CAC6EEC701EA3114A7E
SHA1:	0782210C1FC03BB51CEF9692C2B10E6179F87591
SHA-256:	29702B74DEAFA84C044F12E1147EB28E9E4BDE5F52833AFA13F8AA091802E94E
SHA-512:	A52004264203759C1DA27220223AE68D6C970F711BFE73F9A1705BBC08D6382D4FAA3B67B1A2CEA17BD46090D4B41E3BE11C0081C499483DEF8F4B73EF93AB1B
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.8.9.2.8.1.7.9.7.2.5.6.9.1.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.8.9.2.8.1.8.0.9.4.4.4.4.9.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.f.a.6.6.1.8.3.-.2.a.7.d.-.4.3.7.b.-.a.d.3.9.-.d.c.d.0.d.c.1.1.a.1.c.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.5.0.1.8.c.d.e.-.0.f.2.1.-.4.0.6.6.-.9.0.d.5.-.5.3.4.f.3.6.a.6.6.8.f.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.a.p.p.g.p.u.s.e.t...d.l.l...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.f.6.4.-.0.0.0.1.-.0.0.1.4.-.9.c.a.a.-.7.b.9.5.a.4.5.0.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.6.7.b.d.8.6.8.2.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCB04.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8474
Entropy (8bit):	3.6787037508592686
Encrypted:	false
SSDEEP:	192:R6l7wVeJHmVk6YmE8Dgmfs0pDP89bG1z0fuoCm:R6lXJGVk6Y9YgmfspGh0fX
MD5:	BEDB48EF60283F987860C32C17E81BA9
SHA1:	F225BA759B00C7D0BB9702AFE6AAF241108B6F11
SHA-256:	818372CA1C4CA7CC3580787EF136569C09EF9F53C31AB03805F44BA4A21536EF
SHA-512:	6A474F9960E4298D5B03B355145BA296D470B2822F7E51DFFE9018E803FA686888056945B68DED8BE81E5F5F77B3BBA23E7A4AEA0287898E2EC96D64E12F24AD
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.4.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCBA0.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8482
Entropy (8bit):	3.677725209937005
Encrypted:	false
SSDEEP:	192:R6l7wVeJhdVf3e6Yc7LJfgmfs0pDP89bG6z0f0SCm:R6lXJrVG6Y4NgmfspG+0fr
MD5:	D312883EC11176475B419DE9325E7915
SHA1:	BB19FCECB636F31A3776FE41FF6DEC3782B20066
SHA-256:	4EB63A47651EA3C357B3F3E4840B7ACF55A8895F923CB178AB980D9F0C913E95
SHA-512:	0DDA5C9E81D539D92FB007601408029A34D34388D77B9E62AE18AAE05A1A4D40BDDDD349073C52C811CA745DCFE0905CC772DFE39F26E96CDE34846F710DDFBC
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.6.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCBC1.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4620
Entropy (8bit):	4.434217818370224
Encrypted:	false
SSDEEP:	48:cvIwWl8zsGJg771I9jgWpW8VYBYm8M4JTNFPyq85pZptSTSpd:uIjfcI7YZ7VpJrcpoOpd
MD5:	0647EF82A83F16E6A1E806B7AAF6A313
SHA1:	447E8B1A5F3DB023AC6FE459B41DB7DBDF7C0583
SHA-256:	F79A322FCDD7BBF9EAE1E26C1EC875B5422512EE799170859ADB5CE2B6E51498
SHA-512:	07CD73844845143A48D3F0AAA64F848E644081384A92DEB2EFD9430351E498BD6A310C12CD7B895E30D41B0775793BD9F0DC0E0CE07C66E610B4E08D67CCB83B
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="635518" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCBD0.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4620
Entropy (8bit):	4.433924498614432
Encrypted:	false
SSDEEP:	48:cvIwWl8zsGJg771I9jgWpW8VY3Ym8M4JTNF6yq85pjptSTS4d:uIjfcI7YZ7VrJeqpoO4d
MD5:	61307D548372468145AF41ECFB289621
SHA1:	BE1D32CDA15A9E8C2FC77FE7AFD05575361456E5
SHA-256:	0493DB58D53433578ACF5DE9048E8E5138D00B0CFB12BB64B82DEF5CE1ADED75
SHA-512:	B79E61446672B3C800F7ADA46F367BB450E6EB8E8739BD63B89F6C9CF0FA85C0C06DC2B5A53C9FE3AC38690804F502927A2792D5B2DB54B5225BDC93C0EDBB59
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="635518" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD0EE.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Dec 17 16:56:12 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	59776
Entropy (8bit):	1.6973090159812392
Encrypted:	false
SSDEEP:	192:t+bhXOM2717MiSNaMFavvXaHl5yXS9+Z:nt7MiSNaMFavv65yXEw
MD5:	4309EEFF9DED5896F55F00153DDDD00F
SHA1:	451491EA94E89E7BB414C1F5647ABF4288D1A2A8
SHA-256:	5750653CEBE9B432155223E7D8D0156AFA799767F464B2F52C0DA64E6DDDB46D
SHA-512:	AA18AC5EF5E72E199368F407C4096C90D5B83DE25C1929CFA0A7A4921FE06D73A5551710D2BB0F4DA5A9170D549B4E9FE812A0E15B321A13BDF9F0FF6A889799
Malicious:	false
Preview:	MDMP..a..... .......,.ag........................@................,..........T.......8...........T.......................................................................................................................eJ......`.......Lw......................T...........+.ag.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD350.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8544
Entropy (8bit):	3.6956435913730328
Encrypted:	false
SSDEEP:	192:R6l7wVeJe8Jx6Ym88Dgmf9xllnAvprG89bUTz0fccm:R6lXJ9Jx6YlYgmf9xKUn0f+
MD5:	AE3814D7138D0E1E9C535854AEB14775
SHA1:	03557DE78B96E919FE30C4A8C4A65FA31A74C23C
SHA-256:	1987F1E7BEFC19694865A146AF86F43101F8C2953F626BCFAC5CF3234658822D
SHA-512:	16975DD937594F2237522A2360F84A83DD94769CD03695E41345D2B7A2E5125F1B824CBE19AA07A09F8C66095D2864BEC579F99EAA7A63BED924FE9EEF205F5B
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.8.4.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD370.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4768
Entropy (8bit):	4.475495984781202
Encrypted:	false
SSDEEP:	48:cvIwWl8zsGJg771I9jgWpW8VY1Ym8M4JCWC0TF0yq85mwCptSTSZd:uIjfcI7YZ7V1JKVpoOZd
MD5:	657F39164982A9D648F5A2A4298E6109
SHA1:	96763B8B45FB74D651C7D8736698AA9D22C6DCE9
SHA-256:	2C2727CCEB3E5C640EDC8A145858BCD49C65DD1863FADCEEEF334103065107FB
SHA-512:	EE978420112BE54B38051DFC34FD74AA247E8AA0645B957E1CF6C454F0BFD200B135BD8E92EE785B9D7CA0BB8467FB2EB30623CA360C9F47AFCB4A916914CE82
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="635518" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREF24.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Dec 17 16:56:20 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	52856
Entropy (8bit):	1.4696579989810787
Encrypted:	false
SSDEEP:	96:5w8slnFnJQGdU1pyNgXK31OvGJcjZSBUoi7MrBQ/RiW++2x5q+RmER0WI7DIBrxH:1svVgQBROM2P2xQ+RpRVM5VnSPB
MD5:	A7A110A4BC9D4FFBEA1D96B1ED92C773
SHA1:	0A880252F52E6D902CE96B03F89843F5A3F07B85
SHA-256:	D07D2BF46D5F997B1A86533A5BD1657D77B8B03562F6CB41D7232EB149D89881
SHA-512:	3916B111553EE045CE637FBFDD1FFE0D859D98BDEC020A2F89984992F7F22384D26C5660E236CF04437B4891DA49BF26F21CBF66E442D53740EBE53D53952CF9
Malicious:	false
Preview:	MDMP..a..... .......4.ag........................@................,..........T.......8...........T...........p...........................................................................................................eJ......`.......Lw......................T.......d.../.ag.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF0BB.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8912
Entropy (8bit):	3.695293620260482
Encrypted:	false
SSDEEP:	192:R6l7wVeJwVVa6Ymsg+gmfIiNs3pDRv89bVJK1lffenm:R6lXJKVa6Y9g+gmfIiNsrQVE1lff/
MD5:	431F7191007AC72266BE0D16D7D9FB60
SHA1:	63446D1EFCE82FB97321ECA292DD812044947371
SHA-256:	F6ACAB357D053A295B70DEC5F38293315B78B72D5B7E6DA4E5514AFB4CD7D0F8
SHA-512:	5B2E687A46AA1E6F0AD45656581AC80BC217826274022D8A1B34E32F73F3D6517BBA1086B3B623234CDE1CD6ECE1C671BD78182B0823C629C5D9EC7720B8761E
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.8.0.3.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF0FB.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4888
Entropy (8bit):	4.461172168169055
Encrypted:	false
SSDEEP:	48:cvIwWl8zs9Jg771I9jgWpW8VYDYm8M4JCWC0YgFryq8vh0YTptSTSMd:uIjfXI7YZ7VPJLWbpoOMd
MD5:	22041C0BF03A328B15D3952DFD2E4D01
SHA1:	C188C2D160262C94490616A48939BEBF42B59ADB
SHA-256:	2B5C29071D88CBFB33F56FC1EAF8AF25208AE2B8CC2BE0C9D472E48BE524FFAE
SHA-512:	9F16FD16D3E038E527E2AF86E4FBFBCA666BAB71C66D8BE375846975A52BA8CCBBD91601181F4CEA31B28B833E89714C90FDFF48AE32D172AD6CCAAF0E974C77
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="635519" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Temp\WERBB15.tmp.WERDataCollectionStatus.txt

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	4770
Entropy (8bit):	3.2452230383792315
Encrypted:	false
SSDEEP:	96:pwpIiqkXkkXGkYFuWC0Qj0QS0Qg4O0QXm0QR0Qe3rDgPXf/szeuzSzbxGQI5Cm65:p/lvpuXlIPoeyOkNs
MD5:	2A737B3478F047412DC5D0D34EA9CDFF
SHA1:	EDF65A0EBA64B01030BB0D41185BFB230D814DBB
SHA-256:	01170A5360EB9DEA2C132A65818FCAC6B8CE37727A9DF6176FDF9CE7D20FEE56
SHA-512:	BFA010E847F09E2CB1EE146CF59FE4FA4D1C752773B54C77A95B00DCE60D870A18E5CBB7E02DD12A8BE916D1F9C16A4A25C55BE6A5A017006BDACB57C6747F82
Malicious:	false
Preview:	......S.n.a.p.s.h.o.t. .s.t.a.t.i.s.t.i.c.s.:.....-. .S.i.g.n.a.t.u.r.e. . . . . . . . . . . . . . . . .:. .P.S.S.D.......-. .F.l.a.g.s./.C.a.p.t.u.r.e.F.l.a.g.s. . . . . . . .:. .0.0.0.0.0.0.0.1./.d.0.0.0.3.9.f.f.......-. .A.u.x. .p.a.g.e.s. . . . . . . . . . . . . . . . .:. .1. .e.n.t.r.i.e.s. .l.o.n.g.......-. .V.A. .s.p.a.c.e. .s.t.r.e.a.m. . . . . . . . . . .:. .4.5.1.6.8. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .H.a.n.d.l.e. .t.r.a.c.e. .s.t.r.e.a.m. . . . . . .:. .0. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .H.a.n.d.l.e. .s.t.r.e.a.m. . . . . . . . . . . . .:. .7.6.8.2. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .T.h.r.e.a.d.s. . . . . . . . . . . . . . . . . . .:. .3. .t.h.r.e.a.d.s.......-. .T.h.r.e.a.d. .s.t.r.e.a.m. . . . . . . . . . . . .:. .4.0.8.0. .b.y.t.e.s. .i.n. .s.i.z.e...........S.n.a.p.s.h.o.t. .p.e.r.f.o.r.m.a.n.c.e. .c.o.u.n.t.e.r.s.:.....-. .T.o.t.a.l.C.y.c.l.e.C.o.u.n.t. . . . . . . . . . .:. .1.6.3.1.1.3.9.1. .c.y.c.l.e.s.......-. .V.a.C.l.o.n.e.C.y.c.l.e.C.o.u.n.t. . . . . .

C:\Users\user\AppData\Local\Temp\WERBB25.tmp.WERDataCollectionStatus.txt

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	4766
Entropy (8bit):	3.248373347702452
Encrypted:	false
SSDEEP:	96:pwpIiSkXkkX/kYFuWxvO0Q90QOKV0Qgq0QX/0QLQ0QxmcgwXKt+szeuzSzbxGQIf:pHlmpuMbKMkDyoeyOkNf
MD5:	3C7993CA58046A313D624902BCE6A297
SHA1:	666DEF03EAD991D58A6173F1715175824D123B5D
SHA-256:	B4CD96C9EE7BD3388870D20704D74A1E7034F24311A8901AF94B553F119F0573
SHA-512:	586DF6EA4D6CAED918B52A94CCA811ADF5AEBCAB178F17012C4C45358CBFA604D48E3B1915C38D2CA22AA698C2A8D7D6CD5DD61646FF28F29CF6B1B242FD0C51
Malicious:	false
Preview:	......S.n.a.p.s.h.o.t. .s.t.a.t.i.s.t.i.c.s.:.....-. .S.i.g.n.a.t.u.r.e. . . . . . . . . . . . . . . . .:. .P.S.S.D.......-. .F.l.a.g.s./.C.a.p.t.u.r.e.F.l.a.g.s. . . . . . . .:. .0.0.0.0.0.0.0.1./.d.0.0.0.3.9.f.f.......-. .A.u.x. .p.a.g.e.s. . . . . . . . . . . . . . . . .:. .1. .e.n.t.r.i.e.s. .l.o.n.g.......-. .V.A. .s.p.a.c.e. .s.t.r.e.a.m. . . . . . . . . . .:. .4.5.0.9.6. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .H.a.n.d.l.e. .t.r.a.c.e. .s.t.r.e.a.m. . . . . . .:. .0. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .H.a.n.d.l.e. .s.t.r.e.a.m. . . . . . . . . . . . .:. .7.8.5.0. .b.y.t.e.s. .i.n. .s.i.z.e.......-. .T.h.r.e.a.d.s. . . . . . . . . . . . . . . . . . .:. .3. .t.h.r.e.a.d.s.......-. .T.h.r.e.a.d. .s.t.r.e.a.m. . . . . . . . . . . . .:. .4.0.8.0. .b.y.t.e.s. .i.n. .s.i.z.e...........S.n.a.p.s.h.o.t. .p.e.r.f.o.r.m.a.n.c.e. .c.o.u.n.t.e.r.s.:.....-. .T.o.t.a.l.C.y.c.l.e.C.o.u.n.t. . . . . . . . . . .:. .1.6.2.9.1.9.9.8. .c.y.c.l.e.s.......-. .V.a.C.l.o.n.e.C.y.c.l.e.C.o.u.n.t. . . . . .

C:\Users\user\NTUSER.DAT.Not

Download File

Process:	C:\Windows\System32\rundll32.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	108
Entropy (8bit):	5.14236681738789
Encrypted:	false
SSDEEP:	3:BkWVm3DjiSYJazdRVg3qRJDWVm3DjiSlyLrci5gn:BkSADjeJ4Jg6RJDSADjPET+n
MD5:	954076BC489701C562DF7671EF0FB594
SHA1:	DA72DBA3ADFDA01CCFED93DAA8170F34C3BC19A8
SHA-256:	3100BBCBAC1CE0E912FE437E93EA53FBEF08275488E7DE7C33E1E7D34272313B
SHA-512:	E9EC00715072F61B4B29CF344D8DD5F8CF06C1A27F71B85F6DE44998156F44CA9283C31DE028B8FD39B256AC9D9BFCF17F3DF85482668BB8366CE6882C972561
Malicious:	false
Preview:	{YXBwZ3B1c2V0LmRsbC5kbGw=, IkM6XFVzZXJzXGpvbmVzXERlc2t0b3BcYXBwZ3B1c2V0LmRsbC5kbGwi, MQ==, R2ZlWGNvZGVGdW5j}

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.46639324163195
Encrypted:	false
SSDEEP:	6144:HIXfpi67eLPU9skLmb0b4zWSPKaJG8nAgejZMMhA2gX4WABl0uNcdwBCswSb9:oXD94zWlLZMM6YFHa+9
MD5:	2E7236220274BD11ED60B88FBAEB8B5E
SHA1:	CB965950AF1397B4BAC07455D2F2DB24FA6359BC
SHA-256:	38BE76E17A19D23B38923753BFC812E563CDF6B22D607AF809E2227DD593F389
SHA-512:	18CC215820E7769E1564BF4D40B8F6665085DBBE4F4413A1055310AEF1EDD74F64A41BBC59DF4703B1B5A9B73DA946EBAD8DCD5DEEF401CF4CF4C02F42C8665A
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.P..P...............................................................................................................................................................................................................................................................................................................................................AG.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit):	6.141171944490726
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	appgpuset.dll.dll
File size:	3'954'176 bytes
MD5:	4717c34252551071aa41c2881315a4b8
SHA1:	b239d502a5c200e63d13730219f7272a8d9e0fe7
SHA256:	ea2c9e620d779449a2d5176ace0c4993934e85be7a0207f3f51b4a432627ad2f
SHA512:	2fda6766651ae4a2bd766026fab9410cca738ec0099302aa962243b11c6cb80d432a50d94d6ddc085b23eb71576732bea1adf0b9b2f5d6a127e60066ab379564
SSDEEP:	49152:uUhs9XR3wxZXRTZUcuVHleFPH1FBJtFfmHrgdvs+s9bj5ZDhN4q:SagbONF30blJ7B
TLSH:	F7069D5AF7A81048D17B917D8AAB4B4AEA72F40187315BCF019442EE1F63BE50D3E7B1
File Content Preview:	MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$.......#?U.g^;.g^;.g^;..:8.j^;..:?.\|^;..:>..^;.t88.n^;.t8>..^;.t8?.D^;.....f^;.....d^;...>.b^;.\|...w^;.....f^;.....e^;.....z^;.g^:..^;

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x180019fa0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x180000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF
Time Stamp:	0x66687C67 [Tue Jun 11 16:33:43 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	50e60cb08521b483a152f5300e46b8e7

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
push esp
push eax
push ebx
push ecx
push edx
push esi
push edi
inc ecx
push eax
inc ecx
push ecx
inc ecx
push edx
inc ecx
push ebx
inc ecx
push esp
inc ecx
push ebp
inc ecx
push esi
inc ecx
push edi
dec eax
mov eax, edx
dec eax
xor eax, esp
dec eax
sub eax, esp
dec eax
mov ecx, esi
dec eax
or eax, ebx
dec ecx
mov eax, esp
dec ebp
xor eax, eax
dec ax
movd edx, mm0
dec eax
sub edx, eax
dec eax
add edx, 00000132h
nop
nop
nop
nop
nop
nop
nop
nop
dec eax
dec edx
dec eax
inc ecx
dec eax
add edx, ecx
dec eax
cmp edx, ecx
dec eax
cmp eax, ecx
dec esp
cmp edx, esp
dec esp
test eax, ebp
xorps xmm1, xmm1
dec eax
mov eax, edi
setne dl
setne dl
inc esp
mov ecx, esi
shr ecx, 0Ah
inc ecx
add edi, edx
ror ecx, 07h
inc ecx
ror eax, 13h
inc ecx
xor eax, ecx
shr ecx, 03h
inc ecx
ror eax, 13h
ror edx, 12h
add edx, ebp
dec eax
add eax, FFFFFFD4h
dec eax
add eax, FFFFFFD4h
dec eax
add edx, FFFFFFD4h
ror eax, 0Bh
inc ecx
pop edi
inc ecx
pop esi
inc ecx
pop ebp
inc ecx
pop esp
inc ecx
pop ebx
inc ecx
pop edx
inc ecx
pop ecx
inc ecx
pop eax
pop edi
pop esi
pop edx
pop ecx
pop ebx
pop eax
pop esp
dec eax
cmp edx, 01h
je 00007FD4FD07AADAh
dec eax
mov eax, 00000001h
ret
push ebp
dec eax
sub esp, 00000090h
push esp
push eax
push ebx
push ecx
push edx
push esi
push edi
inc ecx

Rich Headers

Programming Language:

[C++] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2f5b80	0x358	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x330de8	0x12c	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x33c000	0xa4c3c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x315000	0x17d9c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x321000	0x2628	.pdata
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3e1000	0x208c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x2b7870	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x2b9e38	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2b78b0	0x100	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x330000	0xde8	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x251051	0x251200	f540f5591a49b467ced498036d3f4d1d	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x253000	0xa2ed8	0xa3000	5e7f7f61f7e25594fc59137c9a47ba36	False	0.3123322469325153	data	4.743581618389728	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x2f6000	0x1e250	0x6200	7b032f630f6c3069375cf388ef849a7b	False	0.14190051020408162	DIY-Thermocam raw data (Lepton 2.x), scale 26673-10880, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 0.836933	3.865732095199724	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x315000	0x1a4f0	0x1a600	d725a30faec48ea01072f8c22e02b360	False	0.48789247630331756	data	5.914896767169826	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata	0x330000	0x33b3	0x3400	a7da85c02bab675e06ff41413f954480	False	0.23760516826923078	OpenPGP Secret Key	3.7389867108154293	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.gfids	0x334000	0x3124	0x3200	6311f57e3dfd2a8e8a72d9c548e7575b	False	0.283125	data	3.679119352047938	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.giats	0x338000	0x108	0x200	4cc405a3bc0d47a4f8fdff591662692b	False	0.03125	data	0.06116285224115448	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
minATL	0x339000	0x329	0x400	0f343b0931126a20f133d67c2b018a3b	False	0.0166015625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.00cfg	0x33a000	0x11b	0x200	0157595f914df79257793a9922d03c21	False	0.044921875	data	0.18415065608732903	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x33b000	0x309	0x400	c573bd7cea296a9c5d230ca6b5aee1a6	False	0.021484375	data	0.011173818721219527	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x33c000	0xa4c3c	0xa4e00	8556040774f462165ffb5bdcff02cfff	False	0.8276822521796816	data	7.837978893359296	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x3e1000	0x45cc	0x4600	fdd2fe0e2b4ab624ba1d395d0136dba5	False	0.19765625	data	3.4190001534701606	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_STRING	0x33c0e8	0x30	data	English	United States	0.625
RT_VERSION	0x33c118	0x350	data	English	United States	0.4257075471698113
RT_VXD	0x33c468	0xa47d4	data			0.8289508837131984

Imports

DLL	Import
SHELL32.dll	SHGetFolderPathW, SHGetKnownFolderPath, SHCreateDirectoryExW, SHFileOperationA, SHGetPropertyStoreFromParsingName
USER32.dll	GetWindowThreadProcessId, SetRectEmpty, GetDC, MessageBoxA, GetDesktopWindow, MessageBoxW, SetRect
ADVAPI32.dll	RegCloseKey, RegQueryValueExW, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, RegOpenKeyExW
SHLWAPI.dll	PathFileExistsW, SHCreateStreamOnFileEx
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CoUninitialize, CoInitializeEx, PropVariantClear, CoCreateInstance
gdiplus.dll	GdipAlloc, GdipFree, GdipCreateHBITMAPFromBitmap, GdiplusShutdown, GdipCloneImage, GdipDisposeImage, GdipSetPropertyItem, GdipCreateBitmapFromScan0, GdipCreateBitmapFromGdiDib, GdipGetImageEncodersSize, GdipGetImageEncoders, GdiplusStartup
GDI32.dll	CreateDIBSection, GetDeviceCaps, DeleteObject
KERNEL32.dll	GetProcessHeap, SetCurrentDirectoryW, GetCurrentDirectoryW, GetCommandLineA, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, FindClose, GetTimeZoneInformation, HeapQueryInformation, SetEnvironmentVariableW, FlushFileBuffers, GetConsoleCP, SetConsoleCtrlHandler, SetEndOfFile, SetFilePointerEx, ReadConsoleW, GetConsoleMode, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, GetDriveTypeW, FreeEnvironmentStringsW, GetEnvironmentStringsW, HeapSize, GetCommandLineW, ResumeThread, ExitThread, SetStdHandle, WriteConsoleW, GetFileType, GetModuleHandleExW, ExitProcess, RaiseException, RtlPcToFileHeader, RtlUnwindEx, GetStartupInfoW, IsDebuggerPresent, IsProcessorFeaturePresent, TerminateProcess, WriteFile, AcquireSRWLockExclusive, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, WaitForMultipleObjectsEx, CreateFileW, DeleteFileW, CloseHandle, CreateDirectoryW, ExpandEnvironmentStringsW, GetLastError, InitializeCriticalSection, DeleteCriticalSection, SetEvent, WaitForSingleObject, CreateEventW, Sleep, CreateThread, GetCurrentThread, SetThreadPriority, WaitForMultipleObjects, MulDiv, ResetEvent, FreeLibrary, GetProcAddress, LoadLibraryW, DebugBreak, EnterCriticalSection, LeaveCriticalSection, CopyFileW, OutputDebugStringW, QueryPerformanceCounter, QueryPerformanceFrequency, GetCurrentThreadId, GetSystemTime, GetVersionExW, SystemTimeToTzSpecificLocalTime, ReadFile, SetFilePointer, VerSetConditionMask, GetFileAttributesW, GetFullPathNameW, SetLastError, CreateProcessA, CreateProcessW, GetSystemDirectoryW, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleW, LoadLibraryExW, LocalAlloc, LocalFree, VerifyVersionInfoW, GetLocalTime, SetEnvironmentVariableA, GetEnvironmentVariableA, VirtualQuery, VirtualAlloc, VirtualFree, VirtualProtect, GetSystemInfo, GlobalMemoryStatusEx, LoadLibraryA, GetNativeSystemInfo, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryEnterCriticalSection, InitializeSRWLock, AcquireSRWLockShared, RtlCaptureStackBackTrace, TryAcquireSRWLockShared, TryAcquireSRWLockExclusive, ReleaseSRWLockShared, ReleaseSRWLockExclusive, GetCurrentProcessId, CreateSemaphoreA, ReleaseSemaphore, SwitchToThread, CreateEventA, CreateDirectoryA, RemoveDirectoryA, DeleteFileA, GetFileAttributesExA, LockFileEx, UnlockFileEx, GetCurrentDirectoryA, HeapDestroy, HeapAlloc, HeapFree, HeapReAlloc, GetComputerNameA, SetThreadAffinityMask, GetProcessAffinityMask, GetCurrentProcess, GetModuleHandleA, FreeLibraryAndExitThread, GetModuleHandleExA, HeapCreate, CompareFileTime, ReleaseMutex, CreateMutexA, FormatMessageW, lstrcmpA, FileTimeToSystemTime, WideCharToMultiByte, GetStdHandle, OutputDebugStringA, AllocConsole, WriteConsoleA, SetConsoleTitleA, GetConsoleWindow, MultiByteToWideChar, GetStringTypeW, EncodePointer, DecodePointer, InitializeCriticalSectionAndSpinCount, GetSystemTimeAsFileTime, GetTickCount, CompareStringW, LCMapStringW, GetLocaleInfoW, GetCPInfo, GetThreadTimes, WaitForSingleObjectEx, SignalObjectAndWait, GetThreadPriority, GetLogicalProcessorInformation, CreateTimerQueueTimer, ChangeTimerQueueTimer, DeleteTimerQueueTimer, GetNumaHighestNodeNumber, RegisterWaitForSingleObject, UnregisterWait, InterlockedPopEntrySList, InterlockedPushEntrySList, InterlockedFlushSList, QueryDepthSList, DuplicateHandle, InitializeSListHead, UnregisterWaitEx, SetProcessAffinityMask, CreateTimerQueue

Exports

Name	Ordinal	Address
DllMain	1	0x18001a200
GfeXcodeFunc	2	0x180008b40
GfeXcodeFuncEx	3	0x18000ee10
GfeXcodeImage	4	0x180014e10
GfeXcodeImageEx	5	0x18000b870
GfeXcodeMontage	6	0x18000c460
NVSDK_NGX_CUDA_CreateFeature	7	0x180003c30
NVSDK_NGX_CUDA_EvaluateFeature	8	0x18002f5a0
NVSDK_NGX_CUDA_GetParameters	9	0x1800091a0
NVSDK_NGX_CUDA_GetScratchBufferSize	10	0x180026a00
NVSDK_NGX_CUDA_Init	11	0x180005ec0
NVSDK_NGX_CUDA_ReleaseFeature	12	0x180013020
NVSDK_NGX_CUDA_Shutdown	13	0x18000a7e0
NvOptimusEnablementCuda	14	0x1802f60c8

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 17, 2024 17:56:13.426536083 CET	49731	8817	192.168.2.4	94.232.40.41
Dec 17, 2024 17:56:13.546544075 CET	8817	49731	94.232.40.41	192.168.2.4
Dec 17, 2024 17:56:13.549985886 CET	49731	8817	192.168.2.4	94.232.40.41
Dec 17, 2024 17:56:13.766356945 CET	49731	8817	192.168.2.4	94.232.40.41
Dec 17, 2024 17:56:13.886481047 CET	8817	49731	94.232.40.41	192.168.2.4
Dec 17, 2024 17:56:15.752895117 CET	8817	49731	94.232.40.41	192.168.2.4
Dec 17, 2024 17:56:15.752969980 CET	8817	49731	94.232.40.41	192.168.2.4
Dec 17, 2024 17:56:15.752974987 CET	49731	8817	192.168.2.4	94.232.40.41
Dec 17, 2024 17:56:15.752989054 CET	8817	49731	94.232.40.41	192.168.2.4
Dec 17, 2024 17:56:15.753024101 CET	49731	8817	192.168.2.4	94.232.40.41
Dec 17, 2024 17:56:15.753035069 CET	49731	8817	192.168.2.4	94.232.40.41
Dec 17, 2024 17:56:15.824465990 CET	49731	8817	192.168.2.4	94.232.40.41
Dec 17, 2024 17:56:15.945884943 CET	8817	49731	94.232.40.41	192.168.2.4
Dec 17, 2024 17:56:23.724827051 CET	49738	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:23.844490051 CET	8817	49738	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:23.844569921 CET	49738	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:23.854021072 CET	49738	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:23.973639965 CET	8817	49738	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:24.417881012 CET	8817	49731	94.232.40.41	192.168.2.4
Dec 17, 2024 17:56:24.417985916 CET	49731	8817	192.168.2.4	94.232.40.41
Dec 17, 2024 17:56:24.428796053 CET	49731	8817	192.168.2.4	94.232.40.41
Dec 17, 2024 17:56:24.548770905 CET	8817	49731	94.232.40.41	192.168.2.4
Dec 17, 2024 17:56:25.173932076 CET	8817	49738	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:25.173952103 CET	8817	49738	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:25.173964024 CET	8817	49738	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:25.174012899 CET	49738	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:25.174012899 CET	49738	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:25.187297106 CET	49738	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:25.308039904 CET	8817	49738	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:32.105750084 CET	8817	49738	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:32.105839014 CET	49738	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:32.115463018 CET	49738	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:32.235858917 CET	8817	49738	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:35.117659092 CET	8817	49731	94.232.40.41	192.168.2.4
Dec 17, 2024 17:56:35.117944956 CET	49731	8817	192.168.2.4	94.232.40.41
Dec 17, 2024 17:56:36.025927067 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:36.145622015 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:36.145708084 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:36.146244049 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:36.269144058 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:39.020808935 CET	8817	49738	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:39.020950079 CET	49738	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:39.021935940 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:39.025063992 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:39.025141954 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:39.025155067 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:39.025192022 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:39.025319099 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:39.025351048 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:39.031136036 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:39.142585993 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:39.142736912 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:39.143090963 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:39.151604891 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:39.267256021 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:44.557528973 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:44.557609081 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:44.557810068 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:44.557843924 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:44.557862997 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:44.557878971 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:44.557889938 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:44.557924032 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:44.562587976 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:44.682270050 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:45.346956968 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:45.347084045 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:45.353332996 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:45.560658932 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:51.162482977 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:51.162559986 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:51.163135052 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:51.282705069 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.492686987 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.492769003 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.492849112 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.492863894 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.492893934 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.492932081 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.493133068 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.493164062 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.493175983 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.493192911 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.493309021 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.501602888 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.501682997 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.503957033 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.504050016 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.504110098 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.504165888 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.512636900 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.512691021 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.512746096 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.512839079 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.521295071 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.521336079 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.521435022 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.606168985 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.606218100 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.612521887 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.612535000 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.612586021 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.685079098 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.685168028 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.685204029 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.685265064 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.689121008 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.689191103 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.689197063 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.689263105 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.697089911 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.697225094 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.700011015 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.700067043 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.700092077 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.700164080 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.708070040 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.708164930 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.708169937 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.708256960 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.716226101 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.716309071 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.716336966 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.716481924 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.724047899 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.724132061 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.724164009 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.724268913 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.732043982 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.732152939 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.732162952 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.732206106 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.740061998 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.740159988 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.740201950 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.740257978 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.748019934 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.748159885 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.748198986 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.748246908 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.756040096 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.756249905 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.756263018 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.756320000 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.761600971 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.761676073 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.761761904 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.761930943 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.767251015 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.767390013 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.798424006 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.798489094 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.798506975 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.798547029 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.801105976 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.801160097 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.801245928 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.801367044 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.806725025 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.806772947 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.877273083 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.877327919 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.877372980 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.877372980 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.879930973 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.880027056 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.880153894 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.885495901 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.885565996 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.887512922 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.887583971 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.887633085 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.887698889 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.893148899 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.893202066 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.893235922 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.893274069 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.898771048 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.898833036 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.899028063 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.899085999 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.904316902 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.904462099 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.904568911 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.909924030 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.910027981 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.910085917 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.915586948 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.915755987 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.915822983 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.921039104 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.921166897 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.921282053 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.926654100 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.926754951 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.926834106 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.932308912 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.932395935 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.932492971 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.936944962 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.937051058 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.937133074 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.941679955 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.941793919 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.941901922 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.946368933 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.946501970 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.946587086 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.951196909 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.951324940 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.951380968 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.955751896 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.955903053 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.955975056 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.960436106 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.960556030 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.960613012 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.965656042 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.965729952 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.965801001 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.965847015 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.969917059 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.969984055 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.970000029 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.970046043 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.974570990 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.974639893 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.974678993 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.974740982 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.979262114 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.979362011 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.979475021 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.979646921 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.984070063 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.984117985 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.984226942 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.988564014 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.988636971 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.988663912 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.988724947 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.998203039 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.998297930 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:52.998337984 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:52.998418093 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.000540972 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.000626087 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.001394987 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.001497984 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.001523018 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.001569033 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.006109953 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.006216049 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.006297112 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.069289923 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.069364071 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.069497108 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.070844889 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.071480036 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.071583986 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.071618080 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.071770906 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.074908018 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.074999094 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.075032949 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.076297998 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.078305960 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.078377962 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.078443050 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.081516981 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.081743956 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.082246065 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.084759951 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.084849119 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.084948063 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.085489988 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.088145971 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.088279009 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.088290930 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.088371038 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.091110945 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.091186047 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.091204882 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.092289925 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.094338894 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.094455957 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.094784021 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.097489119 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.097565889 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.097651005 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.100131035 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.100363016 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.100434065 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.103085995 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.103207111 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.103208065 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.103686094 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.106101990 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.106262922 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.106349945 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.109128952 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.109260082 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.109325886 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.109627008 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.112190962 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.112299919 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.112322092 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.113217115 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.115175009 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.115278959 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.115355015 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.116208076 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.117935896 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.118029118 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.118079901 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.118120909 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.120660067 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.120795965 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.121015072 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.121104956 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.123327971 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.123389006 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.123425961 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.123518944 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.126074076 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.126177073 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.126343012 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.127752066 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.127856016 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.127892017 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.128146887 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.129507065 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.129606962 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.129719019 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.131273031 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.131334066 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.131397963 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.131604910 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.132998943 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.133126020 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.133294106 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.133332968 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.134728909 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.134794950 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.134851933 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.134919882 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.136573076 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.136677027 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.136712074 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.136775017 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.138434887 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.138505936 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.138617039 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.140074968 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.140221119 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.140269995 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.140398026 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.141715050 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.141971111 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.142031908 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.143563986 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.143650055 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.144117117 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.145385981 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.145440102 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.145495892 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.145601034 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.146923065 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.147012949 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.147340059 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.147340059 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.148617029 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.148665905 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.149856091 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.149897099 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.150353909 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.150450945 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.150475025 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.150554895 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.152148962 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.152231932 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.152312994 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:56:53.153883934 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.153969049 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:56:53.154078960 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.216892958 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.216950893 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.216958046 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.217061996 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.217061996 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.217221022 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.217228889 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.217494965 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.224874973 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.225014925 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.225205898 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.225435972 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.233800888 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.233844995 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.233894110 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.233942986 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.242491961 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.242547989 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.242605925 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.242656946 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.251163006 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.251224995 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.251243114 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.251300097 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.329651117 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.329693079 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.329853058 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.336982012 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.338205099 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.412269115 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.412370920 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.412477970 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.412477970 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.416392088 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.416662931 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.417908907 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.417995930 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.418009043 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.418548107 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.426357031 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.426404953 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.426491976 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.434636116 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.434817076 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.435086012 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.442955017 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.443057060 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.443377018 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.451304913 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.451406956 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.451518059 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.459656954 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.459805965 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.459817886 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.460000992 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.468091965 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.468194962 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.468338013 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.476409912 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.476563931 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.476717949 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.482085943 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.482219934 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.482297897 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.487771034 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.487932920 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.488223076 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.493289948 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.493412018 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.493546963 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.521862030 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.521878004 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.521995068 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.523360014 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.523489952 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.523612976 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.523612976 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.528827906 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.528878927 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.529006958 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.529006958 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.606504917 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.606635094 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.606827021 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.609179020 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.609478951 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.610234022 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.610331059 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.610516071 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.615926027 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.616024017 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.616422892 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.622020006 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.622087002 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.622199059 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.627285957 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.627331972 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.627407074 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.632811069 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.632941961 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.633752108 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.637435913 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.637523890 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.637756109 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.642062902 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.642189026 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.642440081 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.646600008 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.646682024 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.646689892 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.646748066 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.651103020 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.651247025 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.651338100 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.655704975 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.655793905 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.656194925 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.660264015 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.660408020 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.660738945 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.664591074 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.664716959 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.665004969 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.668988943 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.669030905 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.669121981 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.673310041 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.673420906 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.673490047 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.677676916 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.677798986 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.678203106 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.682024002 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.682142973 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.683346987 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.686393976 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.686494112 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.687340975 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.690743923 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.690860987 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.691329002 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.695091009 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.695193052 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.695414066 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.699450016 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.699580908 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.699803114 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.703886986 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.704041004 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.704062939 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.704102039 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.708153963 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.708271980 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.708419085 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.727011919 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.727154970 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.727341890 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.729198933 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.729304075 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.729321957 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.729362965 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.733733892 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.734045029 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.799216986 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.799320936 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.799490929 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.800846100 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.800952911 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.800987005 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.801129103 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.804018974 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.804229975 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.804642916 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.807135105 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.807238102 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.807470083 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.810277939 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.810395002 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.810584068 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.813332081 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.813430071 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.813435078 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.813839912 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.816401005 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.816504955 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.816617012 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.819396019 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.819458961 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.819550037 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.822396994 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.822527885 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.822644949 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.825205088 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.825349092 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.825365067 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.825440884 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.828035116 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.828185081 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.828327894 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.830746889 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.830930948 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.831003904 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.833472967 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.833568096 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.833744049 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.833987951 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.836215019 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.836333036 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.836565971 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.838897943 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.839040041 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.839333057 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.841526031 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.841626883 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.841705084 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.841877937 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.844192982 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.844299078 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.844422102 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.846868038 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.846961975 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.847107887 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.849533081 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.849667072 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.849677086 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.849733114 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.852232933 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.852319002 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.852440119 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.855217934 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.855288982 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.855309010 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.855333090 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.856707096 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.856796026 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.856811047 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.856878996 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.858464003 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.858532906 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.858613968 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.858999014 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.860322952 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.860399008 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.860515118 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.860590935 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.861999989 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.862071991 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.862214088 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.862286091 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.863755941 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.863890886 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.863909006 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.863997936 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.865547895 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.865652084 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.865667105 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.865822077 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.867302895 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.867419958 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.867634058 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.867634058 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.869174957 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.869261980 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.869395018 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.869492054 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.870836973 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.870920897 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.870994091 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.872590065 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.872699022 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.872735977 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.872770071 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.874381065 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.874432087 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.874506950 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.874711037 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.876233101 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.876409054 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.876677990 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.877361059 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.877897024 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.877986908 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.878002882 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.878278971 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.905131102 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.905247927 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.905251026 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.905410051 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.906019926 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.906116962 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.906143904 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.906286001 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:17.907807112 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.907929897 CET	8817	49745	94.232.46.11	192.168.2.4
Dec 17, 2024 17:57:17.908020020 CET	49745	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:57:29.482824087 CET	49813	8817	192.168.2.4	94.232.40.41
Dec 17, 2024 17:57:29.603378057 CET	8817	49813	94.232.40.41	192.168.2.4
Dec 17, 2024 17:57:29.606033087 CET	49813	8817	192.168.2.4	94.232.40.41
Dec 17, 2024 17:57:29.608772993 CET	49813	8817	192.168.2.4	94.232.40.41
Dec 17, 2024 17:57:29.728387117 CET	8817	49813	94.232.40.41	192.168.2.4
Dec 17, 2024 17:57:31.478239059 CET	8817	49813	94.232.40.41	192.168.2.4
Dec 17, 2024 17:57:31.478331089 CET	49813	8817	192.168.2.4	94.232.40.41
Dec 17, 2024 17:57:31.478894949 CET	49813	8817	192.168.2.4	94.232.40.41
Dec 17, 2024 17:57:31.480083942 CET	49813	8817	192.168.2.4	94.232.40.41
Dec 17, 2024 17:57:31.598598003 CET	8817	49813	94.232.40.41	192.168.2.4
Dec 17, 2024 17:57:31.599893093 CET	8817	49813	94.232.40.41	192.168.2.4
Dec 17, 2024 17:57:40.803729057 CET	8817	49813	94.232.40.41	192.168.2.4
Dec 17, 2024 17:57:40.803924084 CET	49813	8817	192.168.2.4	94.232.40.41
Dec 17, 2024 17:57:57.166527033 CET	49876	8817	192.168.2.4	94.232.40.41
Dec 17, 2024 17:57:57.286201000 CET	8817	49876	94.232.40.41	192.168.2.4
Dec 17, 2024 17:57:57.286283970 CET	49876	8817	192.168.2.4	94.232.40.41
Dec 17, 2024 17:57:57.286619902 CET	49876	8817	192.168.2.4	94.232.40.41
Dec 17, 2024 17:57:57.406363964 CET	8817	49876	94.232.40.41	192.168.2.4
Dec 17, 2024 17:58:01.301387072 CET	8817	49876	94.232.40.41	192.168.2.4
Dec 17, 2024 17:58:01.301409960 CET	8817	49876	94.232.40.41	192.168.2.4
Dec 17, 2024 17:58:01.301423073 CET	8817	49876	94.232.40.41	192.168.2.4
Dec 17, 2024 17:58:01.301459074 CET	49876	8817	192.168.2.4	94.232.40.41
Dec 17, 2024 17:58:01.301501989 CET	49876	8817	192.168.2.4	94.232.40.41
Dec 17, 2024 17:58:01.307861090 CET	49876	8817	192.168.2.4	94.232.40.41
Dec 17, 2024 17:58:01.427820921 CET	8817	49876	94.232.40.41	192.168.2.4
Dec 17, 2024 17:58:01.721941948 CET	8817	49876	94.232.40.41	192.168.2.4
Dec 17, 2024 17:58:01.722022057 CET	49876	8817	192.168.2.4	94.232.40.41
Dec 17, 2024 17:58:01.722939968 CET	49876	8817	192.168.2.4	94.232.40.41
Dec 17, 2024 17:58:01.844367981 CET	8817	49876	94.232.40.41	192.168.2.4
Dec 17, 2024 17:58:02.872107029 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:58:02.872307062 CET	49731	8817	192.168.2.4	94.232.40.41
Dec 17, 2024 17:58:02.999038935 CET	8817	49743	94.232.46.11	192.168.2.4
Dec 17, 2024 17:58:02.999110937 CET	49743	8817	192.168.2.4	94.232.46.11
Dec 17, 2024 17:58:02.999566078 CET	8817	49731	94.232.40.41	192.168.2.4
Dec 17, 2024 17:58:02.999717951 CET	49731	8817	192.168.2.4	94.232.40.41
Dec 17, 2024 17:58:09.160522938 CET	8817	49876	94.232.40.41	192.168.2.4
Dec 17, 2024 17:58:09.163168907 CET	49876	8817	192.168.2.4	94.232.40.41
Dec 17, 2024 17:58:10.337786913 CET	8817	49738	94.232.46.11	192.168.2.4
Dec 17, 2024 17:58:10.337867022 CET	49738	8817	192.168.2.4	94.232.46.11

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 17, 2024 17:56:12.926729918 CET	59470	53	192.168.2.4	1.1.1.1
Dec 17, 2024 17:56:13.408344030 CET	53	59470	1.1.1.1	192.168.2.4
Dec 17, 2024 17:56:23.329881907 CET	50841	53	192.168.2.4	1.1.1.1
Dec 17, 2024 17:56:23.720669985 CET	53	50841	1.1.1.1	192.168.2.4
Dec 17, 2024 17:56:35.120892048 CET	58730	53	192.168.2.4	1.1.1.1
Dec 17, 2024 17:56:36.024980068 CET	53	58730	1.1.1.1	192.168.2.4
Dec 17, 2024 17:57:56.344049931 CET	51621	53	192.168.2.4	1.1.1.1
Dec 17, 2024 17:57:57.165288925 CET	53	51621	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 17, 2024 17:56:12.926729918 CET	192.168.2.4	1.1.1.1	0x4260	Standard query (0)	cronoze.com	A (IP address)	IN (0x0001)	false
Dec 17, 2024 17:56:23.329881907 CET	192.168.2.4	1.1.1.1	0x9c5f	Standard query (0)	muuxxu.com	A (IP address)	IN (0x0001)	false
Dec 17, 2024 17:56:35.120892048 CET	192.168.2.4	1.1.1.1	0x5c84	Standard query (0)	muuxxu.com	A (IP address)	IN (0x0001)	false
Dec 17, 2024 17:57:56.344049931 CET	192.168.2.4	1.1.1.1	0xa1ff	Standard query (0)	cronoze.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 17, 2024 17:56:13.408344030 CET	1.1.1.1	192.168.2.4	0x4260	No error (0)	cronoze.com	94.232.40.41	A (IP address)	IN (0x0001)	false
Dec 17, 2024 17:56:23.720669985 CET	1.1.1.1	192.168.2.4	0x9c5f	No error (0)	muuxxu.com	94.232.46.11	A (IP address)	IN (0x0001)	false
Dec 17, 2024 17:56:36.024980068 CET	1.1.1.1	192.168.2.4	0x5c84	No error (0)	muuxxu.com	94.232.46.11	A (IP address)	IN (0x0001)	false
Dec 17, 2024 17:57:57.165288925 CET	1.1.1.1	192.168.2.4	0xa1ff	No error (0)	cronoze.com	94.232.40.41	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	11:56:05
Start date:	17/12/2024
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe "C:\Users\user\Desktop\appgpuset.dll.dll"
Imagebase:	0x7ff6e3340000
File size:	165'888 bytes
MD5 hash:	763455F9DCB24DFEECC2B9D9F8D46D52
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	11:56:05
Start date:	17/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:56:05
Start date:	17/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",#1
Imagebase:	0x7ff7b46d0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:56:05
Start date:	17/12/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\appgpuset.dll.dll,DllMain
Imagebase:	0x7ff7a1420000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	11:56:05
Start date:	17/12/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",#1
Imagebase:	0x7ff7a1420000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	11:56:06
Start date:	17/12/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7544 -s 488
Imagebase:	0x7ff782850000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	11:56:06
Start date:	17/12/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7560 -s 500
Imagebase:	0x7ff782850000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	11:56:08
Start date:	17/12/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\appgpuset.dll.dll,GfeXcodeFunc
Imagebase:	0x7ff7a1420000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 0000000A.00000002.2962176181.000001E0D3354000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 0000000A.00000002.2962176181.000001E0D32AC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 0000000A.00000002.2962681517.000001E0D33F4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	11:56:11
Start date:	17/12/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\appgpuset.dll.dll,GfeXcodeFuncEx
Imagebase:	0x7ff7a1420000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	11:56:11
Start date:	17/12/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7848 -s 492
Imagebase:	0x7ff782850000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	11:56:14
Start date:	17/12/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",DllMain
Imagebase:	0x7ff7a1420000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	11:56:14
Start date:	17/12/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",GfeXcodeFunc
Imagebase:	0x7ff7a1420000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 0000000F.00000003.2414624070.000001FE3A46B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 0000000F.00000002.2962539764.000001FE3A5AC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 0000000F.00000002.2962539764.000001FE3A53C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 0000000F.00000003.2414485576.000001FE3A46B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_BruteRatel_1, Description: Yara detected BruteRatel, Source: 0000000F.00000002.2962097879.000001FE3A43C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	11:56:15
Start date:	17/12/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",GfeXcodeFuncEx
Imagebase:	0x7ff7a1420000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	11:56:15
Start date:	17/12/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",NvOptimusEnablementCuda
Imagebase:	0x7ff7a1420000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	11:56:15
Start date:	17/12/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",NVSDK_NGX_CUDA_Shutdown
Imagebase:	0x7ff7a1420000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	11:56:15
Start date:	17/12/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",NVSDK_NGX_CUDA_ReleaseFeature
Imagebase:	0x7ff7a1420000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	11:56:15
Start date:	17/12/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",NVSDK_NGX_CUDA_Init
Imagebase:	0x7ff7a1420000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	11:56:15
Start date:	17/12/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",NVSDK_NGX_CUDA_GetScratchBufferSize
Imagebase:	0x7ff7a1420000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	11:56:15
Start date:	17/12/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",NVSDK_NGX_CUDA_GetParameters
Imagebase:	0x7ff7a1420000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	11:56:15
Start date:	17/12/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",NVSDK_NGX_CUDA_EvaluateFeature
Imagebase:	0x7ff7a1420000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	11:56:15
Start date:	17/12/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",NVSDK_NGX_CUDA_CreateFeature
Imagebase:	0x7ff7a1420000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	11:56:15
Start date:	17/12/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",GfeXcodeMontage
Imagebase:	0x7ff7a1420000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	11:56:15
Start date:	17/12/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",GfeXcodeImageEx
Imagebase:	0x7ff7a1420000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	11:56:15
Start date:	17/12/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\appgpuset.dll.dll",GfeXcodeImage
Imagebase:	0x7ff7a1420000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	11:56:18
Start date:	17/12/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 8036 -s 488
Imagebase:	0x7ff782850000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	11:56:52
Start date:	17/12/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff72b770000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	0.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	16.7%
Total number of Nodes:	264
Total number of Limit Nodes:	8

Executed Functions

Function 00000001800026C0 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 269
stringCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000180002CB0: GetModuleFileNameW.KERNEL32 ref: 0000000180002CFC

GetModuleFileNameW.KERNEL32 ref: 000000018000276F
SHGetSpecialFolderPathW.SHELL32 ref: 0000000180002786
lstrcatW.KERNEL32 ref: 000000018000279A
lstrcatW.KERNEL32 ref: 00000001800027AE
lstrcatW.KERNEL32 ref: 00000001800027C2
lstrcatW.KERNEL32 ref: 00000001800027D6
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0000000180002B4F

Strings

GfeXcodeFunc, xrefs: 0000000180002A43
\NTUSER.DAT.Not, xrefs: 000000018000278C

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: lstrcat$FileModuleName$FolderIos_base_dtorPathSpecialstd::ios_base::_
String ID: GfeXcodeFunc$\NTUSER.DAT.Not
API String ID: 2606783807-3673055099
Opcode ID: f4fb330f2fce6a57cdb251511d5a633e98aa520d2ba9185056906fd6c2a3254f
Instruction ID: 5b91f0b68c497ecbefdd096ad22c36a01d1dfa7b74f7b8fae1d4cb91b2026b10
Opcode Fuzzy Hash: f4fb330f2fce6a57cdb251511d5a633e98aa520d2ba9185056906fd6c2a3254f
Instruction Fuzzy Hash: 0EE15B32224B8989EBA1DF24D8943DD3761F7897C8F809126F64D47AA9DF74C64DC740

Function 000001E39FB40B00 Relevance: 4.1, APIs: 3, Instructions: 371
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 000001E39FB40C5E
VirtualAlloc.KERNELBASE ref: 000001E39FB40CCC

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 7479d515978b8398c8f18a7fbb8c6ce0b9f2a044b6e8d29228c90f9ede51720f
Instruction ID: d03f58698cf5876a861dbf7134dbb03b1309629b8e3cd6cb6ed4dc1e74f96972
Opcode Fuzzy Hash: 7479d515978b8398c8f18a7fbb8c6ce0b9f2a044b6e8d29228c90f9ede51720f
Instruction Fuzzy Hash: 6AE10D30218B899FE794DF18C098B6AB7E0FB9C359F50496DE489C72A1D774D9C1CB06

Non-executed Functions

Function 00000001800330A8 Relevance: 29.1, APIs: 19, Instructions: 555
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00000001800341D7

Part of subcall function 000000018002F34C: _getptd.LIBCMT ref: 000000018002F362
Part of subcall function 000000018002F34C: __updatetlocinfo.LIBCMT ref: 000000018002F397
Part of subcall function 000000018002F34C: __updatetmbcinfo.LIBCMT ref: 000000018002F3BE

_malloc_crt.LIBCMT ref: 00000001800341FE

Part of subcall function 0000000180031B68: malloc.LIBCMT ref: 0000000180031B93
Part of subcall function 0000000180031B68: Sleep.KERNEL32(?,?,00000000,00000001800302E4,?,?,00000000,00000001800301E3,?,?,00000000,0000000180038B02,?,?,00000000,0000000180038A6E), ref: 0000000180031BA6

_invoke_watson.LIBCMT ref: 0000000180034821
_invoke_watson.LIBCMT ref: 0000000180034837
_invoke_watson.LIBCMT ref: 000000018003484D
_invoke_watson.LIBCMT ref: 0000000180034863
_invoke_watson.LIBCMT ref: 0000000180034879
_invoke_watson.LIBCMT ref: 000000018003488F
_invoke_watson.LIBCMT ref: 00000001800348A5
_invoke_watson.LIBCMT ref: 00000001800348BB
_invoke_watson.LIBCMT ref: 00000001800348D1
_invoke_watson.LIBCMT ref: 00000001800348E7
_invoke_watson.LIBCMT ref: 00000001800348FD
_invoke_watson.LIBCMT ref: 0000000180034913
_invoke_watson.LIBCMT ref: 0000000180034929
_invoke_watson.LIBCMT ref: 000000018003493F
_invoke_watson.LIBCMT ref: 0000000180034955
_invoke_watson.LIBCMT ref: 000000018003496B
_invoke_watson.LIBCMT ref: 0000000180034981

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: _invoke_watson$Locale$SleepUpdateUpdate::___updatetlocinfo__updatetmbcinfo_getptd_malloc_crtmalloc
String ID:
API String ID: 3294838543-0
Opcode ID: 521078f5cd82ac0f084921f5033d007348db3b2902225dc428b05784ca17b11c
Instruction ID: 084eb429915106ff2183acdcc5e5956807c1a06688872eada26f31bf39ac8827
Opcode Fuzzy Hash: 521078f5cd82ac0f084921f5033d007348db3b2902225dc428b05784ca17b11c
Instruction Fuzzy Hash: C8220332320A4882EBA7DA65E51A3EF2391F7497C4F45D126EF4E8E695DF38D6098300

Function 00000001800176E4 Relevance: 22.1, APIs: 10, Strings: 2, Instructions: 1114COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000F2A8: std::_Lockit::_Lockit.LIBCPMT ref: 000000018000F2C9
Part of subcall function 000000018000F2A8: std::_Lockit::_Lockit.LIBCPMT ref: 000000018000F2EE

_Mpunct.LIBCPMT ref: 00000001800178AF
_Mpunct.LIBCPMT ref: 0000000180017E71
_Mpunct.LIBCPMT ref: 0000000180017E94
_Mpunct.LIBCPMT ref: 0000000180017F99
_Mpunct.LIBCPMT ref: 0000000180017FFE
_Mpunct.LIBCPMT ref: 0000000180018024
_Mpunct.LIBCPMT ref: 000000018001812B
_Mpunct.LIBCPMT ref: 0000000180018191
_Mpunct.LIBCPMT ref: 00000001800181D6
_Mpunct.LIBCPMT ref: 000000018001821B

Strings

0123456789-, xrefs: 000000018001783F, 00000001800179A1, 0000000180017BCB, 0000000180017DB4
, xrefs: 000000018001850A

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: Mpunct$LockitLockit::_std::_
String ID: $0123456789-
API String ID: 491317670-700845222
Opcode ID: bfea4566b3dd4f2453845a7a2c0565e6247bc10b50b38d8d916d4313fb2cf9fb
Instruction ID: a70e222771d2648924d77d9fb61618b5019d1f7d64ecee5f6b6d25d0e3028cf4
Opcode Fuzzy Hash: bfea4566b3dd4f2453845a7a2c0565e6247bc10b50b38d8d916d4313fb2cf9fb
Instruction Fuzzy Hash: 99A26D32704A8885EBA68B65D0503ED27B1FB49BC8F54D016EE4E1BB96DF34CB99D340

Function 0000000180016744 Relevance: 22.1, APIs: 10, Strings: 2, Instructions: 1110COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000F048: std::_Lockit::_Lockit.LIBCPMT ref: 000000018000F069
Part of subcall function 000000018000F048: std::_Lockit::_Lockit.LIBCPMT ref: 000000018000F08E

_Mpunct.LIBCPMT ref: 000000018001690F
_Mpunct.LIBCPMT ref: 0000000180016ED1
_Mpunct.LIBCPMT ref: 0000000180016EF4
_Mpunct.LIBCPMT ref: 0000000180016FF9
_Mpunct.LIBCPMT ref: 000000018001705E
_Mpunct.LIBCPMT ref: 0000000180017084
_Mpunct.LIBCPMT ref: 000000018001718B
_Mpunct.LIBCPMT ref: 00000001800171F1
_Mpunct.LIBCPMT ref: 0000000180017236
_Mpunct.LIBCPMT ref: 000000018001727B

Strings

0123456789-, xrefs: 000000018001689F, 0000000180016A01, 0000000180016C2B, 0000000180016E14
, xrefs: 000000018001756A

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: Mpunct$LockitLockit::_std::_
String ID: $0123456789-
API String ID: 491317670-700845222
Opcode ID: 7023ceb1d819ec1a1cf44c7629e55f05b0496f09250da5da42953131b9d5b64b
Instruction ID: 80943f5e6f8277e2c6515c65fe0f4c286d5afc9ab992b988177440c4078c9487
Opcode Fuzzy Hash: 7023ceb1d819ec1a1cf44c7629e55f05b0496f09250da5da42953131b9d5b64b
Instruction Fuzzy Hash: 3FA26F32B04A8885EBA68B65D4503ED27B1FB49BC8F54D416FE4E17BA5DF34CA99C300

Function 0000000180024F60 Relevance: 22.1, APIs: 10, Strings: 2, Instructions: 1051COMMON

Download Yara Rule

APIs

Part of subcall function 0000000180023DE4: std::_Lockit::_Lockit.LIBCPMT ref: 0000000180023E05
Part of subcall function 0000000180023DE4: std::_Lockit::_Lockit.LIBCPMT ref: 0000000180023E2A

_Mpunct.LIBCPMT ref: 0000000180025125
_Mpunct.LIBCPMT ref: 0000000180025675
_Mpunct.LIBCPMT ref: 0000000180025692
_Mpunct.LIBCPMT ref: 0000000180025784
_Mpunct.LIBCPMT ref: 00000001800257BB
_Mpunct.LIBCPMT ref: 00000001800257DF
_Mpunct.LIBCPMT ref: 00000001800258D3
_Mpunct.LIBCPMT ref: 0000000180025908
_Mpunct.LIBCPMT ref: 0000000180025948
_Mpunct.LIBCPMT ref: 0000000180025988

Strings

, xrefs: 0000000180025C35
0123456789-, xrefs: 00000001800250C1, 0000000180025202, 000000018002540A, 00000001800255C0

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: Mpunct$LockitLockit::_std::_
String ID: $0123456789-
API String ID: 491317670-700845222
Opcode ID: 5b1f11ae308e5f978eadb6c2e653d3aa161437b62689c1e79878b92cd71a40da
Instruction ID: 357b8073b20dd1810e5d3b735acf5af2621e0edfda92cd437dcbf710b5a8daa8
Opcode Fuzzy Hash: 5b1f11ae308e5f978eadb6c2e653d3aa161437b62689c1e79878b92cd71a40da
Instruction Fuzzy Hash: 10A2C032604A8889FBA7CB65C4503EC27A1F749BC9F94C516EE8A1B7D6CF79C649C304

Function 000001E39FB54B74 Relevance: 10.2, APIs: 2, Strings: 3, Instructions: 1427COMMON

Download Yara Rule

APIs

Part of subcall function 000001E39FB5099C: std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB509BD
Part of subcall function 000001E39FB5099C: std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB509E2

_Mpunct.LIBCPMT ref: 000001E39FB54C12
localeconv.LIBCMT ref: 000001E39FB552AB

Strings

$, xrefs: 000001E39FB551C2
$, xrefs: 000001E39FB55419
$, xrefs: 000001E39FB54F8E

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: LockitLockit::_std::_$Mpunctlocaleconv
String ID: $$$$$
API String ID: 3643605086-798797307
Opcode ID: de7f32cb9cfaedb0ef4f0bd285982f3d11804978a18d4d72b42dcd5140998823
Instruction ID: 6a8335bab50c393fcc326d0d23e9c5685a0bbcdb53868082062725f49c10c782
Opcode Fuzzy Hash: de7f32cb9cfaedb0ef4f0bd285982f3d11804978a18d4d72b42dcd5140998823
Instruction Fuzzy Hash: 5BA2B530218A858FEB68DF18C0587BD77E1FF5930DF644159E8AAC7293D7A8DE828741

Function 000001E39FB557C0 Relevance: 10.2, APIs: 2, Strings: 3, Instructions: 1427COMMON

Download Yara Rule

APIs

Part of subcall function 000001E39FB50ACC: std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB50AED
Part of subcall function 000001E39FB50ACC: std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB50B12

_Mpunct.LIBCPMT ref: 000001E39FB5585E
localeconv.LIBCMT ref: 000001E39FB55EF7

Strings

$, xrefs: 000001E39FB55BDA
$, xrefs: 000001E39FB55E0E
$, xrefs: 000001E39FB56065

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: LockitLockit::_std::_$Mpunctlocaleconv
String ID: $$$$$
API String ID: 3643605086-798797307
Opcode ID: 739dda484fa1ff785b454b709008984a0ecd5e28b60eb90b212d17772f0f97fb
Instruction ID: 9582ffe3ae076cc810f0758bf895f7f0d726f26a7b38ded4000e8fd34709ff2b
Opcode Fuzzy Hash: 739dda484fa1ff785b454b709008984a0ecd5e28b60eb90b212d17772f0f97fb
Instruction Fuzzy Hash: 64A2B430218A868FEB64DF18C0587BD77E1FF5930DF645158E8A6C7293DBA8DE828741

Function 000001E39FB4A77C Relevance: 10.1, APIs: 2, Strings: 3, Instructions: 1364COMMON

Download Yara Rule

APIs

Part of subcall function 000001E39FB49304: std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB49325
Part of subcall function 000001E39FB49304: std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB4934A

_Mpunct.LIBCPMT ref: 000001E39FB4A816
localeconv.LIBCMT ref: 000001E39FB4AE3B

Strings

$, xrefs: 000001E39FB4AF8A
$, xrefs: 000001E39FB4AB50
$, xrefs: 000001E39FB4AD6B

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: LockitLockit::_std::_$Mpunctlocaleconv
String ID: $$$$$
API String ID: 3643605086-798797307
Opcode ID: 46d5899b347bd0327edc0bc1417850ad2dee7be2ed0c972db27f3b5199f6fb28
Instruction ID: 141643453c610bd484251f6fe7fbfc1a3cf02563037877ab8e0c3958ddfd1e49
Opcode Fuzzy Hash: 46d5899b347bd0327edc0bc1417850ad2dee7be2ed0c972db27f3b5199f6fb28
Instruction Fuzzy Hash: 1BA27030218DC98FEB59DF18C2987BD7BE5FF59318F645188D8A6C7293C7A0D9828741

Function 000001E39FB53524 Relevance: 10.1, APIs: 2, Strings: 3, Instructions: 1307COMMON

Download Yara Rule

APIs

_Mpunct.LIBCPMT ref: 000001E39FB535E1

Part of subcall function 000001E39FB54B74: _Mpunct.LIBCPMT ref: 000001E39FB54C12

Strings

$, xrefs: 000001E39FB53A55
$, xrefs: 000001E39FB53CAC
$, xrefs: 000001E39FB5381A

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: Mpunct
String ID: $$$$$
API String ID: 4240859931-798797307
Opcode ID: dea8d81eb90b03ea093bd0c9c32d4d62896bdf0c9c8810b07f5e772d70f40c4e
Instruction ID: 08c9b308af38ffd69162ba0d1b1c7eb29a039ac045f3c413c71dd55e4285b8b8
Opcode Fuzzy Hash: dea8d81eb90b03ea093bd0c9c32d4d62896bdf0c9c8810b07f5e772d70f40c4e
Instruction Fuzzy Hash: 0E92C730218A858FEB68DF18C0597BD77E2FF55308F68515DE8A6C7383D7A8D9828781

Function 000001E39FB5404C Relevance: 10.1, APIs: 2, Strings: 3, Instructions: 1307COMMON

Download Yara Rule

APIs

_Mpunct.LIBCPMT ref: 000001E39FB54109

Part of subcall function 000001E39FB557C0: _Mpunct.LIBCPMT ref: 000001E39FB5585E

Strings

$, xrefs: 000001E39FB547D4
$, xrefs: 000001E39FB5457D
$, xrefs: 000001E39FB54342

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: Mpunct
String ID: $$$$$
API String ID: 4240859931-798797307
Opcode ID: a45883884af2f9092d6930d5bc0ae63167e6dbfecd7940f0f8a18dacc5b11785
Instruction ID: de93e2d37bf169eb27bd8a44d6bed00c53eeaded341f6bc917ef1e98269d7581
Opcode Fuzzy Hash: a45883884af2f9092d6930d5bc0ae63167e6dbfecd7940f0f8a18dacc5b11785
Instruction Fuzzy Hash: 5992C33021CA86CFEB689F18D0697BD73E1FF55308F745158E8A6C7193CBA8D9828781

Function 000001E39FB49D40 Relevance: 10.0, APIs: 2, Strings: 3, Instructions: 1240COMMON

Download Yara Rule

APIs

_Mpunct.LIBCPMT ref: 000001E39FB49DFC

Part of subcall function 000001E39FB4A77C: _Mpunct.LIBCPMT ref: 000001E39FB4A816

Strings

$, xrefs: 000001E39FB49FFF
$, xrefs: 000001E39FB4A428
$, xrefs: 000001E39FB4A216

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: Mpunct
String ID: $$$$$
API String ID: 4240859931-798797307
Opcode ID: 250d299e7546f7b33e44016f3427d9e28b995195a33efc58c9659dec02ea6d6c
Instruction ID: 42b96dfc823a4ecfd68ba5b99b5e1ebfcc6db1bc847207affe0ddd9ad945480b
Opcode Fuzzy Hash: 250d299e7546f7b33e44016f3427d9e28b995195a33efc58c9659dec02ea6d6c
Instruction Fuzzy Hash: AC92B030618D898FEB699F18C2997FC77E5FB56318F644188D8AAC71C3C7A0DA868741

Function 000000018001B924 Relevance: 6.5, APIs: 4, Instructions: 543COMMON

Download Yara Rule

APIs

_Mpunct.LIBCPMT ref: 000000018001BA07
_Mpunct.LIBCPMT ref: 000000018001BB21
_Mpunct.LIBCPMT ref: 000000018001BBAA

Part of subcall function 000000018000F2A8: std::_Lockit::_Lockit.LIBCPMT ref: 000000018000F2C9
Part of subcall function 000000018000F2A8: std::_Lockit::_Lockit.LIBCPMT ref: 000000018000F2EE

_Mpunct.LIBCPMT ref: 000000018001BB3A

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: Mpunct$LockitLockit::_std::_
String ID:
API String ID: 491317670-0
Opcode ID: 32a054681ada761a3f21b934110cbacde2a58451cc4452ceb2e2b32a685144d7
Instruction ID: ae333f1357bb5ac04765cce638402cad7685101a5c7d4aa2e7d208c612dcf27a
Opcode Fuzzy Hash: 32a054681ada761a3f21b934110cbacde2a58451cc4452ceb2e2b32a685144d7
Instruction Fuzzy Hash: 1F32B032604E9885EBA68F25D8453ED63A4F75CBC8F548111FB8957B99EF38CA89C340

Function 000000018001B138 Relevance: 6.5, APIs: 4, Instructions: 543COMMON

Download Yara Rule

APIs

_Mpunct.LIBCPMT ref: 000000018001B21B
_Mpunct.LIBCPMT ref: 000000018001B335
_Mpunct.LIBCPMT ref: 000000018001B3BE

Part of subcall function 000000018000F048: std::_Lockit::_Lockit.LIBCPMT ref: 000000018000F069
Part of subcall function 000000018000F048: std::_Lockit::_Lockit.LIBCPMT ref: 000000018000F08E

_Mpunct.LIBCPMT ref: 000000018001B34E

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: Mpunct$LockitLockit::_std::_
String ID:
API String ID: 491317670-0
Opcode ID: d8653a78ccc0500016ee3a39bc8ed8050953f96735a7a63760c9342397005fa0
Instruction ID: 4647e442d3bcfc851c9f4701ce4f14d67acf718bc96bb144a9f397481643842c
Opcode Fuzzy Hash: d8653a78ccc0500016ee3a39bc8ed8050953f96735a7a63760c9342397005fa0
Instruction Fuzzy Hash: 9C32B132604E9886EBA29F25D8453ED63A5F758BC8F54C111FF8957B99EF38C689C300

Function 0000000180026890 Relevance: 6.5, APIs: 4, Instructions: 524COMMON

Download Yara Rule

APIs

_Mpunct.LIBCPMT ref: 000000018002696A
_Mpunct.LIBCPMT ref: 0000000180026AA6
_Mpunct.LIBCPMT ref: 0000000180026B14

Part of subcall function 0000000180023DE4: std::_Lockit::_Lockit.LIBCPMT ref: 0000000180023E05
Part of subcall function 0000000180023DE4: std::_Lockit::_Lockit.LIBCPMT ref: 0000000180023E2A

_Mpunct.LIBCPMT ref: 0000000180026AC2

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: Mpunct$LockitLockit::_std::_
String ID:
API String ID: 491317670-0
Opcode ID: 72a7ac2e2c1f111e1b61ae734374779d00f08ed685c08311d7ac3453d226d6ed
Instruction ID: 2589bcd918802237b5c990292f2751727b1abcad383ca43231b0e5c6f6b0472f
Opcode Fuzzy Hash: 72a7ac2e2c1f111e1b61ae734374779d00f08ed685c08311d7ac3453d226d6ed
Instruction Fuzzy Hash: 93324E72A04BC885EB678F25C4503ED6761F399BC8F54C112EA8D57BAADF39C689C340

Function 00000001800147EC Relevance: 6.2, APIs: 2, Strings: 1, Instructions: 962COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000FAF8: std::_Lockit::_Lockit.LIBCPMT ref: 000000018000FB19
Part of subcall function 000000018000FAF8: std::_Lockit::_Lockit.LIBCPMT ref: 000000018000FB3E

_Mpunct.LIBCPMT ref: 000000018001488A
localeconv.LIBCMT ref: 0000000180014F23

Strings

0123456789ABCDEFabcdef-+XxPp, xrefs: 00000001800148DA, 0000000180014C1B, 0000000180014E4D, 0000000180015096, 00000001800153AC

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: LockitLockit::_std::_$Mpunctlocaleconv
String ID: 0123456789ABCDEFabcdef-+XxPp
API String ID: 3643605086-3606100449
Opcode ID: 94432bfd2f8d95df277d2e9dbc6edac5d8f0baf28bc49a8a7a32c7f5d36230e7
Instruction ID: 5ab51ccc94a7dab44ec95765bb0b019680b649c223dae5af60e6b35ee96dccf9
Opcode Fuzzy Hash: 94432bfd2f8d95df277d2e9dbc6edac5d8f0baf28bc49a8a7a32c7f5d36230e7
Instruction Fuzzy Hash: C8925E37204A88C5EBA68B65C1503FD37A1FB49BC4F54C016EE9A1BBA5DF35CA5AC310

Function 0000000180013BA0 Relevance: 6.2, APIs: 2, Strings: 1, Instructions: 962COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000F9C8: std::_Lockit::_Lockit.LIBCPMT ref: 000000018000F9E9
Part of subcall function 000000018000F9C8: std::_Lockit::_Lockit.LIBCPMT ref: 000000018000FA0E

_Mpunct.LIBCPMT ref: 0000000180013C3E
localeconv.LIBCMT ref: 00000001800142D7

Strings

0123456789ABCDEFabcdef-+XxPp, xrefs: 0000000180013C8E, 0000000180013FCF, 0000000180014201, 000000018001444A, 0000000180014760

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: LockitLockit::_std::_$Mpunctlocaleconv
String ID: 0123456789ABCDEFabcdef-+XxPp
API String ID: 3643605086-3606100449
Opcode ID: 2b3747df4bcc6815d0ca050ff0a1d26fc9399c5a2f48bb3d04cf2418fda5afce
Instruction ID: 15170c7321f925de93854cd2b60bf2d9794a6949502e19fd89cf563b34aba275
Opcode Fuzzy Hash: 2b3747df4bcc6815d0ca050ff0a1d26fc9399c5a2f48bb3d04cf2418fda5afce
Instruction Fuzzy Hash: 46927E37204A88C5EBA68B66D1503FD27A1FB49BC8F54C415EF5A1B7A1CF35CA9AC310

Function 00000001800097A8 Relevance: 6.2, APIs: 2, Strings: 1, Instructions: 928COMMON

Download Yara Rule

APIs

Part of subcall function 0000000180008330: std::_Lockit::_Lockit.LIBCPMT ref: 0000000180008351
Part of subcall function 0000000180008330: std::_Lockit::_Lockit.LIBCPMT ref: 0000000180008376

_Mpunct.LIBCPMT ref: 0000000180009842
localeconv.LIBCMT ref: 0000000180009E67

Strings

0123456789ABCDEFabcdef-+XxPp, xrefs: 0000000180009892, 0000000180009B91, 0000000180009D26, 0000000180009F44, 000000018000A219

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: LockitLockit::_std::_$Mpunctlocaleconv
String ID: 0123456789ABCDEFabcdef-+XxPp
API String ID: 3643605086-3606100449
Opcode ID: ee78207987aaf8e6898c223f5fdc8bfa83aea163ec8c7af802b6eb0c56abaefe
Instruction ID: 0951dfdd3adb040bfd2425e3f0e5ac157d4fc1802d06d2afbb1654cb7f49c3dd
Opcode Fuzzy Hash: ee78207987aaf8e6898c223f5fdc8bfa83aea163ec8c7af802b6eb0c56abaefe
Instruction Fuzzy Hash: A782B4323096888AFBA6CBA581503FD3BA1F74ABC4F54C115EF9907796CF25CA5AC310

Function 0000000180013078 Relevance: 6.1, APIs: 2, Strings: 1, Instructions: 870COMMON

Download Yara Rule

APIs

_Mpunct.LIBCPMT ref: 0000000180013135

Part of subcall function 00000001800147EC: _Mpunct.LIBCPMT ref: 000000018001488A

Strings

0123456789-+Ee, xrefs: 0000000180013192, 0000000180013383, 00000001800135BC, 0000000180013805, 0000000180013B1B

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: Mpunct
String ID: 0123456789-+Ee
API String ID: 4240859931-1347306980
Opcode ID: d972bc5eca4d0b82fe2e94bffa6b7d9434b9e5222b7b794ba326fb571b0aa537
Instruction ID: 7fa30803b5596d2040c40fa2d6deab6b9b1eebdfa1222772e05d0cd440f79c75
Opcode Fuzzy Hash: d972bc5eca4d0b82fe2e94bffa6b7d9434b9e5222b7b794ba326fb571b0aa537
Instruction Fuzzy Hash: E882A032208A8886FBA68B65C1523FD37A1FB49BC4F54C416EF4A17B95DF39CA59C310

Function 0000000180012550 Relevance: 6.1, APIs: 2, Strings: 1, Instructions: 870COMMON

Download Yara Rule

APIs

_Mpunct.LIBCPMT ref: 000000018001260D

Part of subcall function 0000000180013BA0: _Mpunct.LIBCPMT ref: 0000000180013C3E

Strings

0123456789-+Ee, xrefs: 000000018001266A, 000000018001285B, 0000000180012A94, 0000000180012CDD, 0000000180012FF3

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: Mpunct
String ID: 0123456789-+Ee
API String ID: 4240859931-1347306980
Opcode ID: 821b9d4d01ecd75d4b1e2aa44c8194800fa5c52a50f71f3b929308d42d9b6223
Instruction ID: 541b46e9ef04b4a6691a8844132f360519d1f98d966391b6e758a932985ee6d9
Opcode Fuzzy Hash: 821b9d4d01ecd75d4b1e2aa44c8194800fa5c52a50f71f3b929308d42d9b6223
Instruction Fuzzy Hash: CF829036204A888AFBA68B65C1503FD37A1FB49BC4F54D416EF4A17795EF34CA69C310

Function 0000000180032E14 Relevance: 6.1, APIs: 4, Instructions: 92COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0000000180032E3E

Part of subcall function 000000018002F34C: _getptd.LIBCMT ref: 000000018002F362
Part of subcall function 000000018002F34C: __updatetlocinfo.LIBCMT ref: 000000018002F397
Part of subcall function 000000018002F34C: __updatetmbcinfo.LIBCMT ref: 000000018002F3BE

_malloc_crt.LIBCMT ref: 0000000180032E7E
_invoke_watson.LIBCMT ref: 0000000180032F3C

Part of subcall function 0000000180035CD8: _call_reportfault.LIBCMT ref: 0000000180035D00

_invoke_watson.LIBCMT ref: 0000000180032F52

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: Locale_invoke_watson$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_call_reportfault_getptd_malloc_crt
String ID:
API String ID: 1584724053-0
Opcode ID: bb9541adda1de7d3445963b5d25e419d471c8ff25f1e67a4739099756cf48ec5
Instruction ID: 3aca14fc27a6a15d1b1d6d791e791982332b7847b4ff029bd85a204ab66ebf99
Opcode Fuzzy Hash: bb9541adda1de7d3445963b5d25e419d471c8ff25f1e67a4739099756cf48ec5
Instruction Fuzzy Hash: A331C53232078885EB97DB26D5093DE7795E789BC4F19C135BE8E4BB9ACE38C1068304

Function 0000000180008D6C Relevance: 6.1, APIs: 2, Strings: 1, Instructions: 834COMMON

Download Yara Rule

APIs

_Mpunct.LIBCPMT ref: 0000000180008E28

Part of subcall function 00000001800097A8: _Mpunct.LIBCPMT ref: 0000000180009842

Strings

0123456789-+Ee, xrefs: 0000000180008E7D, 000000018000903F, 00000001800091D0, 00000001800093E2, 00000001800096B6

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: Mpunct
String ID: 0123456789-+Ee
API String ID: 4240859931-1347306980
Opcode ID: e67974f2d9ac711acb042ba2c3b51c72e12c7e8c571ddf96fbd68d540ecca808
Instruction ID: e252262f3d62f599d6f49dd2fa522cb368fb81fbd5ecc78d30e2ce65ba09eaa7
Opcode Fuzzy Hash: e67974f2d9ac711acb042ba2c3b51c72e12c7e8c571ddf96fbd68d540ecca808
Instruction Fuzzy Hash: 9372A23260A68899FB96CBA681503EC3BA1BB49BC8F54C155EF99077D6CF35C65EC300

Function 00000001800158A0 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 467COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000F9C8: std::_Lockit::_Lockit.LIBCPMT ref: 000000018000F9E9
Part of subcall function 000000018000F9C8: std::_Lockit::_Lockit.LIBCPMT ref: 000000018000FA0E

_Mpunct.LIBCPMT ref: 00000001800158FB

Strings

0123456789ABCDEFabcdef-+Xx, xrefs: 0000000180015936, 0000000180015C83

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: LockitLockit::_std::_$Mpunct
String ID: 0123456789ABCDEFabcdef-+Xx
API String ID: 2786813426-2799312399
Opcode ID: 310c16e434c6fb425f377aa5a3344d56e60155a5009237bc210dd0dc5f72e661
Instruction ID: 5fe4dd189a2d79ce61165057c9ebb2e090cd9d14d433b9fec00325c66f72dead
Opcode Fuzzy Hash: 310c16e434c6fb425f377aa5a3344d56e60155a5009237bc210dd0dc5f72e661
Instruction Fuzzy Hash: F0129C36704A88C9FBA28F65D0507ED27A1EB49BC9F54C112EE8A1F789DF35CA49C350

Function 0000000180015EA0 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 467COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000FAF8: std::_Lockit::_Lockit.LIBCPMT ref: 000000018000FB19
Part of subcall function 000000018000FAF8: std::_Lockit::_Lockit.LIBCPMT ref: 000000018000FB3E

_Mpunct.LIBCPMT ref: 0000000180015EFB

Strings

0123456789ABCDEFabcdef-+Xx, xrefs: 0000000180015F36, 0000000180016283

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: LockitLockit::_std::_$Mpunct
String ID: 0123456789ABCDEFabcdef-+Xx
API String ID: 2786813426-2799312399
Opcode ID: 7f9bde8d58b3e2620bf608a5cc9520c0ecd61f189b4a8a455c5414453c571840
Instruction ID: 027a829814d0a7af50161521d001647e6a208036f76e6a0cfd0a3acd19813199
Opcode Fuzzy Hash: 7f9bde8d58b3e2620bf608a5cc9520c0ecd61f189b4a8a455c5414453c571840
Instruction Fuzzy Hash: 3312C036B04A8885FBA3CB65C4507ED37A1E749BC8F58C016EE4A1B7A5CF35CA49C340

Function 000000018000A314 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 451COMMON

Download Yara Rule

APIs

Part of subcall function 0000000180008330: std::_Lockit::_Lockit.LIBCPMT ref: 0000000180008351
Part of subcall function 0000000180008330: std::_Lockit::_Lockit.LIBCPMT ref: 0000000180008376

_Mpunct.LIBCPMT ref: 000000018000A36E

Strings

0123456789ABCDEFabcdef-+Xx, xrefs: 000000018000A3A5, 000000018000A6A9

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: LockitLockit::_std::_$Mpunct
String ID: 0123456789ABCDEFabcdef-+Xx
API String ID: 2786813426-2799312399
Opcode ID: cc0dd99451e0eb2a4836ac02799361a5a9bcabcee1e262923024bb7c99d54d77
Instruction ID: f7f63c79d1b94fbb45dab63fbf242b30916648d9a31090d02f6495e4854cce8f
Opcode Fuzzy Hash: cc0dd99451e0eb2a4836ac02799361a5a9bcabcee1e262923024bb7c99d54d77
Instruction Fuzzy Hash: B9129036708A8889FB92CA75C4503EC3BB1A74ABD8F58C115EE491B796CF75CA4EC350

Function 000001E39FB7407C Relevance: 3.9, APIs: 2, Instructions: 885COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000001E39FB751AB

Part of subcall function 000001E39FB70320: _getptd.LIBCMT ref: 000001E39FB70336
Part of subcall function 000001E39FB70320: __updatetlocinfo.LIBCMT ref: 000001E39FB7036B
Part of subcall function 000001E39FB70320: __updatetmbcinfo.LIBCMT ref: 000001E39FB70392

_malloc_crt.LIBCMT ref: 000001E39FB751D2

Part of subcall function 000001E39FB72B3C: malloc.LIBCMT ref: 000001E39FB72B67

Part of subcall function 000001E39FB76920: _errno.LIBCMT ref: 000001E39FB76938
Part of subcall function 000001E39FB76920: _invalid_parameter_noinfo.LIBCMT ref: 000001E39FB76944

Part of subcall function 000001E39FB76920: _errno.LIBCMT ref: 000001E39FB76971

Part of subcall function 000001E39FB7F1EC: _errno.LIBCMT ref: 000001E39FB7F208
Part of subcall function 000001E39FB7F1EC: _invalid_parameter_noinfo.LIBCMT ref: 000001E39FB7F214

Part of subcall function 000001E39FB7F1EC: _errno.LIBCMT ref: 000001E39FB7F247

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: _errno$Locale_invalid_parameter_noinfo$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_getptd_malloc_crtmalloc
String ID:
API String ID: 2296220707-0
Opcode ID: 6aa674c8055749afedaf64fe2c3a3141dc6f8a211f07435de9dbe9f590e5f553
Instruction ID: 7686390de4736e1b065d485e4503a80e1d91995cee9af44c362cf0bd25e76edf
Opcode Fuzzy Hash: 6aa674c8055749afedaf64fe2c3a3141dc6f8a211f07435de9dbe9f590e5f553
Instruction Fuzzy Hash: 9742E230624E484BEB28EE7DD8493FA73D6FB54309F40462DD8AAC3AC7DFB596858540

Function 000001E39FB56874 Relevance: 2.2, APIs: 1, Instructions: 691COMMON

Download Yara Rule

APIs

Part of subcall function 000001E39FB5099C: std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB509BD
Part of subcall function 000001E39FB5099C: std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB509E2

_Mpunct.LIBCPMT ref: 000001E39FB568CF

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: LockitLockit::_std::_$Mpunct
String ID:
API String ID: 2786813426-0
Opcode ID: 7da99b54e66c58221cba23ee18baf8fd8b5afb48f2245d11b60346141f264282
Instruction ID: 33745ee106a37e179e0ada2e8f8c9c3dec201b8d6370205bb91a16516345f41e
Opcode Fuzzy Hash: 7da99b54e66c58221cba23ee18baf8fd8b5afb48f2245d11b60346141f264282
Instruction Fuzzy Hash: BA32B330618A898FEB68DF18C0957BD73E2FF5930CF544168D85ACB187DBA8D986C781

Function 000001E39FB56E74 Relevance: 2.2, APIs: 1, Instructions: 691COMMON

Download Yara Rule

APIs

Part of subcall function 000001E39FB50ACC: std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB50AED
Part of subcall function 000001E39FB50ACC: std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB50B12

_Mpunct.LIBCPMT ref: 000001E39FB56ECF

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: LockitLockit::_std::_$Mpunct
String ID:
API String ID: 2786813426-0
Opcode ID: 338b4745d7817e22ed531aa30d34ef30cb1126a406b7a7250f786f6465d72d79
Instruction ID: c40f82fc5c864e4e2660ed0c74d3f14229bb583b3b23288607df26166737a904
Opcode Fuzzy Hash: 338b4745d7817e22ed531aa30d34ef30cb1126a406b7a7250f786f6465d72d79
Instruction Fuzzy Hash: 0532A231718A8D8FEB68DF18C0887BD77E1EF55308F644198D86ACB187DB68D9868781

Function 000001E39FB4B2E8 Relevance: 2.2, APIs: 1, Instructions: 662COMMON

Download Yara Rule

APIs

Part of subcall function 000001E39FB49304: std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB49325
Part of subcall function 000001E39FB49304: std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB4934A

_Mpunct.LIBCPMT ref: 000001E39FB4B342

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: LockitLockit::_std::_$Mpunct
String ID:
API String ID: 2786813426-0
Opcode ID: 55fa26b6ddb77e03625ea25e3373fd4eec46ccdb51fc570c3a42f5167ddaa1fd
Instruction ID: 9d843e3e98bce5f25ea301afbf5670ee87d6489689e42828d46ea3f3205b5b5a
Opcode Fuzzy Hash: 55fa26b6ddb77e03625ea25e3373fd4eec46ccdb51fc570c3a42f5167ddaa1fd
Instruction Fuzzy Hash: 8B22E230618EC88FEB65DF2CC1A87FC77E1EB15308F648198D966CB197C7A0D9868781

Function 0000000180019020 Relevance: 1.8, APIs: 1, Instructions: 283COMMON

Download Yara Rule

APIs

_Mpunct.LIBCPMT ref: 0000000180019172

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: Mpunct
String ID:
API String ID: 4240859931-0
Opcode ID: 63fef931675e363a9749f96429758758dd3006f32cce81dee63d7a14f1cdfd87
Instruction ID: b4b31d92be3c4c8e502b6ea2e0a282e668397faed0ae34e767a83c581478e39b
Opcode Fuzzy Hash: 63fef931675e363a9749f96429758758dd3006f32cce81dee63d7a14f1cdfd87
Instruction Fuzzy Hash: FBC1A232B06A9899FB52CFB5C4013EC63B1BB5DB88F448111EE4967A99DF39C64EC340

Function 00000001800193F0 Relevance: 1.8, APIs: 1, Instructions: 283COMMON

Download Yara Rule

APIs

_Mpunct.LIBCPMT ref: 0000000180019542

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: Mpunct
String ID:
API String ID: 4240859931-0
Opcode ID: 9787ca75ca63df748a1499e8dd1c5abcefd6f6751ff6d03e7f7fc609e9ac6cfc
Instruction ID: 7c40f0623f709e12c7f828199f14d4f1bd29be792234f51f62a64cc8c6a646a4
Opcode Fuzzy Hash: 9787ca75ca63df748a1499e8dd1c5abcefd6f6751ff6d03e7f7fc609e9ac6cfc
Instruction Fuzzy Hash: B2C1A332B06E9889FB52CFB5D4017EC63B1BB59788F448511EE4967A89EF38C64EC340

Function 00000001800353EC Relevance: 1.5, APIs: 1, Instructions: 14COMMONLIBRARYCODE

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(?,?,?,?,00000001800423DB,?,?,00000140,0000000180042AAB), ref: 000000018003541D

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: ef170b939dcdfe0a6fa8f39585badaf32e39fbe27d88ffb3e5b79058c9fef6a5
Instruction ID: a17f45a68611e7ce09ab532a4d12380a5d0071377e1487d1a7a9af1b51f9b2a3
Opcode Fuzzy Hash: ef170b939dcdfe0a6fa8f39585badaf32e39fbe27d88ffb3e5b79058c9fef6a5
Instruction Fuzzy Hash: 5EE0EC35A05A0C81F7C74B12FCD57C623A0A75D3C6FE19601E44C56A70CE7883DD8B00

Function 0000000180032DD8 Relevance: 1.5, APIs: 1, Instructions: 9COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 0000000180032DE3

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 8ebd1b43ab214313b2ad0a09dfd0eba3f354677c67a457a5e5e63f9d14e391ab
Instruction ID: 12656fcb5de8b69835b2dd3a9c331cf0c0323df84e8e99bcec695bc93526836d
Opcode Fuzzy Hash: 8ebd1b43ab214313b2ad0a09dfd0eba3f354677c67a457a5e5e63f9d14e391ab
Instruction Fuzzy Hash: 3DC09B33758D0CC2FB6D1BF274953751111D31DB94F0954349D17053508D2C81DD570C

Function 000000018001F28C Relevance: .6, Instructions: 618COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: LockitLockit::_std::_
String ID:
API String ID: 3382485803-0
Opcode ID: 11ca8ba6c9e4bc976ad0728efb636439ff8e0f3983e089c52a7ed5c8f874d3e2
Instruction ID: 84605ef311baa56bc5b68e2491e6a8dcf644c937c9e5222fdf1f18ce1bf163ab
Opcode Fuzzy Hash: 11ca8ba6c9e4bc976ad0728efb636439ff8e0f3983e089c52a7ed5c8f874d3e2
Instruction Fuzzy Hash: 0A427A72604A8886FBA68F25D5503BD3361FB89BC8F54D602EF8A17B95DF38C659C300

Function 000000018001FA9C Relevance: .6, Instructions: 618COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: LockitLockit::_std::_
String ID:
API String ID: 3382485803-0
Opcode ID: de02513275ad1c1a37e0096a818261c58a998aecf4f08ba4a5899afd53db8295
Instruction ID: 7802ca9db5044afc23cb1f38c8e105cc531337a4395501fdb7ec6a4e23d2f7b6
Opcode Fuzzy Hash: de02513275ad1c1a37e0096a818261c58a998aecf4f08ba4a5899afd53db8295
Instruction Fuzzy Hash: 3D427C32604B4886FBA68B25D5803BD7361FB89BC8F54C512EF8A17B96DF39C659C300

Function 00000001800279B8 Relevance: .6, Instructions: 572COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: LockitLockit::_std::_$Stollx
String ID:
API String ID: 3628700584-0
Opcode ID: eb53157097b9bda4a8a3cf500f3039b16533609824c5f9a5ce3e351e3c28d2aa
Instruction ID: 42b5d6b38fa8120ab5fcb54182bbeb98c0f4066ebeec1de4c937208e3a875605
Opcode Fuzzy Hash: eb53157097b9bda4a8a3cf500f3039b16533609824c5f9a5ce3e351e3c28d2aa
Instruction Fuzzy Hash: B8428D72704A8885EBA78B29C5403AD3762FB89BC8F14C616EF9D17796DF39C659C300

Function 000001E39FB6FF14 Relevance: 24.2, APIs: 16, Instructions: 157
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_callnewh.LIBCMT ref: 000001E39FB6FF22
malloc.LIBCMT ref: 000001E39FB6FF2E

Part of subcall function 000001E39FB6EA4C: _FF_MSGBANNER.LIBCMT ref: 000001E39FB6EA7C
Part of subcall function 000001E39FB6EA4C: _NMSG_WRITE.LIBCMT ref: 000001E39FB6EA86
Part of subcall function 000001E39FB6EA4C: _callnewh.LIBCMT ref: 000001E39FB6EABA
Part of subcall function 000001E39FB6EA4C: _errno.LIBCMT ref: 000001E39FB6EAC5
Part of subcall function 000001E39FB6EA4C: _errno.LIBCMT ref: 000001E39FB6EAD0

_CxxThrowException.LIBCMT ref: 000001E39FB6FF77
_heap_init.LIBCMT ref: 000001E39FB6FF92
_mtinit.LIBCMT ref: 000001E39FB6FFA2
_RTC_Initialize.LIBCMT ref: 000001E39FB6FFB2
__crtGetEnvironmentStringsA.LIBCMT ref: 000001E39FB6FFC4

Part of subcall function 000001E39FB7A8C4: _malloc_crt.LIBCMT ref: 000001E39FB7A944
Part of subcall function 000001E39FB7A8C4: free.LIBCMT ref: 000001E39FB7A97C

_ioinit.LIBCMT ref: 000001E39FB6FFD0

Part of subcall function 000001E39FB773B0: _lock.LIBCMT ref: 000001E39FB773DA
Part of subcall function 000001E39FB773B0: _calloc_crt.LIBCMT ref: 000001E39FB773EE

_setenvp.LIBCMT ref: 000001E39FB6FFE9
_cinit.LIBCMT ref: 000001E39FB6FFF4
_ioterm.LIBCMT ref: 000001E39FB70008

Part of subcall function 000001E39FB776E0: free.LIBCMT ref: 000001E39FB77731

_ioterm.LIBCMT ref: 000001E39FB70040
_calloc_crt.LIBCMT ref: 000001E39FB70082

Part of subcall function 000001E39FB72ABC: _calloc_impl.LIBCMT ref: 000001E39FB72AEA

_initptd.LIBCMT ref: 000001E39FB700AA
free.LIBCMT ref: 000001E39FB700BE

Part of subcall function 000001E39FB6E5C8: _errno.LIBCMT ref: 000001E39FB6E5E8

_freeptd.LIBCMT ref: 000001E39FB700CF

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: _errnofree$_callnewh_calloc_crt_ioterm$EnvironmentExceptionInitializeStringsThrow__crt_calloc_impl_cinit_freeptd_heap_init_initptd_ioinit_lock_malloc_crt_mtinit_setenvpmalloc
String ID:
API String ID: 712202392-0
Opcode ID: f606bec95c8351cef9193d2c7a4d89ca438d0247e1a5451a6bfea034d3d10262
Instruction ID: 4f5254941b4eb924aab53668fd11d4534132341f86dc32b0cc4e72741cd0525c
Opcode Fuzzy Hash: f606bec95c8351cef9193d2c7a4d89ca438d0247e1a5451a6bfea034d3d10262
Instruction Fuzzy Hash: CD516B306146894AFF94BF7CC45D3FD2294AB54368F200566AD39C3AD7EBA497C08212

Function 00000001800368B0 Relevance: 18.1, APIs: 12, Instructions: 73
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DecodePointer.KERNEL32(?,?,?,000000018002F067), ref: 00000001800368C1
free.LIBCMT ref: 00000001800368DE

Part of subcall function 000000018002D5F4: HeapFree.KERNEL32(?,?,00000000,0000000180038A82,?,?,00000000,000000018002F2E5,?,?,?,?,000000018002DB16,?,?,00000000), ref: 000000018002D60A
Part of subcall function 000000018002D5F4: _errno.LIBCMT ref: 000000018002D614
Part of subcall function 000000018002D5F4: GetLastError.KERNEL32(?,?,00000000,0000000180038A82,?,?,00000000,000000018002F2E5,?,?,?,?,000000018002DB16,?,?,00000000), ref: 000000018002D61C

free.LIBCMT ref: 00000001800368F3
free.LIBCMT ref: 0000000180036914
free.LIBCMT ref: 0000000180036929
free.LIBCMT ref: 000000018003693D
free.LIBCMT ref: 0000000180036949
free.LIBCMT ref: 0000000180036974
EncodePointer.KERNEL32(?,?,?,000000018002F067), ref: 000000018003697C
free.LIBCMT ref: 0000000180036995
free.LIBCMT ref: 00000001800369AE
free.LIBCMT ref: 00000001800369DF

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: free$Pointer$DecodeEncodeErrorFreeHeapLast_errno
String ID:
API String ID: 4099253644-0
Opcode ID: c236f47fa00f1eb095f464021b61fc5b1928e1c18c896dc44bc4746b0c097f4e
Instruction ID: e2653a9f16c68cd9db8ac6c19f3406fb9b710f8bb8de90df47967776b1696018
Opcode Fuzzy Hash: c236f47fa00f1eb095f464021b61fc5b1928e1c18c896dc44bc4746b0c097f4e
Instruction Fuzzy Hash: 6B314E31601A4C89FED7DB11E9613E563A0BB4D7D4F19C226BA190AAE5DFBCC68D8301

Function 00000001800012F0 Relevance: 15.1, APIs: 10, Instructions: 85
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000132B

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 000000018000136C

Part of subcall function 000000018000775C: setlocale.LIBCMT ref: 0000000180007770
Part of subcall function 000000018000775C: setlocale.LIBCMT ref: 0000000180007799

_Getcvt.LIBCPMT ref: 0000000180001376

Part of subcall function 00000001800073D0: ___lc_codepage_func.LIBCMT ref: 00000001800073F4
Part of subcall function 00000001800073D0: ___mb_cur_max_func.LIBCMT ref: 00000001800073FB
Part of subcall function 00000001800073D0: ___lc_locale_name_func.LIBCMT ref: 0000000180007403

std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 000000018000139E

Part of subcall function 00000001800077C8: setlocale.LIBCMT ref: 00000001800077E2

free.LIBCMT ref: 00000001800013AC

Part of subcall function 000000018002D5F4: HeapFree.KERNEL32(?,?,00000000,0000000180038A82,?,?,00000000,000000018002F2E5,?,?,?,?,000000018002DB16,?,?,00000000), ref: 000000018002D60A
Part of subcall function 000000018002D5F4: _errno.LIBCMT ref: 000000018002D614
Part of subcall function 000000018002D5F4: GetLastError.KERNEL32(?,?,00000000,0000000180038A82,?,?,00000000,000000018002F2E5,?,?,?,?,000000018002DB16,?,?,00000000), ref: 000000018002D61C

free.LIBCMT ref: 00000001800013BE
free.LIBCMT ref: 00000001800013D0
free.LIBCMT ref: 00000001800013E2
free.LIBCMT ref: 00000001800013F4
free.LIBCMT ref: 0000000180001406

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: free$setlocalestd::_$Locinfo::_$ErrorFreeGetcvtHeapLastLocinfo_ctorLocinfo_dtorLockitLockit::____lc_codepage_func___lc_locale_name_func___mb_cur_max_func_errno_lock
String ID:
API String ID: 3682056076-0
Opcode ID: ca3fb0b8572f38f04c8e7f887ed93a46820372b37fb06955fdddff351c3b93c0
Instruction ID: 0d852a346218120d3da4cb41429ba606f2c3b38bf25389faa73f1b0c9af31080
Opcode Fuzzy Hash: ca3fb0b8572f38f04c8e7f887ed93a46820372b37fb06955fdddff351c3b93c0
Instruction Fuzzy Hash: 87416B32B45B8889EB52DBB4D4503DC33B9AB687C8F05811AAA4927A9ADE70C659C340

Function 000001E39FB77884 Relevance: 12.6, APIs: 10, Instructions: 116
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

free.LIBCMT ref: 000001E39FB778B2

Part of subcall function 000001E39FB6E5C8: _errno.LIBCMT ref: 000001E39FB6E5E8

free.LIBCMT ref: 000001E39FB778C7
free.LIBCMT ref: 000001E39FB778E8
free.LIBCMT ref: 000001E39FB778FD
free.LIBCMT ref: 000001E39FB77911
free.LIBCMT ref: 000001E39FB7791D
free.LIBCMT ref: 000001E39FB77948
free.LIBCMT ref: 000001E39FB77969
free.LIBCMT ref: 000001E39FB77982
free.LIBCMT ref: 000001E39FB779B3

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: free$_errno
String ID:
API String ID: 2288870239-0
Opcode ID: c236f47fa00f1eb095f464021b61fc5b1928e1c18c896dc44bc4746b0c097f4e
Instruction ID: b915559a959b5047a644cc0511ab01dda603ed02896a71c447938a60e036e729
Opcode Fuzzy Hash: c236f47fa00f1eb095f464021b61fc5b1928e1c18c896dc44bc4746b0c097f4e
Instruction Fuzzy Hash: 01416031214A4A4FFB94FF58D8AC7B932E2F759319F54001CD825D3692DBAC9984CB12

Function 000000018000E7F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000E819

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000E83E
ctype.LIBCPMT ref: 000000018000E8C1
std::bad_exception::bad_exception.LIBCMT ref: 000000018000E8D8
_CxxThrowException.LIBCMT ref: 000000018000E8E9
std::_Facet_Register.LIBCPMT ref: 000000018000E907

Strings

bad cast, xrefs: 000000018000E8CC

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockctypestd::bad_exception::bad_exception
String ID: bad cast
API String ID: 3320480354-3145022300
Opcode ID: 997303cdb5246af4f3804dbc33bfa6d28888dcc0a64c4145d567fdc2599bd8a0
Instruction ID: 7396700a3e2aa9f6dcc0ca259bbfacf4549d370ee844549db4e676bec1950651
Opcode Fuzzy Hash: 997303cdb5246af4f3804dbc33bfa6d28888dcc0a64c4145d567fdc2599bd8a0
Instruction Fuzzy Hash: 35315E31604A8881FA97DB15E4503D97761F798BE0F58C322FA6D176E9DF38C68AC700

Function 000000018000F048 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000F069

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000F08E
moneypunct.LIBCPMT ref: 000000018000F111
std::bad_exception::bad_exception.LIBCMT ref: 000000018000F128
_CxxThrowException.LIBCMT ref: 000000018000F139
std::_Facet_Register.LIBCPMT ref: 000000018000F157

Strings

bad cast, xrefs: 000000018000F11C

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmoneypunctstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 3809448442-3145022300
Opcode ID: 2f04781c0b5e18591815ebcc6c292dda38492b9e83a825390bd61a302c4df626
Instruction ID: 2e1ae5781fe8c05b86cdc7ffb40e0608430781eac327408133958ab252574f1b
Opcode Fuzzy Hash: 2f04781c0b5e18591815ebcc6c292dda38492b9e83a825390bd61a302c4df626
Instruction Fuzzy Hash: 07314332604A4881EAA6DB15E4503E97760F798BE4F648322F66D03BE6DE38C68DD700

Function 000000018000F898 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000F8B9

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000F8DE
messages.LIBCPMT ref: 000000018000F961
std::bad_exception::bad_exception.LIBCMT ref: 000000018000F978
_CxxThrowException.LIBCMT ref: 000000018000F989
std::_Facet_Register.LIBCPMT ref: 000000018000F9A7

Strings

bad cast, xrefs: 000000018000F96C

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 620047600-3145022300
Opcode ID: ba301de617691a25de1568d6629764ce47dc5661472e619ef08b9ca5d15eff40
Instruction ID: bf50277651feb23a4f13a6c5a880b1d27c86798fa76ed2e6007adde15329282e
Opcode Fuzzy Hash: ba301de617691a25de1568d6629764ce47dc5661472e619ef08b9ca5d15eff40
Instruction Fuzzy Hash: C1314F72604A4891FAA2DB15E4407E97760F79CBE0F148322FA6D13BE5DF38C68AD700

Function 00000001800080D0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00000001800080F1

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 0000000180008116
messages.LIBCPMT ref: 0000000180008199
std::bad_exception::bad_exception.LIBCMT ref: 00000001800081B0
_CxxThrowException.LIBCMT ref: 00000001800081C1
std::_Facet_Register.LIBCPMT ref: 00000001800081DF

Strings

bad cast, xrefs: 00000001800081A4

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 620047600-3145022300
Opcode ID: de1c21e832a76d84b7319f342fcfc80a87732f041ca1253d4a316bfc9e9b560d
Instruction ID: 747a8e2e6dad2d90b1f0716f744283a3e44b8922fd48889ad8a5bc8a8dfd0f0f
Opcode Fuzzy Hash: de1c21e832a76d84b7319f342fcfc80a87732f041ca1253d4a316bfc9e9b560d
Instruction Fuzzy Hash: 5D314F31604B4891FA93DB15E8503D973A5FB98BE4F588322FA9D076E5DE38C68E9700

Function 0000000180023924 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0000000180023945

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 000000018002396A
collate.LIBCPMT ref: 00000001800239ED
std::bad_exception::bad_exception.LIBCMT ref: 0000000180023A04
_CxxThrowException.LIBCMT ref: 0000000180023A15
std::_Facet_Register.LIBCPMT ref: 0000000180023A33

Strings

bad cast, xrefs: 00000001800239F8

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockcollatestd::bad_exception::bad_exception
String ID: bad cast
API String ID: 3240839640-3145022300
Opcode ID: 34fdc018d8a8ec6bee2b747dce8489b826a34589efca71191b1f9c2b58655a0b
Instruction ID: 6f35ace6046a98efa2fc2a7e222986f193aa6cacab9ff511322773bfe6909e8d
Opcode Fuzzy Hash: 34fdc018d8a8ec6bee2b747dce8489b826a34589efca71191b1f9c2b58655a0b
Instruction Fuzzy Hash: 34318F72605A4C81FAD7DB15E4413D96360F39CBE0F548226FA9D036E5DE78CA8DC700

Function 000000018000E928 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000E949

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000E96E
messages.LIBCPMT ref: 000000018000E9F1
std::bad_exception::bad_exception.LIBCMT ref: 000000018000EA08
_CxxThrowException.LIBCMT ref: 000000018000EA19
std::_Facet_Register.LIBCPMT ref: 000000018000EA37

Strings

bad cast, xrefs: 000000018000E9FC

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 620047600-3145022300
Opcode ID: 6dc5dc1771d10e344de0ccb396d5e2778d4d018ff2c769379d7feb57f0715546
Instruction ID: d7988e17b3725b2409f932854fd4a3b422a4396c3d031bda681015576420d7f9
Opcode Fuzzy Hash: 6dc5dc1771d10e344de0ccb396d5e2778d4d018ff2c769379d7feb57f0715546
Instruction Fuzzy Hash: DE314F32604A8881FAD6DB15E4403D97761F79DBE0F548222F65D636E5DE38C78DC700

Function 000000018000F178 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000F199

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000F1BE
moneypunct.LIBCPMT ref: 000000018000F241
std::bad_exception::bad_exception.LIBCMT ref: 000000018000F258
_CxxThrowException.LIBCMT ref: 000000018000F269
std::_Facet_Register.LIBCPMT ref: 000000018000F287

Strings

bad cast, xrefs: 000000018000F24C

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmoneypunctstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 3809448442-3145022300
Opcode ID: c1ad271fe33d91cd47d2852839b2ce4b5c05dbc669564f68ca22ba5cf5126d8f
Instruction ID: 05c0de9255826c6bef9e5404167eb3cddf1f87d963d99c9ec1c58014a44890e4
Opcode Fuzzy Hash: c1ad271fe33d91cd47d2852839b2ce4b5c05dbc669564f68ca22ba5cf5126d8f
Instruction Fuzzy Hash: 44314176604A4881EAA6DB15E4503E97760F79C7E0F548322FA6D03BE9DE38C78EC700

Function 000000018000F9C8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000F9E9

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000FA0E
numpunct.LIBCPMT ref: 000000018000FA91
std::bad_exception::bad_exception.LIBCMT ref: 000000018000FAA8
_CxxThrowException.LIBCMT ref: 000000018000FAB9
std::_Facet_Register.LIBCPMT ref: 000000018000FAD7

Strings

bad cast, xrefs: 000000018000FA9C

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_locknumpunctstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 4068408745-3145022300
Opcode ID: 03e76c395403f9925dd663e28b75ce9b1ad016ac71419344fc38d9e9773d2bc8
Instruction ID: ece7884c02b4ebca02d2dba318e864f23f9d4b6102c45f6ad76164ea4142065f
Opcode Fuzzy Hash: 03e76c395403f9925dd663e28b75ce9b1ad016ac71419344fc38d9e9773d2bc8
Instruction Fuzzy Hash: 1B315272704B4881EAA3DB15E4403E97760E79DBE4F548221FA5D17BE9DE38C68AC700

Function 0000000180008200 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0000000180008221

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 0000000180008246
messages.LIBCPMT ref: 00000001800082C9
std::bad_exception::bad_exception.LIBCMT ref: 00000001800082E0
_CxxThrowException.LIBCMT ref: 00000001800082F1
std::_Facet_Register.LIBCPMT ref: 000000018000830F

Strings

bad cast, xrefs: 00000001800082D4

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 620047600-3145022300
Opcode ID: d2e83e9231d16ea01c07958aeaaaa4caef9aee7f5abb66e199b44a73ff621b09
Instruction ID: fc80639a25eda0d0840aad3c647064db7dd1c62e6b2bd08ed960b1421dfd7e0d
Opcode Fuzzy Hash: d2e83e9231d16ea01c07958aeaaaa4caef9aee7f5abb66e199b44a73ff621b09
Instruction Fuzzy Hash: 81313D31605B4881EA92DB15E4443D977A1FB98BE0F548221FA9D176E9DF38C68E9700

Function 0000000180023A54 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0000000180023A75

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 0000000180023A9A
messages.LIBCPMT ref: 0000000180023B1D
std::bad_exception::bad_exception.LIBCMT ref: 0000000180023B34
_CxxThrowException.LIBCMT ref: 0000000180023B45
std::_Facet_Register.LIBCPMT ref: 0000000180023B63

Strings

bad cast, xrefs: 0000000180023B28

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 620047600-3145022300
Opcode ID: 64fc0b7241fd2fa6ecba5e4239454da0e7d9bf1393a0a330c2f65e3e5c872203
Instruction ID: 24dc92240a733358afca9a5473095d117544f2bced7408c023fd1db7623d7554
Opcode Fuzzy Hash: 64fc0b7241fd2fa6ecba5e4239454da0e7d9bf1393a0a330c2f65e3e5c872203
Instruction Fuzzy Hash: 6D316F71604A4881EA97DB15E8513DA6760F79CBE0F548322FB9D136E6DF38CA8DC700

Function 000000018000EA58 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000EA79

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000EA9E
messages.LIBCPMT ref: 000000018000EB21
std::bad_exception::bad_exception.LIBCMT ref: 000000018000EB38
_CxxThrowException.LIBCMT ref: 000000018000EB49
std::_Facet_Register.LIBCPMT ref: 000000018000EB67

Strings

bad cast, xrefs: 000000018000EB2C

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 620047600-3145022300
Opcode ID: fa39000a9970348669bddc9ddd868ce9499a2a0f09ae09316945077eb49df745
Instruction ID: 256997454fb0768d937e5236695cd4a42c3911470dfc27f4f3246bfe781b264e
Opcode Fuzzy Hash: fa39000a9970348669bddc9ddd868ce9499a2a0f09ae09316945077eb49df745
Instruction Fuzzy Hash: 52315E72704B8881FA96DB15E8403DA7361F79DBE0F588222BA5E176E5DF38D68DC700

Function 000000018000F2A8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000F2C9

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000F2EE
moneypunct.LIBCPMT ref: 000000018000F371
std::bad_exception::bad_exception.LIBCMT ref: 000000018000F388
_CxxThrowException.LIBCMT ref: 000000018000F399
std::_Facet_Register.LIBCPMT ref: 000000018000F3B7

Strings

bad cast, xrefs: 000000018000F37C

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmoneypunctstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 3809448442-3145022300
Opcode ID: 0e73463bbbdd58031d34cd0dacd00404d5dd0a9fded515b625f2b8c72c3f4f6e
Instruction ID: 109307e02aa07442a5533241676dd05e444ebde23d5f59b864ab3c21283e98e5
Opcode Fuzzy Hash: 0e73463bbbdd58031d34cd0dacd00404d5dd0a9fded515b625f2b8c72c3f4f6e
Instruction Fuzzy Hash: 9E313072604A4882EAA6DB15E4503E97361E798BE0F588221FA6D437E5DF78C78E9700

Function 000000018000FAF8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000FB19

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000FB3E
numpunct.LIBCPMT ref: 000000018000FBC1
std::bad_exception::bad_exception.LIBCMT ref: 000000018000FBD8
_CxxThrowException.LIBCMT ref: 000000018000FBE9
std::_Facet_Register.LIBCPMT ref: 000000018000FC07

Strings

bad cast, xrefs: 000000018000FBCC

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_locknumpunctstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 4068408745-3145022300
Opcode ID: f1f315d357278705815692d30c91284999734579805cd6aac418ab0c5791075c
Instruction ID: a5587e62e306e01d309a23b52e80ead7e7268470319b1834d7f7869813062665
Opcode Fuzzy Hash: f1f315d357278705815692d30c91284999734579805cd6aac418ab0c5791075c
Instruction Fuzzy Hash: 54313D71604A4881EAA7DB15E4507E97361E79CBE0F548222FA5E13BE9DF38C68ED700

Function 0000000180008330 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0000000180008351

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 0000000180008376
numpunct.LIBCPMT ref: 00000001800083F9
std::bad_exception::bad_exception.LIBCMT ref: 0000000180008410
_CxxThrowException.LIBCMT ref: 0000000180008421
std::_Facet_Register.LIBCPMT ref: 000000018000843F

Strings

bad cast, xrefs: 0000000180008404

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_locknumpunctstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 4068408745-3145022300
Opcode ID: b99809600cb807d6792835c2380899c2947ebd0d65ddbedb7e4521f86c2dc54b
Instruction ID: 5f48a92dd4c4338798bd1fa2af2806e56aa42fdb72c7ea48e45cf4e83205126c
Opcode Fuzzy Hash: b99809600cb807d6792835c2380899c2947ebd0d65ddbedb7e4521f86c2dc54b
Instruction Fuzzy Hash: 3E314F31605A4881FA97DB15E4503DA77A1FB98BE0F548321FA9D036E5DE38C78ED700

Function 0000000180023B84 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0000000180023BA5

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 0000000180023BCA
messages.LIBCPMT ref: 0000000180023C4D
std::bad_exception::bad_exception.LIBCMT ref: 0000000180023C64
_CxxThrowException.LIBCMT ref: 0000000180023C75
std::_Facet_Register.LIBCPMT ref: 0000000180023C93

Strings

bad cast, xrefs: 0000000180023C58

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 620047600-3145022300
Opcode ID: 2e6a52849d769a2e1413fd232250c65d1901f3564be83fb5643226a8b7ee650c
Instruction ID: 8ded690d922abd832e9d273035f0c347a84f20339b8b3f02e343dfb5c422cbb4
Opcode Fuzzy Hash: 2e6a52849d769a2e1413fd232250c65d1901f3564be83fb5643226a8b7ee650c
Instruction Fuzzy Hash: 84315E72604A4C81FAA7DB15E4513E96760F79CBE0F64C322BA5D176E5DE38CA8EC700

Function 000000018000EB88 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000EBA9

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000EBCE
messages.LIBCPMT ref: 000000018000EC51
std::bad_exception::bad_exception.LIBCMT ref: 000000018000EC68
_CxxThrowException.LIBCMT ref: 000000018000EC79
std::_Facet_Register.LIBCPMT ref: 000000018000EC97

Strings

bad cast, xrefs: 000000018000EC5C

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 620047600-3145022300
Opcode ID: c0a4adc6c9eb2be6ab9aca49803a2461e551489b6d1e2fac807d288f8c8a4382
Instruction ID: b2b594c90fe963b09e6cff62a57c5274ba6f46d917d7b3e8eb7efe257ebbc62c
Opcode Fuzzy Hash: c0a4adc6c9eb2be6ab9aca49803a2461e551489b6d1e2fac807d288f8c8a4382
Instruction Fuzzy Hash: 06316132604A8C81FA97DB15E4407D97761F799BE0F54C222FA5D236E5DE39C68EC700

Function 000000018000F3D8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000F3F9

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000F41E
moneypunct.LIBCPMT ref: 000000018000F4A1
std::bad_exception::bad_exception.LIBCMT ref: 000000018000F4B8
_CxxThrowException.LIBCMT ref: 000000018000F4C9
std::_Facet_Register.LIBCPMT ref: 000000018000F4E7

Strings

bad cast, xrefs: 000000018000F4AC

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmoneypunctstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 3809448442-3145022300
Opcode ID: 9a263112a183061fb21462d9867a638ce62413c5ba775c98e0fc9ca059aadcfa
Instruction ID: 0429968c920f662819e1cb35532bae73eeb9a1535b330badf44fc322d12eeabc
Opcode Fuzzy Hash: 9a263112a183061fb21462d9867a638ce62413c5ba775c98e0fc9ca059aadcfa
Instruction Fuzzy Hash: 93316132604A4881EAA2DB15E4503EA7760F79CBE4F548322FA5D037E5DF78C68EC700

Function 000000018000E468 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000E489

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000E4AE
codecvt.LIBCPMT ref: 000000018000E531
std::bad_exception::bad_exception.LIBCMT ref: 000000018000E548
_CxxThrowException.LIBCMT ref: 000000018000E559
std::_Facet_Register.LIBCPMT ref: 000000018000E577

Strings

bad cast, xrefs: 000000018000E53C

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockcodecvtstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 2666907392-3145022300
Opcode ID: 8bf4df6cf43bf922fa39b87c50c5163b31fb7ab6ed35ac58d1c89d7f1da5f821
Instruction ID: e17c34a64e892375947f478ee5778eb12655eca52efa774ef1c8d2b73f90135f
Opcode Fuzzy Hash: 8bf4df6cf43bf922fa39b87c50c5163b31fb7ab6ed35ac58d1c89d7f1da5f821
Instruction Fuzzy Hash: 9E316F71604E8881EA97DB15E8403D97761F79DBE4F548322FA9D136E5DE38CA8EC700

Function 0000000180023CB4 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0000000180023CD5

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 0000000180023CFA
messages.LIBCPMT ref: 0000000180023D7D
std::bad_exception::bad_exception.LIBCMT ref: 0000000180023D94
_CxxThrowException.LIBCMT ref: 0000000180023DA5
std::_Facet_Register.LIBCPMT ref: 0000000180023DC3

Strings

bad cast, xrefs: 0000000180023D88

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 620047600-3145022300
Opcode ID: 9610e6b592e85278086d84bd98d7bd1b9d2e3fea67ca7d993f2e511d6aafebe0
Instruction ID: 42da7f15c0a14e143d39768027cbac4f10d9d296bb43efe929394bade188cc91
Opcode Fuzzy Hash: 9610e6b592e85278086d84bd98d7bd1b9d2e3fea67ca7d993f2e511d6aafebe0
Instruction Fuzzy Hash: 05315071604A4881EAA3DB19F4413D96761F79CBE0F548322FA6D476E9DF38CA8EC700

Function 000000018000ECB8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000ECD9

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000ECFE
messages.LIBCPMT ref: 000000018000ED81
std::bad_exception::bad_exception.LIBCMT ref: 000000018000ED98
_CxxThrowException.LIBCMT ref: 000000018000EDA9
std::_Facet_Register.LIBCPMT ref: 000000018000EDC7

Strings

bad cast, xrefs: 000000018000ED8C

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 620047600-3145022300
Opcode ID: 84dfab6d8172c11f77b414dd97d6e914d8b7a96cc48963b32e03c45dc50c657e
Instruction ID: 2c6c7a7b1d17f320c1792f218ce074bad44cb980c5a52b758e2d6f8c93f6019b
Opcode Fuzzy Hash: 84dfab6d8172c11f77b414dd97d6e914d8b7a96cc48963b32e03c45dc50c657e
Instruction Fuzzy Hash: 7D316F72604A8881EA97DB15E8503D97761F798BE0F68C322FA5D176E5DF38C68DC700

Function 000000018000F508 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000F529

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000F54E
messages.LIBCPMT ref: 000000018000F5D1
std::bad_exception::bad_exception.LIBCMT ref: 000000018000F5E8
_CxxThrowException.LIBCMT ref: 000000018000F5F9
std::_Facet_Register.LIBCPMT ref: 000000018000F617

Strings

bad cast, xrefs: 000000018000F5DC

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 620047600-3145022300
Opcode ID: 576065deb2ea874c3d036d3935cf1e4fa8ca15b2c119d416514965b14070bf2d
Instruction ID: afb1d25f7f6a659e3ccf1534ae0290ba0e63db629d8d0aed09161fb4d3141880
Opcode Fuzzy Hash: 576065deb2ea874c3d036d3935cf1e4fa8ca15b2c119d416514965b14070bf2d
Instruction Fuzzy Hash: FC315272604B4881EAA6DB15E8403E97760F75CBE0F548222FA5D037E5DF39C68DD700

Function 000000018000E598 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000E5B9

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000E5DE
collate.LIBCPMT ref: 000000018000E661
std::bad_exception::bad_exception.LIBCMT ref: 000000018000E678
_CxxThrowException.LIBCMT ref: 000000018000E689
std::_Facet_Register.LIBCPMT ref: 000000018000E6A7

Strings

bad cast, xrefs: 000000018000E66C

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockcollatestd::bad_exception::bad_exception
String ID: bad cast
API String ID: 3240839640-3145022300
Opcode ID: 029a85cc6c44bb4d66bb86a0cf056ae3c6a81e8a915a0f6ae689bc45c224e08a
Instruction ID: 1a7f724a00d2f7b0fab48cb1980e5d225c899bdba8727d32d58a9660333b923c
Opcode Fuzzy Hash: 029a85cc6c44bb4d66bb86a0cf056ae3c6a81e8a915a0f6ae689bc45c224e08a
Instruction Fuzzy Hash: FF315E72605A8881FA97DB15E4403D97361F7A9BE0F188322FA6D636E5DF39C68D8700

Function 0000000180023DE4 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0000000180023E05

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 0000000180023E2A
moneypunct.LIBCPMT ref: 0000000180023EAD
std::bad_exception::bad_exception.LIBCMT ref: 0000000180023EC4
_CxxThrowException.LIBCMT ref: 0000000180023ED5
std::_Facet_Register.LIBCPMT ref: 0000000180023EF3

Strings

bad cast, xrefs: 0000000180023EB8

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmoneypunctstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 3809448442-3145022300
Opcode ID: 57679f9ba60fcc5ce75ffc9d603da348049f1029f5d85e32f99d7f7ab94a2bcf
Instruction ID: 78d12ddad9cf2f961cbe0ee8d63102c276d5e5dadf0dca8cca31639c76c0ce51
Opcode Fuzzy Hash: 57679f9ba60fcc5ce75ffc9d603da348049f1029f5d85e32f99d7f7ab94a2bcf
Instruction Fuzzy Hash: 38316C72604A4981EE93DB19E4513D96760F79CBE0F558322BA6D076E5DF38CA8EC700

Function 000000018000EDE8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000EE09

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000EE2E
messages.LIBCPMT ref: 000000018000EEB1
std::bad_exception::bad_exception.LIBCMT ref: 000000018000EEC8
_CxxThrowException.LIBCMT ref: 000000018000EED9
std::_Facet_Register.LIBCPMT ref: 000000018000EEF7

Strings

bad cast, xrefs: 000000018000EEBC

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 620047600-3145022300
Opcode ID: aa378d7cb7001d472e738dd575348e3f23e2d6fe110772f068ee53f9b38dc5f8
Instruction ID: d7191621a7ac0d800c40fe039645664729bb7d202f0113ab797f1482ed654799
Opcode Fuzzy Hash: aa378d7cb7001d472e738dd575348e3f23e2d6fe110772f068ee53f9b38dc5f8
Instruction Fuzzy Hash: D2314132604B8C81EA96DB15E8403D97761F79DBE4F54C222F66D236E6DE78CA8DC700

Function 000000018000F638 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000F659

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000F67E
messages.LIBCPMT ref: 000000018000F701
std::bad_exception::bad_exception.LIBCMT ref: 000000018000F718
_CxxThrowException.LIBCMT ref: 000000018000F729
std::_Facet_Register.LIBCPMT ref: 000000018000F747

Strings

bad cast, xrefs: 000000018000F70C

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 620047600-3145022300
Opcode ID: 26f739fb2207adfad20dbe0ff4bbae510614515fb7231ebce967c9c2ccd2148c
Instruction ID: fe53bd809141ad4a8fb52fc0f94da26a0e072fde6bf583902698de3aa87a9790
Opcode Fuzzy Hash: 26f739fb2207adfad20dbe0ff4bbae510614515fb7231ebce967c9c2ccd2148c
Instruction Fuzzy Hash: 1A314172604A4C91EAA7DB15E4503E97760F7987E0F548222F6AD13BE9DF39C68DC700

Function 0000000180007E70 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0000000180007E91

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 0000000180007EB6
messages.LIBCPMT ref: 0000000180007F39
std::bad_exception::bad_exception.LIBCMT ref: 0000000180007F50
_CxxThrowException.LIBCMT ref: 0000000180007F61
std::_Facet_Register.LIBCPMT ref: 0000000180007F7F

Strings

bad cast, xrefs: 0000000180007F44

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 620047600-3145022300
Opcode ID: 9d7bf26d82fda06f46ee10fef8c2a572636e6cb711f1b89eab47540aa2773390
Instruction ID: a39a07d489fe1709e7dffcf99ff87109f50278d4c8fcc2f6723dd5a18d2b7123
Opcode Fuzzy Hash: 9d7bf26d82fda06f46ee10fef8c2a572636e6cb711f1b89eab47540aa2773390
Instruction Fuzzy Hash: 1E313E31704B4981EA93DB15E4403E97361E7AC7E0F58C321FA5D176E6DE38CA8E8700

Function 000000018000E6C8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000E6E9

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000E70E
collate.LIBCPMT ref: 000000018000E791
std::bad_exception::bad_exception.LIBCMT ref: 000000018000E7A8
_CxxThrowException.LIBCMT ref: 000000018000E7B9
std::_Facet_Register.LIBCPMT ref: 000000018000E7D7

Strings

bad cast, xrefs: 000000018000E79C

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockcollatestd::bad_exception::bad_exception
String ID: bad cast
API String ID: 3240839640-3145022300
Opcode ID: 15430af32cf9b8e486ed60e673d5b8c96ce199ac25e89687e12c1e0a6129dbb2
Instruction ID: 5a58921b38e1c11c7ee0b369c090a126d18666bc4abbd8cc74174dfd54e2cf80
Opcode Fuzzy Hash: 15430af32cf9b8e486ed60e673d5b8c96ce199ac25e89687e12c1e0a6129dbb2
Instruction Fuzzy Hash: 75314172608A8881FA96DB25E8403D97761F79DBE0F548322F66D136E5DF38C68EC700

Function 0000000180023F14 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0000000180023F35

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 0000000180023F5A
moneypunct.LIBCPMT ref: 0000000180023FDD
std::bad_exception::bad_exception.LIBCMT ref: 0000000180023FF4
_CxxThrowException.LIBCMT ref: 0000000180024005
std::_Facet_Register.LIBCPMT ref: 0000000180024023

Strings

bad cast, xrefs: 0000000180023FE8

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmoneypunctstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 3809448442-3145022300
Opcode ID: ddc611d81091a771564436c8181557d018e8c1498031d48b19b0e2b44c0de1fc
Instruction ID: c3f08917b5860eaf3f746bb0bdc4995f0c3271c5a214842932c013d6c33afdca
Opcode Fuzzy Hash: ddc611d81091a771564436c8181557d018e8c1498031d48b19b0e2b44c0de1fc
Instruction Fuzzy Hash: 33316E72A04A4C81FAD7DB15E5813D96361F79CBE0F188222FA5D076E5DE38CA8EC700

Function 000000018000EF18 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000EF39

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000EF5E
messages.LIBCPMT ref: 000000018000EFE1
std::bad_exception::bad_exception.LIBCMT ref: 000000018000EFF8
_CxxThrowException.LIBCMT ref: 000000018000F009
std::_Facet_Register.LIBCPMT ref: 000000018000F027

Strings

bad cast, xrefs: 000000018000EFEC

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 620047600-3145022300
Opcode ID: 7b90b618fe9233f497b3e0b7bd34d426c4bb03d469434e90aa1f8f461423cc16
Instruction ID: 614366ad9a5ff6ac8348753e983fcd7fba9fd89e4481af51ce485f1e66cfaf53
Opcode Fuzzy Hash: 7b90b618fe9233f497b3e0b7bd34d426c4bb03d469434e90aa1f8f461423cc16
Instruction Fuzzy Hash: 31316172604B4D81FA96DB15E4403E97761E79CBE0F64C222BA5D177E6DE38CA8DC700

Function 000000018000F768 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000F789

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000F7AE
messages.LIBCPMT ref: 000000018000F831
std::bad_exception::bad_exception.LIBCMT ref: 000000018000F848
_CxxThrowException.LIBCMT ref: 000000018000F859
std::_Facet_Register.LIBCPMT ref: 000000018000F877

Strings

bad cast, xrefs: 000000018000F83C

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 620047600-3145022300
Opcode ID: 10861fd70df80fbe258d715848b4cc285575eb1398c9eca244f814f54e188fda
Instruction ID: e62912da7a3f1217ce2cd131540612a25ba01e78ddaa4f611fc9381f458fc566
Opcode Fuzzy Hash: 10861fd70df80fbe258d715848b4cc285575eb1398c9eca244f814f54e188fda
Instruction Fuzzy Hash: 78313F32604B4881EAA6DB15E4403E97760F798BE4F64C322BA5D037E9DF38C68ED700

Function 0000000180007FA0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0000000180007FC1

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 0000000180007FE6
ctype.LIBCPMT ref: 0000000180008069
std::bad_exception::bad_exception.LIBCMT ref: 0000000180008080
_CxxThrowException.LIBCMT ref: 0000000180008091
std::_Facet_Register.LIBCPMT ref: 00000001800080AF

Strings

bad cast, xrefs: 0000000180008074

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockctypestd::bad_exception::bad_exception
String ID: bad cast
API String ID: 3320480354-3145022300
Opcode ID: 43311a8cd0d47b4e5385f9dc31fb32a05d0fe4ad0ecca51f2bef93aa2bd29225
Instruction ID: fec9e7a6d46bfa7b577852024225b762ed1cc773752eb01346846e8d91bbd71e
Opcode Fuzzy Hash: 43311a8cd0d47b4e5385f9dc31fb32a05d0fe4ad0ecca51f2bef93aa2bd29225
Instruction Fuzzy Hash: 74313D31604A4C81EA97DB15E8503D977A1FB98BE0F148322FAAD036E5DF78C68E9700

Function 0000000180006940 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0000000180006961

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 0000000180006986
std::bad_exception::bad_exception.LIBCMT ref: 0000000180006A21
_CxxThrowException.LIBCMT ref: 0000000180006A32
std::_Facet_Register.LIBCPMT ref: 0000000180006A50

Strings

ios_base::badbit set, xrefs: 0000000180006940
bad cast, xrefs: 0000000180006A15

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockstd::bad_exception::bad_exception
String ID: bad cast$ios_base::badbit set
API String ID: 1776536810-182444483
Opcode ID: 8350d050f5a0f01878a3f2d3d7fa6fc40c68057f815e104cabb17d988fe9a483
Instruction ID: 02ad155c9015395c238964cca4a8f2f47d031e4f92e59427d6e1992964da67f8
Opcode Fuzzy Hash: 8350d050f5a0f01878a3f2d3d7fa6fc40c68057f815e104cabb17d988fe9a483
Instruction Fuzzy Hash: 3D314C32600A4881EA97DB15E5403D97361E798BE0F589222FA6E577F9DE38C68AC700

Function 000000018003BAE0 Relevance: 12.2, APIs: 8, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc_crt.LIBCMT ref: 000000018003BB09

Part of subcall function 0000000180031B68: malloc.LIBCMT ref: 0000000180031B93
Part of subcall function 0000000180031B68: Sleep.KERNEL32(?,?,00000000,00000001800302E4,?,?,00000000,00000001800301E3,?,?,00000000,0000000180038B02,?,?,00000000,0000000180038A6E), ref: 0000000180031BA6

free.LIBCMT ref: 000000018003BC0A
free.LIBCMT ref: 000000018003BC26

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: free$Sleep_malloc_crtmalloc
String ID:
API String ID: 2523592665-0
Opcode ID: 3fbd0b3e35addabc098f64ab091990d7b6a2871f8ac9e4cce4e35d3e8861d74a
Instruction ID: fc16e1660138297f9bb3e8678e6c16cd315b57137c63fc5872edf9e7c8194a9d
Opcode Fuzzy Hash: 3fbd0b3e35addabc098f64ab091990d7b6a2871f8ac9e4cce4e35d3e8861d74a
Instruction Fuzzy Hash: 30619F32301B4892EBA3DB16E94139A73A0F78CBD8F058125AF4D47B51DF78C66AC740

Function 0000000180005730 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 275COMMONLIBRARYCODE

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 0000000180005A4B
_CxxThrowException.LIBCMT ref: 0000000180005A66
std::exception::exception.LIBCMT ref: 0000000180005AC9
_CxxThrowException.LIBCMT ref: 0000000180005AE4

Part of subcall function 0000000180006440: std::_Xbad_alloc.LIBCPMT ref: 00000001800064CD

Strings

string too long, xrefs: 00000001800059B0, 00000001800059BD, 00000001800059D4, 00000001800059E1
bad conversion, xrefs: 0000000180005A36, 0000000180005AB4

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: ExceptionThrowstd::exception::exception$Xbad_allocstd::_
String ID: bad conversion$string too long
API String ID: 1519488521-500853860
Opcode ID: 9110206936fc4ea39a0f310876ecb5f4ea0c8709850686dfa8f543131f57e917
Instruction ID: 3cc6c4512f05efe767561da1de7a9aa72e313d0346ffbdd664ceec63a1708898
Opcode Fuzzy Hash: 9110206936fc4ea39a0f310876ecb5f4ea0c8709850686dfa8f543131f57e917
Instruction Fuzzy Hash: 3DD17B32704B84C9FB42CFA4E4503ED37B5E7497A8F948626EAA927AD5DF34C649C340

Function 000001E39FB85B3C Relevance: 10.7, APIs: 7, Instructions: 180COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000001E39FB85B67
_errno.LIBCMT ref: 000001E39FB85B5C

Part of subcall function 000001E39FB702B0: _getptd_noexit.LIBCMT ref: 000001E39FB702B4

_errno.LIBCMT ref: 000001E39FB85C0A
_invalid_parameter_noinfo.LIBCMT ref: 000001E39FB85C15

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo$_getptd_noexit
String ID:
API String ID: 1573762532-0
Opcode ID: 7afc2762c95521575d3116b194f351630dcc251883b617eb56e717d3dcf592c2
Instruction ID: f399f74c4248b85b244e698a60136d38c396fa69857f9b4b51a8f630b3034cf8
Opcode Fuzzy Hash: 7afc2762c95521575d3116b194f351630dcc251883b617eb56e717d3dcf592c2
Instruction Fuzzy Hash: FF510C35514B994BEB64AF19C0493F972F0FB94329F94025AACE6C75C3E7A4CAC18A81

Function 000001E39FB7F528 Relevance: 10.6, APIs: 7, Instructions: 146COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000001E39FB7F54E
_errno.LIBCMT ref: 000001E39FB7F543

Part of subcall function 000001E39FB702B0: _getptd_noexit.LIBCMT ref: 000001E39FB702B4

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000001E39FB7F5CD
_errno.LIBCMT ref: 000001E39FB7F5DE
_invalid_parameter_noinfo.LIBCMT ref: 000001E39FB7F5E9

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: Locale_errno_invalid_parameter_noinfo$UpdateUpdate::__getptd_noexit
String ID:
API String ID: 781512312-0
Opcode ID: a56ef14d950493e927c3ef52fe0069bfafb8291851f1440a19a1a290c08364fa
Instruction ID: d73bc2b8be7a9270ac2229c49487146caee2409468e8f693611cc68f67f4974f
Opcode Fuzzy Hash: a56ef14d950493e927c3ef52fe0069bfafb8291851f1440a19a1a290c08364fa
Instruction Fuzzy Hash: 97415A30424A8A4BEB54AF1CC4483FE72D0FB50329F94021E9DB5C76D6D7A4CAC1C6C5

Function 000001E39FB422C4 Relevance: 10.6, APIs: 7, Instructions: 134COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB422FF

Part of subcall function 000001E39FB48BAC: _lock.LIBCMT ref: 000001E39FB48BBE

Part of subcall function 000001E39FB483A4: ___lc_codepage_func.LIBCMT ref: 000001E39FB483C8
Part of subcall function 000001E39FB483A4: ___mb_cur_max_func.LIBCMT ref: 000001E39FB483CF
Part of subcall function 000001E39FB483A4: ___lc_locale_name_func.LIBCMT ref: 000001E39FB483D7

free.LIBCMT ref: 000001E39FB42380

Part of subcall function 000001E39FB6E5C8: _errno.LIBCMT ref: 000001E39FB6E5E8

free.LIBCMT ref: 000001E39FB42392
free.LIBCMT ref: 000001E39FB423A4
free.LIBCMT ref: 000001E39FB423B6
free.LIBCMT ref: 000001E39FB423C8
free.LIBCMT ref: 000001E39FB423DA

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: free$LockitLockit::____lc_codepage_func___lc_locale_name_func___mb_cur_max_func_errno_lockstd::_
String ID:
API String ID: 1142821818-0
Opcode ID: 1911704955e5e0ea99b43964440b80dd6f33ce142868086bf586ad4af8219b32
Instruction ID: 7aa57df645d43831bb86c58097c450d9fda360e60856037c90fe0820382cff57
Opcode Fuzzy Hash: 1911704955e5e0ea99b43964440b80dd6f33ce142868086bf586ad4af8219b32
Instruction Fuzzy Hash: 9E415B70908E8D8FEF55EF98D0646EDB7B1FF58314F00028E9819E7157DB7096858781

Function 0000000180044B68 Relevance: 10.6, APIs: 7, Instructions: 122COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000000180044B93
_errno.LIBCMT ref: 0000000180044B88

Part of subcall function 000000018002F2DC: _getptd_noexit.LIBCMT ref: 000000018002F2E0

_errno.LIBCMT ref: 0000000180044C36
_invalid_parameter_noinfo.LIBCMT ref: 0000000180044C41

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo$_getptd_noexit
String ID:
API String ID: 1573762532-0
Opcode ID: 7b47a042eea3f3de49294c888d2e7f7195dfd9dc128bccc2e4caf73cebc8c57f
Instruction ID: f2ef72c2d081a62da6ba206108f7190fcdc76fe894ca0d405d2fc84784ff5a10
Opcode Fuzzy Hash: 7b47a042eea3f3de49294c888d2e7f7195dfd9dc128bccc2e4caf73cebc8c57f
Instruction Fuzzy Hash: 50411677A01A9D81EBE69B1191C03F972A0F7487DDF9AC116FA845B6C4DF38C7498308

Function 000000018003E554 Relevance: 10.6, APIs: 7, Instructions: 107COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000018003E57A
_errno.LIBCMT ref: 000000018003E56F

Part of subcall function 000000018002F2DC: _getptd_noexit.LIBCMT ref: 000000018002F2E0

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000000018003E5F9
_errno.LIBCMT ref: 000000018003E60A
_invalid_parameter_noinfo.LIBCMT ref: 000000018003E615

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: Locale_errno_invalid_parameter_noinfo$UpdateUpdate::__getptd_noexit
String ID:
API String ID: 781512312-0
Opcode ID: 1996f2f9ceac77ac49b72366ba56ab82fbc49c57b1b3130c14664040d3ec86e6
Instruction ID: 8ce04cb9124dd54c6d4ddcc2c6da84841e497bcc28cebf8c8d46b4611f73f4df
Opcode Fuzzy Hash: 1996f2f9ceac77ac49b72366ba56ab82fbc49c57b1b3130c14664040d3ec86e6
Instruction Fuzzy Hash: 28415B72A106E881EBE3AB1180513FE33E0E359BE4F96C225B794076C5EF28CB59C700

Function 0000000180024044 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0000000180024065

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 000000018002408A
std::bad_exception::bad_exception.LIBCMT ref: 0000000180024124
_CxxThrowException.LIBCMT ref: 0000000180024135
std::_Facet_Register.LIBCPMT ref: 0000000180024153

Strings

bad cast, xrefs: 0000000180024118

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 1776536810-3145022300
Opcode ID: a9291c87b619f3b996d60f5c6d623e361a3f3665819b2df7064c52e3dbe42ad7
Instruction ID: 91e638e8e58f5590816a3cc392cfc10599bec749f4e2be6b6ca140d2a25e3853
Opcode Fuzzy Hash: a9291c87b619f3b996d60f5c6d623e361a3f3665819b2df7064c52e3dbe42ad7
Instruction Fuzzy Hash: 8C314172604A4981EA97DB15E4903D97760F79CBE0F548322BA6D0B7E9DE38C6CDC700

Function 0000000180024174 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0000000180024195

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 00000001800241BA
std::bad_exception::bad_exception.LIBCMT ref: 0000000180024254
_CxxThrowException.LIBCMT ref: 0000000180024265
std::_Facet_Register.LIBCPMT ref: 0000000180024283

Strings

bad cast, xrefs: 0000000180024248

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 1776536810-3145022300
Opcode ID: 12eb798131b44ed89ccc95a849e9259a6caec3e02f1d91c0b99d509edef29d89
Instruction ID: 90848ef588fa6780bc4661c9358ff58c986763a4f68afd91812fa81bb0acabc5
Opcode Fuzzy Hash: 12eb798131b44ed89ccc95a849e9259a6caec3e02f1d91c0b99d509edef29d89
Instruction Fuzzy Hash: 23315232604A4881EA97DB26E4403D967A1F798BE0F549322FA5D576E5DF38CA8DC700

Function 000000018000FC28 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000FC49

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000FC6E
std::bad_exception::bad_exception.LIBCMT ref: 000000018000FD08
_CxxThrowException.LIBCMT ref: 000000018000FD19
std::_Facet_Register.LIBCPMT ref: 000000018000FD37

Strings

bad cast, xrefs: 000000018000FCFC

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 1776536810-3145022300
Opcode ID: 695fa22a1d6d23245e75d15cd8436973dff841ec1e986202785ff3774109f988
Instruction ID: 09fe364ddf780e93d9049d4f58e0a1b9e30b89f7d2aa5cb162c798bc91164caf
Opcode Fuzzy Hash: 695fa22a1d6d23245e75d15cd8436973dff841ec1e986202785ff3774109f988
Instruction Fuzzy Hash: 69317032604A4D81FAA3DB15E4417E97361F7987E0F148222BA5D07BE9DF38CA8AC700

Function 000000018000FD58 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000FD79

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000FD9E
std::bad_exception::bad_exception.LIBCMT ref: 000000018000FE38
_CxxThrowException.LIBCMT ref: 000000018000FE49
std::_Facet_Register.LIBCPMT ref: 000000018000FE67

Strings

bad cast, xrefs: 000000018000FE2C

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 1776536810-3145022300
Opcode ID: c31faf9a16ab594d7b7d60b82c7fa3f9691752c0b0427a899f9a3bc7088db9e4
Instruction ID: 30961d9cbeee99d4b4c8c09e2762ce4d9037323df64a8bf6b53e01d37467889e
Opcode Fuzzy Hash: c31faf9a16ab594d7b7d60b82c7fa3f9691752c0b0427a899f9a3bc7088db9e4
Instruction Fuzzy Hash: 5C315232604A4C85EAA2DB15E8403E97761F75CBE4F548222F65D477E6DF38C68DC700

Function 000000018000FE88 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000FEA9

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000FECE
std::bad_exception::bad_exception.LIBCMT ref: 000000018000FF68
_CxxThrowException.LIBCMT ref: 000000018000FF79
std::_Facet_Register.LIBCPMT ref: 000000018000FF97

Strings

bad cast, xrefs: 000000018000FF5C

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 1776536810-3145022300
Opcode ID: 17fb9323fbc971b4fa346c04e9c882f087ef0fb30719fe252382272d9991794a
Instruction ID: 9582de70e770e37efabb6f113b678346e0295d584a42193a0e1ebcab5a9be77e
Opcode Fuzzy Hash: 17fb9323fbc971b4fa346c04e9c882f087ef0fb30719fe252382272d9991794a
Instruction Fuzzy Hash: A6315032604B4981EAA6DB15E4403E97760F799BE4F648231B66D077E5DE78C78EC700

Function 000000018000FFB8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000FFD9

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000FFFE
std::bad_exception::bad_exception.LIBCMT ref: 0000000180010098
_CxxThrowException.LIBCMT ref: 00000001800100A9
std::_Facet_Register.LIBCPMT ref: 00000001800100C7

Strings

bad cast, xrefs: 000000018001008C

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 1776536810-3145022300
Opcode ID: f2e4760a716c2795633db2f004ed8ff4989bb75003c081aa226cd9fb3309a49b
Instruction ID: bb2cd3e7e7aa969297df1caed63585c35752593d0d986f492354a86db0af1576
Opcode Fuzzy Hash: f2e4760a716c2795633db2f004ed8ff4989bb75003c081aa226cd9fb3309a49b
Instruction Fuzzy Hash: 2E315032604E4881FB93DB15E8403D96361F79CBE0F288322B69D176E5DE79DA8EC700

Function 0000000180007180 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 81COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00000001800071A1

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::_Lockit::_Lockit.LIBCPMT ref: 00000001800071C6
std::bad_exception::bad_exception.LIBCMT ref: 0000000180007261
_CxxThrowException.LIBCMT ref: 0000000180007272
std::_Facet_Register.LIBCPMT ref: 0000000180007290

Strings

bad cast, xrefs: 0000000180007255

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 1776536810-3145022300
Opcode ID: 2c248766304681b0c2bab5ac96b723214e976363793dd3940de8d17814ddb4c4
Instruction ID: d5f3d85ad48d5269fabfe6c01bbad63a5faf147fba86dc7cd225a5bba448d346
Opcode Fuzzy Hash: 2c248766304681b0c2bab5ac96b723214e976363793dd3940de8d17814ddb4c4
Instruction Fuzzy Hash: 16315071700A4881FA97DB15E4403D97761F7A8BE0F58C321FA5D036E6DE38C68AC740

Function 000000018004772C Relevance: 10.6, APIs: 7, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0000000180047760

Part of subcall function 000000018002F34C: _getptd.LIBCMT ref: 000000018002F362
Part of subcall function 000000018002F34C: __updatetlocinfo.LIBCMT ref: 000000018002F397
Part of subcall function 000000018002F34C: __updatetmbcinfo.LIBCMT ref: 000000018002F3BE

_errno.LIBCMT ref: 000000018004777B
_invalid_parameter_noinfo.LIBCMT ref: 0000000180047786

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_invalid_parameter_noinfo
String ID:
API String ID: 3191669884-0
Opcode ID: ec2a6dd435b50d5e993b3328a406cbf0fc12b9938289ae1a38fd3c4af6446b14
Instruction ID: 4b6da2c887b896db48c8bf2af78125f2489fc4292198535c1cc227c838a58a5b
Opcode Fuzzy Hash: ec2a6dd435b50d5e993b3328a406cbf0fc12b9938289ae1a38fd3c4af6446b14
Instruction Fuzzy Hash: 2B31CC72704B888AE6A39B5190847EDB7A4F348BE4F668125FE5803B96CF74CA49C704

Function 00000001800023F0 Relevance: 10.6, APIs: 4, Strings: 3, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

_CxxThrowException.LIBCMT ref: 0000000180002442
_CxxThrowException.LIBCMT ref: 000000018000247E
_CxxThrowException.LIBCMT ref: 00000001800024A6
_CxxThrowException.LIBCMT ref: 00000001800024CE

Strings

ios_base::badbit set, xrefs: 000000018000244F
ios_base::failbit set, xrefs: 0000000180002484
ios_base::eofbit set, xrefs: 00000001800024AC

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: ExceptionThrow
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 432778473-1866435925
Opcode ID: a68a3c255015a623e0952fdafce5552ec4697e039a4adfb181130a635e184be4
Instruction ID: b3155ec887754ec426d41302e82ca1272bd2955ff3b21f2f7d625a5ccb09a45c
Opcode Fuzzy Hash: a68a3c255015a623e0952fdafce5552ec4697e039a4adfb181130a635e184be4
Instruction Fuzzy Hash: 51213071A11F59D8FB96DB64E8817EC3375B718388F908126F94922AA9EF35C74EC340

Function 0000000180001180 Relevance: 10.5, APIs: 7, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 000000018000118D

Part of subcall function 00000001800077C8: setlocale.LIBCMT ref: 00000001800077E2

free.LIBCMT ref: 000000018000119B

Part of subcall function 000000018002D5F4: HeapFree.KERNEL32(?,?,00000000,0000000180038A82,?,?,00000000,000000018002F2E5,?,?,?,?,000000018002DB16,?,?,00000000), ref: 000000018002D60A
Part of subcall function 000000018002D5F4: _errno.LIBCMT ref: 000000018002D614
Part of subcall function 000000018002D5F4: GetLastError.KERNEL32(?,?,00000000,0000000180038A82,?,?,00000000,000000018002F2E5,?,?,?,?,000000018002DB16,?,?,00000000), ref: 000000018002D61C

free.LIBCMT ref: 00000001800011AF
free.LIBCMT ref: 00000001800011C1
free.LIBCMT ref: 00000001800011D3
free.LIBCMT ref: 00000001800011E5
free.LIBCMT ref: 00000001800011F7

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: free$ErrorFreeHeapLastLocinfo::_Locinfo_dtor_errnosetlocalestd::_
String ID:
API String ID: 1855319098-0
Opcode ID: 2f9469f7e86d9ed662453ed7390a40d8cb98c28b94d45fdd9a0046f49d435607
Instruction ID: b48272a0fe48caf80c68cbfff6fe37b1983f1ac57bfd09bfec3c9c3905106cea
Opcode Fuzzy Hash: 2f9469f7e86d9ed662453ed7390a40d8cb98c28b94d45fdd9a0046f49d435607
Instruction Fuzzy Hash: 85010831202A9888EF9FDF65D5917EC73A4EF59FC8F188116BA4906A86CE64CD94C740

Function 00000001800312AC Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00000001800312CD
_getptd.LIBCMT ref: 00000001800312DB
_getptd.LIBCMT ref: 00000001800312ED

Strings

csm, xrefs: 00000001800312C3
RCC, xrefs: 00000001800312B3
MOC, xrefs: 00000001800312BB

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: _getptd
String ID: MOC$RCC$csm
API String ID: 3186804695-2671469338
Opcode ID: 79c6bdfdf6facc246eee842b2de7a644aa034f1ac0e2309a20206dc5bd345c8d
Instruction ID: cee1693f68b0781dadb7962070319637af549046bf3e62ebc375f9a8a227fa41
Opcode Fuzzy Hash: 79c6bdfdf6facc246eee842b2de7a644aa034f1ac0e2309a20206dc5bd345c8d
Instruction Fuzzy Hash: 6DF0303550814CCAE6DB2B5484053FF2790EB9DB87F8BC1A2A30082382CFBC47989B57

Function 0000000180006DB0 Relevance: 9.3, APIs: 3, Strings: 3, Instructions: 263COMMONLIBRARYCODE

Download Yara Rule

APIs

_CxxThrowException.LIBCMT ref: 00000001800070C2
_CxxThrowException.LIBCMT ref: 00000001800070FB
_CxxThrowException.LIBCMT ref: 0000000180007133

Part of subcall function 0000000180006940: std::_Lockit::_Lockit.LIBCPMT ref: 0000000180006961
Part of subcall function 0000000180006940: std::_Lockit::_Lockit.LIBCPMT ref: 0000000180006986

Strings

ios_base::badbit set, xrefs: 0000000180007094
ios_base::failbit set, xrefs: 00000001800070D2
ios_base::eofbit set, xrefs: 0000000180007101

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: ExceptionThrow$LockitLockit::_std::_
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 1691487403-1866435925
Opcode ID: 47dc98a40835983bb1699ece49d8b1051e63deae5354a9febec2b4376c92975c
Instruction ID: 7e3792396ecdcc1fac19a2e98736fc1bb3e923ca5e2df652966d8dc16d1af633
Opcode Fuzzy Hash: 47dc98a40835983bb1699ece49d8b1051e63deae5354a9febec2b4376c92975c
Instruction Fuzzy Hash: 61C16372600B49C5EBA6CF19E0903A977A1F788BD4F50C122EB4D437A5DF7AC64AC740

Function 0000000180006A80 Relevance: 9.2, APIs: 3, Strings: 3, Instructions: 210COMMONLIBRARYCODE

Download Yara Rule

APIs

_CxxThrowException.LIBCMT ref: 0000000180006CF2
_CxxThrowException.LIBCMT ref: 0000000180006D2B
_CxxThrowException.LIBCMT ref: 0000000180006D63

Strings

ios_base::badbit set, xrefs: 0000000180006CC4
ios_base::failbit set, xrefs: 0000000180006D02
ios_base::eofbit set, xrefs: 0000000180006D31

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: ExceptionThrow
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 432778473-1866435925
Opcode ID: 929456a826c5cb86168c23e50031e89aca919ba6b7336e00f1ffe86e266b3d15
Instruction ID: 236ed865422d3fdca970c5237e1e28b9fcf6c9cb8c767a6c1dee54dc2b89609d
Opcode Fuzzy Hash: 929456a826c5cb86168c23e50031e89aca919ba6b7336e00f1ffe86e266b3d15
Instruction Fuzzy Hash: 9EA15672605B4885EBA6CF19D0903AD77A1F788BC4F50C112EA8D437B5DF3AC68AC700

Function 000001E39FB4F56C Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB4F58D

Part of subcall function 000001E39FB48BAC: _lock.LIBCMT ref: 000001E39FB48BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB4F5B2
collate.LIBCPMT ref: 000001E39FB4F635
std::bad_exception::bad_exception.LIBCMT ref: 000001E39FB4F64C
_CxxThrowException.LIBCMT ref: 000001E39FB4F65D
std::_Facet_Register.LIBCPMT ref: 000001E39FB4F67B

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockcollatestd::bad_exception::bad_exception
String ID:
API String ID: 3240839640-0
Opcode ID: aa24ee5a496f3eccf8c40c5a857f936f456db878295ea4d5143e493ac5b1c9e7
Instruction ID: 6b75c45fadb46f62b5a2c2839d638d6969a26c4fa10f0ce22a7e9fb9276a1fe8
Opcode Fuzzy Hash: aa24ee5a496f3eccf8c40c5a857f936f456db878295ea4d5143e493ac5b1c9e7
Instruction Fuzzy Hash: EC41A431619E494FEB55EF18D9886FE73E0FB68314F10065A9926C31A3DB70DA81CB81

Function 000001E39FB64C88 Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB64CA9

Part of subcall function 000001E39FB48BAC: _lock.LIBCMT ref: 000001E39FB48BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB64CCE
messages.LIBCPMT ref: 000001E39FB64D51
std::bad_exception::bad_exception.LIBCMT ref: 000001E39FB64D68
_CxxThrowException.LIBCMT ref: 000001E39FB64D79
std::_Facet_Register.LIBCPMT ref: 000001E39FB64D97

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID:
API String ID: 620047600-0
Opcode ID: 33120029e13e597c9436f25d0a0d0519267f463dbb34c2f4dbf7f077c465b499
Instruction ID: 03fb72fdb8679da8aeddb0e89a2196fcfc8d19f5f414eac3a25a1082471f3786
Opcode Fuzzy Hash: 33120029e13e597c9436f25d0a0d0519267f463dbb34c2f4dbf7f077c465b499
Instruction Fuzzy Hash: 69415531A08E488FEB55EF18D488ABA73E1FB64314F20055D946AD31A3DB74DD85CB81

Function 000001E39FB4FC8C Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB4FCAD

Part of subcall function 000001E39FB48BAC: _lock.LIBCMT ref: 000001E39FB48BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB4FCD2
messages.LIBCPMT ref: 000001E39FB4FD55
std::bad_exception::bad_exception.LIBCMT ref: 000001E39FB4FD6C
_CxxThrowException.LIBCMT ref: 000001E39FB4FD7D
std::_Facet_Register.LIBCPMT ref: 000001E39FB4FD9B

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID:
API String ID: 620047600-0
Opcode ID: 233253f149e279e38e89f3a7e76266979d4b0c745f74142b2642ab861ab978b6
Instruction ID: ed720d6b06c0ea15485b47e3aa613a3d885bf4a840587afb11cbc7f211ba889d
Opcode Fuzzy Hash: 233253f149e279e38e89f3a7e76266979d4b0c745f74142b2642ab861ab978b6
Instruction Fuzzy Hash: 1841B631618E494FE755EF28D5886FE73E1FB58318F10055AA966C31E3DB70DA81CB81

Function 000001E39FB504DC Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB504FD

Part of subcall function 000001E39FB48BAC: _lock.LIBCMT ref: 000001E39FB48BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB50522
messages.LIBCPMT ref: 000001E39FB505A5
std::bad_exception::bad_exception.LIBCMT ref: 000001E39FB505BC
_CxxThrowException.LIBCMT ref: 000001E39FB505CD
std::_Facet_Register.LIBCPMT ref: 000001E39FB505EB

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID:
API String ID: 620047600-0
Opcode ID: abaa451bbf9128479b128ef22488faa88a4a7ca70dc8d8c9ec040cfc4538b7c0
Instruction ID: dfd497ea404db02382022ea99fc5cd0890767c830c26c62c705f916731a17f4b
Opcode Fuzzy Hash: abaa451bbf9128479b128ef22488faa88a4a7ca70dc8d8c9ec040cfc4538b7c0
Instruction Fuzzy Hash: CF419831118E498FE755EF18E4D86FE77E0FB59354F10096AA825C31A3DBB4DA81CB41

Function 000001E39FB4F43C Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB4F45D

Part of subcall function 000001E39FB48BAC: _lock.LIBCMT ref: 000001E39FB48BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB4F482
codecvt.LIBCPMT ref: 000001E39FB4F505
std::bad_exception::bad_exception.LIBCMT ref: 000001E39FB4F51C
_CxxThrowException.LIBCMT ref: 000001E39FB4F52D
std::_Facet_Register.LIBCPMT ref: 000001E39FB4F54B

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockcodecvtstd::bad_exception::bad_exception
String ID:
API String ID: 2666907392-0
Opcode ID: 45efec231ae2297d7a2142dcd9c2eae13585b2050d5428d033f28a6bf587b034
Instruction ID: 8fa350d4d6f850f43225a882199761c0c78c48f4cd93f3e60de17e86c67a387b
Opcode Fuzzy Hash: 45efec231ae2297d7a2142dcd9c2eae13585b2050d5428d033f28a6bf587b034
Instruction Fuzzy Hash: D141D630218E484FE755EF18D5886FE37E1FBA8318F10051A992AC31A7CF70DA81CB80

Function 000001E39FB503AC Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB503CD

Part of subcall function 000001E39FB48BAC: _lock.LIBCMT ref: 000001E39FB48BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB503F2
moneypunct.LIBCPMT ref: 000001E39FB50475
std::bad_exception::bad_exception.LIBCMT ref: 000001E39FB5048C
_CxxThrowException.LIBCMT ref: 000001E39FB5049D
std::_Facet_Register.LIBCPMT ref: 000001E39FB504BB

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmoneypunctstd::bad_exception::bad_exception
String ID:
API String ID: 3809448442-0
Opcode ID: c66e09ab170a22db7c72c6839654604274626d1e646d604170c6a8578907e1a2
Instruction ID: 8d92772c703eb21ee82fb721010b99374d222877c0888f3cc187754031d877b5
Opcode Fuzzy Hash: c66e09ab170a22db7c72c6839654604274626d1e646d604170c6a8578907e1a2
Instruction Fuzzy Hash: 7F41B430108E498FE765EF18D4986FE73E0FBA9354F10062AA829C31A3DB74DA81C781

Function 000001E39FB49304 Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB49325

Part of subcall function 000001E39FB48BAC: _lock.LIBCMT ref: 000001E39FB48BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB4934A
numpunct.LIBCPMT ref: 000001E39FB493CD
std::bad_exception::bad_exception.LIBCMT ref: 000001E39FB493E4
_CxxThrowException.LIBCMT ref: 000001E39FB493F5
std::_Facet_Register.LIBCPMT ref: 000001E39FB49413

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_locknumpunctstd::bad_exception::bad_exception
String ID:
API String ID: 4068408745-0
Opcode ID: 6f03905d0beafbc56963ed536e36f45f80a76ca8702b5fb871efbe115acaf3e9
Instruction ID: 5c481a102ad5167494aa9ad03451b7b44dc8bf56698a580399b4c07cbb4eb414
Opcode Fuzzy Hash: 6f03905d0beafbc56963ed536e36f45f80a76ca8702b5fb871efbe115acaf3e9
Instruction Fuzzy Hash: CA419331118E488FE755EF19D4896FA77E1FB68318F10056AA46AC32A7DB70D981CB81

Function 000001E39FB64B58 Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB64B79

Part of subcall function 000001E39FB48BAC: _lock.LIBCMT ref: 000001E39FB48BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB64B9E
messages.LIBCPMT ref: 000001E39FB64C21
std::bad_exception::bad_exception.LIBCMT ref: 000001E39FB64C38
_CxxThrowException.LIBCMT ref: 000001E39FB64C49
std::_Facet_Register.LIBCPMT ref: 000001E39FB64C67

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID:
API String ID: 620047600-0
Opcode ID: 1d91a49bc77edb7e22aa6e9a78d7975369a76cca3a033d80bf35b0100c632c7d
Instruction ID: fce56004331be8219f61b477ca3c41796ddf6493d1e7633aa3aba27dbfa8a082
Opcode Fuzzy Hash: 1d91a49bc77edb7e22aa6e9a78d7975369a76cca3a033d80bf35b0100c632c7d
Instruction Fuzzy Hash: 68419631508E488FEB55FF18D489AFA77E1FB98314F20051E946AD32A3DB74D985CB81

Function 000001E39FB4FB5C Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB4FB7D

Part of subcall function 000001E39FB48BAC: _lock.LIBCMT ref: 000001E39FB48BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB4FBA2
messages.LIBCPMT ref: 000001E39FB4FC25
std::bad_exception::bad_exception.LIBCMT ref: 000001E39FB4FC3C
_CxxThrowException.LIBCMT ref: 000001E39FB4FC4D
std::_Facet_Register.LIBCPMT ref: 000001E39FB4FC6B

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID:
API String ID: 620047600-0
Opcode ID: 9179dece544dd2d7b58664dfb820dd996a6c2b9e8f7944b505e616ecfab862ae
Instruction ID: 37cfe5db0a393a29a98d65383b79f61112f4049c172d04380a2113eb4ab0f8fa
Opcode Fuzzy Hash: 9179dece544dd2d7b58664dfb820dd996a6c2b9e8f7944b505e616ecfab862ae
Instruction Fuzzy Hash: 4641B631218E498FE755EF58E5986FE73E1FBA8314F10051AD966C32A3DB70D981CB81

Function 000001E39FB50ACC Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB50AED

Part of subcall function 000001E39FB48BAC: _lock.LIBCMT ref: 000001E39FB48BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB50B12
numpunct.LIBCPMT ref: 000001E39FB50B95
std::bad_exception::bad_exception.LIBCMT ref: 000001E39FB50BAC
_CxxThrowException.LIBCMT ref: 000001E39FB50BBD
std::_Facet_Register.LIBCPMT ref: 000001E39FB50BDB

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_locknumpunctstd::bad_exception::bad_exception
String ID:
API String ID: 4068408745-0
Opcode ID: 822ec391d6621952e5469a8a2b9ff91c3985372570a95cd92eaf18f1c434b61d
Instruction ID: 1d9f9b8ed229bfef515bc95cc634f6d904976e45d9d70b39aad6f19a08abec00
Opcode Fuzzy Hash: 822ec391d6621952e5469a8a2b9ff91c3985372570a95cd92eaf18f1c434b61d
Instruction Fuzzy Hash: D841C930208E494FE755EF18D4886FE73E0FB69358F10065AD466C31A3DBB4DA81CB80

Function 000001E39FB64A28 Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB64A49

Part of subcall function 000001E39FB48BAC: _lock.LIBCMT ref: 000001E39FB48BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB64A6E
messages.LIBCPMT ref: 000001E39FB64AF1
std::bad_exception::bad_exception.LIBCMT ref: 000001E39FB64B08
_CxxThrowException.LIBCMT ref: 000001E39FB64B19
std::_Facet_Register.LIBCPMT ref: 000001E39FB64B37

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID:
API String ID: 620047600-0
Opcode ID: 8101ceada97120b4e31297d4cb69fbff05a20529c4fc301d5dc3a6eecf40290d
Instruction ID: 7e985cdb6d9096693c3be7670a33a3273b1509b39c731fe84081f7e459878e2c
Opcode Fuzzy Hash: 8101ceada97120b4e31297d4cb69fbff05a20529c4fc301d5dc3a6eecf40290d
Instruction Fuzzy Hash: CC416331518E489FEB55EF18D488AFE73E1FB68318F20061D946AD31A3DBB4D985CB81

Function 000001E39FB4FA2C Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB4FA4D

Part of subcall function 000001E39FB48BAC: _lock.LIBCMT ref: 000001E39FB48BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB4FA72
messages.LIBCPMT ref: 000001E39FB4FAF5
std::bad_exception::bad_exception.LIBCMT ref: 000001E39FB4FB0C
_CxxThrowException.LIBCMT ref: 000001E39FB4FB1D
std::_Facet_Register.LIBCPMT ref: 000001E39FB4FB3B

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID:
API String ID: 620047600-0
Opcode ID: 8ce21f825e0c86f2d4b8cb028bd5239e6d8b4f4478972e71b897618c04ae54ad
Instruction ID: 7cb61257ae020968346207dc018194d30bf2618407c5b9a7dc0595234c081523
Opcode Fuzzy Hash: 8ce21f825e0c86f2d4b8cb028bd5239e6d8b4f4478972e71b897618c04ae54ad
Instruction Fuzzy Hash: AA41D230618E584FE755EF18D5986FE73E1FBA8314F100A1AE565C32A3DB70DA85CB81

Function 000001E39FB5027C Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB5029D

Part of subcall function 000001E39FB48BAC: _lock.LIBCMT ref: 000001E39FB48BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB502C2
moneypunct.LIBCPMT ref: 000001E39FB50345
std::bad_exception::bad_exception.LIBCMT ref: 000001E39FB5035C
_CxxThrowException.LIBCMT ref: 000001E39FB5036D
std::_Facet_Register.LIBCPMT ref: 000001E39FB5038B

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmoneypunctstd::bad_exception::bad_exception
String ID:
API String ID: 3809448442-0
Opcode ID: 576ca43a9229fa76d4c30edbc1c9635a8bd1653c60898644c64f54b1b7beac0d
Instruction ID: 60bcaff240025589fc368f8b6034a8c1750faaba7ba1d9ee847deae9dbeaeea0
Opcode Fuzzy Hash: 576ca43a9229fa76d4c30edbc1c9635a8bd1653c60898644c64f54b1b7beac0d
Instruction Fuzzy Hash: BF41D830208E898FE755EF28D4896FE77E0FB99344F10061A9465C31A3DBB4DA81CB81

Function 000001E39FB5099C Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB509BD

Part of subcall function 000001E39FB48BAC: _lock.LIBCMT ref: 000001E39FB48BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB509E2
numpunct.LIBCPMT ref: 000001E39FB50A65
std::bad_exception::bad_exception.LIBCMT ref: 000001E39FB50A7C
_CxxThrowException.LIBCMT ref: 000001E39FB50A8D
std::_Facet_Register.LIBCPMT ref: 000001E39FB50AAB

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_locknumpunctstd::bad_exception::bad_exception
String ID:
API String ID: 4068408745-0
Opcode ID: 9cf474680b64cc0a42dfb88614e6b436c95b169935a0ccc469abbe6bd9e922ca
Instruction ID: 84a950a77dc3acce2c223f4ccf21cc5e575f3c8eac2348b3161cb817e7dcea46
Opcode Fuzzy Hash: 9cf474680b64cc0a42dfb88614e6b436c95b169935a0ccc469abbe6bd9e922ca
Instruction Fuzzy Hash: 2741C531118E498FF755EF58D4886FE73E0FBA5354F10052A9469C31A3DB74DA81CB81

Function 000001E39FB491D4 Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB491F5

Part of subcall function 000001E39FB48BAC: _lock.LIBCMT ref: 000001E39FB48BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB4921A
messages.LIBCPMT ref: 000001E39FB4929D
std::bad_exception::bad_exception.LIBCMT ref: 000001E39FB492B4
_CxxThrowException.LIBCMT ref: 000001E39FB492C5
std::_Facet_Register.LIBCPMT ref: 000001E39FB492E3

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID:
API String ID: 620047600-0
Opcode ID: d65d886f5a4a5fbf692825c0abf740438a2889b3773da977cec666f68a3605b7
Instruction ID: 88ed75c666a0624b103385fd49b604bfefdc8ad9a387555dbf0cffb9e10be8a5
Opcode Fuzzy Hash: d65d886f5a4a5fbf692825c0abf740438a2889b3773da977cec666f68a3605b7
Instruction Fuzzy Hash: F4419331508E484FF795EF19D5886FA73E0FBA8314F10065A946AC32A3DB70DA85CB81

Function 000001E39FB5014C Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB5016D

Part of subcall function 000001E39FB48BAC: _lock.LIBCMT ref: 000001E39FB48BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB50192
moneypunct.LIBCPMT ref: 000001E39FB50215
std::bad_exception::bad_exception.LIBCMT ref: 000001E39FB5022C
_CxxThrowException.LIBCMT ref: 000001E39FB5023D
std::_Facet_Register.LIBCPMT ref: 000001E39FB5025B

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmoneypunctstd::bad_exception::bad_exception
String ID:
API String ID: 3809448442-0
Opcode ID: 23175eb6af71c341a43572a7cfc5c5faaad3fe0d8949ac351d6b072308f46143
Instruction ID: 09d5fb89ba5c1957724a0442e2def77ea0a3441fe151728d2eee41d6ca846c62
Opcode Fuzzy Hash: 23175eb6af71c341a43572a7cfc5c5faaad3fe0d8949ac351d6b072308f46143
Instruction Fuzzy Hash: BD41A731108E498FEB55EF18D4986FE77E0FB65354F10051AA425C31A3DB74DE85C781

Function 000001E39FB490A4 Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB490C5

Part of subcall function 000001E39FB48BAC: _lock.LIBCMT ref: 000001E39FB48BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB490EA
messages.LIBCPMT ref: 000001E39FB4916D
std::bad_exception::bad_exception.LIBCMT ref: 000001E39FB49184
_CxxThrowException.LIBCMT ref: 000001E39FB49195
std::_Facet_Register.LIBCPMT ref: 000001E39FB491B3

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID:
API String ID: 620047600-0
Opcode ID: 44f74ad60790d5f728fb9db277d581671f1682aeeeb9c216a3193cbb7b7aedb3
Instruction ID: 2f4f85535e99eff777ab35f17edfbba1d35f6b1d708935b2f8d7757e758389d1
Opcode Fuzzy Hash: 44f74ad60790d5f728fb9db277d581671f1682aeeeb9c216a3193cbb7b7aedb3
Instruction Fuzzy Hash: F2419131508E488FE755EF19D58C6BA73E1FBA8354F10066AE46AC32A3DF70D985CB81

Function 000001E39FB648F8 Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB64919

Part of subcall function 000001E39FB48BAC: _lock.LIBCMT ref: 000001E39FB48BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB6493E
collate.LIBCPMT ref: 000001E39FB649C1
std::bad_exception::bad_exception.LIBCMT ref: 000001E39FB649D8
_CxxThrowException.LIBCMT ref: 000001E39FB649E9
std::_Facet_Register.LIBCPMT ref: 000001E39FB64A07

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockcollatestd::bad_exception::bad_exception
String ID:
API String ID: 3240839640-0
Opcode ID: 0233418cfae809917d103e780ede1da457fc54a499b3717859009be7294f54f8
Instruction ID: 8ae7b9e211ca994a62b9e679a124c1059e8898c4cd18fe5a6130dfb604a54984
Opcode Fuzzy Hash: 0233418cfae809917d103e780ede1da457fc54a499b3717859009be7294f54f8
Instruction Fuzzy Hash: 4B418531508E588FEB55FF18D489ABA73E1FB58318F20055DA42AD31A3DB74D985CB81

Function 000001E39FB4F8FC Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB4F91D

Part of subcall function 000001E39FB48BAC: _lock.LIBCMT ref: 000001E39FB48BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB4F942
messages.LIBCPMT ref: 000001E39FB4F9C5
std::bad_exception::bad_exception.LIBCMT ref: 000001E39FB4F9DC
_CxxThrowException.LIBCMT ref: 000001E39FB4F9ED
std::_Facet_Register.LIBCPMT ref: 000001E39FB4FA0B

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID:
API String ID: 620047600-0
Opcode ID: ad3d27e93c69ba864e2bfe9fd3f3486237bb31b56115dd73a035953c61f75546
Instruction ID: 21d4bc584f89117935251587b78843121754b45833a910c93cc556f298585bc4
Opcode Fuzzy Hash: ad3d27e93c69ba864e2bfe9fd3f3486237bb31b56115dd73a035953c61f75546
Instruction Fuzzy Hash: BE41B631618E894FE755EF18D988AFE73E1FBA8314F10051AA565C31A7DB70DE81CB41

Function 000001E39FB5001C Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB5003D

Part of subcall function 000001E39FB48BAC: _lock.LIBCMT ref: 000001E39FB48BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB50062
moneypunct.LIBCPMT ref: 000001E39FB500E5
std::bad_exception::bad_exception.LIBCMT ref: 000001E39FB500FC
_CxxThrowException.LIBCMT ref: 000001E39FB5010D
std::_Facet_Register.LIBCPMT ref: 000001E39FB5012B

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmoneypunctstd::bad_exception::bad_exception
String ID:
API String ID: 3809448442-0
Opcode ID: be434e7532a21790c41d01ca9e6344b4bc2dcf28563e8adecb1c6891a9f02ef6
Instruction ID: e464f6cabd17260bc8b3b9e3497a246a29981762b787fda0fbfc91543d8cc6ce
Opcode Fuzzy Hash: be434e7532a21790c41d01ca9e6344b4bc2dcf28563e8adecb1c6891a9f02ef6
Instruction Fuzzy Hash: 9941A731208E8A4FE755EF18D488AFE73E0FB99354F14062AA465C31A7DBB4DA85C781

Function 000001E39FB5086C Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB5088D

Part of subcall function 000001E39FB48BAC: _lock.LIBCMT ref: 000001E39FB48BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB508B2
messages.LIBCPMT ref: 000001E39FB50935
std::bad_exception::bad_exception.LIBCMT ref: 000001E39FB5094C
_CxxThrowException.LIBCMT ref: 000001E39FB5095D
std::_Facet_Register.LIBCPMT ref: 000001E39FB5097B

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID:
API String ID: 620047600-0
Opcode ID: e8914c13f1a63b2bd7b0f8b8eb872b1415bdfa408ac95b106aef2af262e1ca3a
Instruction ID: 18f9b2cd2361a8e349ee6244b0b5cf168201c93e7191547fefbf623875d94dc3
Opcode Fuzzy Hash: e8914c13f1a63b2bd7b0f8b8eb872b1415bdfa408ac95b106aef2af262e1ca3a
Instruction Fuzzy Hash: F641A431518E498FF755EF28D488AFE73E0FBA9354F10051A9429C31A7DB74DA81CB81

Function 000001E39FB4F7CC Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB4F7ED

Part of subcall function 000001E39FB48BAC: _lock.LIBCMT ref: 000001E39FB48BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB4F812
ctype.LIBCPMT ref: 000001E39FB4F895
std::bad_exception::bad_exception.LIBCMT ref: 000001E39FB4F8AC
_CxxThrowException.LIBCMT ref: 000001E39FB4F8BD
std::_Facet_Register.LIBCPMT ref: 000001E39FB4F8DB

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockctypestd::bad_exception::bad_exception
String ID:
API String ID: 3320480354-0
Opcode ID: 9acc7d8935e0b6991aa026bbf44fd62e2f07b53be7d58e42d1e7b8c701af2e2c
Instruction ID: 4b5c9ee0de520c07e430705d51abfb7dfa85d0992c6f7d9e67cb29dc32ffda7b
Opcode Fuzzy Hash: 9acc7d8935e0b6991aa026bbf44fd62e2f07b53be7d58e42d1e7b8c701af2e2c
Instruction Fuzzy Hash: 0741B231218E498FE755EF18D488AFE73E1FBA8314F10061A9965C71A3DB70D981DB81

Function 000001E39FB5073C Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB5075D

Part of subcall function 000001E39FB48BAC: _lock.LIBCMT ref: 000001E39FB48BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB50782
messages.LIBCPMT ref: 000001E39FB50805
std::bad_exception::bad_exception.LIBCMT ref: 000001E39FB5081C
_CxxThrowException.LIBCMT ref: 000001E39FB5082D
std::_Facet_Register.LIBCPMT ref: 000001E39FB5084B

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID:
API String ID: 620047600-0
Opcode ID: 7cc497a77380ee9ed3c2c928d128c4cad0fcd30d51c5d3f05070fedc9749b0bd
Instruction ID: cac9fbe5e44d92b188d065fb064877e8c32f1627e1a84e76e01765bf6f6f88fe
Opcode Fuzzy Hash: 7cc497a77380ee9ed3c2c928d128c4cad0fcd30d51c5d3f05070fedc9749b0bd
Instruction Fuzzy Hash: 1C41A431109E498FE755EF28D488AFE73E1FBA9354F10061A9465C71A3DBB4DA81CB81

Function 000001E39FB48F74 Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB48F95

Part of subcall function 000001E39FB48BAC: _lock.LIBCMT ref: 000001E39FB48BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB48FBA
ctype.LIBCPMT ref: 000001E39FB4903D
std::bad_exception::bad_exception.LIBCMT ref: 000001E39FB49054
_CxxThrowException.LIBCMT ref: 000001E39FB49065
std::_Facet_Register.LIBCPMT ref: 000001E39FB49083

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockctypestd::bad_exception::bad_exception
String ID:
API String ID: 3320480354-0
Opcode ID: ac8da4e68497b6e33ad6b294c9a5cc016db34243099c128dedc5113e624588cf
Instruction ID: 629e25346322085885bb7d7250529a9dadc88a69c0d07480673098815a690076
Opcode Fuzzy Hash: ac8da4e68497b6e33ad6b294c9a5cc016db34243099c128dedc5113e624588cf
Instruction Fuzzy Hash: 8D41A230108E484FE795EF19D488AFA73E1FBA8354F10461A942AC32A3DF70DE81CB81

Function 000001E39FB4F69C Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB4F6BD

Part of subcall function 000001E39FB48BAC: _lock.LIBCMT ref: 000001E39FB48BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB4F6E2
collate.LIBCPMT ref: 000001E39FB4F765
std::bad_exception::bad_exception.LIBCMT ref: 000001E39FB4F77C
_CxxThrowException.LIBCMT ref: 000001E39FB4F78D
std::_Facet_Register.LIBCPMT ref: 000001E39FB4F7AB

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockcollatestd::bad_exception::bad_exception
String ID:
API String ID: 3240839640-0
Opcode ID: 3a4a181e59c721172dc463b7b24d81f07618d15fcfc0d0b84ccd0b258a6af7c2
Instruction ID: 212b1fca178c035eddb7eb34524f18a588900653ac786b3c9e5ea3b302fb5995
Opcode Fuzzy Hash: 3a4a181e59c721172dc463b7b24d81f07618d15fcfc0d0b84ccd0b258a6af7c2
Instruction Fuzzy Hash: 2A41C331618E484FE755EF18D5886FE33E1FB68358F10061AE525C31A3CBB4D981C781

Function 000001E39FB64EE8 Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB64F09

Part of subcall function 000001E39FB48BAC: _lock.LIBCMT ref: 000001E39FB48BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB64F2E
moneypunct.LIBCPMT ref: 000001E39FB64FB1
std::bad_exception::bad_exception.LIBCMT ref: 000001E39FB64FC8
_CxxThrowException.LIBCMT ref: 000001E39FB64FD9
std::_Facet_Register.LIBCPMT ref: 000001E39FB64FF7

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmoneypunctstd::bad_exception::bad_exception
String ID:
API String ID: 3809448442-0
Opcode ID: 8e53daf0cf3eb3dc316871336ff6c7f8367102b00b81160cfd78f9b718d2d828
Instruction ID: a0b24ca5a094667a04a1e3523d5da2093e68deea90e5cee0a7b84cb3d93d02d8
Opcode Fuzzy Hash: 8e53daf0cf3eb3dc316871336ff6c7f8367102b00b81160cfd78f9b718d2d828
Instruction Fuzzy Hash: 97416131518E488FEB55FF18D488ABA73E1FB68314F20056DA46AD31A3DB74E9C5CB81

Function 000001E39FB4FEEC Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB4FF0D

Part of subcall function 000001E39FB48BAC: _lock.LIBCMT ref: 000001E39FB48BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB4FF32
messages.LIBCPMT ref: 000001E39FB4FFB5
std::bad_exception::bad_exception.LIBCMT ref: 000001E39FB4FFCC
_CxxThrowException.LIBCMT ref: 000001E39FB4FFDD
std::_Facet_Register.LIBCPMT ref: 000001E39FB4FFFB

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID:
API String ID: 620047600-0
Opcode ID: 2b7e21ad93b706ad8219d7ae988ec98a48c25e03c0470851d55ba27f21d26565
Instruction ID: e6a4ff4659da3f39049c85fea416594766c6bd476ebb7cb8c8ccb4e186b25b7a
Opcode Fuzzy Hash: 2b7e21ad93b706ad8219d7ae988ec98a48c25e03c0470851d55ba27f21d26565
Instruction Fuzzy Hash: E141D630219E494FE755EF18D498AFE73E0FB68304F50062AA525C31A7CBB0DA81C781

Function 000001E39FB5060C Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB5062D

Part of subcall function 000001E39FB48BAC: _lock.LIBCMT ref: 000001E39FB48BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB50652
messages.LIBCPMT ref: 000001E39FB506D5
std::bad_exception::bad_exception.LIBCMT ref: 000001E39FB506EC
_CxxThrowException.LIBCMT ref: 000001E39FB506FD
std::_Facet_Register.LIBCPMT ref: 000001E39FB5071B

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID:
API String ID: 620047600-0
Opcode ID: a32bcdbd7a4cb4dfc0fa6fcbf62aecbf5d9f3b997f2cf0a477f8f907014e1f81
Instruction ID: e195fa593b1e4829f996c279b28b13d3a24596df62b41575c95e4910ae7b2dc5
Opcode Fuzzy Hash: a32bcdbd7a4cb4dfc0fa6fcbf62aecbf5d9f3b997f2cf0a477f8f907014e1f81
Instruction Fuzzy Hash: D941A571108E598FE755EF18D8886FE33E0FBA5354F10061AA465C32A3DFB4D981CB81

Function 000001E39FB48E44 Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB48E65

Part of subcall function 000001E39FB48BAC: _lock.LIBCMT ref: 000001E39FB48BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB48E8A
messages.LIBCPMT ref: 000001E39FB48F0D
std::bad_exception::bad_exception.LIBCMT ref: 000001E39FB48F24
_CxxThrowException.LIBCMT ref: 000001E39FB48F35
std::_Facet_Register.LIBCPMT ref: 000001E39FB48F53

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID:
API String ID: 620047600-0
Opcode ID: 4ced370cee893604592898b3239523f5f93543cc81e6483edbf32b837da03206
Instruction ID: 14e534ae97345b57e4c646f37d26634d3a356594f0d268833fe213f31d4c02d6
Opcode Fuzzy Hash: 4ced370cee893604592898b3239523f5f93543cc81e6483edbf32b837da03206
Instruction Fuzzy Hash: D541A731118E488FE755EF18D4886FE73E1FBA8354F10491A9469C32A3DF70DA95C781

Function 000001E39FB64DB8 Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB64DD9

Part of subcall function 000001E39FB48BAC: _lock.LIBCMT ref: 000001E39FB48BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB64DFE
moneypunct.LIBCPMT ref: 000001E39FB64E81
std::bad_exception::bad_exception.LIBCMT ref: 000001E39FB64E98
_CxxThrowException.LIBCMT ref: 000001E39FB64EA9
std::_Facet_Register.LIBCPMT ref: 000001E39FB64EC7

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmoneypunctstd::bad_exception::bad_exception
String ID:
API String ID: 3809448442-0
Opcode ID: ae327d2db070439c1c0d49b2585e1c384ae4971f0289f13c9f66755d90c69a8c
Instruction ID: c30875220c29ee5257fed3fbb9452097eaee78b2018893a2cc8e660e0027475a
Opcode Fuzzy Hash: ae327d2db070439c1c0d49b2585e1c384ae4971f0289f13c9f66755d90c69a8c
Instruction Fuzzy Hash: B5414231518E488FEB55FF18D488ABA73E1FB98314F20062DA46AD31A7DB74D985CB81

Function 000001E39FB4FDBC Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB4FDDD

Part of subcall function 000001E39FB48BAC: _lock.LIBCMT ref: 000001E39FB48BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB4FE02
messages.LIBCPMT ref: 000001E39FB4FE85
std::bad_exception::bad_exception.LIBCMT ref: 000001E39FB4FE9C
_CxxThrowException.LIBCMT ref: 000001E39FB4FEAD
std::_Facet_Register.LIBCPMT ref: 000001E39FB4FECB

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID:
API String ID: 620047600-0
Opcode ID: ea6ca55c775d0ccc4dd453c7f7005d0493a2785ec4fecb6ec9dba5e7c9d5e10a
Instruction ID: 94ff16f02c051e139423a3a3ebff1176213bda0b8d62996f8cf51a3ed19d5cb1
Opcode Fuzzy Hash: ea6ca55c775d0ccc4dd453c7f7005d0493a2785ec4fecb6ec9dba5e7c9d5e10a
Instruction Fuzzy Hash: 9D41A431658E498FF755EF28D588AFE33E0FBA8315F11061A952AC31A3DB70DA81C781

Function 000000018000702A Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 78COMMON

Download Yara Rule

APIs

_CxxThrowException.LIBCMT ref: 00000001800070C2
_CxxThrowException.LIBCMT ref: 00000001800070FB
_CxxThrowException.LIBCMT ref: 0000000180007133

Strings

ios_base::badbit set, xrefs: 0000000180007094
ios_base::failbit set, xrefs: 00000001800070D2
ios_base::eofbit set, xrefs: 0000000180007101

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: ExceptionThrow
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 432778473-1866435925
Opcode ID: 699b7d2228cff961f95bcc84e6e72b285b1e2d0b36deb1e7e2300fec3cbeab5f
Instruction ID: dfa8a448075bbfc6b28c82488b61fa1b389f2e2b11f37815cd1c202517538396
Opcode Fuzzy Hash: 699b7d2228cff961f95bcc84e6e72b285b1e2d0b36deb1e7e2300fec3cbeab5f
Instruction Fuzzy Hash: 0B315272614A8991EBA2DB18E4913D973A0F79C7C8F508522F68C53AA6DF3DC74EC740

Function 0000000180006C5A Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

_CxxThrowException.LIBCMT ref: 0000000180006CF2
_CxxThrowException.LIBCMT ref: 0000000180006D2B
_CxxThrowException.LIBCMT ref: 0000000180006D63

Strings

ios_base::badbit set, xrefs: 0000000180006CC4
ios_base::failbit set, xrefs: 0000000180006D02
ios_base::eofbit set, xrefs: 0000000180006D31

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: ExceptionThrow
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 432778473-1866435925
Opcode ID: c1bf02ce45ab6fee79512c4fb28b2e7da53ceb844cf42f62b2c87471bab989a1
Instruction ID: 550f9bc1cb9aa3d44aa237adf6378d9f0374be7e19af6188f2c51a58d4ea2558
Opcode Fuzzy Hash: c1bf02ce45ab6fee79512c4fb28b2e7da53ceb844cf42f62b2c87471bab989a1
Instruction Fuzzy Hash: 5B317C32614A8991EBA2CB14E4913D973A1F7887C4F508522FA8C53AAADF39C64EC740

Function 0000000180003E60 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 193COMMON

Download Yara Rule

APIs

fgetwc.LIBCMT ref: 0000000180003F1F

Strings

string too long, xrefs: 00000001800040FE, 000000018000410B

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: fgetwc
String ID: string too long
API String ID: 2948136663-2556327735
Opcode ID: 0cdb356713a80aaaeddf39a95bb224a33fcc27c976fe1ae9947d63c038f79dd6
Instruction ID: 0c42135304bc7002bcbce17c9f89000feb71c0cf079e54a2c2379f72fcdd2e3b
Opcode Fuzzy Hash: 0cdb356713a80aaaeddf39a95bb224a33fcc27c976fe1ae9947d63c038f79dd6
Instruction Fuzzy Hash: 93913873300A89D9EB62CF25C0903EC33A5F358798F918622EB1D47A99DF34CA68C314

Function 0000000180034034 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 106COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0000000180034066

Part of subcall function 000000018002F34C: _getptd.LIBCMT ref: 000000018002F362
Part of subcall function 000000018002F34C: __updatetlocinfo.LIBCMT ref: 000000018002F397
Part of subcall function 000000018002F34C: __updatetmbcinfo.LIBCMT ref: 000000018002F3BE

_malloc_crt.LIBCMT ref: 00000001800340B1
_invoke_watson.LIBCMT ref: 0000000180034199

Part of subcall function 0000000180035CD8: _call_reportfault.LIBCMT ref: 0000000180035D00

_invoke_watson.LIBCMT ref: 00000001800341AE

Strings

:, xrefs: 00000001800340CF

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: Locale_invoke_watson$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_call_reportfault_getptd_malloc_crt
String ID: :
API String ID: 1584724053-336475711
Opcode ID: 604a302fabdb042f4ebc9b27cedb385bdeaebfe8a2c90ea295b00d5b5a1e0000
Instruction ID: 6d0e94c2461dd84b0edd1b1838a9f5cfcbcc86ad0ff0a6976e9d1f2ec4836e13
Opcode Fuzzy Hash: 604a302fabdb042f4ebc9b27cedb385bdeaebfe8a2c90ea295b00d5b5a1e0000
Instruction Fuzzy Hash: 5C41D032320B4881EB46DF26A8053DE63A5FB88BC4F4AD025EF5D4B785DE38D616C304

Function 0000000180033EB4 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 106COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc_crt.LIBCMT ref: 0000000180033F31
_invoke_watson.LIBCMT ref: 0000000180034019

Part of subcall function 0000000180035CD8: _call_reportfault.LIBCMT ref: 0000000180035D00

_invoke_watson.LIBCMT ref: 000000018003402E
_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0000000180033EE6

Part of subcall function 000000018002F34C: _getptd.LIBCMT ref: 000000018002F362
Part of subcall function 000000018002F34C: __updatetlocinfo.LIBCMT ref: 000000018002F397
Part of subcall function 000000018002F34C: __updatetmbcinfo.LIBCMT ref: 000000018002F3BE

Strings

:, xrefs: 0000000180033F4F

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: Locale_invoke_watson$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_call_reportfault_getptd_malloc_crt
String ID: :
API String ID: 1584724053-336475711
Opcode ID: f6eab2cf8d0451a383fcd1094c8bc586515c01fa06371aa533fca521f759249e
Instruction ID: 3ed635f29bcd3bbc21113fbea3335e451753d90b531e1a175994c922d52f3f57
Opcode Fuzzy Hash: f6eab2cf8d0451a383fcd1094c8bc586515c01fa06371aa533fca521f759249e
Instruction Fuzzy Hash: 8441E03232074881EB46EF26A4453DE63A5FB49BC4F4AD025EF5D47785DE38D61AC304

Function 00000001800311AF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32 ref: 0000000180031203
_getptd.LIBCMT ref: 00000001800311B7

Part of subcall function 00000001800389F4: _getptd_noexit.LIBCMT ref: 00000001800389FA
Part of subcall function 00000001800389F4: _amsg_exit.LIBCMT ref: 0000000180038A0A

_getptd.LIBCMT ref: 0000000180031269
_getptd.LIBCMT ref: 0000000180031275

Strings

csm, xrefs: 0000000180031237

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: _getptd$ExceptionRaise_amsg_exit_getptd_noexit
String ID: csm
API String ID: 2951875022-1018135373
Opcode ID: 19bc60ab7c8d46f879a577fdbd2134b4bea23403eb8b854014e227e093e25ad5
Instruction ID: cbf58d6bb5dae3ded25f47af1c64b690f48564a0522dc2334fd63855ea109656
Opcode Fuzzy Hash: 19bc60ab7c8d46f879a577fdbd2134b4bea23403eb8b854014e227e093e25ad5
Instruction Fuzzy Hash: D52101362046888AE6B2DF56E0407EFB760F78DBA5F058216EF9943795CF38D689C701

Function 000001E39FB50D2C Relevance: 7.6, APIs: 5, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB50D4D

Part of subcall function 000001E39FB48BAC: _lock.LIBCMT ref: 000001E39FB48BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB50D72
std::bad_exception::bad_exception.LIBCMT ref: 000001E39FB50E0C
_CxxThrowException.LIBCMT ref: 000001E39FB50E1D
std::_Facet_Register.LIBCPMT ref: 000001E39FB50E3B

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockstd::bad_exception::bad_exception
String ID:
API String ID: 1776536810-0
Opcode ID: 8fdf513530068a902d25d78bae91176465b11ab45bf8a46f09239c48ad2af317
Instruction ID: 066659ff72527b190b3ea12591f8c059da91e0914fd80a70ce5709b6b9fc73f8
Opcode Fuzzy Hash: 8fdf513530068a902d25d78bae91176465b11ab45bf8a46f09239c48ad2af317
Instruction Fuzzy Hash: 1441A731608E594FE755EF18D4887FE73E1FB98354F10055A9865C31A3DB74D981CB41

Function 000001E39FB50BFC Relevance: 7.6, APIs: 5, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB50C1D

Part of subcall function 000001E39FB48BAC: _lock.LIBCMT ref: 000001E39FB48BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB50C42
std::bad_exception::bad_exception.LIBCMT ref: 000001E39FB50CDC
_CxxThrowException.LIBCMT ref: 000001E39FB50CED
std::_Facet_Register.LIBCPMT ref: 000001E39FB50D0B

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockstd::bad_exception::bad_exception
String ID:
API String ID: 1776536810-0
Opcode ID: e1f4d6eaef8a7574c47d1234b56451b731f0bac4a986ee248217b9bbbeb82756
Instruction ID: fb390bcd6b5cccd4f59652fffd70662a9b72cc2d248158d6c167b5f57f734596
Opcode Fuzzy Hash: e1f4d6eaef8a7574c47d1234b56451b731f0bac4a986ee248217b9bbbeb82756
Instruction Fuzzy Hash: BE41C571508E498FE755EF28D8886FE73E1FB95354F10051AA865C31A3DFB4E981CB81

Function 000001E39FB65148 Relevance: 7.6, APIs: 5, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB65169

Part of subcall function 000001E39FB48BAC: _lock.LIBCMT ref: 000001E39FB48BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB6518E
std::bad_exception::bad_exception.LIBCMT ref: 000001E39FB65228
_CxxThrowException.LIBCMT ref: 000001E39FB65239
std::_Facet_Register.LIBCPMT ref: 000001E39FB65257

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockstd::bad_exception::bad_exception
String ID:
API String ID: 1776536810-0
Opcode ID: 974ede7f30293504cfca69c6e9eedf048e91d7ff5cdced49d59fdf073cd3f58c
Instruction ID: 40a4493277b76942653cbd5c430ae7a8174a167b87841faeba1116688d62ab96
Opcode Fuzzy Hash: 974ede7f30293504cfca69c6e9eedf048e91d7ff5cdced49d59fdf073cd3f58c
Instruction Fuzzy Hash: 40416331508E484FEB55FF18D888ABA73E1FB98328F100619946AC31A7DB74DA95CB81

Function 000001E39FB65018 Relevance: 7.6, APIs: 5, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB65039

Part of subcall function 000001E39FB48BAC: _lock.LIBCMT ref: 000001E39FB48BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB6505E
std::bad_exception::bad_exception.LIBCMT ref: 000001E39FB650F8
_CxxThrowException.LIBCMT ref: 000001E39FB65109
std::_Facet_Register.LIBCPMT ref: 000001E39FB65127

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockstd::bad_exception::bad_exception
String ID:
API String ID: 1776536810-0
Opcode ID: 92af57e8867080ea5019b2b12003b9e7e07e7fa36929844691497215ad5e35da
Instruction ID: ef2db95ce6396f88b8276bafb156d39a246156966771662f223401fc56fa964b
Opcode Fuzzy Hash: 92af57e8867080ea5019b2b12003b9e7e07e7fa36929844691497215ad5e35da
Instruction Fuzzy Hash: 8241A231508E484FEB55FF28D488AFA33E1FBA8314F10061E946AD31A7DB74D991CB81

Function 000001E39FB50F8C Relevance: 7.6, APIs: 5, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB50FAD

Part of subcall function 000001E39FB48BAC: _lock.LIBCMT ref: 000001E39FB48BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB50FD2
std::bad_exception::bad_exception.LIBCMT ref: 000001E39FB5106C
_CxxThrowException.LIBCMT ref: 000001E39FB5107D
std::_Facet_Register.LIBCPMT ref: 000001E39FB5109B

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockstd::bad_exception::bad_exception
String ID:
API String ID: 1776536810-0
Opcode ID: 754921af7cdef96820ff9b3d4eef77f5c75193bf26e44bc3b8e02521ab34382a
Instruction ID: 027c690f756b8b72f65032718121600cfec8351170ef2603ffab105e0cce40f2
Opcode Fuzzy Hash: 754921af7cdef96820ff9b3d4eef77f5c75193bf26e44bc3b8e02521ab34382a
Instruction Fuzzy Hash: 6341B831518E888FE755EF18D488AFE73E0FB98354F14061A9465C31A3DBB4DE85CB81

Function 000001E39FB50E5C Relevance: 7.6, APIs: 5, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB50E7D

Part of subcall function 000001E39FB48BAC: _lock.LIBCMT ref: 000001E39FB48BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB50EA2
std::bad_exception::bad_exception.LIBCMT ref: 000001E39FB50F3C
_CxxThrowException.LIBCMT ref: 000001E39FB50F4D
std::_Facet_Register.LIBCPMT ref: 000001E39FB50F6B

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockstd::bad_exception::bad_exception
String ID:
API String ID: 1776536810-0
Opcode ID: f2baaf6b52b28d77f9878d948b49f01641329e4817bae3496f349ebe052f967c
Instruction ID: cb8faeb9d58df3a2ca45bdac6f298f91b35136f64c3f22fc852a3694e5a387cc
Opcode Fuzzy Hash: f2baaf6b52b28d77f9878d948b49f01641329e4817bae3496f349ebe052f967c
Instruction Fuzzy Hash: BE41A431508E498FE755EF18D4986FE73E0FB68354F10061A942AC31A3DBB4DA85CB81

Function 000001E39FB47914 Relevance: 7.6, APIs: 5, Instructions: 125COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB47935

Part of subcall function 000001E39FB48BAC: _lock.LIBCMT ref: 000001E39FB48BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB4795A
std::bad_exception::bad_exception.LIBCMT ref: 000001E39FB479F5
_CxxThrowException.LIBCMT ref: 000001E39FB47A06
std::_Facet_Register.LIBCPMT ref: 000001E39FB47A24

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockstd::bad_exception::bad_exception
String ID:
API String ID: 1776536810-0
Opcode ID: 91580c9e29cc5cfd3624ebbbe716160b4e59b82f650692f386e3f440ca4f80b6
Instruction ID: 066529f1701fda9c5a9a3133be4511f32e7658a90e1882f2b6fb7568c01f89c2
Opcode Fuzzy Hash: 91580c9e29cc5cfd3624ebbbe716160b4e59b82f650692f386e3f440ca4f80b6
Instruction Fuzzy Hash: 66419331118E594FEB55EF18D4886EA73E1FBA8314F20056A9876C32A3DB70DA85CB81

Function 000001E39FB48154 Relevance: 7.6, APIs: 5, Instructions: 125COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB48175

Part of subcall function 000001E39FB48BAC: _lock.LIBCMT ref: 000001E39FB48BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB4819A
std::bad_exception::bad_exception.LIBCMT ref: 000001E39FB48235
_CxxThrowException.LIBCMT ref: 000001E39FB48246
std::_Facet_Register.LIBCPMT ref: 000001E39FB48264

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockstd::bad_exception::bad_exception
String ID:
API String ID: 1776536810-0
Opcode ID: 92015b14bd73c83c1c959776a5be445e619632d57b53d4474fcc8a1895014d5d
Instruction ID: 007433972f7aeb2c92f04f755fe022dbb08a8216d0d336d652341b5812f9f1e1
Opcode Fuzzy Hash: 92015b14bd73c83c1c959776a5be445e619632d57b53d4474fcc8a1895014d5d
Instruction Fuzzy Hash: 0241A230108E488FE755EF18D5987FA73E1FBA8354F10056AA46AC32A3CF70DA91CB81

Function 0000000180038C3C Relevance: 7.6, APIs: 5, Instructions: 93COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0000000180038C9E
_isleadbyte_l.LIBCMT ref: 0000000180038CCE
MultiByteToWideChar.KERNEL32 ref: 0000000180038D0D
MultiByteToWideChar.KERNEL32 ref: 0000000180038D5B
_errno.LIBCMT ref: 0000000180038D65

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::__errno_isleadbyte_l
String ID:
API String ID: 2998201375-0
Opcode ID: ce750271998e25300b2e646f02fc7aaebec70d68116cdf7c58e233941e4e38ee
Instruction ID: 54a50374dbd1f0619f5f0edc3d7c0374764c2683045a736cdbb11a7d2bf11c8c
Opcode Fuzzy Hash: ce750271998e25300b2e646f02fc7aaebec70d68116cdf7c58e233941e4e38ee
Instruction Fuzzy Hash: D841E53221578486E7A38F15E1403AAB7A1FF99FC0F199165FB8857BD9CF38C6458700

Function 000000018002FC18 Relevance: 7.5, APIs: 5, Instructions: 25COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 000000018002FC25

Part of subcall function 00000001800389F4: _getptd_noexit.LIBCMT ref: 00000001800389FA
Part of subcall function 00000001800389F4: _amsg_exit.LIBCMT ref: 0000000180038A0A

_inconsistency.LIBCMT ref: 000000018002FC33

Part of subcall function 000000018003A450: DecodePointer.KERNEL32(?,?,?,?,000000018003A3FD,?,?,?,000000018002F87E), ref: 000000018003A45B

_getptd.LIBCMT ref: 000000018002FC38
_inconsistency.LIBCMT ref: 000000018002FC54
_getptd.LIBCMT ref: 000000018002FC64

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: _getptd$_inconsistency$DecodePointer_amsg_exit_getptd_noexit
String ID:
API String ID: 3669027769-0
Opcode ID: d84545b744132abf258f2739307021ab7867776e2950de2c885c0764620f8872
Instruction ID: 484109b601cdb60bdd28eb5de1a6cf464c0836e84c8d7e2c0ed591a5095a7b89
Opcode Fuzzy Hash: d84545b744132abf258f2739307021ab7867776e2950de2c885c0764620f8872
Instruction Fuzzy Hash: E5F0FE322086CCC1EAE7AB55D2413FD5350AB8DBC4F1DC171BB840738B9E20C6989315

Function 00000001800039C0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

string too long, xrefs: 0000000180003C53, 0000000180003C60

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID:
String ID: string too long
API String ID: 0-2556327735
Opcode ID: d80f9fc73ac2c0aa56d40fc8d5a718c0a56552a0bad6d3397c00ff315f2492a8
Instruction ID: 4d068781c1a08710b22694d90911747276d76f42a382d111b7b34a5d35fe3e91
Opcode Fuzzy Hash: d80f9fc73ac2c0aa56d40fc8d5a718c0a56552a0bad6d3397c00ff315f2492a8
Instruction Fuzzy Hash: CC919D72300B8899EB56CF66C0417EC33A5F319B98F818922EB5D67B99DF34CA59C310

Function 000000018002EF40 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 30COMMONLIBRARYCODE

Download Yara Rule

APIs

_callnewh.LIBCMT ref: 000000018002EF4E
malloc.LIBCMT ref: 000000018002EF5A

Part of subcall function 000000018002DA78: _FF_MSGBANNER.LIBCMT ref: 000000018002DAA8
Part of subcall function 000000018002DA78: _NMSG_WRITE.LIBCMT ref: 000000018002DAB2
Part of subcall function 000000018002DA78: HeapAlloc.KERNEL32(?,?,00000000,000000018002CDB6,?,?,00000001,000000018002CCA4,?,?,?,0000000180007B34), ref: 000000018002DACD
Part of subcall function 000000018002DA78: _callnewh.LIBCMT ref: 000000018002DAE6
Part of subcall function 000000018002DA78: _errno.LIBCMT ref: 000000018002DAF1
Part of subcall function 000000018002DA78: _errno.LIBCMT ref: 000000018002DAFC

_CxxThrowException.LIBCMT ref: 000000018002EFA3

Part of subcall function 000000018002F788: RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180007B51), ref: 000000018002F7F6
Part of subcall function 000000018002F788: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180007B51), ref: 000000018002F835

Strings

bad allocation, xrefs: 000000018002EF6A

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: Exception_callnewh_errno$AllocFileHeaderHeapRaiseThrowmalloc
String ID: bad allocation
API String ID: 1214304046-2104205924
Opcode ID: ea0ac8f3bb7f8806d4b7c1c7e9112d85322d3ada4e2ebcc9dbd9df240d32668a
Instruction ID: 7e3c26b24389a4ff061514f1b58813529ad7faafdd41edf364d414c0c6e08585
Opcode Fuzzy Hash: ea0ac8f3bb7f8806d4b7c1c7e9112d85322d3ada4e2ebcc9dbd9df240d32668a
Instruction Fuzzy Hash: F1F09AB1605B8E80EEA79B50A0417E95394E78D3C8F448025FA8D0B7A6EE39C34DCB00

Function 000001E39FB494F8 Relevance: 6.5, APIs: 4, Instructions: 479stringCOMMON

Download Yara Rule

APIs

strcspn.LIBCMT ref: 000001E39FB495A0
localeconv.LIBCMT ref: 000001E39FB495B3
strcspn.LIBCMT ref: 000001E39FB495C9
_Mpunct.LIBCPMT ref: 000001E39FB4969B

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: strcspn$Mpunctlocaleconv
String ID:
API String ID: 2882554788-0
Opcode ID: bcc6cb22bcc6662c5148917bc3b0070cd7f36023e4dfb007b0116752ec6da29b
Instruction ID: fd7a271d018cbbf6584a454247b939d2ca4e03d4d350a4b5df03c7329dfc95fd
Opcode Fuzzy Hash: bcc6cb22bcc6662c5148917bc3b0070cd7f36023e4dfb007b0116752ec6da29b
Instruction Fuzzy Hash: 0DF1C030A18E9C8FEB55EF68C5496EDB3F1EF58304F500159E89AD3283DB709A85CB81

Function 000001E39FB46704 Relevance: 6.5, APIs: 4, Instructions: 461COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 000001E39FB46A1F
_CxxThrowException.LIBCMT ref: 000001E39FB46A3A
std::exception::exception.LIBCMT ref: 000001E39FB46A9D
_CxxThrowException.LIBCMT ref: 000001E39FB46AB8

Part of subcall function 000001E39FB47414: std::_Xbad_alloc.LIBCPMT ref: 000001E39FB474A1

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: ExceptionThrowstd::exception::exception$Xbad_allocstd::_
String ID:
API String ID: 1519488521-0
Opcode ID: 6a8671919e32ba125cade8bebbf54ead894d3c5916fed936291344f9fc298fe1
Instruction ID: b0af9b7da6fe8cd695d8f594c103c7623814a5dd9083d3628827ca82cdc1db58
Opcode Fuzzy Hash: 6a8671919e32ba125cade8bebbf54ead894d3c5916fed936291344f9fc298fe1
Instruction Fuzzy Hash: 96E18F30518E9C8FEB54EF68C5986FDB7F1FB29308F50052AD416D3192DBB09A89CB81

Function 0000000180010C38 Relevance: 6.3, APIs: 4, Instructions: 332stringCOMMON

Download Yara Rule

APIs

strcspn.LIBCMT ref: 0000000180010CE1
localeconv.LIBCMT ref: 0000000180010CF3
strcspn.LIBCMT ref: 0000000180010D07
_Mpunct.LIBCPMT ref: 0000000180010DD8

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: strcspn$Mpunctlocaleconv
String ID:
API String ID: 2882554788-0
Opcode ID: 58ecd130f00b09f8bef17f7d97753f2651f40aaaca60dedd1df9ae10203089cb
Instruction ID: 98907bd55804cf440550a9984b5626c23124420e0867e0600be7f70ad20b48f8
Opcode Fuzzy Hash: 58ecd130f00b09f8bef17f7d97753f2651f40aaaca60dedd1df9ae10203089cb
Instruction Fuzzy Hash: DFE18E32B04E8889EB529F65C4413ED63B1FB4CB88F658115EE8D57B99DF78C64AC340

Function 00000001800107A4 Relevance: 6.3, APIs: 4, Instructions: 331stringCOMMON

Download Yara Rule

APIs

strcspn.LIBCMT ref: 000000018001084D
localeconv.LIBCMT ref: 000000018001085F
strcspn.LIBCMT ref: 0000000180010873
_Mpunct.LIBCPMT ref: 0000000180010944

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: strcspn$Mpunctlocaleconv
String ID:
API String ID: 2882554788-0
Opcode ID: 224329cea580c2bc9a473805bd80dcfbc8fe358384d0317fe36835c614ca270f
Instruction ID: 0755191b1818215e47aef75f24144b8be0e7d395005ccb8dbfd754ea295aee4c
Opcode Fuzzy Hash: 224329cea580c2bc9a473805bd80dcfbc8fe358384d0317fe36835c614ca270f
Instruction Fuzzy Hash: 44E18E32B04E8889FB529FA5C4513ED63B1FB58B88F648115EE8D57B99DF78C24AC340

Function 000001E39FB44E34 Relevance: 6.3, APIs: 4, Instructions: 316COMMON

Download Yara Rule

APIs

fgetwc.LIBCMT ref: 000001E39FB44EF3

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: fgetwc
String ID:
API String ID: 2948136663-0
Opcode ID: 3db69b43b33087f9728a2504ea2a3bd94983f958b461452a88f201f86a2a2501
Instruction ID: e40aeca4593e45131ee47029f26474c3bf353cb445dc105424f0591cb0adf88f
Opcode Fuzzy Hash: 3db69b43b33087f9728a2504ea2a3bd94983f958b461452a88f201f86a2a2501
Instruction Fuzzy Hash: 6DB15C30214E4DCFDB58EF28C599AED73E0FB68309F504269E81AD3592DB71EA54CB80

Function 0000000180008524 Relevance: 6.3, APIs: 4, Instructions: 302stringCOMMON

Download Yara Rule

APIs

strcspn.LIBCMT ref: 00000001800085CC
localeconv.LIBCMT ref: 00000001800085DF
strcspn.LIBCMT ref: 00000001800085F5
_Mpunct.LIBCPMT ref: 00000001800086C7

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: strcspn$Mpunctlocaleconv
String ID:
API String ID: 2882554788-0
Opcode ID: fce10359bc36b8c483969d2f07a480db227c72c73635d2d78eb5f884875fabf2
Instruction ID: 7cedfd9f43536d940008849a18cc50f9a484f0cb7e860469d92b1f85863b93e9
Opcode Fuzzy Hash: fce10359bc36b8c483969d2f07a480db227c72c73635d2d78eb5f884875fabf2
Instruction Fuzzy Hash: 9DD15B32B05A8889EB52CBB5D4503DD37B1F749BC8F949115EE8967B8ADF38C24AC740

Function 000001E39FB4DF28 Relevance: 6.1, APIs: 4, Instructions: 113COMMON

Download Yara Rule

APIs

_wfsopen.LIBCMT ref: 000001E39FB4DEBD
fclose.LIBCMT ref: 000001E39FB4DECA
_wfsopen.LIBCMT ref: 000001E39FB4DEDF
fseek.LIBCMT ref: 000001E39FB4DEF9

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: _wfsopen$fclosefseek
String ID:
API String ID: 1261181034-0
Opcode ID: 060668c88b56fe38f5c44a18ba7740774a474d3c0946bdb231730e3168279bf2
Instruction ID: 9209ac8917bad7b4fba17b221f56e6e18ce9fa4d23bc7605022ecbd39c50b3f3
Opcode Fuzzy Hash: 060668c88b56fe38f5c44a18ba7740774a474d3c0946bdb231730e3168279bf2
Instruction Fuzzy Hash: 3C312530254E8A4EEBE89F1CD98A7B932C1F79C308F14446C9CAAC32C3D760DD828740

Function 000001E39FB48294 Relevance: 6.1, APIs: 4, Instructions: 100COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000001E39FB482D3

Part of subcall function 000001E39FB48BAC: _lock.LIBCMT ref: 000001E39FB48BBE

std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 000001E39FB48310
free.LIBCMT ref: 000001E39FB48337
malloc.LIBCMT ref: 000001E39FB48356

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: AddfacLocimp::_Locimp_LockitLockit::__lockfreemallocstd::_std::locale::_
String ID:
API String ID: 2732429687-0
Opcode ID: 9338e4efca5c51ffab6ba31e7edec2782b071aaf483cef073fc2194b9753611b
Instruction ID: 865de24c9cb61eab737bdd2b49481bf1141aa816ca59a99222df1660f05a04fc
Opcode Fuzzy Hash: 9338e4efca5c51ffab6ba31e7edec2782b071aaf483cef073fc2194b9753611b
Instruction Fuzzy Hash: 2F31B430518E988FEB94EF1CD4987A9B7E0FB59314F14455EE859C32A6DBB0DD80CB81

Function 0000000180032F58 Relevance: 6.1, APIs: 4, Instructions: 96COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0000000180032F82

Part of subcall function 000000018002F34C: _getptd.LIBCMT ref: 000000018002F362
Part of subcall function 000000018002F34C: __updatetlocinfo.LIBCMT ref: 000000018002F397
Part of subcall function 000000018002F34C: __updatetmbcinfo.LIBCMT ref: 000000018002F3BE

_malloc_crt.LIBCMT ref: 0000000180032FC5
_invoke_watson.LIBCMT ref: 000000018003308A

Part of subcall function 0000000180035CD8: _call_reportfault.LIBCMT ref: 0000000180035D00

_invoke_watson.LIBCMT ref: 00000001800330A0

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: Locale_invoke_watson$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_call_reportfault_getptd_malloc_crt
String ID:
API String ID: 1584724053-0
Opcode ID: 3daca0f6dc92f9794fddbcc1cdaa0d0f178e51dead4e14673644e8c31eb13f91
Instruction ID: 60c5c1db5c3b6a439df75705f13e8ee1368a37c7c8ec72173617ca3056aafd03
Opcode Fuzzy Hash: 3daca0f6dc92f9794fddbcc1cdaa0d0f178e51dead4e14673644e8c31eb13f91
Instruction Fuzzy Hash: F231C57271064886EB57DB26941539E67A1E789FC4F05C135EF5D0BB9ACF38D2068304

Function 000000018000CF54 Relevance: 6.1, APIs: 4, Instructions: 75COMMONLIBRARYCODE

Download Yara Rule

APIs

_wfsopen.LIBCMT ref: 000000018000CEE9
fclose.LIBCMT ref: 000000018000CEF6
_wfsopen.LIBCMT ref: 000000018000CF0B
fseek.LIBCMT ref: 000000018000CF25

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: _wfsopen$fclosefseek
String ID:
API String ID: 1261181034-0
Opcode ID: 060668c88b56fe38f5c44a18ba7740774a474d3c0946bdb231730e3168279bf2
Instruction ID: ca7f0c424757e16301a012df31de7f28ede8ce03464d2c668ee3546fdfd8efa6
Opcode Fuzzy Hash: 060668c88b56fe38f5c44a18ba7740774a474d3c0946bdb231730e3168279bf2
Instruction Fuzzy Hash: 6921E5327216C885FBE6CB1AD441BE67691A78CBC4F19C134BE0943B95DE35C60A8341

Function 0000000180048310 Relevance: 6.1, APIs: 4, Instructions: 62stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0000000180048334

Part of subcall function 000000018002F34C: _getptd.LIBCMT ref: 000000018002F362
Part of subcall function 000000018002F34C: __updatetlocinfo.LIBCMT ref: 000000018002F397
Part of subcall function 000000018002F34C: __updatetmbcinfo.LIBCMT ref: 000000018002F3BE

_errno.LIBCMT ref: 0000000180048340

Part of subcall function 000000018002F2DC: _getptd_noexit.LIBCMT ref: 000000018002F2E0

_invalid_parameter_noinfo.LIBCMT ref: 000000018004834B
strchr.LIBCMT ref: 0000000180048361

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_getptd_noexit_invalid_parameter_noinfostrchr
String ID:
API String ID: 4151157258-0
Opcode ID: eb64e8c74a50022202f8ee626fe7dbe8f97126340f84a3ce38f6fe5f0cae3986
Instruction ID: 9616a423f97e3a452b980222ce2d2f9dcf0e870d32183e3c52a82e7da15984e5
Opcode Fuzzy Hash: eb64e8c74a50022202f8ee626fe7dbe8f97126340f84a3ce38f6fe5f0cae3986
Instruction Fuzzy Hash: D0213872204AAC40F7E75E1194D03FD66C0EB88FDAF1AC824FAC6076C5CD28C749A708

Function 00000001800072C0 Relevance: 6.1, APIs: 4, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00000001800072FF

Part of subcall function 0000000180007BD8: _lock.LIBCMT ref: 0000000180007BEA

std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 000000018000733C
free.LIBCMT ref: 0000000180007363
malloc.LIBCMT ref: 0000000180007382

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: AddfacLocimp::_Locimp_LockitLockit::__lockfreemallocstd::_std::locale::_
String ID:
API String ID: 2732429687-0
Opcode ID: 4c7c4e4cdeb69145b53e9993b344bfcc5c5a1a68407a660adf776166b3026ff4
Instruction ID: 76cda7fa5ebd9028eb80fcaf77cbf10d53a700b3cb3c5ee5f831434e332e8d90
Opcode Fuzzy Hash: 4c7c4e4cdeb69145b53e9993b344bfcc5c5a1a68407a660adf776166b3026ff4
Instruction Fuzzy Hash: 84213B71604A8881EBA2CF11E4403DAB3A0F7597E0F548216EB9D57BA6CF7CC6998740

Function 000001E39FB75008 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000001E39FB7503A

Part of subcall function 000001E39FB70320: _getptd.LIBCMT ref: 000001E39FB70336
Part of subcall function 000001E39FB70320: __updatetlocinfo.LIBCMT ref: 000001E39FB7036B
Part of subcall function 000001E39FB70320: __updatetmbcinfo.LIBCMT ref: 000001E39FB70392

_malloc_crt.LIBCMT ref: 000001E39FB75085

Strings

:, xrefs: 000001E39FB750A4

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_getptd_malloc_crt
String ID: :
API String ID: 875692556-336475711
Opcode ID: 87dcd81199e5c75fe6f4eb1ed4ca3c3cad752f6282d2ad23c1f32017a9299fd6
Instruction ID: 5e0db3aed240497f1da65bd56456ea7d19094947ef130686c50c22e13a1e1a0a
Opcode Fuzzy Hash: 87dcd81199e5c75fe6f4eb1ed4ca3c3cad752f6282d2ad23c1f32017a9299fd6
Instruction Fuzzy Hash: 3141C131228E4C4FDB58EF2CD8897B973D1FB98315F05426AE85AC3697DF60E9428681

Function 000001E39FB74E88 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc_crt.LIBCMT ref: 000001E39FB74F05
_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000001E39FB74EBA

Part of subcall function 000001E39FB70320: _getptd.LIBCMT ref: 000001E39FB70336
Part of subcall function 000001E39FB70320: __updatetlocinfo.LIBCMT ref: 000001E39FB7036B
Part of subcall function 000001E39FB70320: __updatetmbcinfo.LIBCMT ref: 000001E39FB70392

Strings

:, xrefs: 000001E39FB74F24

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_getptd_malloc_crt
String ID: :
API String ID: 875692556-336475711
Opcode ID: b6f76ccc677749e7e47c8f1fd9208b4adf8ad809ee0fda7590a67167e05195a0
Instruction ID: f8889d3bca8f788234e9f93935cb0c9a0975b106bd6f6ef6ef121ddcebc7e879
Opcode Fuzzy Hash: b6f76ccc677749e7e47c8f1fd9208b4adf8ad809ee0fda7590a67167e05195a0
Instruction Fuzzy Hash: 75410331228E4C8FDB58EF2CD8896F973D1FB98315F04426AE85AC7697DF60D9428781

Function 00000001800495E4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00000001800496A8

Strings

csm, xrefs: 0000000180049664
csm, xrefs: 000000018004960B

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: _getptd
String ID: csm$csm
API String ID: 3186804695-3733052814
Opcode ID: ce9d772766a9f3e407c5664677aefc26ffad84ba179c49f55fff2b9c6189d35d
Instruction ID: f7e595c495de74603a87214bb7ed729c6939f290df5d238fa3d8429b20b6b438
Opcode Fuzzy Hash: ce9d772766a9f3e407c5664677aefc26ffad84ba179c49f55fff2b9c6189d35d
Instruction Fuzzy Hash: 6031A773101B48CADBA18F66C0843993BB5F358B9DF8B5225FA4D1BB64CB75C984C788

Function 00000001800496D8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 000000018002FC18: _getptd.LIBCMT ref: 000000018002FC25
Part of subcall function 000000018002FC18: _inconsistency.LIBCMT ref: 000000018002FC33
Part of subcall function 000000018002FC18: _getptd.LIBCMT ref: 000000018002FC38
Part of subcall function 000000018002FC18: _inconsistency.LIBCMT ref: 000000018002FC54

_getptd.LIBCMT ref: 000000018004972B
_getptd.LIBCMT ref: 000000018004973E

Part of subcall function 000000018002FCA8: _getptd.LIBCMT ref: 000000018002FCB1

Strings

csm, xrefs: 00000001800496F8

Memory Dump Source

Source File: 00000000.00000002.1812129383.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000000.00000002.1812104507.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812160231.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812182525.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1812215985.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_180000000_loaddll64.jbxd

Similarity

API ID: _getptd$_inconsistency
String ID: csm
API String ID: 1773999731-1018135373
Opcode ID: 242ad1541a1665e7e88aaf19789ec1deda19dbf05a08f0dcd3087e0f0a85a81f
Instruction ID: 6596bc08887fd2df5714e5c2ca6ea54ff60e088d84c846dd7f248314ba4ebb2f
Opcode Fuzzy Hash: 242ad1541a1665e7e88aaf19789ec1deda19dbf05a08f0dcd3087e0f0a85a81f
Instruction Fuzzy Hash: 8D01A736115A4989DBA2AF71D4C17FD2394E7497C9F099171FE4946349DE20C6C9C340

Function 000001E39FB433C4 Relevance: 5.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

_CxxThrowException.LIBCMT ref: 000001E39FB43416
_CxxThrowException.LIBCMT ref: 000001E39FB43452
_CxxThrowException.LIBCMT ref: 000001E39FB4347A
_CxxThrowException.LIBCMT ref: 000001E39FB434A2

Memory Dump Source

Source File: 00000000.00000002.1844528245.000001E39FB40000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001E39FB40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1e39fb40000_loaddll64.jbxd

Similarity

API ID: ExceptionThrow
String ID:
API String ID: 432778473-0
Opcode ID: 34052b98ec5b6cb08a453d4da99d8fe8dbaf6c7a065dd0f46931283defdf51d4
Instruction ID: 780d2e77849eab1a35ff80e946efaabda5345b073a1a5fabcee824b65ef50f0a
Opcode Fuzzy Hash: 34052b98ec5b6cb08a453d4da99d8fe8dbaf6c7a065dd0f46931283defdf51d4
Instruction Fuzzy Hash: DF216031814F5C8EEF06EF54ED45AEEB3B4FB14308F280216D816D7552EB7497858B80

Analysis Process: rundll32.exePID: 7544, Parent PID: 7484COMMON

Execution Graph

Execution Coverage:	0.4%
Dynamic/Decrypted Code Coverage:	98%
Signature Coverage:	0%
Total number of Nodes:	196
Total number of Limit Nodes:	14

Executed Functions

Function 00007FFDFB4DA250 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 640
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 00007FFDFB4DA5C4

Strings

+=, xrefs: 00007FFDFB4DA2F5

Memory Dump Source

Source File: 00000003.00000002.2113809198.00007FFDFB4C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB4C0000, based on PE: true

Associated: 00000003.00000002.2113790917.00007FFDFB4C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB500000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB55C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB705000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB710000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114128379.00007FFDFB7B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114145066.00007FFDFB7B7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114160649.00007FFDFB7B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114178245.00007FFDFB7B9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114238689.00007FFDFB7FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdfb4c0000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID: +=
API String ID: 4275171209-1123256139
Opcode ID: 97e9a56a448ecaa7363e47874dce10fabfe0d6ccf1fb59d6a2af93f8f1d517d2
Instruction ID: df9ecca4cb31788c09a28a1ab4b240c3af0eb4e2a1555947da08d1917fe8af74
Opcode Fuzzy Hash: 97e9a56a448ecaa7363e47874dce10fabfe0d6ccf1fb59d6a2af93f8f1d517d2
Instruction Fuzzy Hash: 80C1BDE37613583AFD1B86A67E16FAD94029B52BF5C5093317D390ABCAF13C68CB8540

Function 00007FFDFB4DA3C0 Relevance: 1.6, APIs: 1, Instructions: 306
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 00007FFDFB4DA5C4

Memory Dump Source

Source File: 00000003.00000002.2113809198.00007FFDFB4C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB4C0000, based on PE: true

Associated: 00000003.00000002.2113790917.00007FFDFB4C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB500000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB55C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB705000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB710000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114128379.00007FFDFB7B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114145066.00007FFDFB7B7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114160649.00007FFDFB7B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114178245.00007FFDFB7B9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114238689.00007FFDFB7FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdfb4c0000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8cb194e6ffdbc4f4ebece6793a7d4bb003f80c8fce03c4cbf3f4b683e7597c4b
Instruction ID: 389feeaa012dc3922a08e29dc5e6084110eacfa6bf5b45f30e8ddc8a16230d29
Opcode Fuzzy Hash: 8cb194e6ffdbc4f4ebece6793a7d4bb003f80c8fce03c4cbf3f4b683e7597c4b
Instruction Fuzzy Hash: A751D2E3B713582AF91B86AA7D16FAD90029B52BF5C5493317D3906BCAF13C68CB8540

Function 00007FFDFB4DA4C0 Relevance: 1.4, APIs: 1, Instructions: 140
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 00007FFDFB4DA5C4

Memory Dump Source

Source File: 00000003.00000002.2113809198.00007FFDFB4C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB4C0000, based on PE: true

Associated: 00000003.00000002.2113790917.00007FFDFB4C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB500000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB55C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB705000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB710000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114128379.00007FFDFB7B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114145066.00007FFDFB7B7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114160649.00007FFDFB7B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114178245.00007FFDFB7B9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114238689.00007FFDFB7FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdfb4c0000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0d2d5d6dfa6f50465e0a3596790292fef24e24249b2b6cf750ec3e9fa2e6afe6
Instruction ID: 6a5f8257ce671462ed7a5e973fb7f74aa322d97e317348862fb750fc507a4fc4
Opcode Fuzzy Hash: 0d2d5d6dfa6f50465e0a3596790292fef24e24249b2b6cf750ec3e9fa2e6afe6
Instruction Fuzzy Hash: 6F2102E3B603183BF91B86BA3D12FBD50029B52BF5C50A3217D3916BC6E13C69CB8640

Function 00000001800026C0 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 269
stringCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000180002CB0: GetModuleFileNameW.KERNEL32 ref: 0000000180002CFC

GetModuleFileNameW.KERNEL32 ref: 000000018000276F
SHGetSpecialFolderPathW.SHELL32 ref: 0000000180002786
lstrcatW.KERNEL32 ref: 000000018000279A
lstrcatW.KERNEL32 ref: 00000001800027AE
lstrcatW.KERNEL32 ref: 00000001800027C2
lstrcatW.KERNEL32 ref: 00000001800027D6
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0000000180002B4F

Strings

\NTUSER.DAT.Not, xrefs: 000000018000278C
GfeXcodeFunc, xrefs: 0000000180002A43

Memory Dump Source

Source File: 00000003.00000002.2111793337.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000003.00000002.2111771674.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2111839127.000000018004A000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2111881134.0000000180060000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.2111934875.00000001800A3000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_180000000_rundll32.jbxd

Similarity

API ID: lstrcat$FileModuleName$FolderIos_base_dtorPathSpecialstd::ios_base::_
String ID: GfeXcodeFunc$\NTUSER.DAT.Not
API String ID: 2606783807-3673055099
Opcode ID: f4fb330f2fce6a57cdb251511d5a633e98aa520d2ba9185056906fd6c2a3254f
Instruction ID: 5b91f0b68c497ecbefdd096ad22c36a01d1dfa7b74f7b8fae1d4cb91b2026b10
Opcode Fuzzy Hash: f4fb330f2fce6a57cdb251511d5a633e98aa520d2ba9185056906fd6c2a3254f
Instruction Fuzzy Hash: 0EE15B32224B8989EBA1DF24D8943DD3761F7897C8F809126F64D47AA9DF74C64DC740

Function 000002B38D090B00 Relevance: 4.1, APIs: 3, Instructions: 371
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 000002B38D090C5E
VirtualAlloc.KERNELBASE ref: 000002B38D090CCC

Memory Dump Source

Source File: 00000003.00000002.2112900009.000002B38D090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B38D090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b38d090000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 7479d515978b8398c8f18a7fbb8c6ce0b9f2a044b6e8d29228c90f9ede51720f
Instruction ID: f2d5a00b8b1c250aa3a5811db242fff7769029337c7849836ce96621e71bf447
Opcode Fuzzy Hash: 7479d515978b8398c8f18a7fbb8c6ce0b9f2a044b6e8d29228c90f9ede51720f
Instruction Fuzzy Hash: 6BE11D70218B489FE794EF18C098B6AB7E1FB9C359F50495DF48AC72A1D774D981CB02

Function 00007FFDFB4DA5A0 Relevance: 1.3, APIs: 1, Instructions: 51
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 00007FFDFB4DA5C4

Memory Dump Source

Source File: 00000003.00000002.2113809198.00007FFDFB4C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB4C0000, based on PE: true

Associated: 00000003.00000002.2113790917.00007FFDFB4C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB500000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB55C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB705000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB710000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114128379.00007FFDFB7B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114145066.00007FFDFB7B7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114160649.00007FFDFB7B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114178245.00007FFDFB7B9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114238689.00007FFDFB7FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdfb4c0000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 17eed5974d73b5d85aa82098f38f35d8dd9d716a6e7e215ce0e9f7d452ed3bce
Instruction ID: 4f29dad2a492d62e1c88ec3c46989233f4dcf519ae0428be478fb385e7a8fcee
Opcode Fuzzy Hash: 17eed5974d73b5d85aa82098f38f35d8dd9d716a6e7e215ce0e9f7d452ed3bce
Instruction Fuzzy Hash: 7EF0A0E3B252543AFA038AA67C01FBE55211742BF4E1493313E3822BC5E43899CB8600

Non-executed Functions

Function 00007FFDFB4D1180 Relevance: 31.9, APIs: 5, Strings: 13, Instructions: 442COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFB4C9D50: SHCreateDirectoryExW.SHELL32 ref: 00007FFDFB5EDE55

FreeLibrary.KERNEL32 ref: 00007FFDFB5EF7B9

Strings

app_, xrefs: 00007FFDFB5EFB47
warning: skipping downloaded snippet due to lower version %d.%d.%d < %d.%d.%d, xrefs: 00007FFDFB5EF949
.dll, xrefs: 00007FFDFB5EF74A
app_%07llX, xrefs: 00007FFDFB5EF88F
C:\dvs\p4\build\sw\devrel\libdev\NGX\core\r1.2\source\api\nvsdk_ngx_common.cpp, xrefs: 00007FFDFB5EF95C, 00007FFDFB5EFADB, 00007FFDFB5EFDAF
%u.%u.%u, xrefs: 00007FFDFB5EFC9B
, xrefs: 00007FFDFB5EFB1A
\nvngx_, xrefs: 00007FFDFB5EF70E
%d.%d.%d, xrefs: 00007FFDFB5EF8F1
Fallback snippet '%S' missing or corrupted - last error %S, xrefs: 00007FFDFB5EFD9C
\nvngx_config.txt, xrefs: 00007FFDFB5EF85C
app %llX feature %S snippet: %S, xrefs: 00007FFDFB5EFAC8
NGXSecureLoadFeature, xrefs: 00007FFDFB5EF950, 00007FFDFB5EFACF, 00007FFDFB5EFDA3

Memory Dump Source

Source File: 00000003.00000002.2113809198.00007FFDFB4C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB4C0000, based on PE: true

Associated: 00000003.00000002.2113790917.00007FFDFB4C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB500000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB55C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB705000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB710000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114128379.00007FFDFB7B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114145066.00007FFDFB7B7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114160649.00007FFDFB7B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114178245.00007FFDFB7B9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114238689.00007FFDFB7FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdfb4c0000_rundll32.jbxd

Similarity

API ID: CreateDirectoryFreeLibrary
String ID: $%d.%d.%d$%u.%u.%u$.dll$C:\dvs\p4\build\sw\devrel\libdev\NGX\core\r1.2\source\api\nvsdk_ngx_common.cpp$Fallback snippet '%S' missing or corrupted - last error %S$NGXSecureLoadFeature$\nvngx_$\nvngx_config.txt$app %llX feature %S snippet: %S$app_$app_%07llX$warning: skipping downloaded snippet due to lower version %d.%d.%d < %d.%d.%d
API String ID: 3196203574-130269148
Opcode ID: e9f055d2c8ab49e8c2135653ee8cf23de3578d4b003e5cf818e5647b115275bf
Instruction ID: c436120d26f5fd57c278918aef9f7da6958578aed7f52492490bb1a40002cc13
Opcode Fuzzy Hash: e9f055d2c8ab49e8c2135653ee8cf23de3578d4b003e5cf818e5647b115275bf
Instruction Fuzzy Hash: 5C227C3270AB8686EB11DF21E860AAA77A5FB44788F544032DA6D07BF9DF3CE545C740

Function 00007FFDFB5E1410 Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 170memorylibraryloaderCOMMON

Download Yara Rule

APIs

VerSetConditionMask.KERNEL32 ref: 00007FFDFB5E1470
VerSetConditionMask.KERNEL32 ref: 00007FFDFB5E1480
VerSetConditionMask.KERNEL32 ref: 00007FFDFB5E1490
VerifyVersionInfoW.KERNEL32 ref: 00007FFDFB5E14CA
GetFullPathNameW.KERNEL32 ref: 00007FFDFB5E1510
LocalAlloc.KERNEL32 ref: 00007FFDFB5E152A
GetFullPathNameW.KERNEL32 ref: 00007FFDFB5E1547
GetProcAddress.KERNEL32 ref: 00007FFDFB5E15A2
LocalAlloc.KERNEL32 ref: 00007FFDFB5E1606
LocalFree.KERNEL32 ref: 00007FFDFB5E1679

Part of subcall function 00007FFDFB5E1A50: VerSetConditionMask.KERNEL32 ref: 00007FFDFB5E1A9C
Part of subcall function 00007FFDFB5E1A50: VerifyVersionInfoW.KERNEL32 ref: 00007FFDFB5E1AC7

LocalFree.KERNEL32 ref: 00007FFDFB5E169F
LocalFree.KERNEL32 ref: 00007FFDFB5E16A8

Strings

Shell32.dll, xrefs: 00007FFDFB5E1580
SHGetFolderPathW, xrefs: 00007FFDFB5E1598
*, xrefs: 00007FFDFB5E145A
&, xrefs: 00007FFDFB5E1446
$, xrefs: 00007FFDFB5E143B

Memory Dump Source

Source File: 00000003.00000002.2113809198.00007FFDFB55C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB4C0000, based on PE: true

Associated: 00000003.00000002.2113790917.00007FFDFB4C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB4C1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB500000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB705000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB710000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114128379.00007FFDFB7B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114145066.00007FFDFB7B7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114160649.00007FFDFB7B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114178245.00007FFDFB7B9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114238689.00007FFDFB7FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdfb4c0000_rundll32.jbxd

Similarity

API ID: Local$ConditionMask$Free$AllocFullInfoNamePathVerifyVersion$AddressProc
String ID: $$&$*$SHGetFolderPathW$Shell32.dll
API String ID: 4287201591-2843092907
Opcode ID: 0d21c32348157cc0ab237aa4f896f8d6952255a1767e61a319935305476e1cf3
Instruction ID: fa9e2a539a4ad51702e1a8ebfb9c8fdfd8fa778eb07076536bc1ad3757c1c925
Opcode Fuzzy Hash: 0d21c32348157cc0ab237aa4f896f8d6952255a1767e61a319935305476e1cf3
Instruction Fuzzy Hash: B971AE65B0A78382EB55CB21A964AB977A1BF45B90F448134C93E47BFDEF3CE4058B40

Function 00007FFDFB4D5890 Relevance: 23.0, APIs: 8, Strings: 5, Instructions: 220COMMON

Download Yara Rule

APIs

CreateEventW.KERNEL32 ref: 00007FFDFB5AFB08
GetLastError.KERNEL32 ref: 00007FFDFB5AFB1A

Strings

CNvVideoTranscode::InitializeForTranscode, xrefs: 00007FFDFB5AFB27
%s: Not able to create done event, error - %x, xrefs: 00007FFDFB5AFB20
%s: Not able to create communication event, error - %x, xrefs: 00007FFDFB5AFB78
%s: Not able to create pending event, error - %x, xrefs: 00007FFDFB5AFBDB
%s: Not able to create initialize event, error - %x, xrefs: 00007FFDFB5AFBA8

Memory Dump Source

Source File: 00000003.00000002.2113809198.00007FFDFB4C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB4C0000, based on PE: true

Associated: 00000003.00000002.2113790917.00007FFDFB4C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB500000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB55C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB705000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB710000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114128379.00007FFDFB7B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114145066.00007FFDFB7B7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114160649.00007FFDFB7B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114178245.00007FFDFB7B9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114238689.00007FFDFB7FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdfb4c0000_rundll32.jbxd

Similarity

API ID: CreateErrorEventLast
String ID: %s: Not able to create communication event, error - %x$%s: Not able to create done event, error - %x$%s: Not able to create initialize event, error - %x$%s: Not able to create pending event, error - %x$CNvVideoTranscode::InitializeForTranscode
API String ID: 545576003-2512211399
Opcode ID: 0d6106a9cdd94714d348079f01c4fa2d53b6e87335efbfb1ddaa6cc34244b657
Instruction ID: da7607da86795df01676b1b70fabaafe0dbc2a08168a6059723cbae2a7f34d52
Opcode Fuzzy Hash: 0d6106a9cdd94714d348079f01c4fa2d53b6e87335efbfb1ddaa6cc34244b657
Instruction Fuzzy Hash: D5B10722B0AB4396EB65CF64E8A0AAC3375FF44748F404135DA6E567E9EE3CE505C344

Function 00007FFDFB4C3260 Relevance: 10.7, APIs: 7, Instructions: 172COMMON

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32 ref: 00007FFDFB6F130B
GetUserDefaultLCID.KERNEL32 ref: 00007FFDFB6F1324
ProcessCodePage.LIBCMT ref: 00007FFDFB6F134E
IsValidCodePage.KERNEL32 ref: 00007FFDFB6F1360
IsValidLocale.KERNEL32 ref: 00007FFDFB6F1376
GetLocaleInfoW.KERNEL32 ref: 00007FFDFB6F13D2
GetLocaleInfoW.KERNEL32 ref: 00007FFDFB6F13EE

Memory Dump Source

Source File: 00000003.00000002.2113809198.00007FFDFB4C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB4C0000, based on PE: true

Associated: 00000003.00000002.2113790917.00007FFDFB4C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB500000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB55C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB705000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB710000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114128379.00007FFDFB7B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114145066.00007FFDFB7B7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114160649.00007FFDFB7B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114178245.00007FFDFB7B9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114238689.00007FFDFB7FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdfb4c0000_rundll32.jbxd

Similarity

API ID: Locale$CodeInfoPageValid$DefaultEnumLocalesProcessSystemUser
String ID:
API String ID: 2191266518-0
Opcode ID: 7161c4c073c619cc4f129a55f6de4c8bf5d416bdf22814918288a3d7024a389d
Instruction ID: 12b776627a1abf25d244b6ae3e509cf9b6e743b39c5a4c653dbb8ce52f5f91e4
Opcode Fuzzy Hash: 7161c4c073c619cc4f129a55f6de4c8bf5d416bdf22814918288a3d7024a389d
Instruction Fuzzy Hash: 4C717D22F1A78389FB519F60D860ABD3AA0BF45B88F444135CA2D5B6F9EF3CA445C350

Function 00007FFDFB4CD230 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32 ref: 00007FFDFB53F972

Memory Dump Source

Source File: 00000003.00000002.2113809198.00007FFDFB4C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB4C0000, based on PE: true

Associated: 00000003.00000002.2113790917.00007FFDFB4C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB500000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB55C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB705000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB710000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114128379.00007FFDFB7B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114145066.00007FFDFB7B7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114160649.00007FFDFB7B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114178245.00007FFDFB7B9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114238689.00007FFDFB7FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdfb4c0000_rundll32.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 692cdf69a8af2ca06fa06deacd1959d792d6a01867b2755f0af50de4269ff097
Instruction ID: 00a8980064dd59793a605c99b4ad2e9daa75030757e27433c7fcc4d5d569d1f7
Opcode Fuzzy Hash: 692cdf69a8af2ca06fa06deacd1959d792d6a01867b2755f0af50de4269ff097
Instruction Fuzzy Hash: A5C01266F095C783D7216718D8A146A3220FF80709F500030E55E417F9CD1CE5144F40

Function 00007FFDFB4CD290 Relevance: 36.9, APIs: 6, Strings: 15, Instructions: 182libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FFDFB5EFFFC
GetProcAddress.KERNEL32 ref: 00007FFDFB5F0035
GetProcAddress.KERNEL32 ref: 00007FFDFB5F006F
GetProcAddress.KERNEL32 ref: 00007FFDFB5F0082
GetProcAddress.KERNEL32 ref: 00007FFDFB5F0095
GetProcAddress.KERNEL32 ref: 00007FFDFB5F00A8

Strings

NVSDK_NGX_GetGPUArchitecture, xrefs: 00007FFDFB5F0050
NVSDK_NGX_GetSnippetVersion, xrefs: 00007FFDFB5F0078
NGXValidateSnippet, xrefs: 00007FFDFB5F0018, 00007FFDFB5F00E2, 00007FFDFB5F0113, 00007FFDFB5F01A9, 00007FFDFB5F01E4, 00007FFDFB5F0277, 00007FFDFB5F02A7
error: snippet is using newer driver %d.%d > %d.%d, xrefs: 00007FFDFB5F0199
Snippet v%d.%d.%d Embedded app Id %07llX (%llu), xrefs: 00007FFDFB5F0283
NVSDK_NGX_GetAPIVersion, xrefs: 00007FFDFB5F009E
error: snippet is using newer GPU arch %X > %X, xrefs: 00007FFDFB5F0129
error: failed to map functions in snippet %llX %llX %llX %llX %llX, xrefs: 00007FFDFB5F029B
C:\dvs\p4\build\sw\devrel\libdev\NGX\core\r1.2\source\api\nvsdk_ngx_common.cpp, xrefs: 00007FFDFB5F001F, 00007FFDFB5F00F6, 00007FFDFB5F011A, 00007FFDFB5F01BD, 00007FFDFB5F01F8, 00007FFDFB5F0262, 00007FFDFB5F02B3
API 0x%X Snippet 0x%X, xrefs: 00007FFDFB5F00DB
NVSDK_NGX_GetApplicationId, xrefs: 00007FFDFB5F002E
GPU architecture 0x%X Snippet 0x%X, xrefs: 00007FFDFB5F014C
Validating snippet %s, xrefs: 00007FFDFB5F000C
Driver %d.%d Snippet expects at least %d.%d, xrefs: 00007FFDFB5F01D9
NVSDK_NGX_GetDriverVersion, xrefs: 00007FFDFB5F008B

Memory Dump Source

Source File: 00000003.00000002.2113809198.00007FFDFB4C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB4C0000, based on PE: true

Associated: 00000003.00000002.2113790917.00007FFDFB4C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB500000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB55C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB705000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB710000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114128379.00007FFDFB7B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114145066.00007FFDFB7B7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114160649.00007FFDFB7B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114178245.00007FFDFB7B9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114238689.00007FFDFB7FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdfb4c0000_rundll32.jbxd

Similarity

API ID: AddressProc$FileModuleName
String ID: API 0x%X Snippet 0x%X$C:\dvs\p4\build\sw\devrel\libdev\NGX\core\r1.2\source\api\nvsdk_ngx_common.cpp$Driver %d.%d Snippet expects at least %d.%d$GPU architecture 0x%X Snippet 0x%X$NGXValidateSnippet$NVSDK_NGX_GetAPIVersion$NVSDK_NGX_GetApplicationId$NVSDK_NGX_GetDriverVersion$NVSDK_NGX_GetGPUArchitecture$NVSDK_NGX_GetSnippetVersion$Snippet v%d.%d.%d Embedded app Id %07llX (%llu)$Validating snippet %s$error: failed to map functions in snippet %llX %llX %llX %llX %llX$error: snippet is using newer GPU arch %X > %X$error: snippet is using newer driver %d.%d > %d.%d
API String ID: 3859505661-3432153555
Opcode ID: ebab20289175742657cb254453a1aac9461496721fed0af0875b94e90ca3d93f
Instruction ID: 16c3ecb0b7bab6182503903336b40c8ae6cae3dc8c5c7ba119dcf3ec2c3b41c5
Opcode Fuzzy Hash: ebab20289175742657cb254453a1aac9461496721fed0af0875b94e90ca3d93f
Instruction Fuzzy Hash: 24915B71B0AB8796E711CF10E860AAA77A0FB84784F584036E96E47BB8DF3CE5458744

Function 00007FFDFB4C5EC0 Relevance: 31.8, APIs: 7, Strings: 11, Instructions: 305libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FFDFB5E888E
GetProcAddress.KERNEL32 ref: 00007FFDFB5E88A5
GetProcAddress.KERNEL32 ref: 00007FFDFB5E88BC
GetProcAddress.KERNEL32 ref: 00007FFDFB5E88D3
GetProcAddress.KERNEL32 ref: 00007FFDFB5E88EA
GetProcAddress.KERNEL32 ref: 00007FFDFB5E8901
GetProcAddress.KERNEL32 ref: 00007FFDFB5E8918

Strings

C:\dvs\p4\build\sw\devrel\libdev\NGX\core\r1.2\source\api\nvsdk_ngx_cuda_lib.cpp, xrefs: 00007FFDFB5E89C4
CUDA Error At Line : , xrefs: 00007FFDFB5E89AB
: , xrefs: 00007FFDFB5E89EF
NVSDK_NGX_CUDA_GetParameters, xrefs: 00007FFDFB5E88AB
NVSDK_NGX_CUDA_CreateFeature, xrefs: 00007FFDFB5E88D9
NVSDK_NGX_CUDA_GetScratchBufferSize, xrefs: 00007FFDFB5E88C2
NVSDK_NGX_CUDA_EvaluateFeature, xrefs: 00007FFDFB5E88F0
NVSDK_NGX_CUDA_Init, xrefs: 00007FFDFB5E8884
NVSDK_NGX_CUDA_Shutdown, xrefs: 00007FFDFB5E8894
NVSDK_NGX_CUDA_ReleaseFeature, xrefs: 00007FFDFB5E8907
/nvsdk_ngx.log, xrefs: 00007FFDFB5E87C8

Memory Dump Source

Source File: 00000003.00000002.2113809198.00007FFDFB4C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB4C0000, based on PE: true

Associated: 00000003.00000002.2113790917.00007FFDFB4C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB500000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB55C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB705000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB710000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114128379.00007FFDFB7B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114145066.00007FFDFB7B7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114160649.00007FFDFB7B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114178245.00007FFDFB7B9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114238689.00007FFDFB7FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdfb4c0000_rundll32.jbxd

Similarity

API ID: AddressProc
String ID: : $/nvsdk_ngx.log$C:\dvs\p4\build\sw\devrel\libdev\NGX\core\r1.2\source\api\nvsdk_ngx_cuda_lib.cpp$CUDA Error At Line : $NVSDK_NGX_CUDA_CreateFeature$NVSDK_NGX_CUDA_EvaluateFeature$NVSDK_NGX_CUDA_GetParameters$NVSDK_NGX_CUDA_GetScratchBufferSize$NVSDK_NGX_CUDA_Init$NVSDK_NGX_CUDA_ReleaseFeature$NVSDK_NGX_CUDA_Shutdown
API String ID: 190572456-1838268342
Opcode ID: 80f8c14052652433341928b27793310e1be3c036478b4425c63c4efd2ad57d16
Instruction ID: 2d27e416fee415b6f310d7ca2688e22b7376ebb7db1bdc7ece273db0422ceb6a
Opcode Fuzzy Hash: 80f8c14052652433341928b27793310e1be3c036478b4425c63c4efd2ad57d16
Instruction Fuzzy Hash: DF712624B0EB4381EB159B15B820BBA73A1BF48B84F185135D96D477FEEF2CE4848B44

Function 00007FFDFB5DF440 Relevance: 30.0, APIs: 11, Strings: 6, Instructions: 226librarymemoryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FFDFB5DF4CA
GetProcAddress.KERNEL32 ref: 00007FFDFB5DF4FA
GetProcAddress.KERNEL32 ref: 00007FFDFB5DF535
LocalAlloc.KERNEL32 ref: 00007FFDFB5DF57A
LocalFree.KERNEL32 ref: 00007FFDFB5DF5AA
LocalAlloc.KERNEL32 ref: 00007FFDFB5DF5DC
LocalAlloc.KERNEL32 ref: 00007FFDFB5DF6C6
LocalFree.KERNEL32 ref: 00007FFDFB5DF79E
LocalFree.KERNEL32 ref: 00007FFDFB5DF7B7
LocalFree.KERNEL32 ref: 00007FFDFB5DF7C0
LocalFree.KERNEL32 ref: 00007FFDFB5DF7C9

Part of subcall function 00007FFDFB5E1A50: VerSetConditionMask.KERNEL32 ref: 00007FFDFB5E1A9C
Part of subcall function 00007FFDFB5E1A50: VerifyVersionInfoW.KERNEL32 ref: 00007FFDFB5E1AC7

Strings

gdi32.dll, xrefs: 00007FFDFB5DF49B
D3DKMTQueryAdapterInfo, xrefs: 00007FFDFB5DF4F0
D3DKMTEnumAdapters3, xrefs: 00007FFDFB5DF52B
NVDA, xrefs: 00007FFDFB5DF687
\SystemRoot\system32\, xrefs: 00007FFDFB5DF758
D3DKMTEnumAdapters2, xrefs: 00007FFDFB5DF4C0

Memory Dump Source

Source File: 00000003.00000002.2113809198.00007FFDFB55C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB4C0000, based on PE: true

Associated: 00000003.00000002.2113790917.00007FFDFB4C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB4C1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB500000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB705000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB710000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114128379.00007FFDFB7B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114145066.00007FFDFB7B7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114160649.00007FFDFB7B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114178245.00007FFDFB7B9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114238689.00007FFDFB7FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdfb4c0000_rundll32.jbxd

Similarity

API ID: Local$Free$AddressAllocProc$ConditionInfoMaskVerifyVersion
String ID: D3DKMTEnumAdapters2$D3DKMTEnumAdapters3$D3DKMTQueryAdapterInfo$NVDA$\SystemRoot\system32\$gdi32.dll
API String ID: 698622721-2155789793
Opcode ID: d4a589c3a0a5bf55228324b5aad85beed0ea77cbd582812984007bf09c3c7f7e
Instruction ID: c2fccfc7c87c66aab831c7af665211a96478a9077f9c11652ec8ac06ea5be9dc
Opcode Fuzzy Hash: d4a589c3a0a5bf55228324b5aad85beed0ea77cbd582812984007bf09c3c7f7e
Instruction Fuzzy Hash: DBA15725B0AB8389EB55CF65A860AB837A1BF48788F448135CA2D437BDEF3CE504C754

Function 00007FFDFB4C5430 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 136libraryloaderCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FFDFB5F4CD3
SetLastError.KERNEL32 ref: 00007FFDFB5F4CE3
LoadLibraryExW.KERNEL32 ref: 00007FFDFB5F4D2B
LocalFree.KERNEL32 ref: 00007FFDFB5F4D37
GetProcAddress.KERNEL32 ref: 00007FFDFB5F4D5C
GetProcAddress.KERNEL32 ref: 00007FFDFB5F4D88

Strings

, xrefs: 00007FFDFB5F4CAD
SetupDiGetDeviceRegistryPropertyW, xrefs: 00007FFDFB5F4D52
SetupDiDestroyDeviceInfoList, xrefs: 00007FFDFB5F4D7E
SYSTEM\CurrentControlSet\Control\Class\, xrefs: 00007FFDFB5F4E4B
Setupapi.dll, xrefs: 00007FFDFB5F4D0C

Memory Dump Source

Source File: 00000003.00000002.2113809198.00007FFDFB4C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB4C0000, based on PE: true

Associated: 00000003.00000002.2113790917.00007FFDFB4C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB500000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB55C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB705000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB710000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114128379.00007FFDFB7B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114145066.00007FFDFB7B7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114160649.00007FFDFB7B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114178245.00007FFDFB7B9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114238689.00007FFDFB7FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdfb4c0000_rundll32.jbxd

Similarity

API ID: AddressErrorLastProc$FreeLibraryLoadLocal
String ID: $SYSTEM\CurrentControlSet\Control\Class\$SetupDiDestroyDeviceInfoList$SetupDiGetDeviceRegistryPropertyW$Setupapi.dll
API String ID: 3750011226-2686055259
Opcode ID: 1dd6ce100cb580621a57aaa50faa47175d63362c2ce38f709ce9a83d8e805fc4
Instruction ID: 9663e85ec99c33e5f0bf6e080381a4bba6d0158d4cd7549e090a64e0d1b310bc
Opcode Fuzzy Hash: 1dd6ce100cb580621a57aaa50faa47175d63362c2ce38f709ce9a83d8e805fc4
Instruction Fuzzy Hash: 46512025B0EB8386FB559F11B860A76B7A1BF88780F084035DA6D47BBDDF3CE4058A44

Function 000002B38D0BFF14 Relevance: 24.2, APIs: 16, Instructions: 157COMMONLIBRARYCODE

Download Yara Rule

APIs

_callnewh.LIBCMT ref: 000002B38D0BFF22
malloc.LIBCMT ref: 000002B38D0BFF2E

Part of subcall function 000002B38D0BEA4C: _FF_MSGBANNER.LIBCMT ref: 000002B38D0BEA7C
Part of subcall function 000002B38D0BEA4C: _NMSG_WRITE.LIBCMT ref: 000002B38D0BEA86
Part of subcall function 000002B38D0BEA4C: _callnewh.LIBCMT ref: 000002B38D0BEABA
Part of subcall function 000002B38D0BEA4C: _errno.LIBCMT ref: 000002B38D0BEAC5
Part of subcall function 000002B38D0BEA4C: _errno.LIBCMT ref: 000002B38D0BEAD0

_CxxThrowException.LIBCMT ref: 000002B38D0BFF77
_heap_init.LIBCMT ref: 000002B38D0BFF92
_mtinit.LIBCMT ref: 000002B38D0BFFA2
_RTC_Initialize.LIBCMT ref: 000002B38D0BFFB2
__crtGetEnvironmentStringsA.LIBCMT ref: 000002B38D0BFFC4

Part of subcall function 000002B38D0CA8C4: _malloc_crt.LIBCMT ref: 000002B38D0CA944
Part of subcall function 000002B38D0CA8C4: free.LIBCMT ref: 000002B38D0CA97C

_ioinit.LIBCMT ref: 000002B38D0BFFD0

Part of subcall function 000002B38D0C73B0: _lock.LIBCMT ref: 000002B38D0C73DA
Part of subcall function 000002B38D0C73B0: _calloc_crt.LIBCMT ref: 000002B38D0C73EE

_setenvp.LIBCMT ref: 000002B38D0BFFE9
_cinit.LIBCMT ref: 000002B38D0BFFF4
_ioterm.LIBCMT ref: 000002B38D0C0008

Part of subcall function 000002B38D0C76E0: free.LIBCMT ref: 000002B38D0C7731

_ioterm.LIBCMT ref: 000002B38D0C0040
_calloc_crt.LIBCMT ref: 000002B38D0C0082

Part of subcall function 000002B38D0C2ABC: _calloc_impl.LIBCMT ref: 000002B38D0C2AEA

_initptd.LIBCMT ref: 000002B38D0C00AA
free.LIBCMT ref: 000002B38D0C00BE

Part of subcall function 000002B38D0BE5C8: _errno.LIBCMT ref: 000002B38D0BE5E8

_freeptd.LIBCMT ref: 000002B38D0C00CF

Memory Dump Source

Source File: 00000003.00000002.2112900009.000002B38D090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B38D090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b38d090000_rundll32.jbxd

Similarity

API ID: _errnofree$_callnewh_calloc_crt_ioterm$EnvironmentExceptionInitializeStringsThrow__crt_calloc_impl_cinit_freeptd_heap_init_initptd_ioinit_lock_malloc_crt_mtinit_setenvpmalloc
String ID:
API String ID: 712202392-0
Opcode ID: f606bec95c8351cef9193d2c7a4d89ca438d0247e1a5451a6bfea034d3d10262
Instruction ID: b5631282fb04f35ff2f9e915064bf18ef1422fdb0fff53216940cdc4c2aaa3d0
Opcode Fuzzy Hash: f606bec95c8351cef9193d2c7a4d89ca438d0247e1a5451a6bfea034d3d10262
Instruction Fuzzy Hash: 82515AF0608A0E8AFBA4EBB9954D7AD3795EF94348F20452DB546D21D3EF39C7408623

Function 00007FFDFB4C92D0 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 245COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32 ref: 00007FFDFB5CE43E
CoUninitialize.OLE32 ref: 00007FFDFB5CE7A2

Strings

InitializeApp, xrefs: 00007FFDFB5CE47E
%s: Transcode initialized for Image media type with %x object, xrefs: 00007FFDFB5CE4F8
%s: Total Frames generated - %d for %x video transcode object, xrefs: 00007FFDFB5CE758
%s: Cannot allocate transcode object, xrefs: 00007FFDFB5CE634
%s: MFStartup : MF initialization failed with %x error, xrefs: 00007FFDFB5CE474
%s: Invalid input file or NULL encoder params, xrefs: 00007FFDFB5CE7B4
Transcode, xrefs: 00007FFDFB5CE4E0, 00007FFDFB5CE5AD, 00007FFDFB5CE623, 00007FFDFB5CE751, 00007FFDFB5CE7AD
%s: CoInitializeEx failed with %x error, xrefs: 00007FFDFB5CE459
0, xrefs: 00007FFDFB5CE67A
%s: Transcode initialized for video media type with %x object, xrefs: 00007FFDFB5CE64E
%s: Total Frames generated - %x for %x Image transcode object, xrefs: 00007FFDFB5CE5B4

Memory Dump Source

Source File: 00000003.00000002.2113809198.00007FFDFB4C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB4C0000, based on PE: true

Associated: 00000003.00000002.2113790917.00007FFDFB4C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB500000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB55C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB705000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB710000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114128379.00007FFDFB7B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114145066.00007FFDFB7B7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114160649.00007FFDFB7B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114178245.00007FFDFB7B9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114238689.00007FFDFB7FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdfb4c0000_rundll32.jbxd

Similarity

API ID: InitializeUninitialize
String ID: %s: Invalid input file or NULL encoder params$%s: Total Frames generated - %x for %x Image transcode object$%s: Cannot allocate transcode object$%s: CoInitializeEx failed with %x error$%s: MFStartup : MF initialization failed with %x error$%s: Total Frames generated - %d for %x video transcode object$%s: Transcode initialized for Image media type with %x object$%s: Transcode initialized for video media type with %x object$0$InitializeApp$Transcode
API String ID: 3442037557-3066126349
Opcode ID: 81151dc22e6085f7dcf4099bdfb8c54fe29bf8f3d460ed9fe7c7e9b300c8df07
Instruction ID: 85c32df8cb359371134921ba397fe1c39865d6caf22580c772e36b8daa277ac6
Opcode Fuzzy Hash: 81151dc22e6085f7dcf4099bdfb8c54fe29bf8f3d460ed9fe7c7e9b300c8df07
Instruction Fuzzy Hash: D1B16EB270AB9286E751CB15E450A6977E5FB88784F104035EEAC93BB9DF3CE441CB40

Function 00007FFDFB5EDA00 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 117memoryCOMMON

Download Yara Rule

APIs

VerSetConditionMask.KERNEL32 ref: 00007FFDFB5EDA5A
VerSetConditionMask.KERNEL32 ref: 00007FFDFB5EDA6A
VerSetConditionMask.KERNEL32 ref: 00007FFDFB5EDA7A
VerifyVersionInfoW.KERNEL32 ref: 00007FFDFB5EDAB4
GetFullPathNameW.KERNEL32 ref: 00007FFDFB5EDAF7
LocalAlloc.KERNEL32 ref: 00007FFDFB5EDB11
GetFullPathNameW.KERNEL32 ref: 00007FFDFB5EDB2A

Part of subcall function 00007FFDFB5EB0D0: LoadLibraryExW.KERNEL32 ref: 00007FFDFB5EB144
Part of subcall function 00007FFDFB5EB0D0: LocalFree.KERNEL32 ref: 00007FFDFB5EB150
Part of subcall function 00007FFDFB5EB0D0: GetProcAddress.KERNEL32 ref: 00007FFDFB5EB174

LocalFree.KERNEL32 ref: 00007FFDFB5EDB85
LocalFree.KERNEL32 ref: 00007FFDFB5EDB9F
LocalFree.KERNEL32 ref: 00007FFDFB5EDBA8

Strings

*, xrefs: 00007FFDFB5EDA44
&, xrefs: 00007FFDFB5EDA30
$, xrefs: 00007FFDFB5EDA25

Memory Dump Source

Source File: 00000003.00000002.2113809198.00007FFDFB55C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB4C0000, based on PE: true

Associated: 00000003.00000002.2113790917.00007FFDFB4C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB4C1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB500000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB705000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB710000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114128379.00007FFDFB7B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114145066.00007FFDFB7B7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114160649.00007FFDFB7B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114178245.00007FFDFB7B9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114238689.00007FFDFB7FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdfb4c0000_rundll32.jbxd

Similarity

API ID: Local$Free$ConditionMask$FullNamePath$AddressAllocInfoLibraryLoadProcVerifyVersion
String ID: $$&$*
API String ID: 828358482-3416282258
Opcode ID: 5729eadd254e398a79da1de9597fab71f461e464946d20159106587438328c11
Instruction ID: 7000e6085bec660e2ea1e552420435707c9f677f597241156e0dcf84bae64495
Opcode Fuzzy Hash: 5729eadd254e398a79da1de9597fab71f461e464946d20159106587438328c11
Instruction Fuzzy Hash: 48418B75F0A78386E755CF11A824A7677A1BF89794F044538CA6D473F9EE3CE8418A80

Function 00007FFDFB4D3920 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 109filelibraryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FFDFB5E5929
GetFileAttributesW.KERNEL32 ref: 00007FFDFB5E5979
CreateFileW.KERNEL32 ref: 00007FFDFB5E59B5
SetLastError.KERNEL32 ref: 00007FFDFB5E59C7
SetLastError.KERNEL32 ref: 00007FFDFB5E5A0F
LoadLibraryExW.KERNEL32 ref: 00007FFDFB5E5A25
GetLastError.KERNEL32 ref: 00007FFDFB5E5A33
CloseHandle.KERNEL32 ref: 00007FFDFB5E5A3E
SetLastError.KERNEL32 ref: 00007FFDFB5E5A46
SetLastError.KERNEL32 ref: 00007FFDFB5E5A61
SetLastError.KERNEL32 ref: 00007FFDFB5E5A7D

Strings

:, xrefs: 00007FFDFB5E5957

Memory Dump Source

Source File: 00000003.00000002.2113809198.00007FFDFB4C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB4C0000, based on PE: true

Associated: 00000003.00000002.2113790917.00007FFDFB4C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB500000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB55C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB705000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB710000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114128379.00007FFDFB7B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114145066.00007FFDFB7B7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114160649.00007FFDFB7B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114178245.00007FFDFB7B9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114238689.00007FFDFB7FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdfb4c0000_rundll32.jbxd

Similarity

API ID: ErrorLast$File$AttributesCloseCreateHandleLibraryLoad
String ID: :
API String ID: 3653152856-336475711
Opcode ID: bbbf8b0cfe091933c39af1670c220df65eed86bdcb4e0475fc3e254f7dabdbc7
Instruction ID: c04c98dbfe87eb3a1355913ccfc9e49d325954aed0d13e5170974f4e2b0fd358
Opcode Fuzzy Hash: bbbf8b0cfe091933c39af1670c220df65eed86bdcb4e0475fc3e254f7dabdbc7
Instruction Fuzzy Hash: 82410622F0A74742EB568F25B97093866D1AF44BA5F444135DE6E027FEDF3CE842C644

Function 00007FFDFB4C5080 Relevance: 19.6, APIs: 13, Instructions: 107COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 00007FFDFB5E6195
FreeLibrary.KERNEL32 ref: 00007FFDFB5E61D1
FreeLibrary.KERNEL32 ref: 00007FFDFB5E6230
FreeLibrary.KERNEL32 ref: 00007FFDFB5E6250
FreeLibrary.KERNEL32 ref: 00007FFDFB5E62A8
FreeLibrary.KERNEL32 ref: 00007FFDFB5E62C8
FreeLibrary.KERNEL32 ref: 00007FFDFB5E62EF
FreeLibrary.KERNEL32 ref: 00007FFDFB5E6308
FreeLibrary.KERNEL32 ref: 00007FFDFB5E6321
FreeLibrary.KERNEL32 ref: 00007FFDFB5E633A
FreeLibrary.KERNEL32 ref: 00007FFDFB5E6353
FreeLibrary.KERNEL32 ref: 00007FFDFB5E636C
FreeLibrary.KERNEL32 ref: 00007FFDFB5E6385

Memory Dump Source

Source File: 00000003.00000002.2113809198.00007FFDFB4C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB4C0000, based on PE: true

Associated: 00000003.00000002.2113790917.00007FFDFB4C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB500000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB55C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB705000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB710000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114128379.00007FFDFB7B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114145066.00007FFDFB7B7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114160649.00007FFDFB7B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114178245.00007FFDFB7B9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114238689.00007FFDFB7FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdfb4c0000_rundll32.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 9f186a2e040995e6f0b0e64b1a87cd653ec6994900668234fa6fa4513ef19a1e
Instruction ID: 38bcf37e33155e6de883ef9a90d66b889b1493200cf0d2419d25b0b19af141de
Opcode Fuzzy Hash: 9f186a2e040995e6f0b0e64b1a87cd653ec6994900668234fa6fa4513ef19a1e
Instruction Fuzzy Hash: 9A611435B0FB4385E7598F60BC70A3436A4BF48B50B98C179D46D83ABD8F3C69508E55

Function 00007FFDFB5E1790 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 133libraryloaderCOMMON

Download Yara Rule

APIs

VerSetConditionMask.KERNEL32 ref: 00007FFDFB5E17C9
VerifyVersionInfoW.KERNEL32 ref: 00007FFDFB5E17F4
GetProcAddress.KERNEL32 ref: 00007FFDFB5E185B
GetProcAddress.KERNEL32 ref: 00007FFDFB5E188A
GetLastError.KERNEL32 ref: 00007FFDFB5E189C
LocalFree.KERNEL32 ref: 00007FFDFB5E1984

Strings

RegCloseKey, xrefs: 00007FFDFB5E1880
Advapi32.dll, xrefs: 00007FFDFB5E182D
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 00007FFDFB5E18BD
RegOpenKeyExW, xrefs: 00007FFDFB5E1851
CurrentBuildNumber, xrefs: 00007FFDFB5E18EC

Memory Dump Source

Source File: 00000003.00000002.2113809198.00007FFDFB55C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB4C0000, based on PE: true

Associated: 00000003.00000002.2113790917.00007FFDFB4C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB4C1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB500000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB705000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB710000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114128379.00007FFDFB7B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114145066.00007FFDFB7B7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114160649.00007FFDFB7B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114178245.00007FFDFB7B9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114238689.00007FFDFB7FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdfb4c0000_rundll32.jbxd

Similarity

API ID: AddressProc$ConditionErrorFreeInfoLastLocalMaskVerifyVersion
String ID: Advapi32.dll$CurrentBuildNumber$RegCloseKey$RegOpenKeyExW$SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 1705557312-2525593150
Opcode ID: d838daccb81d71d35b80107858d774af3e5616e532a7525f8534e3fbf145c2ea
Instruction ID: cae0fa4fd3c34e93afd545ec1c96850820c8624c3c2ab90fa3162473573e4d77
Opcode Fuzzy Hash: d838daccb81d71d35b80107858d774af3e5616e532a7525f8534e3fbf145c2ea
Instruction Fuzzy Hash: 7D511831B0A74385EB55CB25A860AB973A4BB44B90F448135DAAE837F9EF3CE545CB40

Function 00007FFDFB4C7F70 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 115libraryloadermemoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FFDFB5E4B28
GetProcAddress.KERNEL32 ref: 00007FFDFB5E4B6B
GetProcAddress.KERNEL32 ref: 00007FFDFB5E4B9B
LocalAlloc.KERNEL32 ref: 00007FFDFB5E4C19
LocalFree.KERNEL32 ref: 00007FFDFB5E4C6E
SetLastError.KERNEL32 ref: 00007FFDFB5E4C90

Part of subcall function 00007FFDFB5E1A50: VerSetConditionMask.KERNEL32 ref: 00007FFDFB5E1A9C
Part of subcall function 00007FFDFB5E1A50: VerifyVersionInfoW.KERNEL32 ref: 00007FFDFB5E1AC7

Strings

SetupDiGetDeviceRegistryPropertyW, xrefs: 00007FFDFB5E4B61
, xrefs: 00007FFDFB5E4B1C
SetupDiDestroyDeviceInfoList, xrefs: 00007FFDFB5E4B91
SYSTEM\CurrentControlSet\Control\Class\, xrefs: 00007FFDFB5E4C5C
Setupapi.dll, xrefs: 00007FFDFB5E4B3C

Memory Dump Source

Source File: 00000003.00000002.2113809198.00007FFDFB4C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB4C0000, based on PE: true

Associated: 00000003.00000002.2113790917.00007FFDFB4C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB500000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB55C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB705000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB710000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114128379.00007FFDFB7B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114145066.00007FFDFB7B7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114160649.00007FFDFB7B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114178245.00007FFDFB7B9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114238689.00007FFDFB7FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdfb4c0000_rundll32.jbxd

Similarity

API ID: AddressErrorLastLocalProc$AllocConditionFreeInfoMaskVerifyVersion
String ID: $SYSTEM\CurrentControlSet\Control\Class\$SetupDiDestroyDeviceInfoList$SetupDiGetDeviceRegistryPropertyW$Setupapi.dll
API String ID: 2783935822-2686055259
Opcode ID: 2c65741bb2e4e7683c67e8ef166769608d7f6bf1b8df71c7b07c1739b7130ba0
Instruction ID: ab5a68e5f6faeb2cf70f1c120623c79573c758f91a32ae7b786bbe1ce1615ac7
Opcode Fuzzy Hash: 2c65741bb2e4e7683c67e8ef166769608d7f6bf1b8df71c7b07c1739b7130ba0
Instruction Fuzzy Hash: 3A511E31B0EB4382EB51CF15A864A6973A5BF48B80F454135DA6D477BDEF3CE8018B44

Function 00007FFDFB4C5240 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 108libraryloadermemoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FFDFB5E48B5
GetProcAddress.KERNEL32 ref: 00007FFDFB5E48F8
GetProcAddress.KERNEL32 ref: 00007FFDFB5E4928
LocalAlloc.KERNEL32 ref: 00007FFDFB5E49A6
LocalFree.KERNEL32 ref: 00007FFDFB5E49FB
SetLastError.KERNEL32 ref: 00007FFDFB5E4A25

Part of subcall function 00007FFDFB5E1A50: VerSetConditionMask.KERNEL32 ref: 00007FFDFB5E1A9C
Part of subcall function 00007FFDFB5E1A50: VerifyVersionInfoW.KERNEL32 ref: 00007FFDFB5E1AC7

Strings

SetupDiGetDeviceRegistryPropertyW, xrefs: 00007FFDFB5E48EE
, xrefs: 00007FFDFB5E4897
SetupDiDestroyDeviceInfoList, xrefs: 00007FFDFB5E491E
SYSTEM\CurrentControlSet\Control\Class\, xrefs: 00007FFDFB5E49E9
Setupapi.dll, xrefs: 00007FFDFB5E48C9

Memory Dump Source

Source File: 00000003.00000002.2113809198.00007FFDFB4C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB4C0000, based on PE: true

Associated: 00000003.00000002.2113790917.00007FFDFB4C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB500000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB55C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB705000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB710000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114128379.00007FFDFB7B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114145066.00007FFDFB7B7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114160649.00007FFDFB7B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114178245.00007FFDFB7B9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114238689.00007FFDFB7FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdfb4c0000_rundll32.jbxd

Similarity

API ID: AddressErrorLastLocalProc$AllocConditionFreeInfoMaskVerifyVersion
String ID: $SYSTEM\CurrentControlSet\Control\Class\$SetupDiDestroyDeviceInfoList$SetupDiGetDeviceRegistryPropertyW$Setupapi.dll
API String ID: 2783935822-2686055259
Opcode ID: 6c6a4e8a0bcc7c5af865d58409ceb37ef023d90e6961c4f2e9d2de8a1adc6423
Instruction ID: 78a0fb199e296bf9c01fa7e266bfda4150046de88902f059e044aa0b2c5cc97a
Opcode Fuzzy Hash: 6c6a4e8a0bcc7c5af865d58409ceb37ef023d90e6961c4f2e9d2de8a1adc6423
Instruction Fuzzy Hash: 47511C31B0EB8382EB51DF15B860A6A73A5BB89740F444135DAAD47BBDEF3CE4058B44

Function 00007FFDFB4C5A80 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 80registrymemorythreadCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FFDFB5F8C90
RegQueryValueExW.ADVAPI32 ref: 00007FFDFB5F8CCA
RegCloseKey.ADVAPI32 ref: 00007FFDFB5F8CE6
GetConsoleWindow.KERNEL32 ref: 00007FFDFB5F8D16
GetWindowThreadProcessId.USER32 ref: 00007FFDFB5F8D28
GetCurrentProcessId.KERNEL32 ref: 00007FFDFB5F8D2E
AllocConsole.KERNEL32 ref: 00007FFDFB5F8D3A
SetConsoleTitleA.KERNEL32 ref: 00007FFDFB5F8D4D

Strings

LogLevel, xrefs: 00007FFDFB5F8CA9
NGX, xrefs: 00007FFDFB5F8D40
SOFTWARE\NVIDIA Corporation\Global\NGXCore, xrefs: 00007FFDFB5F8C82

Memory Dump Source

Source File: 00000003.00000002.2113809198.00007FFDFB4C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB4C0000, based on PE: true

Associated: 00000003.00000002.2113790917.00007FFDFB4C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB500000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB55C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB705000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB710000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114128379.00007FFDFB7B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114145066.00007FFDFB7B7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114160649.00007FFDFB7B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114178245.00007FFDFB7B9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114238689.00007FFDFB7FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdfb4c0000_rundll32.jbxd

Similarity

API ID: Console$ProcessWindow$AllocCloseCurrentOpenQueryThreadTitleValue
String ID: LogLevel$NGX$SOFTWARE\NVIDIA Corporation\Global\NGXCore
API String ID: 813702208-1451484610
Opcode ID: 50fab19680d1afe733d3e66660d2e70778c793c35c9ee94b78459fe8881ff264
Instruction ID: 70c46a8e22c25376b0987e1048887bef92d21c9951c9bcde9420c78489bf405c
Opcode Fuzzy Hash: 50fab19680d1afe733d3e66660d2e70778c793c35c9ee94b78459fe8881ff264
Instruction Fuzzy Hash: 36412625B0AB838AEB088F54E8A0929B7A1FF84794F444035DA6D47BBCDF7CE444CB44

Function 00007FFDFB4D5A60 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FFDFB5E65CF
SetLastError.KERNEL32 ref: 00007FFDFB5E65DF
LocalFree.KERNEL32 ref: 00007FFDFB5E6623
LocalFree.KERNEL32 ref: 00007FFDFB5E662C

Strings

ShellExecuteExA, xrefs: 00007FFDFB5E667E
Shell32.dll, xrefs: 00007FFDFB5E6653

Memory Dump Source

Source File: 00000003.00000002.2113809198.00007FFDFB4C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB4C0000, based on PE: true

Associated: 00000003.00000002.2113790917.00007FFDFB4C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB500000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB55C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB705000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB710000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114128379.00007FFDFB7B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114145066.00007FFDFB7B7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114160649.00007FFDFB7B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114178245.00007FFDFB7B9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114238689.00007FFDFB7FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdfb4c0000_rundll32.jbxd

Similarity

API ID: ErrorFreeLastLocal
String ID: Shell32.dll$ShellExecuteExA
API String ID: 3928016487-2609298245
Opcode ID: 2e57f5782fe3bf08634fd71a5693bd78e2723d414804ef75c094206830ef4e48
Instruction ID: a839e60497fa1e52f2434776966daf79f5686e8b94f80e200b07fd12b3a5d589
Opcode Fuzzy Hash: 2e57f5782fe3bf08634fd71a5693bd78e2723d414804ef75c094206830ef4e48
Instruction Fuzzy Hash: CA211A25B1FB4381EF65DB61A870A3976A0AF49BC0F444435D96E477FEEE2CF4018684

Function 00007FFDFB5F1990 Relevance: 15.1, APIs: 12, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FFDFB5F19B1
LocalAlloc.KERNEL32 ref: 00007FFDFB5F19EB
LocalFree.KERNEL32 ref: 00007FFDFB5F1A31
SetLastError.KERNEL32 ref: 00007FFDFB5F1A3C
LocalFree.KERNEL32 ref: 00007FFDFB5F1A58
SetLastError.KERNEL32 ref: 00007FFDFB5F1A63
LocalFree.KERNEL32 ref: 00007FFDFB5F1A7F
SetLastError.KERNEL32 ref: 00007FFDFB5F1AB8
GetLastError.KERNEL32 ref: 00007FFDFB5F1ABE
GetLastError.KERNEL32 ref: 00007FFDFB5F1AD4
LocalFree.KERNEL32 ref: 00007FFDFB5F1AE6
SetLastError.KERNEL32 ref: 00007FFDFB5F1AF2

Memory Dump Source

Source File: 00000003.00000002.2113809198.00007FFDFB55C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB4C0000, based on PE: true

Associated: 00000003.00000002.2113790917.00007FFDFB4C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB4C1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB500000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB705000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB710000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114128379.00007FFDFB7B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114145066.00007FFDFB7B7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114160649.00007FFDFB7B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114178245.00007FFDFB7B9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114238689.00007FFDFB7FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdfb4c0000_rundll32.jbxd

Similarity

API ID: ErrorLast$Local$Free$Alloc
String ID:
API String ID: 916652521-0
Opcode ID: 7233dbdddb0dc7e43d53d00e7812c2ac2f0c79c21a3cd17f9c0fc5ae811c0866
Instruction ID: e804e982eef176df6afb6a5ac9c79c4ad354f1405ddd23c1adc5e505b5f5a497
Opcode Fuzzy Hash: 7233dbdddb0dc7e43d53d00e7812c2ac2f0c79c21a3cd17f9c0fc5ae811c0866
Instruction Fuzzy Hash: 15418121B0E78382EF555F25A924A79BA91AF45BD0F044034CD6E47BFEEF3CE8458284

Function 00007FFDFB4D5A10 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 187COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00007FFDFB6DF451
try_get_function.LIBVCRUNTIME ref: 00007FFDFB6DF4D2

Strings

MessageBoxA, xrefs: 00007FFDFB6DF4C6
RoInitialize, xrefs: 00007FFDFB6DF5D3
MessageBoxW, xrefs: 00007FFDFB6DF556
LocateXStateFeature, xrefs: 00007FFDFB6DF445

Memory Dump Source

Source File: 00000003.00000002.2113809198.00007FFDFB4C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB4C0000, based on PE: true

Associated: 00000003.00000002.2113790917.00007FFDFB4C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB500000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB55C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB705000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB710000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114128379.00007FFDFB7B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114145066.00007FFDFB7B7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114160649.00007FFDFB7B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114178245.00007FFDFB7B9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114238689.00007FFDFB7FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdfb4c0000_rundll32.jbxd

Similarity

API ID: try_get_function
String ID: LocateXStateFeature$MessageBoxA$MessageBoxW$RoInitialize
API String ID: 2742660187-29969376
Opcode ID: 0c7dc754282232751ae50603538382f2149499098d56100760ace1ac31c63134
Instruction ID: e7f3451e3bac4fec668d08bfafb138a6deba3603cc813f47532be59d23fa4fa5
Opcode Fuzzy Hash: 0c7dc754282232751ae50603538382f2149499098d56100760ace1ac31c63134
Instruction Fuzzy Hash: 10417A61B0AB8785EB049B42B4608E57361AF4CBC0F584432EE6C0BBFEDE7CE5458740

Function 00007FFDFB4C1990 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 89libraryloaderCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FFDFB5E37CA
LocalFree.KERNEL32 ref: 00007FFDFB5E380A
LocalFree.KERNEL32 ref: 00007FFDFB5E3813

Part of subcall function 00007FFDFB5DE1F0: LocalAlloc.KERNEL32 ref: 00007FFDFB5DE228

LocalFree.KERNEL32 ref: 00007FFDFB5E3820
LocalFree.KERNEL32 ref: 00007FFDFB5E3829
GetProcAddress.KERNEL32 ref: 00007FFDFB5E386B

Part of subcall function 00007FFDFB5E1A50: VerSetConditionMask.KERNEL32 ref: 00007FFDFB5E1A9C
Part of subcall function 00007FFDFB5E1A50: VerifyVersionInfoW.KERNEL32 ref: 00007FFDFB5E1AC7

Strings

CreateProcessAsUserA, xrefs: 00007FFDFB5E3861
Advapi32.dll, xrefs: 00007FFDFB5E383D

Memory Dump Source

Source File: 00000003.00000002.2113809198.00007FFDFB4C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB4C0000, based on PE: true

Associated: 00000003.00000002.2113790917.00007FFDFB4C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB500000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB55C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB705000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB710000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114128379.00007FFDFB7B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114145066.00007FFDFB7B7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114160649.00007FFDFB7B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114178245.00007FFDFB7B9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114238689.00007FFDFB7FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdfb4c0000_rundll32.jbxd

Similarity

API ID: Local$Free$AddressAllocConditionErrorInfoLastMaskProcVerifyVersion
String ID: Advapi32.dll$CreateProcessAsUserA
API String ID: 3397555361-3368371401
Opcode ID: 7493b9120896b692fd6b8bb541b1dc1633219b3aa57d3fe30c3548db32e78fe2
Instruction ID: 07efa44050a6a602d4d4637ad2157770ddea1e1a87c9c6ecb5e718381bc5907c
Opcode Fuzzy Hash: 7493b9120896b692fd6b8bb541b1dc1633219b3aa57d3fe30c3548db32e78fe2
Instruction Fuzzy Hash: 92314C26B0EB8385EBA5DF16A860A6A77A0BB49BD0F044035DD5D43BB9DF3CE4418B40

Function 000002B38D0C7884 Relevance: 12.6, APIs: 10, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 000002B38D0C78B2

Part of subcall function 000002B38D0BE5C8: _errno.LIBCMT ref: 000002B38D0BE5E8

free.LIBCMT ref: 000002B38D0C78C7
free.LIBCMT ref: 000002B38D0C78E8
free.LIBCMT ref: 000002B38D0C78FD
free.LIBCMT ref: 000002B38D0C7911
free.LIBCMT ref: 000002B38D0C791D
free.LIBCMT ref: 000002B38D0C7948
free.LIBCMT ref: 000002B38D0C7969
free.LIBCMT ref: 000002B38D0C7982
free.LIBCMT ref: 000002B38D0C79B3

Memory Dump Source

Source File: 00000003.00000002.2112900009.000002B38D090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B38D090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b38d090000_rundll32.jbxd

Similarity

API ID: free$_errno
String ID:
API String ID: 2288870239-0
Opcode ID: c236f47fa00f1eb095f464021b61fc5b1928e1c18c896dc44bc4746b0c097f4e
Instruction ID: 67789b1922cf7858fe9a338d7ef1da00372ed8dee6514fe24dcf9581378a1630
Opcode Fuzzy Hash: c236f47fa00f1eb095f464021b61fc5b1928e1c18c896dc44bc4746b0c097f4e
Instruction Fuzzy Hash: D941FD70264A0D5FFB94FB58E8A97A533E2FB99315F54005CF106D22A2DBBC9944CB13

Function 00007FFDFB4C3200 Relevance: 12.2, APIs: 4, Strings: 4, Instructions: 179COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FFDFB5C0379
GetLastError.KERNEL32 ref: 00007FFDFB5C0576

Strings

SetGUID MF_MT_SUBTYPE (%d) hr=0x%08X le=%d, xrefs: 00007FFDFB5C057F
SetCurrentMediaType MF_SOURCE_READER_FIRST_AUDIO_STREAM hr=0x%08X le=%d, xrefs: 00007FFDFB5C0448
GetNativeMediaType Stream %d hr=0x%08X le=%d, xrefs: 00007FFDFB5C0382
GetGUID MF_MT_SUBTYPE hr=0x%08X le=%d, xrefs: 00007FFDFB5C03CA

Memory Dump Source

Source File: 00000003.00000002.2113809198.00007FFDFB4C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB4C0000, based on PE: true

Associated: 00000003.00000002.2113790917.00007FFDFB4C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB500000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB55C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB705000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB710000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114128379.00007FFDFB7B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114145066.00007FFDFB7B7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114160649.00007FFDFB7B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114178245.00007FFDFB7B9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114238689.00007FFDFB7FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdfb4c0000_rundll32.jbxd

Similarity

API ID: ErrorLast
String ID: GetGUID MF_MT_SUBTYPE hr=0x%08X le=%d$GetNativeMediaType Stream %d hr=0x%08X le=%d$SetCurrentMediaType MF_SOURCE_READER_FIRST_AUDIO_STREAM hr=0x%08X le=%d$SetGUID MF_MT_SUBTYPE (%d) hr=0x%08X le=%d
API String ID: 1452528299-3119712302
Opcode ID: e29568572fa14d84d16d7519d0c820b574227a19fb104b39875f44c73128b5f3
Instruction ID: afb4e595cf40bb887d8b312f9c4f61fe80f17c0eff31a6db9149a8bd4a664e3e
Opcode Fuzzy Hash: e29568572fa14d84d16d7519d0c820b574227a19fb104b39875f44c73128b5f3
Instruction Fuzzy Hash: 4D71816671AB4782EB118F2AE460A797761FB84B94F041035DE5D437B9EF3CE405C744

Function 000002B38D0D5B3C Relevance: 10.7, APIs: 7, Instructions: 180COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000002B38D0D5B67
_errno.LIBCMT ref: 000002B38D0D5B5C

Part of subcall function 000002B38D0C02B0: _getptd_noexit.LIBCMT ref: 000002B38D0C02B4

_errno.LIBCMT ref: 000002B38D0D5C0A
_invalid_parameter_noinfo.LIBCMT ref: 000002B38D0D5C15

Memory Dump Source

Source File: 00000003.00000002.2112900009.000002B38D090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B38D090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b38d090000_rundll32.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo$_getptd_noexit
String ID:
API String ID: 1573762532-0
Opcode ID: 7afc2762c95521575d3116b194f351630dcc251883b617eb56e717d3dcf592c2
Instruction ID: 246aa4d504a0ac09089cfa52642fb58e060cbef941a57769fdeb169f0d6d17dc
Opcode Fuzzy Hash: 7afc2762c95521575d3116b194f351630dcc251883b617eb56e717d3dcf592c2
Instruction Fuzzy Hash: F251E5B0515A1D4EEB64E718484D3B573D0FF55321F94132FB8C6C71D9EB348A418683

Function 000002B38D0CF528 Relevance: 10.6, APIs: 7, Instructions: 146COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000002B38D0CF54E
_errno.LIBCMT ref: 000002B38D0CF543

Part of subcall function 000002B38D0C02B0: _getptd_noexit.LIBCMT ref: 000002B38D0C02B4

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000002B38D0CF5CD
_errno.LIBCMT ref: 000002B38D0CF5DE
_invalid_parameter_noinfo.LIBCMT ref: 000002B38D0CF5E9

Memory Dump Source

Source File: 00000003.00000002.2112900009.000002B38D090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B38D090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b38d090000_rundll32.jbxd

Similarity

API ID: Locale_errno_invalid_parameter_noinfo$UpdateUpdate::__getptd_noexit
String ID:
API String ID: 781512312-0
Opcode ID: a56ef14d950493e927c3ef52fe0069bfafb8291851f1440a19a1a290c08364fa
Instruction ID: c754b0af7197878777b871e4728937100346682333f194764de080c7620123e2
Opcode Fuzzy Hash: a56ef14d950493e927c3ef52fe0069bfafb8291851f1440a19a1a290c08364fa
Instruction Fuzzy Hash: 974168B0419A1E4BEB64EB18805C7B5BBE0FF54325F94021EB596C72E4DF348A81C383

Function 000002B38D0922C4 Relevance: 10.6, APIs: 7, Instructions: 134COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D0922FF

Part of subcall function 000002B38D098BAC: _lock.LIBCMT ref: 000002B38D098BBE

Part of subcall function 000002B38D0983A4: ___lc_codepage_func.LIBCMT ref: 000002B38D0983C8
Part of subcall function 000002B38D0983A4: ___mb_cur_max_func.LIBCMT ref: 000002B38D0983CF
Part of subcall function 000002B38D0983A4: ___lc_locale_name_func.LIBCMT ref: 000002B38D0983D7

free.LIBCMT ref: 000002B38D092380

Part of subcall function 000002B38D0BE5C8: _errno.LIBCMT ref: 000002B38D0BE5E8

free.LIBCMT ref: 000002B38D092392
free.LIBCMT ref: 000002B38D0923A4
free.LIBCMT ref: 000002B38D0923B6
free.LIBCMT ref: 000002B38D0923C8
free.LIBCMT ref: 000002B38D0923DA

Memory Dump Source

Source File: 00000003.00000002.2112900009.000002B38D090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B38D090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b38d090000_rundll32.jbxd

Similarity

API ID: free$LockitLockit::____lc_codepage_func___lc_locale_name_func___mb_cur_max_func_errno_lockstd::_
String ID:
API String ID: 1142821818-0
Opcode ID: 1911704955e5e0ea99b43964440b80dd6f33ce142868086bf586ad4af8219b32
Instruction ID: efa53fe11661ee2c217c6b84de0665e94682a6ec94e85d109f039c108cb5b556
Opcode Fuzzy Hash: 1911704955e5e0ea99b43964440b80dd6f33ce142868086bf586ad4af8219b32
Instruction Fuzzy Hash: 33416BB0948B4D9FEB95EF98D0546EDB7B0FF58310F40425EE40AE7296DB309A458781

Function 00007FFDFB5EB0D0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 98librarymemoryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FFDFB5EB2C0: GetSystemDirectoryW.KERNEL32 ref: 00007FFDFB5EB2E8
Part of subcall function 00007FFDFB5EB2C0: LocalAlloc.KERNEL32 ref: 00007FFDFB5EB30B
Part of subcall function 00007FFDFB5EB2C0: GetSystemDirectoryW.KERNEL32 ref: 00007FFDFB5EB31E

LoadLibraryExW.KERNEL32 ref: 00007FFDFB5EB144
LocalFree.KERNEL32 ref: 00007FFDFB5EB150
GetProcAddress.KERNEL32 ref: 00007FFDFB5EB174
LocalAlloc.KERNEL32 ref: 00007FFDFB5EB1ED

Strings

Shell32.dll, xrefs: 00007FFDFB5EB11E
SHGetFolderPathW, xrefs: 00007FFDFB5EB16A

Memory Dump Source

Source File: 00000003.00000002.2113809198.00007FFDFB55C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB4C0000, based on PE: true

Associated: 00000003.00000002.2113790917.00007FFDFB4C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB4C1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB500000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB705000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB710000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114128379.00007FFDFB7B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114145066.00007FFDFB7B7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114160649.00007FFDFB7B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114178245.00007FFDFB7B9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114238689.00007FFDFB7FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdfb4c0000_rundll32.jbxd

Similarity

API ID: Local$AllocDirectorySystem$AddressFreeLibraryLoadProc
String ID: SHGetFolderPathW$Shell32.dll
API String ID: 1341906590-1831903832
Opcode ID: 9bc15085328f5bfa94c6fc05054273b19d9ba2339b94c399c8978e9a2a124876
Instruction ID: 414b144cd4bf9b7689cf57a37cbae5fc96c7ec824be67e1e2e1f23f25be91149
Opcode Fuzzy Hash: 9bc15085328f5bfa94c6fc05054273b19d9ba2339b94c399c8978e9a2a124876
Instruction Fuzzy Hash: 0F419025B1AB9381FB65DB11A864A796260BF48BD4F448135DE2E477FDDE3CE4068700

Function 00007FFDFB5E1D50 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 90librarymemoryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 00007FFDFB5E1DC4
LocalAlloc.KERNEL32 ref: 00007FFDFB5E1E2F
GetLastError.KERNEL32 ref: 00007FFDFB5E1E3D

Part of subcall function 00007FFDFB5E1A50: VerSetConditionMask.KERNEL32 ref: 00007FFDFB5E1A9C
Part of subcall function 00007FFDFB5E1A50: VerifyVersionInfoW.KERNEL32 ref: 00007FFDFB5E1AC7

LocalFree.KERNEL32 ref: 00007FFDFB5E1E76

Strings

RegQueryValueExW, xrefs: 00007FFDFB5E1DBA
Advapi32.dll, xrefs: 00007FFDFB5E1D92

Memory Dump Source

Source File: 00000003.00000002.2113809198.00007FFDFB55C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB4C0000, based on PE: true

Associated: 00000003.00000002.2113790917.00007FFDFB4C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB4C1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB500000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB705000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB710000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114128379.00007FFDFB7B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114145066.00007FFDFB7B7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114160649.00007FFDFB7B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114178245.00007FFDFB7B9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114238689.00007FFDFB7FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdfb4c0000_rundll32.jbxd

Similarity

API ID: Local$AddressAllocConditionErrorFreeInfoLastMaskProcVerifyVersion
String ID: Advapi32.dll$RegQueryValueExW
API String ID: 3707099831-295176829
Opcode ID: 698e8803dc34555242da3cc59fb36ac2bbed8fae0d3c80f23629390359c3b53d
Instruction ID: cd312c2616293d3070eff3a08642ea935ad8d5deb12353517c435fc83bdec5f5
Opcode Fuzzy Hash: 698e8803dc34555242da3cc59fb36ac2bbed8fae0d3c80f23629390359c3b53d
Instruction Fuzzy Hash: 18314F72B0AB4386EB55CF11A860A6977A4FF89B80F544435EA6D47BBDDF3CE4008B44

Function 00007FFDFB549E60 Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 41COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FFDFB549E76

Strings

kernel32.dll, xrefs: 00007FFDFB549E6F
WakeAllConditionVariable, xrefs: 00007FFDFB549EC3
WakeConditionVariable, xrefs: 00007FFDFB549EAD
InitializeConditionVariable, xrefs: 00007FFDFB549E88
SleepConditionVariableCS, xrefs: 00007FFDFB549E97

Memory Dump Source

Source File: 00000003.00000002.2113809198.00007FFDFB500000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB4C0000, based on PE: true

Associated: 00000003.00000002.2113790917.00007FFDFB4C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB4C1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB55C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB705000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB710000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114128379.00007FFDFB7B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114145066.00007FFDFB7B7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114160649.00007FFDFB7B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114178245.00007FFDFB7B9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114238689.00007FFDFB7FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdfb4c0000_rundll32.jbxd

Similarity

API ID: HandleModule
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
API String ID: 4139908857-2387153273
Opcode ID: 13d3deadd11c91aaa1b09a78a1db330eb72840e8f80f03264e7b8b5f1608b1d5
Instruction ID: c68c0a57ce64a926460312eeb83171371fdc04118384f35f4f951d25479b3157
Opcode Fuzzy Hash: 13d3deadd11c91aaa1b09a78a1db330eb72840e8f80f03264e7b8b5f1608b1d5
Instruction Fuzzy Hash: 4411C565F0FB4390FF1A9B50E8B9BB122A5AF08340F584435C82D463FDEE6CAA84C640

Function 000002B38D0A099C Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D0A09BD

Part of subcall function 000002B38D098BAC: _lock.LIBCMT ref: 000002B38D098BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D0A09E2
numpunct.LIBCPMT ref: 000002B38D0A0A65
std::bad_exception::bad_exception.LIBCMT ref: 000002B38D0A0A7C
_CxxThrowException.LIBCMT ref: 000002B38D0A0A8D
std::_Facet_Register.LIBCPMT ref: 000002B38D0A0AAB

Memory Dump Source

Source File: 00000003.00000002.2112900009.000002B38D090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B38D090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b38d090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_locknumpunctstd::bad_exception::bad_exception
String ID:
API String ID: 4068408745-0
Opcode ID: 9cf474680b64cc0a42dfb88614e6b436c95b169935a0ccc469abbe6bd9e922ca
Instruction ID: 5a899bbfb261f70f763c8e9f262bce0ea747f9ef5b7b7da776242d4146a6224c
Opcode Fuzzy Hash: 9cf474680b64cc0a42dfb88614e6b436c95b169935a0ccc469abbe6bd9e922ca
Instruction Fuzzy Hash: 994146B1518E0C8FE755EF18D499AA677E1FFA4310F60066EB05AC32A6DB30DA45C782

Function 000002B38D0991D4 Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D0991F5

Part of subcall function 000002B38D098BAC: _lock.LIBCMT ref: 000002B38D098BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D09921A
messages.LIBCPMT ref: 000002B38D09929D
std::bad_exception::bad_exception.LIBCMT ref: 000002B38D0992B4
_CxxThrowException.LIBCMT ref: 000002B38D0992C5
std::_Facet_Register.LIBCPMT ref: 000002B38D0992E3

Memory Dump Source

Source File: 00000003.00000002.2112900009.000002B38D090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B38D090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b38d090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID:
API String ID: 620047600-0
Opcode ID: d65d886f5a4a5fbf692825c0abf740438a2889b3773da977cec666f68a3605b7
Instruction ID: f8ce3730fd03e009274ae4461dd8bb006ed7cada3484b95389d95cf94c45cef4
Opcode Fuzzy Hash: d65d886f5a4a5fbf692825c0abf740438a2889b3773da977cec666f68a3605b7
Instruction Fuzzy Hash: 3F4177B1518E0C5FE795EB58E4986AA77E1FF98310F10166EB05BC32A2DF30D945C782

Function 000002B38D09FA2C Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D09FA4D

Part of subcall function 000002B38D098BAC: _lock.LIBCMT ref: 000002B38D098BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D09FA72
messages.LIBCPMT ref: 000002B38D09FAF5
std::bad_exception::bad_exception.LIBCMT ref: 000002B38D09FB0C
_CxxThrowException.LIBCMT ref: 000002B38D09FB1D
std::_Facet_Register.LIBCPMT ref: 000002B38D09FB3B

Memory Dump Source

Source File: 00000003.00000002.2112900009.000002B38D090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B38D090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b38d090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID:
API String ID: 620047600-0
Opcode ID: 8ce21f825e0c86f2d4b8cb028bd5239e6d8b4f4478972e71b897618c04ae54ad
Instruction ID: 6b827164966ad64f173d9f788e7eed83d7d188e1fdf84a4198fce7aafa40aec3
Opcode Fuzzy Hash: 8ce21f825e0c86f2d4b8cb028bd5239e6d8b4f4478972e71b897618c04ae54ad
Instruction Fuzzy Hash: 0F4184B1608E0D5FE755EF18D4986AA77E1FFA8310F50065EB056C32A2DF30DA45C782

Function 000002B38D0B4A28 Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D0B4A49

Part of subcall function 000002B38D098BAC: _lock.LIBCMT ref: 000002B38D098BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D0B4A6E
messages.LIBCPMT ref: 000002B38D0B4AF1
std::bad_exception::bad_exception.LIBCMT ref: 000002B38D0B4B08
_CxxThrowException.LIBCMT ref: 000002B38D0B4B19
std::_Facet_Register.LIBCPMT ref: 000002B38D0B4B37

Memory Dump Source

Source File: 00000003.00000002.2112900009.000002B38D090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B38D090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b38d090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID:
API String ID: 620047600-0
Opcode ID: 8101ceada97120b4e31297d4cb69fbff05a20529c4fc301d5dc3a6eecf40290d
Instruction ID: 707caf0b9ab4300f7e087ac31a8a8b93ae8d429ef434472128f0f696322d8851
Opcode Fuzzy Hash: 8101ceada97120b4e31297d4cb69fbff05a20529c4fc301d5dc3a6eecf40290d
Instruction Fuzzy Hash: 6C4162B151CA0C8FE755EF18D488AA673E1FF68318F10062DA15AD72A2DB34DA45CB86

Function 000002B38D0A086C Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D0A088D

Part of subcall function 000002B38D098BAC: _lock.LIBCMT ref: 000002B38D098BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D0A08B2
messages.LIBCPMT ref: 000002B38D0A0935
std::bad_exception::bad_exception.LIBCMT ref: 000002B38D0A094C
_CxxThrowException.LIBCMT ref: 000002B38D0A095D
std::_Facet_Register.LIBCPMT ref: 000002B38D0A097B

Memory Dump Source

Source File: 00000003.00000002.2112900009.000002B38D090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B38D090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b38d090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID:
API String ID: 620047600-0
Opcode ID: e8914c13f1a63b2bd7b0f8b8eb872b1415bdfa408ac95b106aef2af262e1ca3a
Instruction ID: 8a1b270c0386cfa64207643c764c451c3f95db28ddef5c1389382386310d437c
Opcode Fuzzy Hash: e8914c13f1a63b2bd7b0f8b8eb872b1415bdfa408ac95b106aef2af262e1ca3a
Instruction Fuzzy Hash: E44186B1518E0D8FE755EF28D488A6A77E0FF58310F20065EB05AC72A6DB70DA45CB82

Function 000002B38D0990A4 Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D0990C5

Part of subcall function 000002B38D098BAC: _lock.LIBCMT ref: 000002B38D098BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D0990EA
messages.LIBCPMT ref: 000002B38D09916D
std::bad_exception::bad_exception.LIBCMT ref: 000002B38D099184
_CxxThrowException.LIBCMT ref: 000002B38D099195
std::_Facet_Register.LIBCPMT ref: 000002B38D0991B3

Memory Dump Source

Source File: 00000003.00000002.2112900009.000002B38D090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B38D090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b38d090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID:
API String ID: 620047600-0
Opcode ID: 44f74ad60790d5f728fb9db277d581671f1682aeeeb9c216a3193cbb7b7aedb3
Instruction ID: 86aaaf9b0c7fedc596209c0a78533c03b4ff77ab5a40b410e95b261b0f6d5e18
Opcode Fuzzy Hash: 44f74ad60790d5f728fb9db277d581671f1682aeeeb9c216a3193cbb7b7aedb3
Instruction Fuzzy Hash: D84160B1508A0C9FE754EB58E49C66673E1FFA8310F10166EB05AC32A6DF30D945CB82

Function 000002B38D09F8FC Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D09F91D

Part of subcall function 000002B38D098BAC: _lock.LIBCMT ref: 000002B38D098BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D09F942
messages.LIBCPMT ref: 000002B38D09F9C5
std::bad_exception::bad_exception.LIBCMT ref: 000002B38D09F9DC
_CxxThrowException.LIBCMT ref: 000002B38D09F9ED
std::_Facet_Register.LIBCPMT ref: 000002B38D09FA0B

Memory Dump Source

Source File: 00000003.00000002.2112900009.000002B38D090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B38D090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b38d090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID:
API String ID: 620047600-0
Opcode ID: ad3d27e93c69ba864e2bfe9fd3f3486237bb31b56115dd73a035953c61f75546
Instruction ID: b0a86312dcdeef6e033a6013e8d7341a17f50ba55eee3a59feb9b9c2af2d558e
Opcode Fuzzy Hash: ad3d27e93c69ba864e2bfe9fd3f3486237bb31b56115dd73a035953c61f75546
Instruction Fuzzy Hash: 1F4142B1218E1D5FE755EF28D488AA677E1FF68310F10051EB056C32A5DF70DA45CB82

Function 000002B38D0B48F8 Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D0B4919

Part of subcall function 000002B38D098BAC: _lock.LIBCMT ref: 000002B38D098BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D0B493E
collate.LIBCPMT ref: 000002B38D0B49C1
std::bad_exception::bad_exception.LIBCMT ref: 000002B38D0B49D8
_CxxThrowException.LIBCMT ref: 000002B38D0B49E9
std::_Facet_Register.LIBCPMT ref: 000002B38D0B4A07

Memory Dump Source

Source File: 00000003.00000002.2112900009.000002B38D090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B38D090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b38d090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockcollatestd::bad_exception::bad_exception
String ID:
API String ID: 3240839640-0
Opcode ID: 0233418cfae809917d103e780ede1da457fc54a499b3717859009be7294f54f8
Instruction ID: c1eed168f97ee1841d001037d675eaf3c930f8f9ca45a4cc9d86c22a7cd73ce0
Opcode Fuzzy Hash: 0233418cfae809917d103e780ede1da457fc54a499b3717859009be7294f54f8
Instruction Fuzzy Hash: EE41B3B150CE1C4FE754EF18D489AA673E1FF58318F10066DB05AD72A2DB70DA45CB82

Function 000002B38D0A014C Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D0A016D

Part of subcall function 000002B38D098BAC: _lock.LIBCMT ref: 000002B38D098BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D0A0192
moneypunct.LIBCPMT ref: 000002B38D0A0215
std::bad_exception::bad_exception.LIBCMT ref: 000002B38D0A022C
_CxxThrowException.LIBCMT ref: 000002B38D0A023D
std::_Facet_Register.LIBCPMT ref: 000002B38D0A025B

Memory Dump Source

Source File: 00000003.00000002.2112900009.000002B38D090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B38D090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b38d090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmoneypunctstd::bad_exception::bad_exception
String ID:
API String ID: 3809448442-0
Opcode ID: 23175eb6af71c341a43572a7cfc5c5faaad3fe0d8949ac351d6b072308f46143
Instruction ID: 3f6cb8f7d9c8326424f26ec195080133bc49edd18875e59fe34c38041d5bd084
Opcode Fuzzy Hash: 23175eb6af71c341a43572a7cfc5c5faaad3fe0d8949ac351d6b072308f46143
Instruction Fuzzy Hash: 624166B1618F0D8FE755EB18D498AA677E1FF64310F20056EB056C32AADB30DA45C782

Function 000002B38D09FB5C Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D09FB7D

Part of subcall function 000002B38D098BAC: _lock.LIBCMT ref: 000002B38D098BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D09FBA2
messages.LIBCPMT ref: 000002B38D09FC25
std::bad_exception::bad_exception.LIBCMT ref: 000002B38D09FC3C
_CxxThrowException.LIBCMT ref: 000002B38D09FC4D
std::_Facet_Register.LIBCPMT ref: 000002B38D09FC6B

Memory Dump Source

Source File: 00000003.00000002.2112900009.000002B38D090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B38D090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b38d090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID:
API String ID: 620047600-0
Opcode ID: 9179dece544dd2d7b58664dfb820dd996a6c2b9e8f7944b505e616ecfab862ae
Instruction ID: c6c286e8c7188b5834d390c3139d102fb3b1202d5bb9bf7d74fb13c700843b38
Opcode Fuzzy Hash: 9179dece544dd2d7b58664dfb820dd996a6c2b9e8f7944b505e616ecfab862ae
Instruction Fuzzy Hash: F64160B1208E0D9FE754EF18D498AA677E1FF68310F10465EB456C32A2DF30DA06CB82

Function 000002B38D0B4B58 Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D0B4B79

Part of subcall function 000002B38D098BAC: _lock.LIBCMT ref: 000002B38D098BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D0B4B9E
messages.LIBCPMT ref: 000002B38D0B4C21
std::bad_exception::bad_exception.LIBCMT ref: 000002B38D0B4C38
_CxxThrowException.LIBCMT ref: 000002B38D0B4C49
std::_Facet_Register.LIBCPMT ref: 000002B38D0B4C67

Memory Dump Source

Source File: 00000003.00000002.2112900009.000002B38D090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B38D090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b38d090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID:
API String ID: 620047600-0
Opcode ID: 1d91a49bc77edb7e22aa6e9a78d7975369a76cca3a033d80bf35b0100c632c7d
Instruction ID: e1574e6d35ac8d21d649e22139a15b199047b751bdab4d723279125b6af8b7a2
Opcode Fuzzy Hash: 1d91a49bc77edb7e22aa6e9a78d7975369a76cca3a033d80bf35b0100c632c7d
Instruction Fuzzy Hash: EA41737150CE0C8FE795EF18D489AA673E1FFA8318F10065DB14AD72A2DB34DA45CB82

Function 000002B38D0A03AC Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D0A03CD

Part of subcall function 000002B38D098BAC: _lock.LIBCMT ref: 000002B38D098BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D0A03F2
moneypunct.LIBCPMT ref: 000002B38D0A0475
std::bad_exception::bad_exception.LIBCMT ref: 000002B38D0A048C
_CxxThrowException.LIBCMT ref: 000002B38D0A049D
std::_Facet_Register.LIBCPMT ref: 000002B38D0A04BB

Memory Dump Source

Source File: 00000003.00000002.2112900009.000002B38D090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B38D090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b38d090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmoneypunctstd::bad_exception::bad_exception
String ID:
API String ID: 3809448442-0
Opcode ID: c66e09ab170a22db7c72c6839654604274626d1e646d604170c6a8578907e1a2
Instruction ID: 0c5b8f04d7c341d1578f0c9b32b96414c63734ee6395c3c7ba43d737ff88803b
Opcode Fuzzy Hash: c66e09ab170a22db7c72c6839654604274626d1e646d604170c6a8578907e1a2
Instruction Fuzzy Hash: 4D4164B1119E1D8FE755EB18D498A6677E0FF68310F60066EB05AC32A6DB30DE45C782

Function 000002B38D09F43C Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D09F45D

Part of subcall function 000002B38D098BAC: _lock.LIBCMT ref: 000002B38D098BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D09F482
codecvt.LIBCPMT ref: 000002B38D09F505
std::bad_exception::bad_exception.LIBCMT ref: 000002B38D09F51C
_CxxThrowException.LIBCMT ref: 000002B38D09F52D
std::_Facet_Register.LIBCPMT ref: 000002B38D09F54B

Memory Dump Source

Source File: 00000003.00000002.2112900009.000002B38D090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B38D090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b38d090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockcodecvtstd::bad_exception::bad_exception
String ID:
API String ID: 2666907392-0
Opcode ID: 45efec231ae2297d7a2142dcd9c2eae13585b2050d5428d033f28a6bf587b034
Instruction ID: daf89d02bdef8f8898f164a73e0c4769f410245428d8485854d31647dfd7aff5
Opcode Fuzzy Hash: 45efec231ae2297d7a2142dcd9c2eae13585b2050d5428d033f28a6bf587b034
Instruction Fuzzy Hash: 0F4174B1258A0D5FE755EF18D488AA677E1FF68310F50056EB05BC32A6DF30DA05C782

Function 000002B38D0A027C Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D0A029D

Part of subcall function 000002B38D098BAC: _lock.LIBCMT ref: 000002B38D098BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D0A02C2
moneypunct.LIBCPMT ref: 000002B38D0A0345
std::bad_exception::bad_exception.LIBCMT ref: 000002B38D0A035C
_CxxThrowException.LIBCMT ref: 000002B38D0A036D
std::_Facet_Register.LIBCPMT ref: 000002B38D0A038B

Memory Dump Source

Source File: 00000003.00000002.2112900009.000002B38D090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B38D090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b38d090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmoneypunctstd::bad_exception::bad_exception
String ID:
API String ID: 3809448442-0
Opcode ID: 576ca43a9229fa76d4c30edbc1c9635a8bd1653c60898644c64f54b1b7beac0d
Instruction ID: b9968d89a10d7516a3c7939f145394fce5a77aab69a4a63be547737e7eaf9f24
Opcode Fuzzy Hash: 576ca43a9229fa76d4c30edbc1c9635a8bd1653c60898644c64f54b1b7beac0d
Instruction Fuzzy Hash: 34419AB1218E0D8FE765EF28D499AA677E1FF64310F30065EB056C32A6DB70D945C782

Function 000002B38D0A0ACC Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D0A0AED

Part of subcall function 000002B38D098BAC: _lock.LIBCMT ref: 000002B38D098BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D0A0B12
numpunct.LIBCPMT ref: 000002B38D0A0B95
std::bad_exception::bad_exception.LIBCMT ref: 000002B38D0A0BAC
_CxxThrowException.LIBCMT ref: 000002B38D0A0BBD
std::_Facet_Register.LIBCPMT ref: 000002B38D0A0BDB

Memory Dump Source

Source File: 00000003.00000002.2112900009.000002B38D090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B38D090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b38d090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_locknumpunctstd::bad_exception::bad_exception
String ID:
API String ID: 4068408745-0
Opcode ID: 822ec391d6621952e5469a8a2b9ff91c3985372570a95cd92eaf18f1c434b61d
Instruction ID: 66c14e9e021670ba93fb634a387abbf23335ec3733e0ee76ac117b5b0f61495f
Opcode Fuzzy Hash: 822ec391d6621952e5469a8a2b9ff91c3985372570a95cd92eaf18f1c434b61d
Instruction Fuzzy Hash: 894154B1218E0D8FE755EB18D498AAA73E0FF58314F70065FB056C32A6DB30DA45CB82

Function 000002B38D099304 Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D099325

Part of subcall function 000002B38D098BAC: _lock.LIBCMT ref: 000002B38D098BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D09934A
numpunct.LIBCPMT ref: 000002B38D0993CD
std::bad_exception::bad_exception.LIBCMT ref: 000002B38D0993E4
_CxxThrowException.LIBCMT ref: 000002B38D0993F5
std::_Facet_Register.LIBCPMT ref: 000002B38D099413

Memory Dump Source

Source File: 00000003.00000002.2112900009.000002B38D090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B38D090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b38d090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_locknumpunctstd::bad_exception::bad_exception
String ID:
API String ID: 4068408745-0
Opcode ID: 6f03905d0beafbc56963ed536e36f45f80a76ca8702b5fb871efbe115acaf3e9
Instruction ID: 0e8a7f34312ecb23ea9f82032d53b7e0caea79516db6e1705ed26fb11cc83f73
Opcode Fuzzy Hash: 6f03905d0beafbc56963ed536e36f45f80a76ca8702b5fb871efbe115acaf3e9
Instruction Fuzzy Hash: D0416FB111CE0C9FE755EF58E489A6677E1FF68310F10566EB05AC32A6DB30D9418B82

Function 000002B38D09F56C Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D09F58D

Part of subcall function 000002B38D098BAC: _lock.LIBCMT ref: 000002B38D098BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D09F5B2
collate.LIBCPMT ref: 000002B38D09F635
std::bad_exception::bad_exception.LIBCMT ref: 000002B38D09F64C
_CxxThrowException.LIBCMT ref: 000002B38D09F65D
std::_Facet_Register.LIBCPMT ref: 000002B38D09F67B

Memory Dump Source

Source File: 00000003.00000002.2112900009.000002B38D090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B38D090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b38d090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockcollatestd::bad_exception::bad_exception
String ID:
API String ID: 3240839640-0
Opcode ID: aa24ee5a496f3eccf8c40c5a857f936f456db878295ea4d5143e493ac5b1c9e7
Instruction ID: 057d10b6c52329c5476b0efb4ce9477e3b8b88f92b7c1eed825f828aa08e6f81
Opcode Fuzzy Hash: aa24ee5a496f3eccf8c40c5a857f936f456db878295ea4d5143e493ac5b1c9e7
Instruction Fuzzy Hash: 58414FB1619E0D9FE755EF28D4886AA77E1FF68310F10065EA157C32A2DF30DA45CB82

Function 000002B38D09FDBC Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D09FDDD

Part of subcall function 000002B38D098BAC: _lock.LIBCMT ref: 000002B38D098BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D09FE02
messages.LIBCPMT ref: 000002B38D09FE85
std::bad_exception::bad_exception.LIBCMT ref: 000002B38D09FE9C
_CxxThrowException.LIBCMT ref: 000002B38D09FEAD
std::_Facet_Register.LIBCPMT ref: 000002B38D09FECB

Memory Dump Source

Source File: 00000003.00000002.2112900009.000002B38D090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B38D090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b38d090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID:
API String ID: 620047600-0
Opcode ID: ea6ca55c775d0ccc4dd453c7f7005d0493a2785ec4fecb6ec9dba5e7c9d5e10a
Instruction ID: 1d88ad1ce94419853d522fb8f545980825c7e73fcf6bf8733f0eeec07a09b69b
Opcode Fuzzy Hash: ea6ca55c775d0ccc4dd453c7f7005d0493a2785ec4fecb6ec9dba5e7c9d5e10a
Instruction Fuzzy Hash: 5A4167B1618E0D9FE755EB18D4896A677D1FF64310F11065EB057C32A2DF30D945C782

Function 000002B38D0B4DB8 Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D0B4DD9

Part of subcall function 000002B38D098BAC: _lock.LIBCMT ref: 000002B38D098BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D0B4DFE
moneypunct.LIBCPMT ref: 000002B38D0B4E81
std::bad_exception::bad_exception.LIBCMT ref: 000002B38D0B4E98
_CxxThrowException.LIBCMT ref: 000002B38D0B4EA9
std::_Facet_Register.LIBCPMT ref: 000002B38D0B4EC7

Memory Dump Source

Source File: 00000003.00000002.2112900009.000002B38D090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B38D090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b38d090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmoneypunctstd::bad_exception::bad_exception
String ID:
API String ID: 3809448442-0
Opcode ID: ae327d2db070439c1c0d49b2585e1c384ae4971f0289f13c9f66755d90c69a8c
Instruction ID: 5ffde9a5246be9a72e85c28e442ce10325427fc2356ca0326436f84cda915da8
Opcode Fuzzy Hash: ae327d2db070439c1c0d49b2585e1c384ae4971f0289f13c9f66755d90c69a8c
Instruction Fuzzy Hash: 464152B151CE0C8FE755EF18D488A6A73E1FFA8318F10065DA05AD72A6DB34DA45CB82

Function 000002B38D0A060C Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D0A062D

Part of subcall function 000002B38D098BAC: _lock.LIBCMT ref: 000002B38D098BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D0A0652
messages.LIBCPMT ref: 000002B38D0A06D5
std::bad_exception::bad_exception.LIBCMT ref: 000002B38D0A06EC
_CxxThrowException.LIBCMT ref: 000002B38D0A06FD
std::_Facet_Register.LIBCPMT ref: 000002B38D0A071B

Memory Dump Source

Source File: 00000003.00000002.2112900009.000002B38D090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B38D090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b38d090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID:
API String ID: 620047600-0
Opcode ID: a32bcdbd7a4cb4dfc0fa6fcbf62aecbf5d9f3b997f2cf0a477f8f907014e1f81
Instruction ID: 2bae33cfe08339f8ccaddb533a3f638e1a90a3bc8e373b03ad1e808345f3606d
Opcode Fuzzy Hash: a32bcdbd7a4cb4dfc0fa6fcbf62aecbf5d9f3b997f2cf0a477f8f907014e1f81
Instruction Fuzzy Hash: A84153B1518E1C4FE755EF18D499AAA77D1FFA8314F30061EB056C32A6DB30D945CB82

Function 000002B38D098E44 Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D098E65

Part of subcall function 000002B38D098BAC: _lock.LIBCMT ref: 000002B38D098BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D098E8A
messages.LIBCPMT ref: 000002B38D098F0D
std::bad_exception::bad_exception.LIBCMT ref: 000002B38D098F24
_CxxThrowException.LIBCMT ref: 000002B38D098F35
std::_Facet_Register.LIBCPMT ref: 000002B38D098F53

Memory Dump Source

Source File: 00000003.00000002.2112900009.000002B38D090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B38D090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b38d090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID:
API String ID: 620047600-0
Opcode ID: 4ced370cee893604592898b3239523f5f93543cc81e6483edbf32b837da03206
Instruction ID: 8de8d54b93c0220992a22fed352b1478703a7ef6fb2a125f40ea02b7762e8fbf
Opcode Fuzzy Hash: 4ced370cee893604592898b3239523f5f93543cc81e6483edbf32b837da03206
Instruction Fuzzy Hash: 2E4161B1118E0C9FE759EB18D49866677E1FF64320F10462EB056D33A6DB30DE45D782

Function 000002B38D09FC8C Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D09FCAD

Part of subcall function 000002B38D098BAC: _lock.LIBCMT ref: 000002B38D098BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D09FCD2
messages.LIBCPMT ref: 000002B38D09FD55
std::bad_exception::bad_exception.LIBCMT ref: 000002B38D09FD6C
_CxxThrowException.LIBCMT ref: 000002B38D09FD7D
std::_Facet_Register.LIBCPMT ref: 000002B38D09FD9B

Memory Dump Source

Source File: 00000003.00000002.2112900009.000002B38D090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B38D090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b38d090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID:
API String ID: 620047600-0
Opcode ID: 233253f149e279e38e89f3a7e76266979d4b0c745f74142b2642ab861ab978b6
Instruction ID: 4bf917f7e25243790b1122b5edee36b52c2eeb9cf71e9f4d6075de69ef339709
Opcode Fuzzy Hash: 233253f149e279e38e89f3a7e76266979d4b0c745f74142b2642ab861ab978b6
Instruction Fuzzy Hash: 824171B1619A0D5FE755EB28D4886AA77E2FF68310F10065EB057C32A2DF30DA05CB86

Function 000002B38D0B4C88 Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D0B4CA9

Part of subcall function 000002B38D098BAC: _lock.LIBCMT ref: 000002B38D098BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D0B4CCE
messages.LIBCPMT ref: 000002B38D0B4D51
std::bad_exception::bad_exception.LIBCMT ref: 000002B38D0B4D68
_CxxThrowException.LIBCMT ref: 000002B38D0B4D79
std::_Facet_Register.LIBCPMT ref: 000002B38D0B4D97

Memory Dump Source

Source File: 00000003.00000002.2112900009.000002B38D090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B38D090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b38d090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID:
API String ID: 620047600-0
Opcode ID: 33120029e13e597c9436f25d0a0d0519267f463dbb34c2f4dbf7f077c465b499
Instruction ID: 8033a558304e9182bc686ca6a8e19f83c106d46dc9bd8328a452dbb7e3e5c307
Opcode Fuzzy Hash: 33120029e13e597c9436f25d0a0d0519267f463dbb34c2f4dbf7f077c465b499
Instruction Fuzzy Hash: 7F4152B1A0CE0C4FE755EF18D488AA673E1FF68318F10055EA05AD72A2DB34DA45CB82

Function 000002B38D0A04DC Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D0A04FD

Part of subcall function 000002B38D098BAC: _lock.LIBCMT ref: 000002B38D098BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D0A0522
messages.LIBCPMT ref: 000002B38D0A05A5
std::bad_exception::bad_exception.LIBCMT ref: 000002B38D0A05BC
_CxxThrowException.LIBCMT ref: 000002B38D0A05CD
std::_Facet_Register.LIBCPMT ref: 000002B38D0A05EB

Memory Dump Source

Source File: 00000003.00000002.2112900009.000002B38D090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B38D090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b38d090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID:
API String ID: 620047600-0
Opcode ID: abaa451bbf9128479b128ef22488faa88a4a7ca70dc8d8c9ec040cfc4538b7c0
Instruction ID: 846bb9004e0716ff0cc3af011de23cc298d456fd03edb65ab450be81952fe6f4
Opcode Fuzzy Hash: abaa451bbf9128479b128ef22488faa88a4a7ca70dc8d8c9ec040cfc4538b7c0
Instruction Fuzzy Hash: 054188B1518E0C8FE755EF28D498A6777E1FF58310F60056EB056C32A6DB70DA45CB82

Function 000002B38D098F74 Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D098F95

Part of subcall function 000002B38D098BAC: _lock.LIBCMT ref: 000002B38D098BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D098FBA
ctype.LIBCPMT ref: 000002B38D09903D
std::bad_exception::bad_exception.LIBCMT ref: 000002B38D099054
_CxxThrowException.LIBCMT ref: 000002B38D099065
std::_Facet_Register.LIBCPMT ref: 000002B38D099083

Memory Dump Source

Source File: 00000003.00000002.2112900009.000002B38D090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B38D090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b38d090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockctypestd::bad_exception::bad_exception
String ID:
API String ID: 3320480354-0
Opcode ID: ac8da4e68497b6e33ad6b294c9a5cc016db34243099c128dedc5113e624588cf
Instruction ID: 88607b768e03709caf83e0d16a88a83b4f00bbb8b2101a5f85a78e2243b92d22
Opcode Fuzzy Hash: ac8da4e68497b6e33ad6b294c9a5cc016db34243099c128dedc5113e624588cf
Instruction Fuzzy Hash: 324183B1508E0C5FE755EB59D488A6A73E1FF94310F10465EA167C32A6DF30D945CB82

Function 000002B38D09F7CC Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D09F7ED

Part of subcall function 000002B38D098BAC: _lock.LIBCMT ref: 000002B38D098BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D09F812
ctype.LIBCPMT ref: 000002B38D09F895
std::bad_exception::bad_exception.LIBCMT ref: 000002B38D09F8AC
_CxxThrowException.LIBCMT ref: 000002B38D09F8BD
std::_Facet_Register.LIBCPMT ref: 000002B38D09F8DB

Memory Dump Source

Source File: 00000003.00000002.2112900009.000002B38D090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B38D090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b38d090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockctypestd::bad_exception::bad_exception
String ID:
API String ID: 3320480354-0
Opcode ID: 9acc7d8935e0b6991aa026bbf44fd62e2f07b53be7d58e42d1e7b8c701af2e2c
Instruction ID: 7621c400c188843cef6dbd341ea486cf08c7e22a92fcf19cd21d73aef35d074b
Opcode Fuzzy Hash: 9acc7d8935e0b6991aa026bbf44fd62e2f07b53be7d58e42d1e7b8c701af2e2c
Instruction Fuzzy Hash: C34151B1258E0D5FE795EB28D488AAB77E1FF68310F50065EB056C32A2DF30D905DB82

Function 000002B38D0A001C Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D0A003D

Part of subcall function 000002B38D098BAC: _lock.LIBCMT ref: 000002B38D098BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D0A0062
moneypunct.LIBCPMT ref: 000002B38D0A00E5
std::bad_exception::bad_exception.LIBCMT ref: 000002B38D0A00FC
_CxxThrowException.LIBCMT ref: 000002B38D0A010D
std::_Facet_Register.LIBCPMT ref: 000002B38D0A012B

Memory Dump Source

Source File: 00000003.00000002.2112900009.000002B38D090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B38D090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b38d090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmoneypunctstd::bad_exception::bad_exception
String ID:
API String ID: 3809448442-0
Opcode ID: be434e7532a21790c41d01ca9e6344b4bc2dcf28563e8adecb1c6891a9f02ef6
Instruction ID: 247261b16e8abb8df2ffcf3d63c74c21314e03c379c8cf1becfd73e599249eb9
Opcode Fuzzy Hash: be434e7532a21790c41d01ca9e6344b4bc2dcf28563e8adecb1c6891a9f02ef6
Instruction Fuzzy Hash: F94186B1208E1D4FE755EB18D498EAA77E0FF58310F60062EB056C32A6DB30DA45C782

Function 000002B38D09F69C Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D09F6BD

Part of subcall function 000002B38D098BAC: _lock.LIBCMT ref: 000002B38D098BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D09F6E2
collate.LIBCPMT ref: 000002B38D09F765
std::bad_exception::bad_exception.LIBCMT ref: 000002B38D09F77C
_CxxThrowException.LIBCMT ref: 000002B38D09F78D
std::_Facet_Register.LIBCPMT ref: 000002B38D09F7AB

Memory Dump Source

Source File: 00000003.00000002.2112900009.000002B38D090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B38D090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b38d090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockcollatestd::bad_exception::bad_exception
String ID:
API String ID: 3240839640-0
Opcode ID: 3a4a181e59c721172dc463b7b24d81f07618d15fcfc0d0b84ccd0b258a6af7c2
Instruction ID: c572097ec8d8f260c2d3abb35e9477363bc2c4d90e68a10fa5ce511fb7af581b
Opcode Fuzzy Hash: 3a4a181e59c721172dc463b7b24d81f07618d15fcfc0d0b84ccd0b258a6af7c2
Instruction Fuzzy Hash: AE4151B1618A0D5FE755EB28D4886A677E1FF68310F50066EB05AC32A6DF30D945CB82

Function 000002B38D09FEEC Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D09FF0D

Part of subcall function 000002B38D098BAC: _lock.LIBCMT ref: 000002B38D098BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D09FF32
messages.LIBCPMT ref: 000002B38D09FFB5
std::bad_exception::bad_exception.LIBCMT ref: 000002B38D09FFCC
_CxxThrowException.LIBCMT ref: 000002B38D09FFDD
std::_Facet_Register.LIBCPMT ref: 000002B38D09FFFB

Memory Dump Source

Source File: 00000003.00000002.2112900009.000002B38D090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B38D090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b38d090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID:
API String ID: 620047600-0
Opcode ID: 2b7e21ad93b706ad8219d7ae988ec98a48c25e03c0470851d55ba27f21d26565
Instruction ID: 2670ca53aad618263fb438bc1ec316399522a2c51de032e9204b706af56c7f96
Opcode Fuzzy Hash: 2b7e21ad93b706ad8219d7ae988ec98a48c25e03c0470851d55ba27f21d26565
Instruction Fuzzy Hash: 974174B1218A1D5FE755EF19D498AAA77E0FF68310F60066EB016C32A6DF30DA45C782

Function 000002B38D0B4EE8 Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D0B4F09

Part of subcall function 000002B38D098BAC: _lock.LIBCMT ref: 000002B38D098BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D0B4F2E
moneypunct.LIBCPMT ref: 000002B38D0B4FB1
std::bad_exception::bad_exception.LIBCMT ref: 000002B38D0B4FC8
_CxxThrowException.LIBCMT ref: 000002B38D0B4FD9
std::_Facet_Register.LIBCPMT ref: 000002B38D0B4FF7

Memory Dump Source

Source File: 00000003.00000002.2112900009.000002B38D090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B38D090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b38d090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmoneypunctstd::bad_exception::bad_exception
String ID:
API String ID: 3809448442-0
Opcode ID: 8e53daf0cf3eb3dc316871336ff6c7f8367102b00b81160cfd78f9b718d2d828
Instruction ID: da27adea1d9872577b941a1285d6949f92a7a1bdfa46f8a6dfb7c4e184caa460
Opcode Fuzzy Hash: 8e53daf0cf3eb3dc316871336ff6c7f8367102b00b81160cfd78f9b718d2d828
Instruction Fuzzy Hash: 6241B37150CE0D8FE755EB19D488A6677E1FF68318F10066DB05AD72A2CB34EA85CB82

Function 000002B38D0A073C Relevance: 9.1, APIs: 6, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D0A075D

Part of subcall function 000002B38D098BAC: _lock.LIBCMT ref: 000002B38D098BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D0A0782
messages.LIBCPMT ref: 000002B38D0A0805
std::bad_exception::bad_exception.LIBCMT ref: 000002B38D0A081C
_CxxThrowException.LIBCMT ref: 000002B38D0A082D
std::_Facet_Register.LIBCPMT ref: 000002B38D0A084B

Memory Dump Source

Source File: 00000003.00000002.2112900009.000002B38D090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B38D090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b38d090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockmessagesstd::bad_exception::bad_exception
String ID:
API String ID: 620047600-0
Opcode ID: 7cc497a77380ee9ed3c2c928d128c4cad0fcd30d51c5d3f05070fedc9749b0bd
Instruction ID: 0320588c2b5dde858db58660abfb47cf51ff06ab655074a2ddec2b5233d70d6f
Opcode Fuzzy Hash: 7cc497a77380ee9ed3c2c928d128c4cad0fcd30d51c5d3f05070fedc9749b0bd
Instruction Fuzzy Hash: 714162B1519E0D8FE755EF18D898A6A73E1FF68310F30065EB056C72A6DB30DA45CB82

Function 00007FFDFB6FD77C Relevance: 9.1, APIs: 6, Instructions: 103threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FFDFB6FD7A9
GetCurrentThreadId.KERNEL32 ref: 00007FFDFB6FD7C4
GetCurrentThreadId.KERNEL32 ref: 00007FFDFB6FD7DA
GetCurrentThreadId.KERNEL32 ref: 00007FFDFB6FD831
GetCurrentThreadId.KERNEL32 ref: 00007FFDFB6FD863
GetCurrentThreadId.KERNEL32 ref: 00007FFDFB6FD8BC

Memory Dump Source

Source File: 00000003.00000002.2113809198.00007FFDFB55C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB4C0000, based on PE: true

Associated: 00000003.00000002.2113790917.00007FFDFB4C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB4C1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB500000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB705000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB710000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114128379.00007FFDFB7B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114145066.00007FFDFB7B7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114160649.00007FFDFB7B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114178245.00007FFDFB7B9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114238689.00007FFDFB7FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdfb4c0000_rundll32.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: a6c294782ecb49a4f98d512ccf521d9b166f33ffd94ec85b9b506cbbeadca105
Instruction ID: cb18b386dd3999e78d9d57854ee270fb3ea8ce28837863d337b9de5ea8a5293a
Opcode Fuzzy Hash: a6c294782ecb49a4f98d512ccf521d9b166f33ffd94ec85b9b506cbbeadca105
Instruction Fuzzy Hash: 01410F31B0A68786EB609F19E460A797BA0EB44B54F104035CA7E467F8EF3DF884C784

Function 00007FFDFB4D3240 Relevance: 9.1, APIs: 6, Instructions: 96COMMON

Download Yara Rule

APIs

GetModuleHandleExA.KERNEL32 ref: 00007FFDFB54183B
CreateSemaphoreA.KERNEL32 ref: 00007FFDFB541856
CreateSemaphoreA.KERNEL32 ref: 00007FFDFB541875

Part of subcall function 00007FFDFB4C8ED0: ReleaseSemaphore.KERNEL32 ref: 00007FFDFB53FF76

FreeLibrary.KERNEL32 ref: 00007FFDFB5418D5
CloseHandle.KERNEL32 ref: 00007FFDFB5418E3
CloseHandle.KERNEL32 ref: 00007FFDFB5418F1

Memory Dump Source

Source File: 00000003.00000002.2113809198.00007FFDFB4C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB4C0000, based on PE: true

Associated: 00000003.00000002.2113790917.00007FFDFB4C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB500000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB55C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB705000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB710000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114128379.00007FFDFB7B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114145066.00007FFDFB7B7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114160649.00007FFDFB7B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114178245.00007FFDFB7B9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114238689.00007FFDFB7FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdfb4c0000_rundll32.jbxd

Similarity

API ID: HandleSemaphore$CloseCreate$FreeLibraryModuleRelease
String ID:
API String ID: 2305605725-0
Opcode ID: 2d879112fbd9533a903f1173ef03b82438ed6fbc637b852d21d6883aba767204
Instruction ID: e514fe8c001823510a1932363da73c3845de1c4ccb6b3afe92352c3147544388
Opcode Fuzzy Hash: 2d879112fbd9533a903f1173ef03b82438ed6fbc637b852d21d6883aba767204
Instruction Fuzzy Hash: 3C416F32B0AB4381EB959F61A460A6937A4FF44F58B144138DE6D433E9EF7CE554C384

Function 00007FFDFB4C3D70 Relevance: 9.1, APIs: 6, Instructions: 66processCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FFDFB5E367A
LocalFree.KERNEL32 ref: 00007FFDFB5E36BA
LocalFree.KERNEL32 ref: 00007FFDFB5E36C3

Part of subcall function 00007FFDFB5DE1F0: LocalAlloc.KERNEL32 ref: 00007FFDFB5DE228

LocalFree.KERNEL32 ref: 00007FFDFB5E36CD
LocalFree.KERNEL32 ref: 00007FFDFB5E36D6
CreateProcessA.KERNEL32 ref: 00007FFDFB5E3732

Memory Dump Source

Source File: 00000003.00000002.2113809198.00007FFDFB4C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB4C0000, based on PE: true

Associated: 00000003.00000002.2113790917.00007FFDFB4C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB500000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB55C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB705000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB710000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114128379.00007FFDFB7B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114145066.00007FFDFB7B7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114160649.00007FFDFB7B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114178245.00007FFDFB7B9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114238689.00007FFDFB7FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdfb4c0000_rundll32.jbxd

Similarity

API ID: Local$Free$AllocCreateErrorLastProcess
String ID:
API String ID: 1969510515-0
Opcode ID: 12740f08b17e158aafcf8b993e97012b1c5048d0ee68dbad3ebb90abe51118b6
Instruction ID: 6188a18a35cc88c81f80e43fc1dbdf09c3fcb3c48d0ea9edf43280603768ca8b
Opcode Fuzzy Hash: 12740f08b17e158aafcf8b993e97012b1c5048d0ee68dbad3ebb90abe51118b6
Instruction Fuzzy Hash: 97212D36B0AB8286DB619F26A85066AB7A0BB89BD0F144134DE9D47B79DF3CD0418B44

Function 00007FFDFB4D5E50 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FFDFB5E6711
SetLastError.KERNEL32 ref: 00007FFDFB5E6721
GetProcAddress.KERNEL32 ref: 00007FFDFB5E6784

Strings

Shell32.dll, xrefs: 00007FFDFB5E6756
ShellExecuteExW, xrefs: 00007FFDFB5E677A

Memory Dump Source

Source File: 00000003.00000002.2113809198.00007FFDFB4C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB4C0000, based on PE: true

Associated: 00000003.00000002.2113790917.00007FFDFB4C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB500000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB55C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB705000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB710000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114128379.00007FFDFB7B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114145066.00007FFDFB7B7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114160649.00007FFDFB7B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114178245.00007FFDFB7B9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114238689.00007FFDFB7FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdfb4c0000_rundll32.jbxd

Similarity

API ID: ErrorLast$AddressProc
String ID: Shell32.dll$ShellExecuteExW
API String ID: 1975335638-1867648532
Opcode ID: fb2c20d02fc5ce01f6fbea5abba0739a854b0586ab376f0aa36309c75b8c1e82
Instruction ID: 6d2e54f7254a9f8cc2e09655b689767813a78ae1da1f8e42e904441d37d58b60
Opcode Fuzzy Hash: fb2c20d02fc5ce01f6fbea5abba0739a854b0586ab376f0aa36309c75b8c1e82
Instruction Fuzzy Hash: 6D112E61B0BB4341FF59CB25AD60A352691AF48BC4F589034D96D477FEEE2CE8408744

Function 00007FFDFB4C1230 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 35COMMON

Download Yara Rule

APIs

CoTaskMemFree.OLE32 ref: 00007FFDFB5EE347

Strings

NGXGetPath, xrefs: 00007FFDFB5EE361
\NVIDIA\NGX\models\, xrefs: 00007FFDFB5EE32E
error: NGXGetPath failed to obtain path to models, xrefs: 00007FFDFB5EE355
C:\dvs\p4\build\sw\devrel\libdev\NGX\core\r1.2\source\api\nvsdk_ngx_common.cpp, xrefs: 00007FFDFB5EE368

Memory Dump Source

Source File: 00000003.00000002.2113809198.00007FFDFB4C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB4C0000, based on PE: true

Associated: 00000003.00000002.2113790917.00007FFDFB4C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB500000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB55C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB705000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB710000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114128379.00007FFDFB7B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114145066.00007FFDFB7B7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114160649.00007FFDFB7B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114178245.00007FFDFB7B9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114238689.00007FFDFB7FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdfb4c0000_rundll32.jbxd

Similarity

API ID: FreeTask
String ID: C:\dvs\p4\build\sw\devrel\libdev\NGX\core\r1.2\source\api\nvsdk_ngx_common.cpp$NGXGetPath$\NVIDIA\NGX\models\$error: NGXGetPath failed to obtain path to models
API String ID: 734271698-558388089
Opcode ID: cf7afd06313f23bc2d3ce6267aed7f858da56ded38a386cad9cd68212315a593
Instruction ID: 32c9e9250f37b79dcdfb9c21695d0ce2af26ec56ae72d5c7d95ee990bc061ea8
Opcode Fuzzy Hash: cf7afd06313f23bc2d3ce6267aed7f858da56ded38a386cad9cd68212315a593
Instruction Fuzzy Hash: 32018465B1A78791E700DB11A860AF52710EF89380F981031E96E4A7F9CE3CE185C740

Function 000002B38D0B5148 Relevance: 7.6, APIs: 5, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D0B5169

Part of subcall function 000002B38D098BAC: _lock.LIBCMT ref: 000002B38D098BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D0B518E
std::bad_exception::bad_exception.LIBCMT ref: 000002B38D0B5228
_CxxThrowException.LIBCMT ref: 000002B38D0B5239
std::_Facet_Register.LIBCPMT ref: 000002B38D0B5257

Memory Dump Source

Source File: 00000003.00000002.2112900009.000002B38D090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B38D090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b38d090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockstd::bad_exception::bad_exception
String ID:
API String ID: 1776536810-0
Opcode ID: 974ede7f30293504cfca69c6e9eedf048e91d7ff5cdced49d59fdf073cd3f58c
Instruction ID: 93c954ba08c7c1343bcb46bc3705e1202fdf4bb2c9de104c0edd13d0c8f5e97f
Opcode Fuzzy Hash: 974ede7f30293504cfca69c6e9eedf048e91d7ff5cdced49d59fdf073cd3f58c
Instruction Fuzzy Hash: 644162B150DE0C8FF755EB18D48CA6A73E1FF68314F100A6DA05AD32A2DB34DA45CB82

Function 000002B38D0A0BFC Relevance: 7.6, APIs: 5, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D0A0C1D

Part of subcall function 000002B38D098BAC: _lock.LIBCMT ref: 000002B38D098BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D0A0C42
std::bad_exception::bad_exception.LIBCMT ref: 000002B38D0A0CDC
_CxxThrowException.LIBCMT ref: 000002B38D0A0CED
std::_Facet_Register.LIBCPMT ref: 000002B38D0A0D0B

Memory Dump Source

Source File: 00000003.00000002.2112900009.000002B38D090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B38D090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b38d090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockstd::bad_exception::bad_exception
String ID:
API String ID: 1776536810-0
Opcode ID: e1f4d6eaef8a7574c47d1234b56451b731f0bac4a986ee248217b9bbbeb82756
Instruction ID: bb2c0b9e1dc62a3c6dac08cd307f5550edce1f7b8c7f2571ee4c1e7bd51b2221
Opcode Fuzzy Hash: e1f4d6eaef8a7574c47d1234b56451b731f0bac4a986ee248217b9bbbeb82756
Instruction Fuzzy Hash: 3A4153B1518E0C8FE755EB18D898A6673E1FF54310F31065EB056C32A6DB30EA45CB82

Function 000002B38D0A0D2C Relevance: 7.6, APIs: 5, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D0A0D4D

Part of subcall function 000002B38D098BAC: _lock.LIBCMT ref: 000002B38D098BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D0A0D72
std::bad_exception::bad_exception.LIBCMT ref: 000002B38D0A0E0C
_CxxThrowException.LIBCMT ref: 000002B38D0A0E1D
std::_Facet_Register.LIBCPMT ref: 000002B38D0A0E3B

Memory Dump Source

Source File: 00000003.00000002.2112900009.000002B38D090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B38D090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b38d090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockstd::bad_exception::bad_exception
String ID:
API String ID: 1776536810-0
Opcode ID: 8fdf513530068a902d25d78bae91176465b11ab45bf8a46f09239c48ad2af317
Instruction ID: a49ecc555e9ce4aafbab7b4e4994be40eb7c52659375caac7c3bc6cd2f62abb2
Opcode Fuzzy Hash: 8fdf513530068a902d25d78bae91176465b11ab45bf8a46f09239c48ad2af317
Instruction Fuzzy Hash: BE4153B1518E0D8FE755EB18D498BA677E1FF58310F30065EB056D32A6DB30EA45CB82

Function 000002B38D0A0F8C Relevance: 7.6, APIs: 5, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D0A0FAD

Part of subcall function 000002B38D098BAC: _lock.LIBCMT ref: 000002B38D098BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D0A0FD2
std::bad_exception::bad_exception.LIBCMT ref: 000002B38D0A106C
_CxxThrowException.LIBCMT ref: 000002B38D0A107D
std::_Facet_Register.LIBCPMT ref: 000002B38D0A109B

Memory Dump Source

Source File: 00000003.00000002.2112900009.000002B38D090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B38D090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b38d090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockstd::bad_exception::bad_exception
String ID:
API String ID: 1776536810-0
Opcode ID: 754921af7cdef96820ff9b3d4eef77f5c75193bf26e44bc3b8e02521ab34382a
Instruction ID: 74c997e6623c803303eb9e01c13f837f449c4024b5847add6ebdbbe515a15dbd
Opcode Fuzzy Hash: 754921af7cdef96820ff9b3d4eef77f5c75193bf26e44bc3b8e02521ab34382a
Instruction Fuzzy Hash: B64177B1518E5C8FE755EB18D488E5A77E0FF68311F20061EB056C72A6DB70DA45CB82

Function 000002B38D0B5018 Relevance: 7.6, APIs: 5, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D0B5039

Part of subcall function 000002B38D098BAC: _lock.LIBCMT ref: 000002B38D098BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D0B505E
std::bad_exception::bad_exception.LIBCMT ref: 000002B38D0B50F8
_CxxThrowException.LIBCMT ref: 000002B38D0B5109
std::_Facet_Register.LIBCPMT ref: 000002B38D0B5127

Memory Dump Source

Source File: 00000003.00000002.2112900009.000002B38D090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B38D090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b38d090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockstd::bad_exception::bad_exception
String ID:
API String ID: 1776536810-0
Opcode ID: 92af57e8867080ea5019b2b12003b9e7e07e7fa36929844691497215ad5e35da
Instruction ID: df36782798a608a9c6567f208e90f1df8a5936f457392b3c01cf11c1d114f59a
Opcode Fuzzy Hash: 92af57e8867080ea5019b2b12003b9e7e07e7fa36929844691497215ad5e35da
Instruction Fuzzy Hash: 034181B1518E0C4FF755EB28D488AAA73E1FF68314F10065DA09AD32A6DB34D945CB82

Function 000002B38D0A0E5C Relevance: 7.6, APIs: 5, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D0A0E7D

Part of subcall function 000002B38D098BAC: _lock.LIBCMT ref: 000002B38D098BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D0A0EA2
std::bad_exception::bad_exception.LIBCMT ref: 000002B38D0A0F3C
_CxxThrowException.LIBCMT ref: 000002B38D0A0F4D
std::_Facet_Register.LIBCPMT ref: 000002B38D0A0F6B

Memory Dump Source

Source File: 00000003.00000002.2112900009.000002B38D090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B38D090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b38d090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockstd::bad_exception::bad_exception
String ID:
API String ID: 1776536810-0
Opcode ID: f2baaf6b52b28d77f9878d948b49f01641329e4817bae3496f349ebe052f967c
Instruction ID: 046da5f43804c13010b4a139f2fc27f8f79d6c581247dbb527625a3298c25bca
Opcode Fuzzy Hash: f2baaf6b52b28d77f9878d948b49f01641329e4817bae3496f349ebe052f967c
Instruction Fuzzy Hash: 6B4164B1108E0D8FE755EF19D498A6A77E0FF58310F20465EB156D32A6DB30DE45CB82

Function 000002B38D098154 Relevance: 7.6, APIs: 5, Instructions: 125COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D098175

Part of subcall function 000002B38D098BAC: _lock.LIBCMT ref: 000002B38D098BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D09819A
std::bad_exception::bad_exception.LIBCMT ref: 000002B38D098235
_CxxThrowException.LIBCMT ref: 000002B38D098246
std::_Facet_Register.LIBCPMT ref: 000002B38D098264

Memory Dump Source

Source File: 00000003.00000002.2112900009.000002B38D090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B38D090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b38d090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockstd::bad_exception::bad_exception
String ID:
API String ID: 1776536810-0
Opcode ID: 92015b14bd73c83c1c959776a5be445e619632d57b53d4474fcc8a1895014d5d
Instruction ID: 2428e8d1dd5b84cdeacdfe37d3e313973b3358742d1c46144b71739eb725e693
Opcode Fuzzy Hash: 92015b14bd73c83c1c959776a5be445e619632d57b53d4474fcc8a1895014d5d
Instruction Fuzzy Hash: 83413FB1518E0C9FE755EB28D49869677E1FF69320F10056EA05BC32A2DB30DA05DB82

Function 000002B38D097914 Relevance: 7.6, APIs: 5, Instructions: 125COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D097935

Part of subcall function 000002B38D098BAC: _lock.LIBCMT ref: 000002B38D098BBE

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D09795A
std::bad_exception::bad_exception.LIBCMT ref: 000002B38D0979F5
_CxxThrowException.LIBCMT ref: 000002B38D097A06
std::_Facet_Register.LIBCPMT ref: 000002B38D097A24

Memory Dump Source

Source File: 00000003.00000002.2112900009.000002B38D090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B38D090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b38d090000_rundll32.jbxd

Similarity

API ID: std::_$LockitLockit::_$ExceptionFacet_RegisterThrow_lockstd::bad_exception::bad_exception
String ID:
API String ID: 1776536810-0
Opcode ID: 91580c9e29cc5cfd3624ebbbe716160b4e59b82f650692f386e3f440ca4f80b6
Instruction ID: f74c89ccd1b03d808990a9234d48a4660fd548ade30d6b43d03f9682413022cf
Opcode Fuzzy Hash: 91580c9e29cc5cfd3624ebbbe716160b4e59b82f650692f386e3f440ca4f80b6
Instruction Fuzzy Hash: A54141B1218E1C5FE755EF28D48979677D1FFA8310F10055EA057C32A2DB70DA46CB82

Function 00007FFDFB4D50C0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32 ref: 00007FFDFB593EC7
SetRectEmpty.USER32 ref: 00007FFDFB593EEF

Strings

%s - Cannot allocate CNvMediaStream object, xrefs: 00007FFDFB593FC4
CNvMediaStream::createInstance, xrefs: 00007FFDFB593FBD

Memory Dump Source

Source File: 00000003.00000002.2113809198.00007FFDFB4C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB4C0000, based on PE: true

Associated: 00000003.00000002.2113790917.00007FFDFB4C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB500000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB55C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB705000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB710000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114128379.00007FFDFB7B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114145066.00007FFDFB7B7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114160649.00007FFDFB7B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114178245.00007FFDFB7B9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114238689.00007FFDFB7FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdfb4c0000_rundll32.jbxd

Similarity

API ID: EmptyRect
String ID: %s - Cannot allocate CNvMediaStream object$CNvMediaStream::createInstance
API String ID: 2270935405-2132362898
Opcode ID: 1909a5ec3928abb6569e16f3c136be8b54ff892250961ddcd135eeaa0d9569e6
Instruction ID: 3efe134db0b3cb4441e6408f1abac9a500bb14e4be6d9f33930c8f93a7052a07
Opcode Fuzzy Hash: 1909a5ec3928abb6569e16f3c136be8b54ff892250961ddcd135eeaa0d9569e6
Instruction Fuzzy Hash: F3514D32B09B8281E7018F25E9505A9B3B4FF88B98F488135DEAD4B7ADEF3CD5558710

Function 00007FFDFB4C1B00 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FFDFB5E3982

Part of subcall function 00007FFDFB5E2840: SetLastError.KERNEL32 ref: 00007FFDFB5E2861
Part of subcall function 00007FFDFB5E2840: LocalAlloc.KERNEL32 ref: 00007FFDFB5E289B
Part of subcall function 00007FFDFB5E2840: LocalFree.KERNEL32 ref: 00007FFDFB5E28E1
Part of subcall function 00007FFDFB5E2840: SetLastError.KERNEL32 ref: 00007FFDFB5E28EC

GetProcAddress.KERNEL32 ref: 00007FFDFB5E39E3

Part of subcall function 00007FFDFB5E1A50: VerSetConditionMask.KERNEL32 ref: 00007FFDFB5E1A9C
Part of subcall function 00007FFDFB5E1A50: VerifyVersionInfoW.KERNEL32 ref: 00007FFDFB5E1AC7

Strings

Advapi32.dll, xrefs: 00007FFDFB5E39B1
CreateProcessAsUserW, xrefs: 00007FFDFB5E39D9

Memory Dump Source

Source File: 00000003.00000002.2113809198.00007FFDFB4C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB4C0000, based on PE: true

Associated: 00000003.00000002.2113790917.00007FFDFB4C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB500000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB55C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB705000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB710000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114128379.00007FFDFB7B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114145066.00007FFDFB7B7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114160649.00007FFDFB7B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114178245.00007FFDFB7B9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114238689.00007FFDFB7FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdfb4c0000_rundll32.jbxd

Similarity

API ID: ErrorLast$Local$AddressAllocConditionFreeInfoMaskProcVerifyVersion
String ID: Advapi32.dll$CreateProcessAsUserW
API String ID: 1335820174-1007808920
Opcode ID: 9313167633e3093886861a610880a2977e5a3e8435188262efbfc91fb09343e7
Instruction ID: 8b5d58a9698f7d38072923acf65c166b86be5598132e74958ea730b16aa59864
Opcode Fuzzy Hash: 9313167633e3093886861a610880a2977e5a3e8435188262efbfc91fb09343e7
Instruction Fuzzy Hash: 1F31EF2570EB8285EB61CB15F86067A77A4FB88B80F544135EA9D83BBDDF3CE5508B00

Function 00007FFDFB4C7E80 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00007FFDFB6DF9D0
try_get_function.LIBVCRUNTIME ref: 00007FFDFB6DFA0A

Strings

GetActiveWindow, xrefs: 00007FFDFB6DF9C9
GetLastActivePopup, xrefs: 00007FFDFB6DFA03

Memory Dump Source

Source File: 00000003.00000002.2113809198.00007FFDFB4C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB4C0000, based on PE: true

Associated: 00000003.00000002.2113790917.00007FFDFB4C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB500000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB55C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB705000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB710000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114128379.00007FFDFB7B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114145066.00007FFDFB7B7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114160649.00007FFDFB7B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114178245.00007FFDFB7B9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114238689.00007FFDFB7FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdfb4c0000_rundll32.jbxd

Similarity

API ID: try_get_function
String ID: GetActiveWindow$GetLastActivePopup
API String ID: 2742660187-3742175580
Opcode ID: 30162a81ab991935d28d0d1c821ab97a2df501696bf24f83211b68c12433b53e
Instruction ID: ab1e6c6593e8ea4e1832c24994703c7299df8d2b1a054712ad048795f17bc176
Opcode Fuzzy Hash: 30162a81ab991935d28d0d1c821ab97a2df501696bf24f83211b68c12433b53e
Instruction Fuzzy Hash: 72F03C51F0BB8B91FF148B50A870AB02251AF0C350F481432CD3C0E2F9EF2CB985D294

Function 00007FFDFB4C9D50 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31COMMON

Download Yara Rule

APIs

SHCreateDirectoryExW.SHELL32 ref: 00007FFDFB5EDE55

Strings

NGXCreateDirectoryRecursively, xrefs: 00007FFDFB5EDE73
failed to create directory %S - error %d, xrefs: 00007FFDFB5EDE6C
C:\dvs\p4\build\sw\devrel\libdev\NGX\core\r1.2\source\api\nvsdk_ngx_common.cpp, xrefs: 00007FFDFB5EDE84

Memory Dump Source

Source File: 00000003.00000002.2113809198.00007FFDFB4C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB4C0000, based on PE: true

Associated: 00000003.00000002.2113790917.00007FFDFB4C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB500000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB55C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB705000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB710000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114128379.00007FFDFB7B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114145066.00007FFDFB7B7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114160649.00007FFDFB7B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114178245.00007FFDFB7B9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114238689.00007FFDFB7FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdfb4c0000_rundll32.jbxd

Similarity

API ID: CreateDirectory
String ID: C:\dvs\p4\build\sw\devrel\libdev\NGX\core\r1.2\source\api\nvsdk_ngx_common.cpp$NGXCreateDirectoryRecursively$failed to create directory %S - error %d
API String ID: 4241100979-1361627980
Opcode ID: 7c024f1bb6d74ec21c2d2f033cf2bf4cf5f2d7814f91e9676ac46fc94289f014
Instruction ID: cf543852837c567dbf9e83a5a417a75ea78cbc3d6e0cab359acf4b53932781a0
Opcode Fuzzy Hash: 7c024f1bb6d74ec21c2d2f033cf2bf4cf5f2d7814f91e9676ac46fc94289f014
Instruction Fuzzy Hash: 4EF09622B1D68382EB158B18F56457A73A0EB58384F584532DA6C87BFDDE3CD8848744

Function 000002B38D0994F8 Relevance: 6.5, APIs: 4, Instructions: 479stringCOMMON

Download Yara Rule

APIs

strcspn.LIBCMT ref: 000002B38D0995A0
localeconv.LIBCMT ref: 000002B38D0995B3
strcspn.LIBCMT ref: 000002B38D0995C9
_Mpunct.LIBCPMT ref: 000002B38D09969B

Memory Dump Source

Source File: 00000003.00000002.2112900009.000002B38D090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B38D090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b38d090000_rundll32.jbxd

Similarity

API ID: strcspn$Mpunctlocaleconv
String ID:
API String ID: 2882554788-0
Opcode ID: bcc6cb22bcc6662c5148917bc3b0070cd7f36023e4dfb007b0116752ec6da29b
Instruction ID: 7fabbec255059218ad0b1574d74c2511a2f8c39e8b2fb1bc1183e4e7d78ca982
Opcode Fuzzy Hash: bcc6cb22bcc6662c5148917bc3b0070cd7f36023e4dfb007b0116752ec6da29b
Instruction Fuzzy Hash: 04F1BE70A18E5C8FEB54EFA8D4596EDB7F1EF69300F50115DE48AD3282DB309A45CB82

Function 000002B38D096704 Relevance: 6.5, APIs: 4, Instructions: 461COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 000002B38D096A1F
_CxxThrowException.LIBCMT ref: 000002B38D096A3A
std::exception::exception.LIBCMT ref: 000002B38D096A9D
_CxxThrowException.LIBCMT ref: 000002B38D096AB8

Part of subcall function 000002B38D097414: std::_Xbad_alloc.LIBCPMT ref: 000002B38D0974A1

Memory Dump Source

Source File: 00000003.00000002.2112900009.000002B38D090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B38D090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b38d090000_rundll32.jbxd

Similarity

API ID: ExceptionThrowstd::exception::exception$Xbad_allocstd::_
String ID:
API String ID: 1519488521-0
Opcode ID: 6a8671919e32ba125cade8bebbf54ead894d3c5916fed936291344f9fc298fe1
Instruction ID: 3f4c18c9c0821746ae1bea2794042d8ea69d3d24a82dc9cf60169be47b349a72
Opcode Fuzzy Hash: 6a8671919e32ba125cade8bebbf54ead894d3c5916fed936291344f9fc298fe1
Instruction Fuzzy Hash: 1BE14D70918A5D9FEB54EF68D4986EEB7E0FF69300F50062EE047D3192DB709649CB82

Function 000002B38D094E34 Relevance: 6.3, APIs: 4, Instructions: 316COMMON

Download Yara Rule

APIs

fgetwc.LIBCMT ref: 000002B38D094EF3

Memory Dump Source

Source File: 00000003.00000002.2112900009.000002B38D090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B38D090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b38d090000_rundll32.jbxd

Similarity

API ID: fgetwc
String ID:
API String ID: 2948136663-0
Opcode ID: 3db69b43b33087f9728a2504ea2a3bd94983f958b461452a88f201f86a2a2501
Instruction ID: c67bb9172984f0f441851b87c12b1495a5500ca3d49496c2a194ffa285bf9950
Opcode Fuzzy Hash: 3db69b43b33087f9728a2504ea2a3bd94983f958b461452a88f201f86a2a2501
Instruction Fuzzy Hash: EBB16970218E0D9FDB58EF29C499AE973E0FF68304F50466AE40BD7595DB31EA04CB82

Function 000002B38D09DF28 Relevance: 6.1, APIs: 4, Instructions: 113COMMON

Download Yara Rule

APIs

_wfsopen.LIBCMT ref: 000002B38D09DEBD
fclose.LIBCMT ref: 000002B38D09DECA
_wfsopen.LIBCMT ref: 000002B38D09DEDF
fseek.LIBCMT ref: 000002B38D09DEF9

Memory Dump Source

Source File: 00000003.00000002.2112900009.000002B38D090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B38D090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b38d090000_rundll32.jbxd

Similarity

API ID: _wfsopen$fclosefseek
String ID:
API String ID: 1261181034-0
Opcode ID: 060668c88b56fe38f5c44a18ba7740774a474d3c0946bdb231730e3168279bf2
Instruction ID: 093664804dd343b7707223a6f252aeaabc3a2194eb33a126fe1c2f43eb090151
Opcode Fuzzy Hash: 060668c88b56fe38f5c44a18ba7740774a474d3c0946bdb231730e3168279bf2
Instruction Fuzzy Hash: 2331E4B0254A0E5FE7E8EA2C989A77573D1EF98304F14406DA88BC32D7DB38DD428752

Function 000002B38D098294 Relevance: 6.1, APIs: 4, Instructions: 100COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000002B38D0982D3

Part of subcall function 000002B38D098BAC: _lock.LIBCMT ref: 000002B38D098BBE

std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 000002B38D098310
free.LIBCMT ref: 000002B38D098337
malloc.LIBCMT ref: 000002B38D098356

Memory Dump Source

Source File: 00000003.00000002.2112900009.000002B38D090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B38D090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b38d090000_rundll32.jbxd

Similarity

API ID: AddfacLocimp::_Locimp_LockitLockit::__lockfreemallocstd::_std::locale::_
String ID:
API String ID: 2732429687-0
Opcode ID: 9338e4efca5c51ffab6ba31e7edec2782b071aaf483cef073fc2194b9753611b
Instruction ID: 660060085b1a95e976d8b4c04c9dfe56eec2f3edda593dcf3fbeac3819166731
Opcode Fuzzy Hash: 9338e4efca5c51ffab6ba31e7edec2782b071aaf483cef073fc2194b9753611b
Instruction Fuzzy Hash: 3A314AB0518E1C9FEB94EF18E488B55B7E0FF59310F50455EE44AC33A6DB74E9408B82

Function 00007FFDFB5E1A50 Relevance: 6.1, APIs: 4, Instructions: 72libraryCOMMON

Download Yara Rule

APIs

VerSetConditionMask.KERNEL32 ref: 00007FFDFB5E1A9C
VerifyVersionInfoW.KERNEL32 ref: 00007FFDFB5E1AC7
LoadLibraryExW.KERNEL32 ref: 00007FFDFB5E1B20
LocalFree.KERNEL32 ref: 00007FFDFB5E1B2C

Memory Dump Source

Source File: 00000003.00000002.2113809198.00007FFDFB55C000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB4C0000, based on PE: true

Associated: 00000003.00000002.2113790917.00007FFDFB4C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB4C1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB500000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB705000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB710000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114128379.00007FFDFB7B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114145066.00007FFDFB7B7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114160649.00007FFDFB7B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114178245.00007FFDFB7B9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114238689.00007FFDFB7FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdfb4c0000_rundll32.jbxd

Similarity

API ID: ConditionFreeInfoLibraryLoadLocalMaskVerifyVersion
String ID:
API String ID: 3996897175-0
Opcode ID: 7b90ea187a19757d781d7a8508d29235edc04a82aa32fe15ca570446b8cc600a
Instruction ID: 52d280054b242f9761a51f942f5b89182a10078b9297dc21301a5f8b04974f9e
Opcode Fuzzy Hash: 7b90ea187a19757d781d7a8508d29235edc04a82aa32fe15ca570446b8cc600a
Instruction Fuzzy Hash: F221A731B1969385EB65DF22A820AB57655BB8DB80F058034DE6D477BDDE3CD5028A40

Function 00007FFDFB4D1B20 Relevance: 6.1, APIs: 4, Instructions: 61threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 00007FFDFB6C4F15
GetLastError.KERNEL32 ref: 00007FFDFB6C4F23
CloseHandle.KERNEL32 ref: 00007FFDFB6C4F40
FreeLibrary.KERNEL32 ref: 00007FFDFB6C4F4F

Memory Dump Source

Source File: 00000003.00000002.2113809198.00007FFDFB4C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB4C0000, based on PE: true

Associated: 00000003.00000002.2113790917.00007FFDFB4C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB500000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB55C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB705000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB710000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114128379.00007FFDFB7B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114145066.00007FFDFB7B7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114160649.00007FFDFB7B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114178245.00007FFDFB7B9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114238689.00007FFDFB7FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdfb4c0000_rundll32.jbxd

Similarity

API ID: CloseCreateErrorFreeHandleLastLibraryThread
String ID:
API String ID: 3065451008-0
Opcode ID: 0d8131eb396a8f802abd1963439fb8b77639c9a0312576953a7fd75421bdef18
Instruction ID: 527ae8556d1e42beb77d91e3299dc15972d8051c08b86b7943289237aaf67d3f
Opcode Fuzzy Hash: 0d8131eb396a8f802abd1963439fb8b77639c9a0312576953a7fd75421bdef18
Instruction Fuzzy Hash: E4215075B0B74386EF14EF61A46097963A0AF84B99F044435EA7D4B7FDDE3CE4008684

Function 00007FFDFB4C1190 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FFDFB5F5461
GetModuleHandleW.KERNEL32 ref: 00007FFDFB5F54BC
LocalFree.KERNEL32 ref: 00007FFDFB5F54C8
SetLastError.KERNEL32 ref: 00007FFDFB5F54E6

Memory Dump Source

Source File: 00000003.00000002.2113809198.00007FFDFB4C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB4C0000, based on PE: true

Associated: 00000003.00000002.2113790917.00007FFDFB4C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB500000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB55C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB705000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB710000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114128379.00007FFDFB7B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114145066.00007FFDFB7B7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114160649.00007FFDFB7B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114178245.00007FFDFB7B9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114238689.00007FFDFB7FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdfb4c0000_rundll32.jbxd

Similarity

API ID: ErrorLast$FreeHandleLocalModule
String ID:
API String ID: 2775970868-0
Opcode ID: 9e3bd118697827140c8c35a418e2f991fb94ac97f9fdae92732178acaa3a4831
Instruction ID: 63578efc3ed7feb6ea5464d3a9510b3fe3df24d4465ef29784639d4a8d2360fe
Opcode Fuzzy Hash: 9e3bd118697827140c8c35a418e2f991fb94ac97f9fdae92732178acaa3a4831
Instruction Fuzzy Hash: 14113621F0A3A742EF5A6B157429979A791EF04BD1F081630DE3E07BFACE2CE4424380

Function 000002B38D0C5008 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000002B38D0C503A

Part of subcall function 000002B38D0C0320: _getptd.LIBCMT ref: 000002B38D0C0336
Part of subcall function 000002B38D0C0320: __updatetlocinfo.LIBCMT ref: 000002B38D0C036B
Part of subcall function 000002B38D0C0320: __updatetmbcinfo.LIBCMT ref: 000002B38D0C0392

_malloc_crt.LIBCMT ref: 000002B38D0C5085

Strings

:, xrefs: 000002B38D0C50A4

Memory Dump Source

Source File: 00000003.00000002.2112900009.000002B38D090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B38D090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b38d090000_rundll32.jbxd

Similarity

API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_getptd_malloc_crt
String ID: :
API String ID: 875692556-336475711
Opcode ID: 87dcd81199e5c75fe6f4eb1ed4ca3c3cad752f6282d2ad23c1f32017a9299fd6
Instruction ID: 10c1f5c269af4541714639e6373cdfad89ac62f7a1e9a3a053f6c17506094ca1
Opcode Fuzzy Hash: 87dcd81199e5c75fe6f4eb1ed4ca3c3cad752f6282d2ad23c1f32017a9299fd6
Instruction Fuzzy Hash: A641A771628E0C4FDB58EF2C988D7B573D1FB58310F41466EE84AC3196DF30D9028682

Function 000002B38D0C4E88 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc_crt.LIBCMT ref: 000002B38D0C4F05
_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000002B38D0C4EBA

Part of subcall function 000002B38D0C0320: _getptd.LIBCMT ref: 000002B38D0C0336
Part of subcall function 000002B38D0C0320: __updatetlocinfo.LIBCMT ref: 000002B38D0C036B
Part of subcall function 000002B38D0C0320: __updatetmbcinfo.LIBCMT ref: 000002B38D0C0392

Strings

:, xrefs: 000002B38D0C4F24

Memory Dump Source

Source File: 00000003.00000002.2112900009.000002B38D090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B38D090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b38d090000_rundll32.jbxd

Similarity

API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_getptd_malloc_crt
String ID: :
API String ID: 875692556-336475711
Opcode ID: b6f76ccc677749e7e47c8f1fd9208b4adf8ad809ee0fda7590a67167e05195a0
Instruction ID: 27c851ead1505fd0344a2e8effee4ab0d83eea2d3692d7bcf266a60766d00158
Opcode Fuzzy Hash: b6f76ccc677749e7e47c8f1fd9208b4adf8ad809ee0fda7590a67167e05195a0
Instruction Fuzzy Hash: 3F41B771628E0C4FDB68EF2CA8896B573D1FB58310F41426EE84AC7197DF30E9028782

Function 00007FFDFB4C5AE0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32 ref: 00007FFDFB5C492E

Strings

CNvAnimatedGifStreamEncoderWIC::initialize, xrefs: 00007FFDFB5C4940
%s - CoCreateInstance on CLSID_WICImagingFactory failed, xrefs: 00007FFDFB5C494C

Memory Dump Source

Source File: 00000003.00000002.2113809198.00007FFDFB4C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB4C0000, based on PE: true

Associated: 00000003.00000002.2113790917.00007FFDFB4C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB500000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB55C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB705000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB710000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114128379.00007FFDFB7B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114145066.00007FFDFB7B7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114160649.00007FFDFB7B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114178245.00007FFDFB7B9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114238689.00007FFDFB7FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdfb4c0000_rundll32.jbxd

Similarity

API ID: CreateInstance
String ID: %s - CoCreateInstance on CLSID_WICImagingFactory failed$CNvAnimatedGifStreamEncoderWIC::initialize
API String ID: 542301482-3781439623
Opcode ID: d3b19091ed0324d88df89671fc1af45145660e2e85ad139f3cdde19376e2d69d
Instruction ID: 313135a60c2753afb8145555b423083ca706bfcb11c9119348814eb783ea5159
Opcode Fuzzy Hash: d3b19091ed0324d88df89671fc1af45145660e2e85ad139f3cdde19376e2d69d
Instruction Fuzzy Hash: E0115926B0AA5681EB108F25E460AB963A0EB48B88F544031DA6C477B8DF2CD8558B40

Function 00007FFDFB4CBCD0 Relevance: 5.1, APIs: 4, Instructions: 114COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FFDFB5E2CC6
SetLastError.KERNEL32 ref: 00007FFDFB5E2DB9

Memory Dump Source

Source File: 00000003.00000002.2113809198.00007FFDFB4C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFDFB4C0000, based on PE: true

Associated: 00000003.00000002.2113790917.00007FFDFB4C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB500000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB55C000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB705000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2113809198.00007FFDFB710000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB713000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB77A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114037887.00007FFDFB7B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114128379.00007FFDFB7B6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114145066.00007FFDFB7B7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114160649.00007FFDFB7B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114178245.00007FFDFB7B9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7D5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114197348.00007FFDFB7F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2114238689.00007FFDFB7FC000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffdfb4c0000_rundll32.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 7e5c6a5d257a954f4ece03d72a07074d059db0adc786de0da86780d6e63026fc
Instruction ID: 1ab54a42fd8a4e843ca1f2b863f77b8d499a1fdd269b4c8d87d6b91366bd9a01
Opcode Fuzzy Hash: 7e5c6a5d257a954f4ece03d72a07074d059db0adc786de0da86780d6e63026fc
Instruction Fuzzy Hash: 0A418021B0AB4786FB15DB65A860A3936A0AF48B94F004435DE2E437BDEE3DE4458B44

Function 000002B38D0933C4 Relevance: 5.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

_CxxThrowException.LIBCMT ref: 000002B38D093416
_CxxThrowException.LIBCMT ref: 000002B38D093452
_CxxThrowException.LIBCMT ref: 000002B38D09347A
_CxxThrowException.LIBCMT ref: 000002B38D0934A2

Memory Dump Source

Source File: 00000003.00000002.2112900009.000002B38D090000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B38D090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2b38d090000_rundll32.jbxd

Similarity

API ID: ExceptionThrow
String ID:
API String ID: 432778473-0
Opcode ID: 34052b98ec5b6cb08a453d4da99d8fe8dbaf6c7a065dd0f46931283defdf51d4
Instruction ID: 92de3923dc55a6b19695f3238bd0b5e0540bcb81df5f49a36fb1d26001504510
Opcode Fuzzy Hash: 34052b98ec5b6cb08a453d4da99d8fe8dbaf6c7a065dd0f46931283defdf51d4
Instruction Fuzzy Hash: B5210C71914B1C9AEF16EB64EC85ADEB3B4FF64304F20431AE446E6051EB34A7458F82

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report appgpuset.dll.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bad_module_info_59ea469c9cde70e5cc5fc8dc983f2f16bebbf3_85207d7d_a92ee45c-4a8c-48e2-ae99-7ffc8905fe0f\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_bad_module_info_59ea469c9cde70e5cc5fc8dc983f2f16bebbf3_85207d7d_fa34a916-0ee7-420e-b892-7538d510bc46\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_app_368b75c013d478ef855eadbf85b69d15b5c85bc_a483008d_7ce35560-ca5a-4c7d-a743-57bb1d3c6542\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_app_ea5749b1d7fa548c1274df7cdb4372edb8fea1_a483008d_bfa66183-2a7d-437b-ad39-dcd0dc11a1c6\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCB04.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCBA0.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCBC1.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCBD0.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD0EE.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD350.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD370.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREF24.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF0BB.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF0FB.tmp.xml

C:\Users\user\AppData\Local\Temp\WERBB15.tmp.WERDataCollectionStatus.txt

C:\Users\user\AppData\Local\Temp\WERBB25.tmp.WERDataCollectionStatus.txt

C:\Users\user\NTUSER.DAT.Not

C:\Windows\appcompat\Programs\Amcache.hve

Windows Analysis Report
appgpuset.dll.dll