Edit tour

Windows Analysis Report
file.dll

Overview

General Information

Sample name:	file.dll (renamed file extension from exe to dll)
Original sample name:	file.exe
Analysis ID:	1524398
MD5:	3221211c319e55e42e398e062c1e155e
SHA1:	b1378446aa1cbe0858eed3c7083235a3856a82ba
SHA256:	cae7512666ae3f18702df3bffaf297739a30aa05ea73a7d1ee4c50ba2d874b93
Tags:	dllexesignedx64user-jstrosch
Infos:

Detection

Score:	6
Range:	0 - 100
Whitelisted:	false
Confidence:	0%

Signatures

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Classification

Process Tree

System is w10x64

loaddll64.exe (PID: 6532 cmdline: loaddll64.exe "C:\Users\user\Desktop\file.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)

conhost.exe (PID: 6556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6704 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\file.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

rundll32.exe (PID: 6768 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)

WerFault.exe (PID: 7092 cmdline: C:\Windows\system32\WerFault.exe -u -p 6768 -s 356 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

rundll32.exe (PID: 6728 cmdline: rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_media_sound_MidiInDeviceProvider_nGetDescription MD5: EF3179D498793BF4234F708D3BE28633)

WerFault.exe (PID: 2124 cmdline: C:\Windows\system32\WerFault.exe -u -p 6728 -s 356 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

rundll32.exe (PID: 6036 cmdline: rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_media_sound_MidiInDeviceProvider_nGetName MD5: EF3179D498793BF4234F708D3BE28633)

WerFault.exe (PID: 7088 cmdline: C:\Windows\system32\WerFault.exe -u -p 6036 -s 528 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

rundll32.exe (PID: 6292 cmdline: rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_media_sound_MidiInDeviceProvider_nGetNumDevices MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7072 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_MidiInDeviceProvider_nGetDescription MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7000 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_MidiInDeviceProvider_nGetName MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 2708 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_MidiInDeviceProvider_nGetNumDevices MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 5180 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_PortMixer_nOpen MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 6220 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_PortMixer_nGetPortType MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 4408 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_PortMixer_nGetPortName MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7176 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_PortMixer_nGetPortCount MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7184 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_PortMixer_nGetControls MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7192 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_PortMixer_nControlSetIntValue MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7208 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_PortMixer_nControlSetFloatValue MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7216 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_PortMixer_nControlGetIntValue MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7224 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_PortMixer_nControlGetFloatValue MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7236 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_PortMixer_nClose MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7292 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_PortMixerProvider_nNewPortMixerInfo MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7304 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_PortMixerProvider_nGetNumDevices MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7316 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_Platform_nIsSigned8 MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7336 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_Platform_nIsBigEndian MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7356 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_Platform_nGetLibraryForFeature MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7368 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_Platform_nGetExtraLibraries MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7384 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_MidiOutDevice_nSendShortMessage MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7400 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_MidiOutDevice_nSendLongMessage MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7408 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_MidiOutDevice_nOpen MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7424 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_MidiOutDevice_nGetTimeStamp MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7468 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_MidiOutDevice_nClose MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7484 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_MidiOutDeviceProvider_nGetVersion MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7500 cmdline: rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_MidiOutDeviceProvider_nGetVendor MD5: EF3179D498793BF4234F708D3BE28633)

cleanup

Code function: 3_2_00007FFE148E538C IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_00007FFE148E538C

Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE148E5078 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00007FFE148E5078
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE148E538C IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00007FFE148E538C
Source: C:\Windows\System32\rundll32.exe	Code function: 41_2_00007FFE148E5078 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	41_2_00007FFE148E5078
Source: C:\Windows\System32\rundll32.exe	Code function: 41_2_00007FFE148E538C IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	41_2_00007FFE148E538C

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",#1

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Code function: 3_2_00007FFE148E54DC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

3_2_00007FFE148E54DC

Source: Amcache.hve.8.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Rundll32	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	22 Virtualization/Sandbox Evasion	LSASS Memory	31 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	22 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	2 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.dll	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
171.39.242.20.in-addr.arpa	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.8.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1524398
Start date and time:	2024-10-02 18:45:26 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	42
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.dll (renamed file extension from exe to dll)
Original Sample Name:	file.exe
Detection:	CLEAN
Classification:	clean6.winDLL@78/13@1/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 5 Number of non-executed functions: 32

Warnings

Exclude process from analysis (whitelisted): WerFault.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.89.179.12, 20.189.173.21
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
VT rate limit hit for: file.dll

Simulations

Behavior and APIs

Time	Type	Description
12:46:34	API Interceptor	3x Sleep call for process: WerFault.exe modified
12:48:23	API Interceptor	1x Sleep call for process: loaddll64.exe modified

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_fil_41295953bbcbb6c049bf78baaa48b958e26b4df_d75f6fa5_70893c81-26e0-49bf-b072-f56d5596ff66\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7660426019734736
Encrypted:	false
SSDEEP:	192:dN9jFi/y7o0S0IvTdjlwCzuiFWZ24lO8V:lhia7NIvTdjfzuiFWY4lO8V
MD5:	C3B3919C625BA6FC029A2C9024A23AB8
SHA1:	61BCD4B2E7C2DF2421839FD0F033E8CD9A9AC217
SHA-256:	195027EE29D4176EEB7D7C3CDE90A5F989BE8C34B56307CDD012C564FE0A6CF8
SHA-512:	BF658681AD4C6B68BEFBC8B0B323EA24B7AA962F885A222C149FE68C52A99A896C93074C1A313054D318CCF04E66BF7164D66A16F1FFEB013BB612FDD1BD1C21
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.3.6.1.1.7.9.2.4.1.9.8.2.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.3.6.1.1.7.9.6.4.8.2.3.1.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.0.8.9.3.c.8.1.-.2.6.e.0.-.4.9.b.f.-.b.0.7.2.-.f.5.6.d.5.5.9.6.f.f.6.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.f.a.0.0.1.d.2.-.a.1.3.9.-.4.7.f.8.-.8.5.9.7.-.9.d.1.8.d.a.8.b.b.a.0.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.f.i.l.e...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.4.8.-.0.0.0.1.-.0.0.1.4.-.9.3.8.9.-.c.6.9.a.e.a.1.4.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.6.7.b.d.8.6.8.2.2.2.!.r.u.n.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_fil_41295953bbcbb6c049bf78baaa48b958e26b4df_d75f6fa5_aa9297c9-4bb3-4dd6-90b8-f5b8ad05b9a0\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7660272063289806
Encrypted:	false
SSDEEP:	192:hJxWFihyKo0S0IvTdjlwCzuiFWZ24lO8V:/x4iEKNIvTdjfzuiFWY4lO8V
MD5:	513B6373C9260FE2FD5EB5DDD09A6D77
SHA1:	E5C0B2F3927546C381D08960762D5F3DB48864CC
SHA-256:	5DF9387BC06D3A2FE1B84C809D8E577D438A16A9ECEA2FAB41C22E3AAEA08345
SHA-512:	2607B98CE618E63059406F3A843CBD4CA9E352EA70C050F422CC14A7C5717EA4637F32A51D9E9531A4F2F86BF9E218F53704239371B03F3AC4618DE5054542C0
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.3.6.1.1.7.9.2.0.6.7.1.4.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.3.6.1.1.7.9.7.0.6.7.0.9.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.a.9.2.9.7.c.9.-.4.b.b.3.-.4.d.d.6.-.9.0.b.8.-.f.5.b.8.a.d.0.5.b.9.a.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.7.9.d.a.7.8.b.-.4.1.e.5.-.4.1.f.b.-.9.1.6.e.-.e.d.0.d.6.d.f.6.9.8.a.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.f.i.l.e...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.7.0.-.0.0.0.1.-.0.0.1.4.-.2.c.c.5.-.c.7.9.a.e.a.1.4.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.6.7.b.d.8.6.8.2.2.2.!.r.u.n.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_fil_65e4b14aae1adf98ac97cac7affb5dbf3d4bee80_d75f6fa5_24b3bb7f-f7de-4dd9-aa14-369834d33aef\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8784576174167049
Encrypted:	false
SSDEEP:	96:siF+dFi8yKynsjds4RvSmmTfTQXIDcQ2c63bcEEcw3EXaXz+HbHgSQgJjt7FwXqb:PGFi8yno0Q0IvOejlQ/zuiFWZ24lO8V
MD5:	141075855E85688ED779727DF71986B8
SHA1:	2FD25A05DC75811DEC670F24BEBA17213B9839D1
SHA-256:	D0B62B9202BBBB16601C008AB5CD87768E3C7AEE37663B125393C0269DA0AF81
SHA-512:	B2E163D59E335665D5E04792269CEE8FCC5606522DE8270392D9CE90BEC63FD81400FFBD18D87922782C1EB158B40F6AB8703BBE3DACA9F3050C447A59DAF814
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.3.6.1.1.8.2.1.0.4.6.2.1.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.3.6.1.1.8.2.5.2.6.5.0.7.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.4.b.3.b.b.7.f.-.f.7.d.e.-.4.d.d.9.-.a.a.1.4.-.3.6.9.8.3.4.d.3.3.a.e.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.e.f.b.9.f.3.4.-.1.f.4.7.-.4.1.8.1.-.b.9.3.2.-.3.1.c.5.5.e.2.3.9.4.c.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.f.i.l.e...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.9.4.-.0.0.0.1.-.0.0.1.4.-.8.8.6.5.-.9.2.9.c.e.a.1.4.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.6.7.b.d.8.6.8.2.2.2.!.r.u.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER474C.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Oct 2 16:46:19 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	67448
Entropy (8bit):	1.552733074913142
Encrypted:	false
SSDEEP:	192:aN1t5oFgOMxE+tScRomg63XSXTXdvljI50ynAaT:/JH6JomjyN+n
MD5:	2EBECE16D4721EDD9CFE0AD6E6170773
SHA1:	A24A98762F3DEA59B2D433D5C54F391CD6D045AB
SHA-256:	DD87361A7705776D55945ED8E56C32C78C4213B6457E59933002F27B4F9EC8D4
SHA-512:	E261961D0BC6F935EA5E96F421D4570CB0722F7504BF0AD081CD63AA760FA1BB8AE6D98E072B7170AF298ACB8B4B8E2182C6BCAD7AA04D904558981B43DD6FE7
Malicious:	false
Preview:	MDMP..a..... ........x.f....................................................T.......8...........T...........p...........................p...............................................................................eJ..............Lw......................T.......p....x.f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER476B.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Oct 2 16:46:19 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	69580
Entropy (8bit):	1.5083032608148348
Encrypted:	false
SSDEEP:	192:aQT5oFYrIOMx4T3RXT9OQwRXdel/IcDoyJqWc:0ib7ThZWKiyO
MD5:	13AB54C2CCB3536FE25B33B19889EB9D
SHA1:	4089FAA6F40C561840BFF8F8D66F0957FC0901FA
SHA-256:	57EA17E832C33B4416826875BE1ECF18CB2E0B42F3389ED894D06FA259CB6A23
SHA-512:	C55669F6D5A0721214F41731642CE9A15AF277BAEA2AEBFB08110F891E7113D3A424552DAE877DD72EC7DBE3B9C6537C6E27B4B353EB1156F8ED9786690A9F81
Malicious:	false
Preview:	MDMP..a..... ........x.f....................................................T.......8...........T........... ...........................p...............................................................................eJ..............Lw......................T.......H....x.f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER47CA.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8490
Entropy (8bit):	3.694342102704871
Encrypted:	false
SSDEEP:	192:R6l7wVeJupybJ46Y7eqgmfiL0Q9pr+89bwiVftQm:R6lXJwyb26YiqgmfG7XwIfP
MD5:	AC265D9444A97103120CBD947A3CC017
SHA1:	DFDE6B38EC385163D493A7300DD737306A765C7A
SHA-256:	CA8B6F4F40496569871697767BF018281BAC5E5EE72B0A5F2C56FB0635A5B51B
SHA-512:	FDDAFA28E4DCED38191E7FFE7151EFCCDBC0E1C9558D133431BFA8C0A5B36E4FD14C1D516B32B6C2620637FE745555D20049E264266DE5B75AC6945B976C8227
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.7.2.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER47FA.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4729
Entropy (8bit):	4.463109458847425
Encrypted:	false
SSDEEP:	48:cvIwWl8zsiJg771I9RuWpW8VYIYm8M4JCFCtsNeFknyq85m4zVncptSTSMd:uIjfwI7uP7VYJilnGOpoOMd
MD5:	7A5F1B544482D5869D74777E8819B523
SHA1:	F82C62CA4398D65E32B62377D46CAE934BBA106C
SHA-256:	F6B44FEA7A28DDF30A2B19931EBF4422896090CEC7D3664B1B1A9C68E74596A7
SHA-512:	1EBC7C31C492D47D89EC9118743C08FD241B7D5040DDF81D98BADD99DC3BB9FFF45E25CB43EECCB277AEC82159BF03C017506A987D2A9E353B20472566D0E9B3
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="526069" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4848.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8498
Entropy (8bit):	3.696500935646734
Encrypted:	false
SSDEEP:	192:R6l7wVeJqUxbr6Yza8O0gmfiL0Q9prT89bw/Vf0rkQm:R6lXJJxbr6YlVgmfG7Ewdfgi
MD5:	B9212D90F4D6E7516F46601735420468
SHA1:	F7AAC4802479D557C74415E966BF76A941AD66A4
SHA-256:	3A25C967B6A64E635B7F726B6F3A21ED6C444EA2531936B1D18E209E8253834E
SHA-512:	C8C811A98F451914867976C94C5B228F9274A3D3E50BFB94F675E55DE3F890AC63E29CD39BD4AF74942E498B65147C3763AF301A56DBDE2A8D7FA8128898AC69
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.7.6.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4888.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4729
Entropy (8bit):	4.464117418127518
Encrypted:	false
SSDEEP:	48:cvIwWl8zsiJg771I9RuWpW8VYhYm8M4JCFCtsNeFNyq85m4zVY3ptSTSnd:uIjfwI7uP7VVJiWG+3poOnd
MD5:	94F1108AB1BDC4A8026BF32EBD10A10F
SHA1:	7FEB5633142FFA21C206ED3CA84F2F982F1EE4BB
SHA-256:	25AAF850869D825CC8EE7716B4EC313444D4EACC2652B0B5EB617632B331864D
SHA-512:	AB3B9A5D74146F51D6DB57B9D6FDF67221BF2D1DB209B2865BADB6A4B6661E1B23FEDE68B48C2D9B9B6252CC9C276C752B2F8E271E25778EAC0904969D487CF2
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="526069" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER52D5.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Oct 2 16:46:22 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	74260
Entropy (8bit):	1.6198720305363832
Encrypted:	false
SSDEEP:	192:nEMPVWCNWkX95OMxRAMUIdMnjDCrdRrP8I2ianeSujwG5:rBNr6KAXIdMnjDCnEI2iyH8
MD5:	0BF095AB333E4DE5106D04FE7D6AA0C0
SHA1:	52A4DB7CD813175904D1AB3F77EE16E7974BE8C5
SHA-256:	58C61CFA820CA63DA8B6145901701C40933E5873093A268BE63C90E013A1DCBB
SHA-512:	41472B5D830C12C7CF72136F4432E9E548394C58BFA0DE5A7AE751AA794771A9B4FE8E912F3B9D6ACB6276258383983B2E9A75ED369B9841870DEB939D7EF278
Malicious:	false
Preview:	MDMP..a..... ........x.f........................x...........D...>7..........T.......8...........T...........(...............D...........0...............................................................................eJ..............Lw......................T............x.f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5382.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8492
Entropy (8bit):	3.691245110880909
Encrypted:	false
SSDEEP:	192:R6l7wVeJeuO6Y7HMqgmfiL0GFprRC89bwuVfuwm:R6lXJHO6YwqgmfGxZ7wkfA
MD5:	F8CD689E4FB3AAE5013BC41FD936F2D9
SHA1:	8069982DCA3ED5A66E37E3F4F48C98AAD88E7AA8
SHA-256:	3F7DAB23570ECD4D7FF7DD65743A21A2AACA2FBB15165379AAD7E38446CA42E0
SHA-512:	40A0E28216E88666A7E18FFE40F638E1C0C2C49754B23A1EBBB06066EEB010A7B034216F98613C360219432FE8E3C26B0FE684EC45BD258BA993BABC0489E9C5
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.0.3.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER53A2.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4729
Entropy (8bit):	4.466169803148608
Encrypted:	false
SSDEEP:	48:cvIwWl8zsiJg771I9RuWpW8VYBYm8M4JCFCtsNRcFKyq85m4zVvpptSTSud:uIjfwI7uP7VRJi5GjpoOud
MD5:	06F4AEA506E15E8C7774E33A3D7CE221
SHA1:	F7D0D2140C4EB8A7461F02B5E7F7B44424DA3F79
SHA-256:	24A4D8257B777F54EEAFEE4999DEE9DEE2FBCA87B3BE1FFCAD31DFCBBE5935F9
SHA-512:	F3C98851E995AB35DE6A43646BD1373DF0A42AF461A602DF1C83306C24E956DD9F0F004A40E3FDB34D41CAAAD97E4C083BFA3B8AB334A11A2288D4F517F43839
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="526069" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.466394506296931
Encrypted:	false
SSDEEP:	6144:iIXfpi67eLPU9skLmb0b4zWSPKaJG8nAgejZMMhA2gX4WABl0uNcdwBCswSb9:HXD94zWlLZMM6YFHa+9
MD5:	70C094BAB49B4AA6306E611BD10087A0
SHA1:	53C8ECE1140B181B516E2F001BCCB7EF7B4FF4F2
SHA-256:	0F5D8F4BD3589471013A309443DA718F2CECC787F8ED51513877948FC2F82623
SHA-512:	0465C005F4AA4019643AEB81117BE9FD787A62E5464CFCCBEE1334C6D693DBD2A27CA6895CA288E3B5154D71F9C09F122C32C5371F5849309C5C720F03233B95
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit):	6.483035224848994
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	file.dll
File size:	43'168 bytes
MD5:	3221211c319e55e42e398e062c1e155e
SHA1:	b1378446aa1cbe0858eed3c7083235a3856a82ba
SHA256:	cae7512666ae3f18702df3bffaf297739a30aa05ea73a7d1ee4c50ba2d874b93
SHA512:	51c9891055cbaa919a6094ab3cff1082423d6fb64496651d8d07afd2d8cebff3ed9f48213dc4a20c314a74072dbf720c9279412b1ecddaba6d754edb0bf5067e
SSDEEP:	768:79cuau+2V72zJ3R5O/PzZ6xez66BmxSoYiUFVPxWEexj:79cLz5yzZ60z66IxSo7UDPxY
TLSH:	C3137C67A761489EF46FA1F7F852823BE472781107A0D7CE07A543360FA7351792E3A8
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........;..;Z..;Z..;Z..2"..3Z..i2..9Z..i2..7Z..i2..3Z..i2..9Z..`2..>Z..;Z..kZ...3..:Z...3..7Z...3..:Z...3a.:Z...3..:Z..Rich;Z.........

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x180005038
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x180000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x63BBD4C4 [Mon Jan 9 08:48:04 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	3164d0dcdc57c2cea278225ece4bbbd5

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	19/08/2021 01:00:00 20/08/2023 00:59:59
Subject Chain	CN="Oracle America, Inc.", OU=Software Engineering, O="Oracle America, Inc.", L=Redwood City, S=California, C=US
Version:	3
Thumbprint MD5:	2876C1BECB51837D0E3DE50903D025B6
Thumbprint SHA-1:	940D69C0A34A1B4CFD8048488BA86F4CED60481A
Thumbprint SHA-256:	EE46613A38B4F486164BCE7FB23178667715617F511B364594311A1548B08EB1
Serial:	068BE2F53452C882F18ED41A5DD4E7A3

Entrypoint Preview

Instruction
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], esi
push edi
dec eax
sub esp, 20h
dec ecx
mov edi, eax
mov ebx, edx
dec eax
mov esi, ecx
cmp edx, 01h
jne 00007FED9D4D4917h
call 00007FED9D4D4D98h
dec esp
mov eax, edi
mov edx, ebx
dec eax
mov ecx, esi
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
mov esi, dword ptr [esp+38h]
dec eax
add esp, 20h
pop edi
jmp 00007FED9D4D47A4h
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
xor ecx, ecx
call dword ptr [00000FEFh]
dec eax
mov ecx, ebx
call dword ptr [00000FEEh]
call dword ptr [00000FD8h]
dec eax
mov ecx, eax
mov edx, C0000409h
dec eax
add esp, 20h
pop ebx
dec eax
jmp dword ptr [00000FBCh]
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 38h
mov ecx, 00000017h
call 00007FED9D4D4EC6h
test eax, eax
je 00007FED9D4D4919h
mov ecx, 00000002h
int 29h
dec eax
lea ecx, dword ptr [0000425Fh]
call 00007FED9D4D49BFh
dec eax
mov eax, dword ptr [esp+38h]
dec eax
mov dword ptr [00004346h], eax
dec eax
lea eax, dword ptr [esp+38h]
dec eax
add eax, 08h
dec eax
mov dword ptr [000042D6h], eax
dec eax
mov eax, dword ptr [0000432Fh]
dec eax
mov dword ptr [000041A0h], eax

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x6fa0	0x944	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x78e4	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb000	0x3a0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xa000	0x66c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x8000	0x28a0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc000	0x18	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x6740	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x67a0	0x100	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x6000	0x298	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4780	0x4800	3ef4b245e8be83c024d2ef01753bfbae	False	0.56689453125	data	6.2051827024136115	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x6000	0x22a6	0x2400	0043139e7dbe6ce9e543722d03b4c6cb	False	0.3543836805555556	data	4.9389637349025834	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x830	0x200	d96918b565dad030e59cc5b97626602f	False	0.09375	data	0.4700436669171336	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0xa000	0x66c	0x800	337bfd92a7453269435e572cce6e517e	False	0.39111328125	data	3.5976681162117394	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xb000	0x3a0	0x400	738b9352a1dec6e8f3817478c2957724	False	0.40625	data	3.0574189285914155	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc000	0x18	0x200	432df58a52e37464023b56c7eba3dd8d	False	0.07421875	data	0.3398375245953951	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xb060	0x33c	data			0.463768115942029

Imports

DLL	Import
WINMM.dll	mixerSetControlDetails, mixerGetControlDetailsA, mixerGetLineControlsA, mixerGetLineInfoA, mixerClose, mixerOpen, mixerGetDevCapsA, mixerGetNumDevs, timeEndPeriod, timeBeginPeriod, midiInGetNumDevs, midiOutReset, midiOutLongMsg, midiOutShortMsg, midiOutUnprepareHeader, midiOutPrepareHeader, midiOutClose, midiOutOpen, midiOutGetErrorTextA, midiOutGetDevCapsA, midiOutGetNumDevs, midiInReset, midiInStop, midiInStart, midiInAddBuffer, midiInUnprepareHeader, midiInPrepareHeader, midiInClose, midiInOpen, midiInGetErrorTextA, midiInGetDevCapsA, timeGetTime
KERNEL32.dll	RtlCaptureContext, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, SetEvent, InitializeSListHead, DisableThreadLibraryCalls, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, IsDebuggerPresent, IsProcessorFeaturePresent, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RtlVirtualUnwind, RtlLookupFunctionEntry, DeleteCriticalSection, CreateThread, Sleep, CreateEventA, WaitForSingleObject, CloseHandle
VCRUNTIME140.dll	__C_specific_handler, memset, memcpy, __std_type_info_destroy_list
api-ms-win-crt-string-l1-1-0.dll	strcpy, strncpy
api-ms-win-crt-heap-l1-1-0.dll	malloc, free
api-ms-win-crt-stdio-l1-1-0.dll	__stdio_common_vsprintf
api-ms-win-crt-runtime-l1-1-0.dll	_initterm_e, _seh_filter_dll, _configure_narrow_argv, _initialize_narrow_environment, _initialize_onexit_table, _register_onexit_function, _execute_onexit_table, _crt_atexit, _cexit, _initterm

Exports

Name	Ordinal	Address
Java_com_sun_media_sound_MidiInDeviceProvider_nGetDescription	1	0x18000130c
Java_com_sun_media_sound_MidiInDeviceProvider_nGetName	2	0x180001388
Java_com_sun_media_sound_MidiInDeviceProvider_nGetNumDevices	3	0x180001404
Java_com_sun_media_sound_MidiInDeviceProvider_nGetVendor	4	0x18000140c
Java_com_sun_media_sound_MidiInDeviceProvider_nGetVersion	5	0x180001488
Java_com_sun_media_sound_MidiInDevice_nClose	6	0x180001020
Java_com_sun_media_sound_MidiInDevice_nGetMessages	7	0x180001028
Java_com_sun_media_sound_MidiInDevice_nGetTimeStamp	8	0x180001260
Java_com_sun_media_sound_MidiInDevice_nOpen	9	0x18000127c
Java_com_sun_media_sound_MidiInDevice_nStart	10	0x1800012d0
Java_com_sun_media_sound_MidiInDevice_nStop	11	0x180001304
Java_com_sun_media_sound_MidiOutDeviceProvider_nGetDescription	12	0x1800015f0
Java_com_sun_media_sound_MidiOutDeviceProvider_nGetName	13	0x18000166c
Java_com_sun_media_sound_MidiOutDeviceProvider_nGetNumDevices	14	0x1800016e8
Java_com_sun_media_sound_MidiOutDeviceProvider_nGetVendor	15	0x18000140c
Java_com_sun_media_sound_MidiOutDeviceProvider_nGetVersion	16	0x1800016f0
Java_com_sun_media_sound_MidiOutDevice_nClose	17	0x180001504
Java_com_sun_media_sound_MidiOutDevice_nGetTimeStamp	18	0x180001260
Java_com_sun_media_sound_MidiOutDevice_nOpen	19	0x18000150c
Java_com_sun_media_sound_MidiOutDevice_nSendLongMessage	20	0x180001558
Java_com_sun_media_sound_MidiOutDevice_nSendShortMessage	21	0x1800015e0
Java_com_sun_media_sound_Platform_nGetExtraLibraries	22	0x180003c48
Java_com_sun_media_sound_Platform_nGetLibraryForFeature	23	0x180003c5c
Java_com_sun_media_sound_Platform_nIsBigEndian	24	0x180003c80
Java_com_sun_media_sound_Platform_nIsSigned8	25	0x180003c88
Java_com_sun_media_sound_PortMixerProvider_nGetNumDevices	26	0x180004658
Java_com_sun_media_sound_PortMixerProvider_nNewPortMixerInfo	27	0x180004660
Java_com_sun_media_sound_PortMixer_nClose	28	0x18000405c
Java_com_sun_media_sound_PortMixer_nControlGetFloatValue	29	0x180004074
Java_com_sun_media_sound_PortMixer_nControlGetIntValue	30	0x180004090
Java_com_sun_media_sound_PortMixer_nControlSetFloatValue	31	0x1800040a8
Java_com_sun_media_sound_PortMixer_nControlSetIntValue	32	0x1800040c4
Java_com_sun_media_sound_PortMixer_nGetControls	33	0x1800040e0
Java_com_sun_media_sound_PortMixer_nGetPortCount	34	0x1800041c0
Java_com_sun_media_sound_PortMixer_nGetPortName	35	0x1800041d8
Java_com_sun_media_sound_PortMixer_nGetPortType	36	0x180004248
Java_com_sun_media_sound_PortMixer_nOpen	37	0x180004264

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 2, 2024 18:46:51.670253992 CEST	53	59778	162.159.36.2	192.168.2.4
Oct 2, 2024 18:46:52.363692045 CEST	51663	53	192.168.2.4	1.1.1.1
Oct 2, 2024 18:46:52.371179104 CEST	53	51663	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 2, 2024 18:46:52.363692045 CEST	192.168.2.4	1.1.1.1	0x2f2e	Standard query (0)	171.39.242.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 2, 2024 18:46:52.371179104 CEST	1.1.1.1	192.168.2.4	0x2f2e	Name error (3)	171.39.242.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

Target ID:	0
Start time:	12:46:18
Start date:	02/10/2024
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe "C:\Users\user\Desktop\file.dll"
Imagebase:	0x7ff725a60000
File size:	165'888 bytes
MD5 hash:	763455F9DCB24DFEECC2B9D9F8D46D52
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	12:46:18
Start date:	02/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	12:46:18
Start date:	02/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\file.dll",#1
Imagebase:	0x7ff6ce760000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:46:18
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_media_sound_MidiInDeviceProvider_nGetDescription
Imagebase:	0x7ff620b60000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:46:18
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",#1
Imagebase:	0x7ff620b60000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	12:46:19
Start date:	02/10/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 6768 -s 356
Imagebase:	0x7ff79df30000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	12:46:19
Start date:	02/10/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 6728 -s 356
Imagebase:	0x7ff79df30000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	12:46:21
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_media_sound_MidiInDeviceProvider_nGetName
Imagebase:	0x7ff620b60000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	12:46:22
Start date:	02/10/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 6036 -s 528
Imagebase:	0x7ff79df30000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	12:46:24
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_media_sound_MidiInDeviceProvider_nGetNumDevices
Imagebase:	0x7ff620b60000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	12:46:27
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_MidiInDeviceProvider_nGetDescription
Imagebase:	0x7ff620b60000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	12:46:27
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_MidiInDeviceProvider_nGetName
Imagebase:	0x7ff620b60000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	12:46:28
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_MidiInDeviceProvider_nGetNumDevices
Imagebase:	0x7ff620b60000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	12:46:28
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_PortMixer_nOpen
Imagebase:	0x7ff620b60000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	12:46:28
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_PortMixer_nGetPortType
Imagebase:	0x7ff620b60000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	12:46:28
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_PortMixer_nGetPortName
Imagebase:	0x7ff620b60000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	12:46:28
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_PortMixer_nGetPortCount
Imagebase:	0x7ff620b60000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	12:46:28
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_PortMixer_nGetControls
Imagebase:	0x7ff620b60000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	12:46:28
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_PortMixer_nControlSetIntValue
Imagebase:	0x7ff620b60000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	12:46:28
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_PortMixer_nControlSetFloatValue
Imagebase:	0x7ff620b60000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	12:46:28
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_PortMixer_nControlGetIntValue
Imagebase:	0x7ff620b60000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	12:46:28
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_PortMixer_nControlGetFloatValue
Imagebase:	0x7ff620b60000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	12:46:28
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_PortMixer_nClose
Imagebase:	0x7ff620b60000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	12:46:28
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_PortMixerProvider_nNewPortMixerInfo
Imagebase:	0x7ff620b60000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	12:46:28
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_PortMixerProvider_nGetNumDevices
Imagebase:	0x7ff620b60000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	12:46:28
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_Platform_nIsSigned8
Imagebase:	0x7ff620b60000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	12:46:28
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_Platform_nIsBigEndian
Imagebase:	0x7ff620b60000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	12:46:28
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_Platform_nGetLibraryForFeature
Imagebase:	0x7ff620b60000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	12:46:28
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_Platform_nGetExtraLibraries
Imagebase:	0x7ff620b60000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	12:46:28
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_MidiOutDevice_nSendShortMessage
Imagebase:	0x7ff620b60000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	12:46:28
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_MidiOutDevice_nSendLongMessage
Imagebase:	0x7ff620b60000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	12:46:28
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_MidiOutDevice_nOpen
Imagebase:	0x7ff620b60000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	12:46:28
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_MidiOutDevice_nGetTimeStamp
Imagebase:	0x7ff620b60000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	12:46:28
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_MidiOutDevice_nClose
Imagebase:	0x7ff620b60000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	40
Start time:	12:46:28
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_MidiOutDeviceProvider_nGetVersion
Imagebase:	0x7ff620b60000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	12:46:28
Start date:	02/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_MidiOutDeviceProvider_nGetVendor
Imagebase:	0x7ff620b60000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	7.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.7%
Total number of Nodes:	460
Total number of Limit Nodes:	2

Executed Functions

Function 00007FFE148E176C Relevance: 6.0, APIs: 4, Instructions: 35
threadCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(?,?,?,?,?,00007FFE148E1010), ref: 00007FFE148E177D
CreateEventA.KERNEL32(?,?,?,?,?,00007FFE148E1010), ref: 00007FFE148E178D
CreateEventA.KERNEL32(?,?,?,?,?,00007FFE148E1010), ref: 00007FFE148E17A1
CreateThread.KERNELBASE ref: 00007FFE148E17D6

Memory Dump Source

Source File: 00000003.00000002.1830523441.00007FFE148E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE148E0000, based on PE: true

Associated: 00000003.00000002.1830501865.00007FFE148E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1830544768.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1830562821.00007FFE148E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1830581694.00007FFE148EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe148e0000_rundll32.jbxd

Similarity

API ID: Create$Event$CriticalInitializeSectionThread
String ID:
API String ID: 3438895259-0
Opcode ID: 2d6e4faee9e6a59898c1b5fa070b56048772e074198fbf9ad4f01bf78210a03c
Instruction ID: 8c296b29048ca6cdb685666cc3b024383b8a3462734b3a8635485046815cfc90
Opcode Fuzzy Hash: 2d6e4faee9e6a59898c1b5fa070b56048772e074198fbf9ad4f01bf78210a03c
Instruction Fuzzy Hash: 2501D632B14F2182FB648F72A485B2A73A1FB49B68F485038DE0E26764CF3CD059C700

Function 00007FFE148E4D08 Relevance: 24.2, APIs: 16, Instructions: 235
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FFE148E4D30
__scrt_initialize_crt.LIBCMT ref: 00007FFE148E4D75
__scrt_acquire_startup_lock.LIBCMT ref: 00007FFE148E4D96
_RTC_Initialize.LIBCMT ref: 00007FFE148E4DC4
__scrt_initialize_default_local_stdio_options.LIBCMT ref: 00007FFE148E4DCE
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FFE148E4DEA
__scrt_release_startup_lock.LIBCMT ref: 00007FFE148E4E15
__scrt_is_nonwritable_in_current_image.LIBCMT ref: 00007FFE148E4E34
__scrt_fastfail.LIBCMT ref: 00007FFE148E4E6A
__scrt_acquire_startup_lock.LIBCMT ref: 00007FFE148E4EAC
_RTC_Initialize.LIBCMT ref: 00007FFE148E4ECB
__scrt_release_startup_lock.LIBCMT ref: 00007FFE148E4EDE
__scrt_uninitialize_crt.LIBCMT ref: 00007FFE148E4EE8
__scrt_fastfail.LIBCMT ref: 00007FFE148E4EFB

Memory Dump Source

Source File: 00000003.00000002.1830523441.00007FFE148E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE148E0000, based on PE: true

Associated: 00000003.00000002.1830501865.00007FFE148E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1830544768.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1830562821.00007FFE148E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1830581694.00007FFE148EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe148e0000_rundll32.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_fastfail__scrt_release_startup_lock$__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_initialize_default_local_stdio_options__scrt_is_nonwritable_in_current_image__scrt_uninitialize_crt
String ID:
API String ID: 627783611-0
Opcode ID: 056d6750fde198f91544434d7cbc5cf67e40d8c08eda44e0ed4b27dfc17de77d
Instruction ID: 98acc305b200f7342822163641d9e01b323c3395413f09cbf90a2e9a9a72914c
Opcode Fuzzy Hash: 056d6750fde198f91544434d7cbc5cf67e40d8c08eda44e0ed4b27dfc17de77d
Instruction Fuzzy Hash: A7919421E08E4385FA50AB5B94C0279E691AF87BA0F5440B5FA0D777B7EE3CE44D8710

Non-executed Functions

Function 00007FFE148E54DC Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFE148E5508
GetCurrentThreadId.KERNEL32 ref: 00007FFE148E5516
GetCurrentProcessId.KERNEL32 ref: 00007FFE148E5522
QueryPerformanceCounter.KERNEL32 ref: 00007FFE148E5532

Memory Dump Source

Source File: 00000003.00000002.1830523441.00007FFE148E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE148E0000, based on PE: true

Associated: 00000003.00000002.1830501865.00007FFE148E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1830544768.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1830562821.00007FFE148E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1830581694.00007FFE148EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe148e0000_rundll32.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: ec2b26dfd0f8d2385e38df15ba1bbdf8fa87fe85032632b51f52bfdc86b47aa3
Instruction ID: 7d34cce8dd01dc251d4bcce7b131e6edec79d3b1f0210638d06e1747a8dfd1a4
Opcode Fuzzy Hash: ec2b26dfd0f8d2385e38df15ba1bbdf8fa87fe85032632b51f52bfdc86b47aa3
Instruction Fuzzy Hash: 9E113C32A04F418AEB10DF62E8942A833A4FB1E76CF441A71FA5D567A4DF7CD1A88340

Function 00007FFE148E220C Relevance: 13.6, APIs: 9, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE148E2229
memset.VCRUNTIME140 ref: 00007FFE148E224A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE148E2263
CreateEventA.KERNEL32 ref: 00007FFE148E2279
midiOutOpen.WINMM ref: 00007FFE148E22AB
midiOutShortMsg.WINMM ref: 00007FFE148E22C8
CloseHandle.KERNEL32 ref: 00007FFE148E22DA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE148E22EB

Part of subcall function 00007FFE148E3C10: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE148E1B29), ref: 00007FFE148E3C33
Part of subcall function 00007FFE148E3C10: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE148E1B29), ref: 00007FFE148E3C3C

timeBeginPeriod.WINMM ref: 00007FFE148E22FE

Part of subcall function 00007FFE148E3AF0: timeGetTime.WINMM(?,?,00000000,00007FFE148E1D90), ref: 00007FFE148E3AFD

Memory Dump Source

Source File: 00000003.00000002.1830523441.00007FFE148E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE148E0000, based on PE: true

Associated: 00000003.00000002.1830501865.00007FFE148E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1830544768.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1830562821.00007FFE148E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1830581694.00007FFE148EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe148e0000_rundll32.jbxd

Similarity

API ID: free$miditime$BeginCloseCreateEventHandleOpenPeriodShortTimemallocmemset
String ID:
API String ID: 2590383263-0
Opcode ID: 945e9617297c58ca91df0ca5ef4782bbb3c99100ad36cadd2da840e40240026d
Instruction ID: 9041818797d37102293e03e151b2338ebeadaebe99cda0fdd3da1073daa89bc3
Opcode Fuzzy Hash: 945e9617297c58ca91df0ca5ef4782bbb3c99100ad36cadd2da840e40240026d
Instruction Fuzzy Hash: ED312332B08D0186EB559B77D89037DA3A1BF86F68F504571EA0EA73B5DF3DD4498201

Function 00007FFE148E47B8 Relevance: 12.0, APIs: 4, Strings: 4, Instructions: 25
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strcpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,00007FFE148E46E0), ref: 00007FFE148E47D1
strcpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,00007FFE148E46E0), ref: 00007FFE148E47E4
strcpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,00007FFE148E46E0), ref: 00007FFE148E47F7
strcpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,00007FFE148E46E0), ref: 00007FFE148E480A

Part of subcall function 00007FFE148E2A30: mixerGetDevCapsA.WINMM ref: 00007FFE148E2A56
Part of subcall function 00007FFE148E2A30: strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE148E2A6E
Part of subcall function 00007FFE148E2A30: strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE148E2AB1

Strings

Unknown Vendor, xrefs: 00007FFE148E47DD
Unknown Name, xrefs: 00007FFE148E47CA
Port Mixer, xrefs: 00007FFE148E47F0
Unknown Version, xrefs: 00007FFE148E4803

Memory Dump Source

Source File: 00000003.00000002.1830523441.00007FFE148E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE148E0000, based on PE: true

Associated: 00000003.00000002.1830501865.00007FFE148E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1830544768.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1830562821.00007FFE148E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1830581694.00007FFE148EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe148e0000_rundll32.jbxd

Similarity

API ID: strcpy$strncpy$Capsmixer
String ID: Port Mixer$Unknown Name$Unknown Vendor$Unknown Version
API String ID: 2021610734-787855941
Opcode ID: 3dc9912c8470f02887c426715371765667be574435991b21258d3838a1e6efa1
Instruction ID: 0bb33674494456fb916e43b8715ec21b7f21e347daa6d2ff19bd4f89c3fda262
Opcode Fuzzy Hash: 3dc9912c8470f02887c426715371765667be574435991b21258d3838a1e6efa1
Instruction Fuzzy Hash: DAF01DA1A18D42D5EB00AB26E8D11F8A321AB457E8FC55071F90D6A37AFE6CD98D8310

Function 00007FFE148E2B6C Relevance: 10.7, APIs: 7, Instructions: 207
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mixerOpen.WINMM ref: 00007FFE148E2B95
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE148E2BAF
memset.VCRUNTIME140 ref: 00007FFE148E2BCD
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE148E2C06
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE148E2CCF

Memory Dump Source

Source File: 00000003.00000002.1830523441.00007FFE148E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE148E0000, based on PE: true

Associated: 00000003.00000002.1830501865.00007FFE148E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1830544768.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1830562821.00007FFE148E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1830581694.00007FFE148EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe148e0000_rundll32.jbxd

Similarity

API ID: malloc$Openmemsetmixer
String ID:
API String ID: 1988068089-0
Opcode ID: cc1c8c35fa98a414bdaa0c1274cb246fb05c3c6c73e8c2b23607ebc6ae49bf57
Instruction ID: f35c637707dfed6c6b7bda82ceeb2e4ff7991988c1d2b316cb13bf7e40a2f4bb
Opcode Fuzzy Hash: cc1c8c35fa98a414bdaa0c1274cb246fb05c3c6c73e8c2b23607ebc6ae49bf57
Instruction Fuzzy Hash: A881C332B09A568BEB648F17D5C0639B3A4FB4A7A0F058079EF4D577A1DF38E4698700

Function 00007FFE148E1504 Relevance: 10.6, APIs: 7, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEvent.KERNEL32 ref: 00007FFE148E1F8F
timeEndPeriod.WINMM ref: 00007FFE148E1F9F
midiOutReset.WINMM ref: 00007FFE148E1FA8
midiOutClose.WINMM ref: 00007FFE148E1FD5
CloseHandle.KERNEL32 ref: 00007FFE148E1FF1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE148E2002

Memory Dump Source

Source File: 00000003.00000002.1830523441.00007FFE148E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE148E0000, based on PE: true

Associated: 00000003.00000002.1830501865.00007FFE148E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1830544768.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1830562821.00007FFE148E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1830581694.00007FFE148EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe148e0000_rundll32.jbxd

Similarity

API ID: Closemidi$EventHandlePeriodResetfreetime
String ID:
API String ID: 4260093607-0
Opcode ID: a64e8874b6a4a95fdd145370a625b989496fed7616c63c101e1f462bd18a23de
Instruction ID: fe167d320902941e47bab336724c98e33e7847ab30f334a7d50467c2f8fe9377
Opcode Fuzzy Hash: a64e8874b6a4a95fdd145370a625b989496fed7616c63c101e1f462bd18a23de
Instruction Fuzzy Hash: 0B216021A09E1282EB55AB67959437CE261AF46FB4F5401B0FD0F777B5CF2CE8498380

Function 00007FFE148E201C Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 55
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFE148E2588: midiOutGetDevCapsA.WINMM(?,?,00000000,00007FFE148E204A), ref: 00007FFE148E25AB

strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE148E20B7

Strings

External MIDI Port, xrefs: 00007FFE148E20A5
Windows MIDI_MAPPER, xrefs: 00007FFE148E2081
Internal FM synthesizer, xrefs: 00007FFE148E208A
Internal synthesizer (generic), xrefs: 00007FFE148E209C
Internal software synthesizer, xrefs: 00007FFE148E2078
Internal square wave synthesizer, xrefs: 00007FFE148E2093

Memory Dump Source

Source File: 00000003.00000002.1830523441.00007FFE148E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE148E0000, based on PE: true

Associated: 00000003.00000002.1830501865.00007FFE148E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1830544768.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1830562821.00007FFE148E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1830581694.00007FFE148EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe148e0000_rundll32.jbxd

Similarity

API ID: Capsmidistrncpy
String ID: External MIDI Port$Internal FM synthesizer$Internal software synthesizer$Internal square wave synthesizer$Internal synthesizer (generic)$Windows MIDI_MAPPER
API String ID: 3583098728-2504388736
Opcode ID: 221c7e629a388342e26d320d1552fcd47e950c4bc25ef6db77434b5fe321584b
Instruction ID: bdc1fbbb9a983869310127fb1c89b7acbf5a5a19379209a49830aceb430a8193
Opcode Fuzzy Hash: 221c7e629a388342e26d320d1552fcd47e950c4bc25ef6db77434b5fe321584b
Instruction Fuzzy Hash: 38218371A0CD4689E668AB2BA4D4179E290FF07764F8401B1F54D267F8DE6CE50DC700

Function 00007FFE148E263C Relevance: 10.5, APIs: 7, Instructions: 40
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mixerClose.WINMM ref: 00007FFE148E2655
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE148E2668
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE148E267C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE148E2690
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE148E26A4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE148E26B8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE148E26C6

Memory Dump Source

Source File: 00000003.00000002.1830523441.00007FFE148E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE148E0000, based on PE: true

Associated: 00000003.00000002.1830501865.00007FFE148E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1830544768.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1830562821.00007FFE148E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1830581694.00007FFE148EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe148e0000_rundll32.jbxd

Similarity

API ID: free$Closemixer
String ID:
API String ID: 2973367850-0
Opcode ID: 692f0a99281a7137dfa7e55764cd08bd225a13e8381d8c5b2433a07698cb640d
Instruction ID: e21322c6dd39574275cda3c3c3bf4dc21f45cc5f5ed1dac742be0876c1e3c277
Opcode Fuzzy Hash: 692f0a99281a7137dfa7e55764cd08bd225a13e8381d8c5b2433a07698cb640d
Instruction Fuzzy Hash: AD110C22616E02CBFF999F62D4A53396360FF46F68F0407B4DD1E2A279CF6D90588344

Function 00007FFE148E2A30 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 37
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mixerGetDevCapsA.WINMM ref: 00007FFE148E2A56
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE148E2A6E

Part of subcall function 00007FFE148E1F04: __stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,00007FFE148E1C29), ref: 00007FFE148E1F48

strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE148E2AB1

Strings

%d.%d, xrefs: 00007FFE148E2A83
Port Mixer, xrefs: 00007FFE148E2AAA

Memory Dump Source

Source File: 00000003.00000002.1830523441.00007FFE148E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE148E0000, based on PE: true

Associated: 00000003.00000002.1830501865.00007FFE148E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1830544768.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1830562821.00007FFE148E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1830581694.00007FFE148EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe148e0000_rundll32.jbxd

Similarity

API ID: strncpy$Caps__stdio_common_vsprintfmixer
String ID: %d.%d$Port Mixer
API String ID: 1905600244-759074455
Opcode ID: 638478c3bb0501f0c30af9271e43d8f77b2d48eee092dee1e959d37d8bf64e07
Instruction ID: 382479b42c4fd846e45bab62c5c47f1524578fc8e7f1b6b840a803b46ca6baa5
Opcode Fuzzy Hash: 638478c3bb0501f0c30af9271e43d8f77b2d48eee092dee1e959d37d8bf64e07
Instruction Fuzzy Hash: DA01F120718E4185FB60DB26E8807A9A350EB4ABB8F800175E94D67775EF6CD28CCB00

Function 00007FFE148E3210 Relevance: 7.7, APIs: 5, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFE148E3740: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE148E30FC,?,?,?,?,?,00000000,?,?,00000000,00007FFE148E2896), ref: 00007FFE148E3787
Part of subcall function 00007FFE148E3740: mixerGetLineControlsA.WINMM(?,?,00000000,00007FFE148E30FC,?,?,?,?,?,00000000,?,?,00000000,00007FFE148E2896), ref: 00007FFE148E37A2
Part of subcall function 00007FFE148E3740: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE148E30FC,?,?,?,?,?,00000000,?,?,00000000,00007FFE148E2896), ref: 00007FFE148E37BB

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00000000,?,?,00000000,00007FFE148E2848), ref: 00007FFE148E3319
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00000000,?,?,00000000,00007FFE148E2848), ref: 00007FFE148E3333
mixerGetControlDetailsA.WINMM(?,?,?,00000000,?,?,00000000,00007FFE148E2848), ref: 00007FFE148E3356
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00000000,?,?,00000000,00007FFE148E2848), ref: 00007FFE148E342E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00000000,?,?,00000000,00007FFE148E2848), ref: 00007FFE148E343E

Memory Dump Source

Source File: 00000003.00000002.1830523441.00007FFE148E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE148E0000, based on PE: true

Associated: 00000003.00000002.1830501865.00007FFE148E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1830544768.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1830562821.00007FFE148E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1830581694.00007FFE148EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe148e0000_rundll32.jbxd

Similarity

API ID: free$mallocmixer$ControlControlsDetailsLine
String ID:
API String ID: 3737986393-0
Opcode ID: d8efb86b7dd2b432c8e2cfd059ba62d7b5b365b5530eefed140476b1a40f7b3c
Instruction ID: 36c3a5a9e9c726af4e06a01bda888584b126e2c0b40cbe23c795752b63c64aa2
Opcode Fuzzy Hash: d8efb86b7dd2b432c8e2cfd059ba62d7b5b365b5530eefed140476b1a40f7b3c
Instruction Fuzzy Hash: 0F61C132A15E05C7EB54CF16E188A6CB3A5F745BA4F028275EE6E53750CF38D85ACB00

Function 00007FFE148E1028 Relevance: 7.7, APIs: 1, Strings: 4, Instructions: 153
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

callbackShortMessage, xrefs: 00007FFE148E10A7
([BJ)V, xrefs: 00007FFE148E10CF
(IJ)V, xrefs: 00007FFE148E10A0
callbackLongMessage, xrefs: 00007FFE148E10D6

Memory Dump Source

Source File: 00000003.00000002.1830523441.00007FFE148E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE148E0000, based on PE: true

Associated: 00000003.00000002.1830501865.00007FFE148E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1830544768.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1830562821.00007FFE148E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1830581694.00007FFE148EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe148e0000_rundll32.jbxd

Similarity

API ID:
String ID: (IJ)V$([BJ)V$callbackLongMessage$callbackShortMessage
API String ID: 0-1382956355
Opcode ID: 9740e262f438b8789765806ab3d1a4793e7526eec3d699e3b6ff1aa7cec5647e
Instruction ID: 9b6f00b0be06e78112aeaea999b8708d75464bd647045612dd5994d6f6d32d34
Opcode Fuzzy Hash: 9740e262f438b8789765806ab3d1a4793e7526eec3d699e3b6ff1aa7cec5647e
Instruction Fuzzy Hash: 0551A222709B8281DE65CF57A8842EAA3A0BB4AFE4F488475EE4D57795DF3CD449C300

Function 00007FFE148E231C Relevance: 7.6, APIs: 5, Instructions: 112
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitForSingleObject.KERNEL32(?,?,?,00007FFE148E15B3), ref: 00007FFE148E23CC

Memory Dump Source

Source File: 00000003.00000002.1830523441.00007FFE148E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE148E0000, based on PE: true

Associated: 00000003.00000002.1830501865.00007FFE148E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1830544768.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1830562821.00007FFE148E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1830581694.00007FFE148EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe148e0000_rundll32.jbxd

Similarity

API ID: ObjectSingleWait
String ID:
API String ID: 24740636-0
Opcode ID: c9d313e7c698d3566f5dc1283f0417070d3359aebace9fa7ce44f85a5276fa02
Instruction ID: e6b9a69f4540aa5f3ff2d72ab3dd4f2c8cc1bc5cb5351eb890183c050184357d
Opcode Fuzzy Hash: c9d313e7c698d3566f5dc1283f0417070d3359aebace9fa7ce44f85a5276fa02
Instruction Fuzzy Hash: 23419361B08F4289EA559F1BD480639F390AF42BA8F444075EE1D677B5DF3CE4498741

Function 00007FFE148E18F4 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

midiInOpen.WINMM ref: 00007FFE148E1919
SetEvent.KERNEL32 ref: 00007FFE148E192C
WaitForSingleObject.KERNEL32 ref: 00007FFE148E193C

Strings

, xrefs: 00007FFE148E1911

Memory Dump Source

Source File: 00000003.00000002.1830523441.00007FFE148E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE148E0000, based on PE: true

Associated: 00000003.00000002.1830501865.00007FFE148E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1830544768.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1830562821.00007FFE148E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1830581694.00007FFE148EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe148e0000_rundll32.jbxd

Similarity

API ID: EventObjectOpenSingleWaitmidi
String ID:
API String ID: 138987089-3916222277
Opcode ID: 7b7b3c597a58e9689a5a5c5c2162efbfd450136cc459206a8b635f7251b97114
Instruction ID: 95331268c4a4bce3a737ffec349897d8f627a319b686aaadfd9f2197ad7370ba
Opcode Fuzzy Hash: 7b7b3c597a58e9689a5a5c5c2162efbfd450136cc459206a8b635f7251b97114
Instruction Fuzzy Hash: 4EF07464E09E5686E650EB23E8C52B4A7A0BF8A774F8402B1E85D72374DF7CA14D8600

Function 00007FFE148E1304 Relevance: 6.0, APIs: 4, Instructions: 33sleepCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32 ref: 00007FFE148E1EB8
midiInStop.WINMM ref: 00007FFE148E1EC1
Sleep.KERNEL32 ref: 00007FFE148E1ECD
CloseHandle.KERNEL32 ref: 00007FFE148E1EDC

Memory Dump Source

Source File: 00000003.00000002.1830523441.00007FFE148E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE148E0000, based on PE: true

Associated: 00000003.00000002.1830501865.00007FFE148E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1830544768.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1830562821.00007FFE148E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1830581694.00007FFE148EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe148e0000_rundll32.jbxd

Similarity

API ID: CloseEventHandleSleepStopmidi
String ID:
API String ID: 1174883558-0
Opcode ID: f3e5014b63227229b6ed0e3c007381763114db1586378116d4d25922b4a24012
Instruction ID: 9ac25670dcc7437686dd20d01834f24c726c9947a3a7ccafa57e9489118b984c
Opcode Fuzzy Hash: f3e5014b63227229b6ed0e3c007381763114db1586378116d4d25922b4a24012
Instruction Fuzzy Hash: 51016D21E0CE4282EA148B67A58037DA260AF49BE8F5405B4F91F27764CF2DD4498340

Function 00007FFE148E1980 Relevance: 6.0, APIs: 4, Instructions: 27synchronizationCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,00007FFE148E1D74), ref: 00007FFE148E1996
SetEvent.KERNEL32(?,?,?,00007FFE148E1D74), ref: 00007FFE148E19C1
WaitForSingleObject.KERNEL32(?,?,?,00007FFE148E1D74), ref: 00007FFE148E19D1
LeaveCriticalSection.KERNEL32(?,?,?,00007FFE148E1D74), ref: 00007FFE148E19E4

Memory Dump Source

Source File: 00000003.00000002.1830523441.00007FFE148E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE148E0000, based on PE: true

Associated: 00000003.00000002.1830501865.00007FFE148E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1830544768.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1830562821.00007FFE148E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1830581694.00007FFE148EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe148e0000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterEventLeaveObjectSingleWait
String ID:
API String ID: 4060455350-0
Opcode ID: 1019184f23986758b620619342492000e281c04926bf23f0575fc198d43bd14f
Instruction ID: 9d53c97f4a0ef3084ff76ee13dfd2e666a16f67c62a00c7d7a70a69127d6b1ec
Opcode Fuzzy Hash: 1019184f23986758b620619342492000e281c04926bf23f0575fc198d43bd14f
Instruction Fuzzy Hash: 7601A461A08E4682EB10EB17F8C01A4B3A0BF8A774B9840B5E95E62370DE7CA54DC600

Function 00007FFE148E26D4 Relevance: 5.2, APIs: 4, Instructions: 164COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE148E27B4
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE148E27C9
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE148E27FC

Part of subcall function 00007FFE148E30C0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,?,?,00000000,00007FFE148E2896), ref: 00007FFE148E31EA

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE148E28FF

Memory Dump Source

Source File: 00000003.00000002.1830523441.00007FFE148E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE148E0000, based on PE: true

Associated: 00000003.00000002.1830501865.00007FFE148E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1830544768.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1830562821.00007FFE148E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1830581694.00007FFE148EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe148e0000_rundll32.jbxd

Similarity

API ID: malloc$free
String ID:
API String ID: 1480856625-0
Opcode ID: e8cfbd72491b04978ba1fcbb6a8aa8cf000ff66440e5cc8b578189279fa2b450
Instruction ID: 7160d4dd585b44e7ee227d0c83bfc17415daee82d440928d636eb2dd0512aa8f
Opcode Fuzzy Hash: e8cfbd72491b04978ba1fcbb6a8aa8cf000ff66440e5cc8b578189279fa2b450
Instruction Fuzzy Hash: 4F619132A05F118AEA60DF13A480969F7A4FB46BA8B011075FF9E27B65DF3CE1458700

Function 00007FFE148E3B30 Relevance: 5.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE148E1D58), ref: 00007FFE148E3B63
memset.VCRUNTIME140(?,?,?,00007FFE148E1D58), ref: 00007FFE148E3B80
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE148E1D58), ref: 00007FFE148E3BA3
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE148E1D58), ref: 00007FFE148E3BB4

Memory Dump Source

Source File: 00000003.00000002.1830523441.00007FFE148E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE148E0000, based on PE: true

Associated: 00000003.00000002.1830501865.00007FFE148E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1830544768.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1830562821.00007FFE148E9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1830581694.00007FFE148EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffe148e0000_rundll32.jbxd

Similarity

API ID: malloc$freememset
String ID:
API String ID: 2835137314-0
Opcode ID: e7459d6239be163082843d5e81bef50b6c3d63922d926c81a6253c073435e8d7
Instruction ID: 687c21e336cc3587714ec795705a36d7f3553b60db3c393cafd4730cc8b9c8c3
Opcode Fuzzy Hash: e7459d6239be163082843d5e81bef50b6c3d63922d926c81a6253c073435e8d7
Instruction Fuzzy Hash: DB218332B04B4681E7148F17E880169B6E5FF85F94B4984B5EE4E67774DF38E8558340

Analysis Process: rundll32.exePID: 7500, Parent PID: 6532COMMON

Execution Graph

Execution Coverage:	7.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	460
Total number of Limit Nodes:	2

Executed Functions

Function 00007FFE148E176C Relevance: 6.0, APIs: 4, Instructions: 35
threadCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(?,?,?,?,?,00007FFE148E1010), ref: 00007FFE148E177D
CreateEventA.KERNEL32(?,?,?,?,?,00007FFE148E1010), ref: 00007FFE148E178D
CreateEventA.KERNEL32(?,?,?,?,?,00007FFE148E1010), ref: 00007FFE148E17A1
CreateThread.KERNELBASE ref: 00007FFE148E17D6

Memory Dump Source

Source File: 00000029.00000002.1779042863.00007FFE148E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE148E0000, based on PE: true

Associated: 00000029.00000002.1778998287.00007FFE148E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000029.00000002.1779102324.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000029.00000002.1779149265.00007FFE148EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffe148e0000_rundll32.jbxd

Similarity

API ID: Create$Event$CriticalInitializeSectionThread
String ID:
API String ID: 3438895259-0
Opcode ID: 2d6e4faee9e6a59898c1b5fa070b56048772e074198fbf9ad4f01bf78210a03c
Instruction ID: 8c296b29048ca6cdb685666cc3b024383b8a3462734b3a8635485046815cfc90
Opcode Fuzzy Hash: 2d6e4faee9e6a59898c1b5fa070b56048772e074198fbf9ad4f01bf78210a03c
Instruction Fuzzy Hash: 2501D632B14F2182FB648F72A485B2A73A1FB49B68F485038DE0E26764CF3CD059C700

Function 00007FFE148E4D08 Relevance: 24.2, APIs: 16, Instructions: 235
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FFE148E4D30
__scrt_initialize_crt.LIBCMT ref: 00007FFE148E4D75
__scrt_acquire_startup_lock.LIBCMT ref: 00007FFE148E4D96
_RTC_Initialize.LIBCMT ref: 00007FFE148E4DC4
__scrt_initialize_default_local_stdio_options.LIBCMT ref: 00007FFE148E4DCE
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FFE148E4DEA
__scrt_release_startup_lock.LIBCMT ref: 00007FFE148E4E15
__scrt_is_nonwritable_in_current_image.LIBCMT ref: 00007FFE148E4E34
__scrt_fastfail.LIBCMT ref: 00007FFE148E4E6A
__scrt_acquire_startup_lock.LIBCMT ref: 00007FFE148E4EAC
_RTC_Initialize.LIBCMT ref: 00007FFE148E4ECB
__scrt_release_startup_lock.LIBCMT ref: 00007FFE148E4EDE
__scrt_uninitialize_crt.LIBCMT ref: 00007FFE148E4EE8
__scrt_fastfail.LIBCMT ref: 00007FFE148E4EFB

Memory Dump Source

Source File: 00000029.00000002.1779042863.00007FFE148E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE148E0000, based on PE: true

Associated: 00000029.00000002.1778998287.00007FFE148E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000029.00000002.1779102324.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000029.00000002.1779149265.00007FFE148EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffe148e0000_rundll32.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_fastfail__scrt_release_startup_lock$__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_initialize_default_local_stdio_options__scrt_is_nonwritable_in_current_image__scrt_uninitialize_crt
String ID:
API String ID: 627783611-0
Opcode ID: 056d6750fde198f91544434d7cbc5cf67e40d8c08eda44e0ed4b27dfc17de77d
Instruction ID: 98acc305b200f7342822163641d9e01b323c3395413f09cbf90a2e9a9a72914c
Opcode Fuzzy Hash: 056d6750fde198f91544434d7cbc5cf67e40d8c08eda44e0ed4b27dfc17de77d
Instruction Fuzzy Hash: A7919421E08E4385FA50AB5B94C0279E691AF87BA0F5440B5FA0D777B7EE3CE44D8710

Function 00007FFE148E140C Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 27
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strcpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE148E1457

Strings

Unknown vendor, xrefs: 00007FFE148E144B

Memory Dump Source

Source File: 00000029.00000002.1779042863.00007FFE148E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE148E0000, based on PE: true

Associated: 00000029.00000002.1778998287.00007FFE148E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000029.00000002.1779102324.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000029.00000002.1779149265.00007FFE148EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffe148e0000_rundll32.jbxd

Similarity

API ID: strcpy
String ID: Unknown vendor
API String ID: 3177657795-662083392
Opcode ID: 3c71d81168211033c740c9c08d3c94051b409b15d84bfb2e5dbf3034804f12cc
Instruction ID: ae0daf717c527defaa890f483d4cad8bae0e61e73bbd43d7407528d874fb58cb
Opcode Fuzzy Hash: 3c71d81168211033c740c9c08d3c94051b409b15d84bfb2e5dbf3034804f12cc
Instruction Fuzzy Hash: 00F06261708AC581EF709725F4913AAA351FB8A798F841171E98C177A6DF6CD10CCB00

Non-executed Functions

Function 00007FFE148E220C Relevance: 13.6, APIs: 9, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE148E2229
memset.VCRUNTIME140 ref: 00007FFE148E224A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE148E2263
CreateEventA.KERNEL32 ref: 00007FFE148E2279
midiOutOpen.WINMM ref: 00007FFE148E22AB
midiOutShortMsg.WINMM ref: 00007FFE148E22C8
CloseHandle.KERNEL32 ref: 00007FFE148E22DA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE148E22EB

Part of subcall function 00007FFE148E3C10: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE148E1B29), ref: 00007FFE148E3C33
Part of subcall function 00007FFE148E3C10: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE148E1B29), ref: 00007FFE148E3C3C

timeBeginPeriod.WINMM ref: 00007FFE148E22FE

Part of subcall function 00007FFE148E3AF0: timeGetTime.WINMM(?,?,00000000,00007FFE148E1D90), ref: 00007FFE148E3AFD

Memory Dump Source

Source File: 00000029.00000002.1779042863.00007FFE148E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE148E0000, based on PE: true

Associated: 00000029.00000002.1778998287.00007FFE148E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000029.00000002.1779102324.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000029.00000002.1779149265.00007FFE148EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffe148e0000_rundll32.jbxd

Similarity

API ID: free$miditime$BeginCloseCreateEventHandleOpenPeriodShortTimemallocmemset
String ID:
API String ID: 2590383263-0
Opcode ID: 945e9617297c58ca91df0ca5ef4782bbb3c99100ad36cadd2da840e40240026d
Instruction ID: 9041818797d37102293e03e151b2338ebeadaebe99cda0fdd3da1073daa89bc3
Opcode Fuzzy Hash: 945e9617297c58ca91df0ca5ef4782bbb3c99100ad36cadd2da840e40240026d
Instruction Fuzzy Hash: ED312332B08D0186EB559B77D89037DA3A1BF86F68F504571EA0EA73B5DF3DD4498201

Function 00007FFE148E47B8 Relevance: 12.0, APIs: 4, Strings: 4, Instructions: 25
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strcpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,00007FFE148E46E0), ref: 00007FFE148E47D1
strcpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,00007FFE148E46E0), ref: 00007FFE148E47E4
strcpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,00007FFE148E46E0), ref: 00007FFE148E47F7
strcpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,00007FFE148E46E0), ref: 00007FFE148E480A

Part of subcall function 00007FFE148E2A30: mixerGetDevCapsA.WINMM ref: 00007FFE148E2A56
Part of subcall function 00007FFE148E2A30: strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE148E2A6E
Part of subcall function 00007FFE148E2A30: strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE148E2AB1

Strings

Unknown Name, xrefs: 00007FFE148E47CA
Unknown Vendor, xrefs: 00007FFE148E47DD
Port Mixer, xrefs: 00007FFE148E47F0
Unknown Version, xrefs: 00007FFE148E4803

Memory Dump Source

Source File: 00000029.00000002.1779042863.00007FFE148E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE148E0000, based on PE: true

Associated: 00000029.00000002.1778998287.00007FFE148E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000029.00000002.1779102324.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000029.00000002.1779149265.00007FFE148EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffe148e0000_rundll32.jbxd

Similarity

API ID: strcpy$strncpy$Capsmixer
String ID: Port Mixer$Unknown Name$Unknown Vendor$Unknown Version
API String ID: 2021610734-787855941
Opcode ID: 567ad1e4a81e3fd545a5c905159ce633e43216f62c34595b4ed6e4e0e1358763
Instruction ID: 0bb33674494456fb916e43b8715ec21b7f21e347daa6d2ff19bd4f89c3fda262
Opcode Fuzzy Hash: 567ad1e4a81e3fd545a5c905159ce633e43216f62c34595b4ed6e4e0e1358763
Instruction Fuzzy Hash: DAF01DA1A18D42D5EB00AB26E8D11F8A321AB457E8FC55071F90D6A37AFE6CD98D8310

Function 00007FFE148E2B6C Relevance: 10.7, APIs: 7, Instructions: 207
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mixerOpen.WINMM ref: 00007FFE148E2B95
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE148E2BAF
memset.VCRUNTIME140 ref: 00007FFE148E2BCD
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE148E2C06
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE148E2CCF

Memory Dump Source

Source File: 00000029.00000002.1779042863.00007FFE148E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE148E0000, based on PE: true

Associated: 00000029.00000002.1778998287.00007FFE148E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000029.00000002.1779102324.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000029.00000002.1779149265.00007FFE148EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffe148e0000_rundll32.jbxd

Similarity

API ID: malloc$Openmemsetmixer
String ID:
API String ID: 1988068089-0
Opcode ID: cc1c8c35fa98a414bdaa0c1274cb246fb05c3c6c73e8c2b23607ebc6ae49bf57
Instruction ID: f35c637707dfed6c6b7bda82ceeb2e4ff7991988c1d2b316cb13bf7e40a2f4bb
Opcode Fuzzy Hash: cc1c8c35fa98a414bdaa0c1274cb246fb05c3c6c73e8c2b23607ebc6ae49bf57
Instruction Fuzzy Hash: A881C332B09A568BEB648F17D5C0639B3A4FB4A7A0F058079EF4D577A1DF38E4698700

Function 00007FFE148E1504 Relevance: 10.6, APIs: 7, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEvent.KERNEL32 ref: 00007FFE148E1F8F
timeEndPeriod.WINMM ref: 00007FFE148E1F9F
midiOutReset.WINMM ref: 00007FFE148E1FA8
midiOutClose.WINMM ref: 00007FFE148E1FD5
CloseHandle.KERNEL32 ref: 00007FFE148E1FF1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE148E2002

Memory Dump Source

Source File: 00000029.00000002.1779042863.00007FFE148E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE148E0000, based on PE: true

Associated: 00000029.00000002.1778998287.00007FFE148E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000029.00000002.1779102324.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000029.00000002.1779149265.00007FFE148EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffe148e0000_rundll32.jbxd

Similarity

API ID: Closemidi$EventHandlePeriodResetfreetime
String ID:
API String ID: 4260093607-0
Opcode ID: a64e8874b6a4a95fdd145370a625b989496fed7616c63c101e1f462bd18a23de
Instruction ID: fe167d320902941e47bab336724c98e33e7847ab30f334a7d50467c2f8fe9377
Opcode Fuzzy Hash: a64e8874b6a4a95fdd145370a625b989496fed7616c63c101e1f462bd18a23de
Instruction Fuzzy Hash: 0B216021A09E1282EB55AB67959437CE261AF46FB4F5401B0FD0F777B5CF2CE8498380

Function 00007FFE148E201C Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 55
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFE148E2588: midiOutGetDevCapsA.WINMM(?,?,00000000,00007FFE148E204A), ref: 00007FFE148E25AB

strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE148E20B7

Strings

Internal FM synthesizer, xrefs: 00007FFE148E208A
Internal software synthesizer, xrefs: 00007FFE148E2078
Windows MIDI_MAPPER, xrefs: 00007FFE148E2081
Internal square wave synthesizer, xrefs: 00007FFE148E2093
External MIDI Port, xrefs: 00007FFE148E20A5
Internal synthesizer (generic), xrefs: 00007FFE148E209C

Memory Dump Source

Source File: 00000029.00000002.1779042863.00007FFE148E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE148E0000, based on PE: true

Associated: 00000029.00000002.1778998287.00007FFE148E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000029.00000002.1779102324.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000029.00000002.1779149265.00007FFE148EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffe148e0000_rundll32.jbxd

Similarity

API ID: Capsmidistrncpy
String ID: External MIDI Port$Internal FM synthesizer$Internal software synthesizer$Internal square wave synthesizer$Internal synthesizer (generic)$Windows MIDI_MAPPER
API String ID: 3583098728-2504388736
Opcode ID: 221c7e629a388342e26d320d1552fcd47e950c4bc25ef6db77434b5fe321584b
Instruction ID: bdc1fbbb9a983869310127fb1c89b7acbf5a5a19379209a49830aceb430a8193
Opcode Fuzzy Hash: 221c7e629a388342e26d320d1552fcd47e950c4bc25ef6db77434b5fe321584b
Instruction Fuzzy Hash: 38218371A0CD4689E668AB2BA4D4179E290FF07764F8401B1F54D267F8DE6CE50DC700

Function 00007FFE148E263C Relevance: 10.5, APIs: 7, Instructions: 40
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mixerClose.WINMM ref: 00007FFE148E2655
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE148E2668
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE148E267C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE148E2690
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE148E26A4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE148E26B8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE148E26C6

Memory Dump Source

Source File: 00000029.00000002.1779042863.00007FFE148E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE148E0000, based on PE: true

Associated: 00000029.00000002.1778998287.00007FFE148E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000029.00000002.1779102324.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000029.00000002.1779149265.00007FFE148EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffe148e0000_rundll32.jbxd

Similarity

API ID: free$Closemixer
String ID:
API String ID: 2973367850-0
Opcode ID: 692f0a99281a7137dfa7e55764cd08bd225a13e8381d8c5b2433a07698cb640d
Instruction ID: e21322c6dd39574275cda3c3c3bf4dc21f45cc5f5ed1dac742be0876c1e3c277
Opcode Fuzzy Hash: 692f0a99281a7137dfa7e55764cd08bd225a13e8381d8c5b2433a07698cb640d
Instruction Fuzzy Hash: AD110C22616E02CBFF999F62D4A53396360FF46F68F0407B4DD1E2A279CF6D90588344

Function 00007FFE148E2A30 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 37
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mixerGetDevCapsA.WINMM ref: 00007FFE148E2A56
strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE148E2A6E

Part of subcall function 00007FFE148E1F04: __stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,00007FFE148E1C29), ref: 00007FFE148E1F48

strncpy.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE148E2AB1

Strings

%d.%d, xrefs: 00007FFE148E2A83
Port Mixer, xrefs: 00007FFE148E2AAA

Memory Dump Source

Source File: 00000029.00000002.1779042863.00007FFE148E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE148E0000, based on PE: true

Associated: 00000029.00000002.1778998287.00007FFE148E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000029.00000002.1779102324.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000029.00000002.1779149265.00007FFE148EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffe148e0000_rundll32.jbxd

Similarity

API ID: strncpy$Caps__stdio_common_vsprintfmixer
String ID: %d.%d$Port Mixer
API String ID: 1905600244-759074455
Opcode ID: 638478c3bb0501f0c30af9271e43d8f77b2d48eee092dee1e959d37d8bf64e07
Instruction ID: 382479b42c4fd846e45bab62c5c47f1524578fc8e7f1b6b840a803b46ca6baa5
Opcode Fuzzy Hash: 638478c3bb0501f0c30af9271e43d8f77b2d48eee092dee1e959d37d8bf64e07
Instruction Fuzzy Hash: DA01F120718E4185FB60DB26E8807A9A350EB4ABB8F800175E94D67775EF6CD28CCB00

Function 00007FFE148E3210 Relevance: 7.7, APIs: 5, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFE148E3740: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE148E30FC,?,?,?,?,?,00000000,?,?,00000000,00007FFE148E2896), ref: 00007FFE148E3787
Part of subcall function 00007FFE148E3740: mixerGetLineControlsA.WINMM(?,?,00000000,00007FFE148E30FC,?,?,?,?,?,00000000,?,?,00000000,00007FFE148E2896), ref: 00007FFE148E37A2
Part of subcall function 00007FFE148E3740: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE148E30FC,?,?,?,?,?,00000000,?,?,00000000,00007FFE148E2896), ref: 00007FFE148E37BB

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00000000,?,?,00000000,00007FFE148E2848), ref: 00007FFE148E3319
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00000000,?,?,00000000,00007FFE148E2848), ref: 00007FFE148E3333
mixerGetControlDetailsA.WINMM(?,?,?,00000000,?,?,00000000,00007FFE148E2848), ref: 00007FFE148E3356
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00000000,?,?,00000000,00007FFE148E2848), ref: 00007FFE148E342E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00000000,?,?,00000000,00007FFE148E2848), ref: 00007FFE148E343E

Memory Dump Source

Source File: 00000029.00000002.1779042863.00007FFE148E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE148E0000, based on PE: true

Associated: 00000029.00000002.1778998287.00007FFE148E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000029.00000002.1779102324.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000029.00000002.1779149265.00007FFE148EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffe148e0000_rundll32.jbxd

Similarity

API ID: free$mallocmixer$ControlControlsDetailsLine
String ID:
API String ID: 3737986393-0
Opcode ID: d8efb86b7dd2b432c8e2cfd059ba62d7b5b365b5530eefed140476b1a40f7b3c
Instruction ID: 36c3a5a9e9c726af4e06a01bda888584b126e2c0b40cbe23c795752b63c64aa2
Opcode Fuzzy Hash: d8efb86b7dd2b432c8e2cfd059ba62d7b5b365b5530eefed140476b1a40f7b3c
Instruction Fuzzy Hash: 0F61C132A15E05C7EB54CF16E188A6CB3A5F745BA4F028275EE6E53750CF38D85ACB00

Function 00007FFE148E1028 Relevance: 7.7, APIs: 1, Strings: 4, Instructions: 153
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

callbackLongMessage, xrefs: 00007FFE148E10D6
([BJ)V, xrefs: 00007FFE148E10CF
callbackShortMessage, xrefs: 00007FFE148E10A7
(IJ)V, xrefs: 00007FFE148E10A0

Memory Dump Source

Source File: 00000029.00000002.1779042863.00007FFE148E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE148E0000, based on PE: true

Associated: 00000029.00000002.1778998287.00007FFE148E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000029.00000002.1779102324.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000029.00000002.1779149265.00007FFE148EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffe148e0000_rundll32.jbxd

Similarity

API ID:
String ID: (IJ)V$([BJ)V$callbackLongMessage$callbackShortMessage
API String ID: 0-1382956355
Opcode ID: 9740e262f438b8789765806ab3d1a4793e7526eec3d699e3b6ff1aa7cec5647e
Instruction ID: 9b6f00b0be06e78112aeaea999b8708d75464bd647045612dd5994d6f6d32d34
Opcode Fuzzy Hash: 9740e262f438b8789765806ab3d1a4793e7526eec3d699e3b6ff1aa7cec5647e
Instruction Fuzzy Hash: 0551A222709B8281DE65CF57A8842EAA3A0BB4AFE4F488475EE4D57795DF3CD449C300

Function 00007FFE148E231C Relevance: 7.6, APIs: 5, Instructions: 112
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitForSingleObject.KERNEL32(?,?,?,00007FFE148E15B3), ref: 00007FFE148E23CC

Memory Dump Source

Source File: 00000029.00000002.1779042863.00007FFE148E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE148E0000, based on PE: true

Associated: 00000029.00000002.1778998287.00007FFE148E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000029.00000002.1779102324.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000029.00000002.1779149265.00007FFE148EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffe148e0000_rundll32.jbxd

Similarity

API ID: ObjectSingleWait
String ID:
API String ID: 24740636-0
Opcode ID: c9d313e7c698d3566f5dc1283f0417070d3359aebace9fa7ce44f85a5276fa02
Instruction ID: e6b9a69f4540aa5f3ff2d72ab3dd4f2c8cc1bc5cb5351eb890183c050184357d
Opcode Fuzzy Hash: c9d313e7c698d3566f5dc1283f0417070d3359aebace9fa7ce44f85a5276fa02
Instruction Fuzzy Hash: 23419361B08F4289EA559F1BD480639F390AF42BA8F444075EE1D677B5DF3CE4498741

Function 00007FFE148E18F4 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

midiInOpen.WINMM ref: 00007FFE148E1919
SetEvent.KERNEL32 ref: 00007FFE148E192C
WaitForSingleObject.KERNEL32 ref: 00007FFE148E193C

Strings

, xrefs: 00007FFE148E1911

Memory Dump Source

Source File: 00000029.00000002.1779042863.00007FFE148E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE148E0000, based on PE: true

Associated: 00000029.00000002.1778998287.00007FFE148E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000029.00000002.1779102324.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000029.00000002.1779149265.00007FFE148EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffe148e0000_rundll32.jbxd

Similarity

API ID: EventObjectOpenSingleWaitmidi
String ID:
API String ID: 138987089-3916222277
Opcode ID: 7b7b3c597a58e9689a5a5c5c2162efbfd450136cc459206a8b635f7251b97114
Instruction ID: 95331268c4a4bce3a737ffec349897d8f627a319b686aaadfd9f2197ad7370ba
Opcode Fuzzy Hash: 7b7b3c597a58e9689a5a5c5c2162efbfd450136cc459206a8b635f7251b97114
Instruction Fuzzy Hash: 4EF07464E09E5686E650EB23E8C52B4A7A0BF8A774F8402B1E85D72374DF7CA14D8600

Function 00007FFE148E54DC Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFE148E5508
GetCurrentThreadId.KERNEL32 ref: 00007FFE148E5516
GetCurrentProcessId.KERNEL32 ref: 00007FFE148E5522
QueryPerformanceCounter.KERNEL32 ref: 00007FFE148E5532

Memory Dump Source

Source File: 00000029.00000002.1779042863.00007FFE148E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE148E0000, based on PE: true

Associated: 00000029.00000002.1778998287.00007FFE148E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000029.00000002.1779102324.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000029.00000002.1779149265.00007FFE148EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffe148e0000_rundll32.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: ec2b26dfd0f8d2385e38df15ba1bbdf8fa87fe85032632b51f52bfdc86b47aa3
Instruction ID: 7d34cce8dd01dc251d4bcce7b131e6edec79d3b1f0210638d06e1747a8dfd1a4
Opcode Fuzzy Hash: ec2b26dfd0f8d2385e38df15ba1bbdf8fa87fe85032632b51f52bfdc86b47aa3
Instruction Fuzzy Hash: 9E113C32A04F418AEB10DF62E8942A833A4FB1E76CF441A71FA5D567A4DF7CD1A88340

Function 00007FFE148E1304 Relevance: 6.0, APIs: 4, Instructions: 33sleepCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32 ref: 00007FFE148E1EB8
midiInStop.WINMM ref: 00007FFE148E1EC1
Sleep.KERNEL32 ref: 00007FFE148E1ECD
CloseHandle.KERNEL32 ref: 00007FFE148E1EDC

Memory Dump Source

Source File: 00000029.00000002.1779042863.00007FFE148E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE148E0000, based on PE: true

Associated: 00000029.00000002.1778998287.00007FFE148E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000029.00000002.1779102324.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000029.00000002.1779149265.00007FFE148EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffe148e0000_rundll32.jbxd

Similarity

API ID: CloseEventHandleSleepStopmidi
String ID:
API String ID: 1174883558-0
Opcode ID: f3e5014b63227229b6ed0e3c007381763114db1586378116d4d25922b4a24012
Instruction ID: 9ac25670dcc7437686dd20d01834f24c726c9947a3a7ccafa57e9489118b984c
Opcode Fuzzy Hash: f3e5014b63227229b6ed0e3c007381763114db1586378116d4d25922b4a24012
Instruction Fuzzy Hash: 51016D21E0CE4282EA148B67A58037DA260AF49BE8F5405B4F91F27764CF2DD4498340

Function 00007FFE148E1980 Relevance: 6.0, APIs: 4, Instructions: 27synchronizationCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,00007FFE148E1D74), ref: 00007FFE148E1996
SetEvent.KERNEL32(?,?,?,00007FFE148E1D74), ref: 00007FFE148E19C1
WaitForSingleObject.KERNEL32(?,?,?,00007FFE148E1D74), ref: 00007FFE148E19D1
LeaveCriticalSection.KERNEL32(?,?,?,00007FFE148E1D74), ref: 00007FFE148E19E4

Memory Dump Source

Source File: 00000029.00000002.1779042863.00007FFE148E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE148E0000, based on PE: true

Associated: 00000029.00000002.1778998287.00007FFE148E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000029.00000002.1779102324.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000029.00000002.1779149265.00007FFE148EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffe148e0000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterEventLeaveObjectSingleWait
String ID:
API String ID: 4060455350-0
Opcode ID: 1019184f23986758b620619342492000e281c04926bf23f0575fc198d43bd14f
Instruction ID: 9d53c97f4a0ef3084ff76ee13dfd2e666a16f67c62a00c7d7a70a69127d6b1ec
Opcode Fuzzy Hash: 1019184f23986758b620619342492000e281c04926bf23f0575fc198d43bd14f
Instruction Fuzzy Hash: 7601A461A08E4682EB10EB17F8C01A4B3A0BF8A774B9840B5E95E62370DE7CA54DC600

Function 00007FFE148E26D4 Relevance: 5.2, APIs: 4, Instructions: 164COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE148E27B4
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE148E27C9
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE148E27FC

Part of subcall function 00007FFE148E30C0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,?,?,00000000,00007FFE148E2896), ref: 00007FFE148E31EA

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE148E28FF

Memory Dump Source

Source File: 00000029.00000002.1779042863.00007FFE148E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE148E0000, based on PE: true

Associated: 00000029.00000002.1778998287.00007FFE148E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000029.00000002.1779102324.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000029.00000002.1779149265.00007FFE148EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffe148e0000_rundll32.jbxd

Similarity

API ID: malloc$free
String ID:
API String ID: 1480856625-0
Opcode ID: e8cfbd72491b04978ba1fcbb6a8aa8cf000ff66440e5cc8b578189279fa2b450
Instruction ID: 7160d4dd585b44e7ee227d0c83bfc17415daee82d440928d636eb2dd0512aa8f
Opcode Fuzzy Hash: e8cfbd72491b04978ba1fcbb6a8aa8cf000ff66440e5cc8b578189279fa2b450
Instruction Fuzzy Hash: 4F619132A05F118AEA60DF13A480969F7A4FB46BA8B011075FF9E27B65DF3CE1458700

Function 00007FFE148E3B30 Relevance: 5.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE148E1D58), ref: 00007FFE148E3B63
memset.VCRUNTIME140(?,?,?,00007FFE148E1D58), ref: 00007FFE148E3B80
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE148E1D58), ref: 00007FFE148E3BA3
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE148E1D58), ref: 00007FFE148E3BB4

Memory Dump Source

Source File: 00000029.00000002.1779042863.00007FFE148E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE148E0000, based on PE: true

Associated: 00000029.00000002.1778998287.00007FFE148E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000029.00000002.1779102324.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000029.00000002.1779149265.00007FFE148EA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_41_2_7ffe148e0000_rundll32.jbxd

Similarity

API ID: malloc$freememset
String ID:
API String ID: 2835137314-0
Opcode ID: e7459d6239be163082843d5e81bef50b6c3d63922d926c81a6253c073435e8d7
Instruction ID: 687c21e336cc3587714ec795705a36d7f3553b60db3c393cafd4730cc8b9c8c3
Opcode Fuzzy Hash: e7459d6239be163082843d5e81bef50b6c3d63922d926c81a6253c073435e8d7
Instruction Fuzzy Hash: DB218332B04B4681E7148F17E880169B6E5FF85F94B4984B5EE4E67774DF38E8558340

Source: file.dll	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: file.dll	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: file.dll	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: file.dll	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: file.dll	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: file.dll	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: file.dll	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: file.dll	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: file.dll	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: file.dll	String found in binary or memory: http://ocsp.digicert.com0
Source: file.dll	String found in binary or memory: http://ocsp.digicert.com0A
Source: file.dll	String found in binary or memory: http://ocsp.digicert.com0C
Source: file.dll	String found in binary or memory: http://ocsp.digicert.com0X
Source: Amcache.hve.8.dr	String found in binary or memory: http://upx.sf.net
Source: file.dll	String found in binary or memory: http://www.digicert.com/CPS0

Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_00007FFE148E176C		3_2_00007FFE148E176C
Source: C:\Windows\System32\rundll32.exe	Code function: 41_2_00007FFE148E176C		41_2_00007FFE148E176C

Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6728
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6556:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6036
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6768

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\file.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\file.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_media_sound_MidiInDeviceProvider_nGetDescription
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",#1
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6768 -s 356
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6728 -s 356
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_media_sound_MidiInDeviceProvider_nGetName
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6036 -s 528
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_media_sound_MidiInDeviceProvider_nGetNumDevices
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_MidiInDeviceProvider_nGetDescription
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_MidiInDeviceProvider_nGetName
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_MidiInDeviceProvider_nGetNumDevices
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_PortMixer_nOpen
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_PortMixer_nGetPortType
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_PortMixer_nGetPortName
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_PortMixer_nGetPortCount
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_PortMixer_nGetControls
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_PortMixer_nControlSetIntValue
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_PortMixer_nControlSetFloatValue
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_PortMixer_nControlGetIntValue
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_PortMixer_nControlGetFloatValue
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_PortMixer_nClose
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_PortMixerProvider_nNewPortMixerInfo
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_PortMixerProvider_nGetNumDevices
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_Platform_nIsSigned8
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_Platform_nIsBigEndian
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_Platform_nGetLibraryForFeature
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_Platform_nGetExtraLibraries
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_MidiOutDevice_nSendShortMessage
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_MidiOutDevice_nSendLongMessage
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_MidiOutDevice_nOpen
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_MidiOutDevice_nGetTimeStamp
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_MidiOutDevice_nClose
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_MidiOutDeviceProvider_nGetVersion
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_MidiOutDeviceProvider_nGetVendor
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\file.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_media_sound_MidiInDeviceProvider_nGetDescription	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_media_sound_MidiInDeviceProvider_nGetName	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\file.dll,Java_com_sun_media_sound_MidiInDeviceProvider_nGetNumDevices	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_MidiInDeviceProvider_nGetDescription	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_MidiInDeviceProvider_nGetName	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_MidiInDeviceProvider_nGetNumDevices	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_PortMixer_nOpen	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_PortMixer_nGetPortType	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_PortMixer_nGetPortName	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_PortMixer_nGetPortCount	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_PortMixer_nGetControls	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_PortMixer_nControlSetIntValue	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_PortMixer_nControlSetFloatValue	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_PortMixer_nControlGetIntValue	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_PortMixer_nControlGetFloatValue	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_PortMixer_nClose	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_PortMixerProvider_nNewPortMixerInfo	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_PortMixerProvider_nGetNumDevices	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_Platform_nIsSigned8	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_Platform_nIsBigEndian	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_Platform_nGetLibraryForFeature	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_Platform_nGetExtraLibraries	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_MidiOutDevice_nSendShortMessage	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_MidiOutDevice_nSendLongMessage	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_MidiOutDevice_nOpen	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_MidiOutDevice_nGetTimeStamp	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_MidiOutDevice_nClose	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_MidiOutDeviceProvider_nGetVersion	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",Java_com_sun_media_sound_MidiOutDeviceProvider_nGetVendor	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: vcruntime140.dll	Jump to behavior

Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-x64-cygwin\jdk8u361\3183\build\windows-x64\jdk\objs\libjsound\jsound.pdb source: rundll32.exe, 00000003.00000002.1830544768.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1858789941.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.1876625033.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1845055529.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.1775538392.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000012.00000002.1774962600.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000014.00000002.1775772661.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000016.00000002.1779009700.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000019.00000002.1778970705.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001A.00000002.1776288921.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001B.00000002.1779014099.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001C.00000002.1779041307.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000021.00000002.1779110136.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000023.00000002.1779057663.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000024.00000002.1780573721.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000027.00000002.2924216865.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000028.00000002.1780499954.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000029.00000002.1779102324.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmp, file.dll
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-x64-cygwin\jdk8u361\3183\build\windows-x64\jdk\objs\libjsound\jsound.pdb!! source: rundll32.exe, 00000003.00000002.1830544768.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1858789941.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000A.00000002.1876625033.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000E.00000002.1845055529.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000000F.00000002.1775538392.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000012.00000002.1774962600.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000014.00000002.1775772661.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000016.00000002.1779009700.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000019.00000002.1778970705.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001A.00000002.1776288921.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001B.00000002.1779014099.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000001C.00000002.1779041307.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000021.00000002.1779110136.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000023.00000002.1779057663.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000024.00000002.1780573721.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000027.00000002.2924216865.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000028.00000002.1780499954.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000029.00000002.1779102324.00007FFE148E6000.00000002.00000001.01000000.00000003.sdmp, file.dll

Source: file.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 4716
Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 5284

Source: C:\Windows\System32\rundll32.exe	API coverage: 8.9 %
Source: C:\Windows\System32\rundll32.exe	API coverage: 9.5 %

Source: C:\Windows\System32\loaddll64.exe TID: 6560	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 7472	Thread sleep count: 4716 > 30
Source: C:\Windows\System32\rundll32.exe TID: 7472	Thread sleep count: 5284 > 30

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed

Source: Amcache.hve.8.dr	Binary or memory string: VMware
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.8.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.8.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.8.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.8.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.8.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.8.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.8.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.8.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.8.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.8.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_fil_41295953bbcbb6c049bf78baaa48b958e26b4df_d75f6fa5_70893c81-26e0-49bf-b072-f56d5596ff66\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_fil_41295953bbcbb6c049bf78baaa48b958e26b4df_d75f6fa5_aa9297c9-4bb3-4dd6-90b8-f5b8ad05b9a0\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_fil_65e4b14aae1adf98ac97cac7affb5dbf3d4bee80_d75f6fa5_24b3bb7f-f7de-4dd9-aa14-369834d33aef\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER474C.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER476B.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER47CA.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER47FA.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4848.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4888.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER52D5.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5382.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER53A2.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Network Behavior

Windows Analysis Report
file.dll